Just Say No To (Some) Mobile Apps

Even in the mobile world, we still haven’t learned how to write secure applications.

It has been more than twenty years since office applications, and commercial software in general, reached the mass market, and for just as long we have had security problems with them. Now it seems we are reinventing the wheel again with mobile.
I remember being interviewed back in 1999 by a Seattle radio station about the latest PC virus of the week, and the frustrated engineers down the road at Microsoft who called in to say I didn’t know what I was talking about. I didn’t. But neither did they.

Having the Outlook email client of the day open every attachment automatically seemed logical, until the bad guys started disguising their latest malware behind familiar jpg, pdf, or doc extensions. The ILOVEYOU worm spread around the world in a mere five hours and shut down email servers everywhere because people couldn’t resist opening the infected attachment. Yet it took Microsoft years more to constrain attachment handling in Outlook and to begin a regular monthly patch cycle for its products.

Other software has had its share of problems, too: Adobe’s products and Java, to name just two.

The point is that after twenty years you’d think we’d finally get software creation right. You’d think that if we’d learned anything about securing software over the last two decades, we could apply those best practices to the green fields of Android and, yes, iOS. That doesn’t seem to be the case. Apps request (or surreptitiously gain) access to a variety of unrelated services on our mobile devices, either because their permissions are declared carelessly or because of a naked attempt to learn as much about the end user as possible. And the end user simply doesn’t know enough, or care.

I see this with younger people who do not remember ILOVEYOU. They haven’t experienced the negative consequences of accepting attachments in email from … well… anyone. And to be fair we haven’t yet seen serious compromises resulting from mobile apps but that day is coming.

With mobile, a compromise may not mean that your email is slow or your device reboots. Instead your social media presence gets hijacked or your bank balance suddenly shrinks. Or your company suffers a data breach. We do a lot more with our mobile devices today, so the stakes are much higher.

So how do we deal with leaky or promiscuous mobile apps?

We can start with better behavior. Just as we now recognize spam and know not to wire money to the neighbor whom we saw mowing the lawn yesterday but who is today inexplicably stranded in Nigeria without a cent, we need to be able to say “No” to some of these apps, no matter how compelling they might be. We need to stop and think about the consequences of installing an app that requests permissions for ten different services on our device. For example, why does that note-taking app need to know your geolocation?

The practice of developing secure apps can be the foundation of a great marketing campaign. Show me an app that states “Our mobile app does what it says it does … and nothing more.” I’d buy that.

This article originally appeared on Linkedin.com


Covert Hacking Of IoT Trivial Say Researchers

The Internet of Things is built from circuit boards running low-level embedded software called firmware. Many of these devices are little more than a basic chipset and were never conceived to connect to the Internet (hospital monitors, remote telemetry units), yet they are being connected in increasing numbers. Even the devices designed to connect to the Internet (closed-circuit cameras, baby monitors) have their flaws. Consistent in almost all of them is that they accept firmware updates without verifying where the update came from.

Presenting this week at the annual RSA Conference in San Francisco, Ang Cui and Salvatore Stolfo of Red Balloon Security announced multiple vulnerabilities in the Avaya ONE X Voice over IP (VoIP) phones. Exploitation, they said, can lead to general mayhem: turning the phone into a listening post, propagating malware to other phones, and then propagating it to other embedded devices the phone can reach on the network, such as printers or routers.

Cui and Stolfo presented similar VoIP vulnerabilities in the Cisco 7900 series phones at the Amphion Forum San Francisco in 2012. That attack first required physically attaching a dongle to the phone. Once compromised, the phone would eavesdrop on conversations in the room even while the handset was on the hook.

For this new attack, the pair said they could compromise a device remotely and then pivot to other devices on the corporate network. For example, