Wi-Fi’s WPA Hacked… Again

31 03 2013

Introduction

Since its implementation, Wi-Fi has had a troubled time establishing a reliable encryption standard despite its exponential growth in popularity among businesses and casual users alike. After the epic failure of the Wired Equivalent Privacy (WEP) algorithm in 2001 due to weak and predictable encryption methods, a new encryption standard was needed to pick up where WEP had failed (Borisov, Goldberg and Wagner). The Wi-Fi Alliance’s Wi-Fi Protected Access (WPA) and the Institute of Electrical and Electronics Engineers’ (IEEE) WPA2 standard, which provided stronger encryption and mutual authentication, was supposed to be the answer to all of our Wi-Fi woes (Wi-Fi Alliance 2). It has done a decent job; at least until the Wi-Fi Protected Setup (WPS) feature was introduced. This is a great example of how tipping the scale in favor of convenience rather than security didn’t work out so well.

A Brief Background on WPA/2

For the scope of this discussion, I will only be addressing the personal pre-shared key (PSK) flavor of WPA. While WPA and WPA2 are indeed much more robust security mechanisms than their predecessor, WEP, they do have problems of their own. Both implementations of WPA use a 4-way handshake for key exchange and authentication. WPA utilizes a constantly changing temporary session key known as a Pairwise Transient Key (PTK) derived from the original passphrase in order to deter cryptanalysis and replay attacks. During this process the user-selected PSK is input into a formula along with the Service Set Identifier (SSID) of the given network, and the SSID length and then hashed 4096 times to derive a 256-bit Pairwise Master Key (PMK). Another function is performed on the PMK using two nonce values and the two Media Access Control (MAC) addresses from the access point and the client which in turn generates a PTK on both devices (Moskowitz). These PTKs are then used to generate encryption keys to encrypt further communications (Wi-Fi Alliance). The problem is that this 4-way handshake can unfortunately be observed by a third party. If an outside device captures the handshake, then the two MAC addresses, nonce values, and the cipher suite used can be obtained. The PTK can then be generated by the outsider (Moskowitz). A dictionary or brute force attack can then be run against the PTK to find the corresponding original PSK it was derived from. Therefore choosing a weak password significantly reduces the effectiveness of WPA and greatly increases the chances that your PSK will be discovered.

Then Came WPS

In 2007 the Wi-Fi Alliance decided to make connecting to WPA enabled networks easier for home users and developed the WPS specification. Their goal was to promote best practices for security while providing ease of use (Wi-Fi Alliance 1) for home users. Essentially they accomplished this by creating a backdoor into your WPA enabled network.

WPS comes in two modes of operation, a push-button-connect mode and a personal identification number (PIN) mode. Furthermore the PIN mode is split into two subcategories, an internal registrar and external registrar mode (Viehböck 3-4). While the push-button mode has security implications of its own, we are going to focus on the external registrar PIN mode of operation.

This is Where Things Get Interesting

The external registrar PIN mode of operation only requires that a foreign wireless device send an 8 digit PIN that matches the 8 digit PIN set on the WPS-enabled access point or external registrar used to authenticate WPS clients. If the PIN that was sent matches, the access point or registrar responds with the PSK needed to authenticate to the network. Thus, the security of a WPA2 enabled network even with a strong 60 character passphrase could potentially be compromised by exploiting an 8 digit PIN. To add insult to injury, the 8 digit PIN is actually 7 digits, with the eighth digit being a checksum of the previous 7. The 8 digits are then split in half during transmission, with digits 1-4 being the first half of the PIN and 5-8 being the second half. During PIN authentication each half of the PIN is sent and authenticated separately. Based on the response given by the access point or registrar for a submitted PIN, an attacker can determine if the first and second halves were correct or incorrect independently of each other. At this point, to gain unauthorized access to the network, you essentially just need to brute force two 4-digit PINs or 104 + 104. That’s only 20,000 possible combinations. Additionally, since the eighth digit of the PIN is a checksum, you really only have a maximum of 104 + 103, or 11,000 possible values to brute force (Viehböck 4-6). Keep in mind that this has nothing to do with the strength of your actual WPA passphrase. The most disturbing implications of this are that an otherwise well-secured, unfeasibly penetrable WPA-PSK network could still be easily compromised by guessing 1 of 11,000 possible values.

What Devices are Affected by This?

This attack was published in late 2011 and unfortunately the vast majority of small office/home office (SOHO) wireless routers in use remain vulnerable. Additionally, most of the wireless routers and access points on the market have this WPS feature enabled by default and with certain vendors the user isn’t even given the option to disable it! Wireless router vendors have been notified of this vulnerability and some vendors have already released firmware updates disabling the WPS PIN feature by default and in some cases giving the user the option to disable it (Viehböck 9). The problem is that the average home user will probably not routinely update their router firmware and may remain vulnerable indefinitely. A recent scan using Wash, a tool which is used to identify WPA networks which are vulnerable to this attack, revealed 14 vulnerable SSIDs within close proximity to my home. There is also a spreadsheet of known vulnerable devices hosted on Google Docs (WPS Flaw Vulnerable Devices).

How to Protect Yourself

Update your router or access point to the latest firmware available and completely disable the WPS feature. If your device will not let you disable WPS, contact your vendor or consider purchasing a device that will let you. Also, it couldn’t hurt to run the Wash tool and see if your network is listed as being vulnerable. If you want to take it one step further, the Reaver tool will enable you to run the WPS PIN attack against your own network to determine if you are indeed susceptible to this vulnerability.

______________

Borisov, Nikita, Ian Goldberg and David Wagner. “Security of the WEP Algorithm.” n.d. (In)Security of the WEP algorithm. 16 February 2013.

Moskowitz, Robert. Weakness in Passphrase Choice in WPA Interface. 4 November 2003. 17 February 2013. <http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface.html&gt;.

Viehböck, Stefan. Brute forcing Wi-Fi Protected Setup. 26 December 2011. Document.

Wi-Fi Alliance. “State of Wi-Fi Security.” January 2012. Wi-Fi Alliance. Document. 16 February 2013. <http://www.wi-fi.org/sites/default/files/uploads/20120229%20State%20of%20Wi-Fi%20Security_09May2012_updated_cert.pdf&gt;.

—. Wi-Fi Certified Wi-Fi Protected Setup. December 2010. Document.

“WPS Flaw Vulnerable Devices.” n.d. Document. 17 February 2013. <https://docs.google.com/spreadsheet/ccc?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c&gt;.

Advertisements




Jailbreaking iPhones – What’s at stake?

1 11 2012

by Adam Rauf

Chances are, if you’re a smartphone owner in the year 2012, you most likely are carrying either an iPhone or an Android device.  If you’re an iPhone user, you’re probably quite happy with your device; after all, it can run a lot of applications, make phone calls, and send text messages, amongst other features.  However, your Android brethren often will chastise you for having such a “locked down” device, considering rooting an Android has slowly become a very easy task over the years.  Granted, there are a lot of concerns in having a device that is rooted (or jailbroken), but the ability to overclock, tether, and generally do what you wish with your handset is a privilege that is not as easily bestowed to iPhone users.

A quick Google search for “jailbreak iphone” will lead to a Wikipedia article about “Privilege Escalation.”  To the common user, what is that exactly?  Privilege Escalation is “the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application used to gain elevated access to resources that are normally protected from an application or user[1].”  So in essence, jailbreaking allows the user to exploit some sort of bug in the operating system so that they can gain full access to their handheld device.  In the case of Android devices, people would install custom roms, new basebands and versions of the OS, or as stated previously, be able to tether or overclock their phones.  In the case of the iPhone, users may be less tempted to want to install custom roms, but being able to overclock, tether, and upgrade baseband radios for better signal are certainly neat advantages that bedroom hackers may be interested in.  Now, keep this in mind, it’s still an exploitation of the operating system.

Jailbreaking does come at a price.  Back in 2009, 21-year old Australian student Ashley Towns wrote the first “iPhone virus [2].”  Jailbreaking software available at the time installed an SSH service on their phone.  And if users did not change their default password [“alpine”], they could be hit with this version of this virus, which would change their wallpaper and play Rick Astley’s single, “Never Gonna Give you Up[2].”  So while this was no more than an annoyance at the time, Towns proved that as easy as it was to jailbreak your device, you also had to worry about now changing your SSH passwords, which many users could possibly neglect.  As the saying goes, “with great power comes great responsibility.”

This same bug was exploited just weeks later, but with more malicious intent.  Security company F-Secure pointed out that users in the Netherlands were being targeted, particularly in their banking logins [3].  While Towns may have been trying to bring awareness to this security hole as a Whitehat, this was clearly more of a malicious intent, basically treating the iPhones as a botnet, with a command & control post, and could propagate to more phones via unsecured wifi, for example [3].

Of course, Apple being the walled garden that it is, saw serious issues with this idea of jailbreaking.  Not only did it create new vulnerabilities, but the stability of the device was now compromised.  No longer could people have the device that “just works.”  Perhaps for the same reason that they build all of their machines to certain specs, the last thing the company wanted was for devices such as the iPhone and iPad as well as the iPod to be hacked.  For quite some time, they saw this as copyright violation.  However, in 2010, the DMCA (Digital Millenium Copyright Act) that Apple used as its legal muscles gave way to jailbreaking.  The copyright office found jailbreaking to not infringe on any rights and granted an exemption to it [4].  As much noise as Apple made about it, they had lost this battle.  So now, it was no longer illegal to jailbreak your phone, but much like Android handset carriers, they did warn you that it would void your warranty.

To also deal with the “walled garden” effect of Apple and provide a means to get apps, the Cydia app was developed.  Users can go to JailbreakMe.com on their device and quickly jailbreak their phone [5].  They also made it quickly reversible, so that you can go back to iTunes and restore your device [5].  There is however, no guarantee that you can’t brick your device, or cause some sort of damage to it.  And because Cydia is overlooked by a team of users not specifically working at Apple, you can’t always trust what apps you can download, and there’s no rigorous testing process; you’re basically going in somewhat blind into territory that’s unchartered.  None of the apps are going to be signed by any authority, and there’s nothing stopping a user from flooding the market.  Does that sound scary to any of you yet?

Apple has gone to great lengths to brand and image themselves as a secure vendor.  Their slogan of “It just works,” amongst their hip campaigns is supposed to imply that you won’t be dealing with all of the viruses/malware of Windows.  But, we’re starting to see phishing attacks on users.  Myself and friends included have gotten text messages leading to nefarious URLs.  And since some of us are on Android or jailbroken iOS devices, we can sideload apps.  What’s to say we haven’t downloaded something insecure?  Apple may say you don’t need an antivirus, but the mobile space is still relatively new to us and it may come back to bite us later.  For example, is there any way we could detect if we’re being DNS cache poisoned, or if people are intercepting our data when we sign into wifi?

Let’s fast-forward to the future, where we currently still have no cracks into the iPhone 5.  The iPhone 5 runs iOS 6, and has yet to be broken.  In fact, as early as today, October 9th, the jailbreak team working on it has disbanded [6].

Okay, so now we all have some background on what jailbreaking is, and where we are with it.  The questions I pose to you, the readers, is what incentives do we see with jailbreaking these days?  Is it purely to stiff the man and have full access to the device, or is it no longer important due to the malware and vulnerabilities that are propagating in the mobile space [and thus requiring users to install anti-virus and anti-malware apps]?  Does the fact that jailbreaking is now easier somehow make Android less attractive, considering how easy [*chuckle*] it was to root Android phones previously to get the same kind of performance from iOS?

If I may throw my hat in the ring, I tend to think jailbreaking was once a huge part of the “nerdy” culture, much like how people would choose to run Linux over Windows or Mac.  You might not do anything really amazing with it, but you got some “cool points” from peers for jailbreaking/rooting your device and throwing customized UIs and applications over top of it.  But then again, much like Linux, it was the privileged few that could afford to get iPhones or Android devices in the beginning.  But now, as we start to see devices drop to the cost of pennies, you’re a small part of a large majority.  You’re not really running a whole different OS than everyone; you’re running something modded.  And while that still might be “cool,” that hip appeal is slowly starting to fade.

Recently, the US Navy also showed how the mobile space is getting to be a scarier place.  The recently released “Placeraider” malware they developed would silently use your camera function to take pictures while you are unaware, upload the photos to one of their servers, and map out a 3D image of your surroundings [7].  This is absolutely frightening; rooting or not, security has become a bigger issue, and will continue to become an issue as we move forward.  It also emphasizes the importance of users being more diligent as to what permissions they grant applications when they install them, especially when this program asked for no more rights than your common photo app like Instagram [7].

I currently own a Samsung Galaxy Nexus [the Apple lawsuit is another story].  I’m running the latest Google OS of Jellybean.  I didn’t have to root my device like I rooted my original Motorola Droid to get a lot of the features I got on this device.  I no longer need to overclock, I no longer have an issues with tethering, and I’m able to sideload apps if I wish.  Is the appeal for rooting there for me?  Not really.  Unless I want to spend time bragging to friends, there’s not a whole lot I would like to change about my phone.  And with Apple devices, we’re starting to see the same thing.

Are users interested in voiding their warranties, downloading apps from possibly untrusted/untested sources, and opening themselves up to exploits outside of Apple?  Probably not.  While Apple does make mistakes, they do have a responsibility to their users to patch vulnerabilities.  In the Android world, there certainly are people who help take the sourcecode from the Google Devs and morph it into custom roms that may patch vulnerabilities that aren’t even patched with the official OS.  While that can still be true with Apple devices, the certainly do cost more, and definitely more to replace.  So the “fun factor” of jailbreaking your device may not stack up against the “cost factor” of having to replace the device.

______________

1. “Privilege Escalation.”  Wikipedia, The Free Encyclopedia.  Wikimedia Foundation, Inc.  4 October 2012.  Web.  <http://en.wikipedia.org/wiki/Privilege_escalation&gt;

2. Andersen, Brigid.  “Australian Admits Creating First iPhone Virus”  ABC News AU.  10 November 2009.  Web.  <http://www.abc.net.au/news/2009-11-09/australian-admits-creating-first-iphone-virus/1135474&gt;

3. “New iPhone worm can act like botnet say experts.”  BBC News.  23 November 2009.  Web.  <http://news.bbc.co.uk/2/hi/technology/8373739.stm&gt;

4. “Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies.”  Copyright.gov.  Web.  Revised 24 August 2012.  <http://www.copyright.gov/1201/&gt;

5. Comex, Grant Paul, Jay Freeman (saurik), MuscleNerd, et al.  “JailBreakMe.”  JailBreakMe.  Web.  <http://www.jailbreakme.com/&gt;

6. Harbison, Cammy.  “iOS 6 Untethered Jailbreak Team Splits As New Alliances Are Formed, Still Promising Results.”  International Digital Times.  9 October 2012.  Web.  <http://www.idigitaltimes.com/articles/11677/20121009/ios-6-untethered-jailbreak-team-splits-new.htm&gt;

7. McLellan, Heather.  “US Navy Helps Create Camera-Hijacking Smartphone Malware.”  The Escapist.  1 October 2012.  Web.  <http://www.escapistmagazine.com/news/view/119890-US-Navy-Helps-Create-Camera-Hijacking-Smartphone-Malware&gt;





Smartphone security

24 09 2012

The concept of the cellular phone was not something new. In a sense, portable radios which have been in use since 1921 can be defined as early cellular phones (1)(4). In 1947, cellular phones were developed as mobile car phones, a concept created by Bell Laboratories. However, it not until 1973 that the world was first introduced to the cellular phone we know today. Conceived by Motorola, the first cellular phone combined the idea of the car phone with modern technology to make the phone fully portable (1). With each passing decade, cellular phones began to advance greatly, technologically surpassing its predecessors and rendering them obsolete. Today they are basically mini computers or smartphones. Smartphones are defined as “a device that lets you make telephone calls, but also adds features that you might find on a personal digital assistant or a computer” (3). With the new capabilities and growing access to the Internet, smartphone security has become a growing issue. Smartphones use their own specific network protocols to send and receive data, either by phone calls, web browsing, file transferring, etc. (5). These protocols include General Packet Radio Services (GPRS), Enhanced Data GSM Environment (EDGE), Universal Mobile Telecommunication Service (UTMS), Wideband Code-Division Multiple Access (WCDMA) and others. Due to the fact that these protocols are wireless they are highly susceptible to many security vulnerabilities. One such vulnerability is the “Evil Twin” attack. An “Evil Twin” attack occurs when a hacker makes a fake server with a legitimate hotspot service identity; so that when a user connects their information can be intercepted (6). The improvement of security for smartphone network protocols is imperative to prevent these kinds of attacks; a good example can be seen in the upgrade from IPv4 to IPv6 and IPsec.

Smartphone viruses have not been as common as computer viruses even though they are essentially the same thing, executable files (7). This is because unlike computer operating systems which are mainly Microsoft products, smartphones vary in operating systems, software, and hardware. Also these viruses can only be spread to phones that have access to internet downloads, Bluetooth connection, and multimedia messages. The first smartphone virus called, Cabir, was created by malware developers to test its capability (7). Although it infected a small number of Bluetooth enabled phones, an undeniable statement was made that smartphones were not invincible to viruses and other security risks. Smartphone viruses have the capability of deleting contacts, calendar appointments and spread by sending infected multimedia messages to all your contacts. As smartphones continue to grow in popularity the threat of wide spread viruses rises (7).

To improve network and software security certain steps must be taken. The improvement of network protocols such as GPRS through encryption is paramount. German computer engineer Karsten Nohl deciphered the algorithm used by several telecommunication companies to encrypt mobile Internet traffic (8). He also discovered that several companies do not encrypt their digital data at all.  These improvements should be made along the same lines as IPv6 and IPsec, which incorporated authentication and encapsulation. To improve software and operating systems security, patches for mobile operating systems should be kept up to date. Several companies have developed virus detection software for detecting and removing viruses found on a phone. To prevent viruses from infecting your phone via Bluetooth, turn off Bluetooth broadcasting. By using these methods and others, smartphone security can be improved.

_____________

(1)  “Cell Phone History.” . Oracle ThinkQuest, n.d. Web. 18 Sep 2012. <http://library.thinkquest.org/04oct/02001/home.htm&gt;.
(2)  “History of Cell Phones.” . N.p., n.d. Web. 19 Sep 2012. <http://www.global-source-mkt.com/cellphonefacts.html&gt;.
(3) Cassavoy, Liane. “Cell Phones.” . N.p., n.d. Web. 18 Sep 2012. <http://cellphones.about.com/od/glossary/g/smart_defined.htm&gt;.
(4) Brian, Marshall. “How Cell Phones Work.” . N.p., n.d. Web. 16 Sep 2012. <http://www.howstuffworks.com/cell-phone.htm&gt;.
(5) Coustan, Dave. “How Smartphones Work.” Network Protocols. N.p., n.d. Web. 14 Sep 2012. <http://electronics.howstuffworks.com/smartphone3.htm&gt;.
(6) Coustan, Dave. “How Smartphones Work.” The Future of Smartphones. N.p., n.d. Web. 14 Sep 2012. <http://electronics.howstuffworks.com/smartphone5.htm&gt;.
(7) Layton, Julia. “How Cell-phone Viruses Work.” . N.p., n.d. Web. 16 Sep 2012. <http://electronics.howstuffworks.com/cell-phone-virus.htm&gt;.
(8) O’Brien, Kevin. “Hacker to Demonstrate ‘Weak’ Mobile Internet Security.” The New York Times. N.p., n.d. Web. 18 Sep 2012. <http://www.nytimes.com/2011/08/10/technology/hacker-to-demonstrate-weak-mobile-internet-security.html&gt;.

 





Smart Phones & Tablets – Security vs Usability

31 07 2012

Let’s start with some interesting facts on Smart Phone and Tablets

  • In June 2011, for first time ever people spent more time using mobile applications (81 mins) than browsing mobile web (74 mins) (Lookout Mobile Security)[1]
  • In 2011, for the first time, smartphone and tablet shipments exceed those of desktop and notebook shipments (Meeker)[2]
  • As of July 19th, 2012, total number of applications available on Android Market is “485422” (Appbrain)[3]
  • As of July 21st 2012, Estimated number of applications downloaded from Android Market  are 9,613,765,347 (Androlib)[4]
  • Total Active Apps available for download on iTunes: 684,396 (Biz)[5]
  • 83 percent of young people sleep next to their cell phones (Pearcy) [6]
  • The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 20105 (Lookout Mobile Security)[7]

How many of you used smartphone in last one hour and how many of you have it next to you while reading this blog?  How many of you are reading this blog on smartphone or tablet?

Don’t you think that the exponential growth in the Mobile Application and usage of Smart Phones is also attracting cybercriminals who want to take advantage by spreading Mobile Malware, Virus or using smart phones to steal information or get access to sensitive data? Hackers will try to spread virus over mobile network as smart phones besides making phone calls are used for SMS, MMS, Email, Mobile Application including personal and business and Mobile Commerce including internet banking. This gives hacker’s multitude of options of exploit networks, phone/tablet and mobile applications.

You may be surprised that Smart Phones have more threats of security breach compared to your desktop or laptop. Unlike desktops or laptops, Smart Phones do not receive patches and upgrades commonly. Users don’t change their O/S or Mobile server frequently – in most cases it never gets changes. Contrary to laptop or tablet, smartphones are always on and running.

There are growing number of viruses, worms and Trojan horses that are targeting smart phones. Though so far none of the new attacks have done extensive damage, it may be a matter of time before it occurs. The nature of these attacks may be impacting an individual user e.g. using their personal information to make calls, use their payment information in case of Mobile Commerce or internet banking over phone. It can also impact the organization either by stealing the company related data residing on smart phones and tablets, or using the smart phones to get on to their network. Besides this attackers can also generate attacks to degrade or overload mobile networks eventually resulting in Denial of Services or causing phones to make hoax calls – dial and disconnect.

Some of the threats faced by Smart Phones & Tablets are

  • Application Based Threats – Malware, Spyware, Privacy Threats, Vulnerable Applications
  • Web-Based Threats– Phishing Scams, Social Engineering, Drive-By Downloads, Browser exploits
  • Network Threats – Network Exploits, Wi-Fi Sniffing, Man In the Middle attacks, Bluetooth Sniffing and SMS hijacking
  • Physical Threats – Lost or Stolen Devices, Data Breach, Loss of Personal or intellectual property and trade secrets

Both iOS and Android, the two leading smartphone O/S have their own unique security model. iOS is extremely proprietary while Android is open. This very fact has its own implications and these vulnerabilities have been exploited on both of them. E.g the DroidDream malware that emerged in the Android Market in Q1, 2011 utilized two exploits, Exploid and RageAgainstTheCage to break out of the Android security sandbox, gain root control of the operating system and install applications without user intervention (Strazzere)[8]. As a result of DroidDream, Google ended up pulling more than 50 apps from Android Market. Similarly, JailbreakMe 3.0 for Apple iOS device, even though non-malicious web page, it exploits two vulnerabilities to jailbreak a device. (Jean)[9] Mac hacker Charlie Miller has found a way to sneak a fully-evil app onto your phone or tablet, right under Apple’s nose. (Greenberg) [10]

Despite the threats and security concerns, there is no denying that the growth of Smart Phones and tablets is on rise and we are going to see more and more applications and functionalities available on these devices. Now you might be thinking about the classic two factor conundrum – Usability vs Security. Below are some of the steps that will help us striking a balance between Usability and Security

Data Protection – Do not store any sensitive data e.g passwords, personal data on phone. Ensure that applications are storing all the confidential data on server rather than on phone. For the data stored on phone use the encryption API or software provided by OS or third party. When the application is closed, ensure that the data from the cache is also cleared.  Data Management and secure key management helps in protecting the sensitive data not only on phone but also on any external/flash media e.g. SD cards, Flash Media

Credentials and Tokens – Rather than using password only authentication, consider using authorization tokens (e.g. OAuth 2.0 Model) on the device. These tokens can be encrypted in transmit using SSL/TLS. Ensure that these tokens are time bound and ensure that either password or keys are not visible in cache or logs.

Securing Data in Transit – Smartphone support various communication networks and they can join a particular network randomly. For sending any data one can use signed certificates by CA providers or use strong encryption algorithm like AES with appropriate key length. To avoid man in the middle attach, avoid establishing a connection without verifying end point. Last but not least, do not send any sensitive information using SMS or MMS. For securing data and communication, one can integrate the solution in Network based technologies e.g. NAC to identify the appropriate access rights based on the user identification and security profile of handheld device.

Mobile Device Management – Besides using the OS password and application remote kill possibilities, consider implementing a Mobile Device Management solution that can implement various policies like phone lock or data wipe after ‘N’ number of failed login attempt. Using MDM solution you can lock, wipe, track, manage applications downloaded and do a remote restore if required. This provides a safety not only against any loss or theft but also helps managing the applications that can reside on phone along with implementation of corporate mobile polices.

Anti-Virus and Anti-Malware – You might be thinking, what about various Anti-Malware or Anti-spyware solutions. The good news is that there is plenty of options available including on device personal firewall. Anti-spam software can be used to protect against any unwanted SMS or MMS messages. However one needs to be careful, as they do have a negative impact on the performance of phones and applications. Smartphones are highly optimized and somewhat tight on resources – RAM, CPU and Battery. Running Anti-Virus, malware tools can have significant impact on the performance and consumption of resources. During the scan, CPU utilization goes up to 80% and wide fluctuations in batter up to 264mA (Stephanow & Subramanian). This consumption is directly associated with the amount of data, hence back to the point discussed above – one must be careful in identifying which data needs to reside on phone. One shall try to have the data available on the cloud or back end server, reason it is easier to secure a server; not only maintain the data integrity but also securing it in case of any loss or theft of phone.

Conclusion: By implementing some or all of the above mentioned steps, organizations and individuals can secure their smartphones and ensure that they are enjoying increased productivity without worrying about the securing their data, applications and phones.

________

  1. Androlib. (n.d.). http://www.androlib.com/appstats.aspx. Retrieved from http://www.androlib.com.
  2. appbrain. (n.d.). http://www.appbrain.com/stats/number-of-android-apps. Retrieved from http://www.appbrain.com.
  3. Biz, A. (n.d.). App Store Statistics. Retrieved from http://148apps.biz/app-store-metrics/.
  4. Greenberg, A. (n.d.). iPhone Security Bug Lets Innocent-Looking Apps Go Bad. Retrieved from http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/.
  5. Jean. (n.d.). Analysis of the jailbreakme v3 font exploit. Retrieved from http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit.
  6. Lookout Mobile Security. (n.d.). MOBILE THREAT REPORT. Retrieved from https://www.mylookout.com/mobile-threat-report: https://www.mylookout.com/mobile-threat-report
  7. Meeker, M. (n.d.). techcrunch.com/2011/02/10/meeker-mobile-slides/.
  8. OWASP. (n.d.). OWASP Mobile Security Project. Retrieved from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project.
  9. Pearcy, A. (n.d.). http://www.prdaily.com/Main/Articles/Infographic_83_percent_of_young_people_sleep_next_9391.aspx. Retrieved from prdaily.com.
  10. Stephanow, P., & Subramanian, L. (n.d.). An Architecture To Provide Cloud Based Security Services for Smartphones.
  11. Strazzere, T. (n.d.). Update: Android Malware DroidDream: How it Works. Retrieved from http://blog.mylookout.com/blog/2011/03/02/android-malware-droiddream-how-it-works.

 





Vehicle Telecommunication: Services and Security

26 07 2012

Auto manufacturers today are focusing on enhancing the connectivity and networking experience by embedding microcontrollers and communication capabilities in the vehicle. Features such as Bluetooth, Navigation system, in vehicle infotainment, remote commands, and Wi-Fi hotspot capabilities are becoming standard fitments. These are some of the services available today:

  • Companies like ‘Relay Rides’ are offering peer-to-peer car sharing service with the help of telecommunication service providers like OnStar, where a car owner can rent out their car to another Relay Ride subscriber [1]. Both parties don’t need to meet to hand over keys. Owner leaves the keys in the car, doors are unlocked remotely, renter uses the car for the duration as per rent contract and then leaves the car with keys inside and locks the car.
  • A stolen vehicle can be slowed down remotely on the advice of police, avoiding a high speed car chase.
  • Emergency services can be dispatched to locations even when the driver is unable to communicate.
  • One can send a vehicle lock or unlock request to their car which could be several hundred miles away, using a Mobile app.
  • Similarly, start the car or stop it using key fob or mobile app.
  • There are players who offer Wi-Fi hot spot in the car so that kids can stream their favorite videos relaxing at the rear seats on a long trip. Up to eight devices can be connected at once [2].
  • There are services available which read vehicle data and present it on mobile app or in an email. One doesn’t need to check the tire pressure using a gauge anymore; mobile app reads the tire pressure, gas remaining, mileage etc. for you.

There are several players in today’s market like GM’s OnStar, Ford’s SYNC, BMW’s Assist, Lexus’ Enform, Toyota’s Safety Connect, and Mercedes’ mbrace. There is a growing concern that the security features available, to protect these devices and services is not as robust as one would like it to be. There have been several instances of security breach. ‘Proof-of-concept’ software developed using homemade software and a standard computer port dubbed ‘Carshark’ was used to demonstrate that critical safety components of a vehicle can be hacked. Another situation where approx.. 100 vehicles were disabled from a ‘remote disable system’ that was installed by a car dealership. It was later found out that it was a disgruntled former employee who remotely disabled the cars and set off the horns. There was also a case where, an aftermarket GPS navigation service provider, recorded driver behavior and was selling that data to Dutch police to target speeding vehicles [3].

Swiss researchers tested scenarios of car hacking, with key fobs in close proximity to the vehicle (within range of the antenna). Using the two-antenna approach, cars were successfully hacked and driven away. Security researchers have cracked the keys used by multiple types of key fobs, including the Hitag 2 encryption key. The proprietary encryption keys used to transmit data between the key fob, receiver, and engine are not secure enough. Only a few car manufacturers use 128-bit Advanced Encryption Standard (AES) keys. Many use 40- or 48-bit keys, which security experts regard as ineffective [4]. Similar research was carried out on tire pressure gauges and found that wireless networks built in many cars did not perform authentication or input validation.

Automotive manufacturers have been focusing on security of these embedded devices. NXP Semiconductors, which is one of the solution providers, offers authentication capabilities based on device identity and service profiling. Their microcontrollers feature hardware cryptographic accelerators (ECC, RSA, AES, DES), and support a broad range of symmetric and asymmetric (public key) algorithms and protocols. One can enable access control to in-vehicle network ensuring messages from wireless interfaces and between ECUs, are authenticated and encrypted [5].

Conclusion: Several vehicle features and services are available today, using wireless communication involving private data. This attracts hackers so that they could gather data and sell them to prospective buyers. Automobile manufacturers and telecommunication service providers are coming up with technology to secure the connection, but a lot more needs to be done.

_______________

  1. Relay Rides. https://relayrides.com/onstar
  2. Audiusa.com Home page. http://www.audiusa.com/us/brand/en/owners/audi_connect/wifi_hotspot.html
  3. Shane McGlaun, Sept 7, 2011. Automotive Security.pdf http://www.mcafee.com/us/resources/reports/rp-caution-malware-ahead.pdf
  4. Mathew J. Schwartz, http://www.informationweek.com/news/security/vulnerabilities/229000561
  5. NXP Semiconductors NV., http://www.nxp.com/campaigns/connected-mobility/technologies

 





Automotive Telematics/Infotainment Systems: Security Vulnerabilities and Risks

21 07 2012

Audi Chairman Rupert Stadler was spot on when he said:

 There is a revolution taking place. Some of the most exciting new consumer electronics aren’t the ones in your living rooms or in your offices. They’re the ones in your cars.” [1]

However with the rapid advancement in the development of vehicle telematics/infotainment systems and integration of numerous technologies in them the scope of security vulnerabilities in vehicles are exponentially expanding and the risk of potential hacker attack are rapidly growing.

A number of latest and upcoming telematics/infotainment systems in today’s automotive include the following features and technologies:

  • Vehicle Communication Systems: The main purpose of these systems is to establish an external data connection of the vehicle with telematics service provider using existing cellular technologies such as LTE, GSM, CDMA, etc. that practically makes the vehicle as a mobile node and provides it access to the cloud.
  • Radio User Apps: A number of new and almost all upcoming future vehicles are planned to be equipped with In-Vehicle Infotainment systems that support a wide variety of user apps. The user apps provide a variety of services that include audio/video services, access to social media, internet browsing capabilities, etc. A number of these app services are subscriptions based and typically contain sensitive user information.
  • Wi-Fi/Bluetooth/USB Mediums: A variety of connectivity mediums are supported in the latest vehicles that include Wi-Fi, Bluetooth and USB technologies that allow the vehicles to communicate and pair with external consumer devices such as user smart phones, cameras, entertainment systems, gadgets, etc. as well as with external data hotspots for internet access.
  • Web-Based Services: A number of web-based features are also available for the latest vehicles that offer services such as vehicle location capabilities, locking/unlocking vehicles remotely, remote start features, remote diagnostics, software updates, etc.

Now let’s look at some of the challenges and security vulnerabilities these services/features pose to the vehicle owner, service providers or the automotive manufacturers…

Firstly, when the vehicle is connected to the telematics service provider, it becomes a network/cloud node and usually gets assigned an IP address that allows it to communicate over the cellular link. This makes the vehicle as an interesting target for hackers as it can provide them with potentially free access to internet or backend systems through which they can perform all sorts of illegal cyber activities as well as allow them to potentially steal sensitive personal information of the user. Also, having a public IP address makes the car vulnerable to all sorts of cyber viruses and security attacks. Furthermore, a hacker can use networking hacking techniques such as port scanning, firewall loop holes, etc. to get unauthorized access to the vehicles as well as the service providers.

The other important security vulnerability is how the communication between the vehicle and telematics service provides is secured and protected. A hacker can potentially sniff the communication between the vehicle and backend service provider and can potentially steal sensitive user information such as account numbers, contact information, user names, and passwords along with other billing related information. This information can then be used by hacker on web based services to track user activities, vehicle usage, location of vehicle, etc.

Another interesting challenge/vulnerability that the new features pose is the management and storage of the static and dynamic data that is generated with the use of these telematics services in a secured manner. [2] The main challenge is to identify the different types of data services used and to manage them in a way that security of sensitive information (important personal data) is not compromised. If certain data is not stored in the automotive itself, the user needs to be notified where and how their data is getting stored and what security protocol is followed in order to address privacy concerns.

The other series of security vulnerabilities arise from the inclusion of a variety of web based apps in the infotainment systems on the vehicles. A number of apps included are supposed to provide access to social media sites to the user. Any unauthorized access to these apps can expose personal information of user to the hacker that may include usernames, passwords and other personal information. Also, a number of other apps are subscription based services that contain user information with respect to the purchased subscription. Any vulnerability or unauthorized exposure of this information to the hacker would allow him to use it in a way that would result in financial losses to the user.

The integration of different connectivity technologies brings another set of security vulnerabilities for the telematics/infotainment systems. For example, any security compromises in the Bluetooth protocol can result in the hacking of personal contacts information by the hacker or unauthorized access of user’s phone by the hacker. Any vulnerability in the USB stack can potentially result in hackers accessing the operating system of the telematics/infotainment systems that can expose sensitive system information of the user or vehicle.

Conclusion

In summary, the security vulnerabilities discussed above can result in the identity theft of vehicle users, loss of critical information such as usernames/passwords, unauthorized access to the internet by the hackers that can result in cybercrimes which can get the user in legal complications. Also, any loopholes or security weaknesses can result in legal complications and bad media publicity for the automotive manufacturers as users can potentially sue them if their security or privacy is breached or compromised.
____________

[1] Telematics Update. (Jan 12, 2011). Telematics and security: Protecting the connected car. Retrieved July 10, 2012 from < http://analysis.telematicsupdate.com/intelligent-safety/telematics-and-security-protecting-connected-car >

[2] Sastry Duri, Marco Grutese. (2002). Framework for Security and Privacy in Automotive Telematics. IBM Thomas J. Watson Research Center.





Is your vehicle safe?

20 07 2012

Problem

Everyone is starting to realize that modern vehicles have tons of computers inside them. By some counts, there are 30+ modules computing and performing different functions for your vehicle. Some control the vehicle’s engine and propulsion system, while others control various body functionalities. These computers can be hacked, just like any other. Vehicle hacking started out with people creating custom EEPROM chips that allowed racers and sports drivers to modify their vehicle’s performance for very little cost. While this could cost vehicle manufactures money it in warranty costs, it was generally of little interest, since, in some cases, it accounted for new sales—people who were interested in purchasing a car that could be easily modified. Racing and driving is already a dangerous sport, so it would be unlikely that someone modifying their vehicle’s performance would have any legal grounds to pursue against the manufacturer.

Twenty years later, today’s cars present a new problem. Modules don’t just control the performance; they can accelerate the car, turn the car, roll the windows up\down, disable propulsion, change gears, etc. Anyone with time and persistence can figure out how these work. Some information is even readily available for purchase from the OEMs, and tools can be found for around $500 US[1]. Additional users can cheat the system to reduce their costs[2]. Take, for example, OnStar, a paid service offered by General Motors that sends directions to your car, makes phone calls, connects you to a personal assistant, etc. If this system is hacked by an outside user, that person might gain the ability to send the driver bogus directions, or worse yet, disable the vehicle as it is driving 75MPH down the interstate.

These may seem like pretty rare problems or perhaps not even that serious, but picture the future of vehicles driving themselves[3]. If you tell your vehicle to go to Orlando, FL but you end up driving down a boat dock in Northern Michigan, you may end up, at the very least, pretty upset, or worse yet injured or even killed.  This is why we need to worry about tapping in!

Tapping in

How can this be possible, you ask? As any computer hacker will tell you, having access to the computer is critical, and we leave our cars parked and exposed out in the open all the time. If I told you someone could slip under your car, pinch a wire and know your driving habits or disable your car, you may not believe me. But you would be wrong. It is a very real possibility. Yesterday’s car problems were mechanical; today’s stem from software and electronics issues.

For the service community or the service savvy, it could be as simple as buying a vehicle connector and sending commands to your car. I can cite one example in particular, where on a cold weather trip, the passenger played a joke on the unaware driver by rolling the windows up and down from his laptop. Now, that just is a simple example of what can be done, but perhaps running the cruise control by

creating a gateway from your PC is another possibility. Essentially, if the hacker could pass through all messages until he starts to understand what each CAN message contains, and then slowly start to change the data between the two, this could definitely be done for cruise control and probably a few other distributed systems on today’s car.

It is the malicious few that we have to worry about and protect our vehicles against. It would be nice to know that if there was some attached module or gateway sending and changing the commands to modules, we would know about it.

Solutions

Encrypting the data could go very far in preventing most of these types of attack. Using both confusion and diffusion, bytes of messages could be scattered into multiple messages, making the message a discontinuous set of bytes rather than a set of 8,16 or 32 bit raw values. Encrypting the data using a key could also help in eliminating the values. Perhaps rather than speed going from 0-15, it goes from 0, 5,1,2 making the pattern unrecognizable, for the most, part as vehicle speed or something linear.

As to the service type attacks, these would need better passwords to protect the features they provide. Currently, these are done with fairly small numbers; let’s say a 16 bit password. Even at 16-bit, if one key is tried every three seconds, that will only take 28 hours. Three seconds is probably on the low end for someone that desperately wanted to figure that out. Not to mention, that is the max time to crack the code. In addition, the password, or “unlocking mechanism,” can be purchased through the OEM, due to legislated mandates to support your local mom and pop shops[4].

The service part is the most difficult to solve, as how does one know if the commands are coming from a legitimate user trying to fix their car or a rogue device that is going to roll down up your windows, lock your doors and turn the heat on full blast with you inside it? I would almost like to advocate that the owner of the car provides the locking key and provides it only to those he feels he can trust, rather than the key being randomly programmed at the factory and never changing over the vehicle’s life. Additionally, making the key longer will prevent much of the brute force attack, but where there is time, there is a way….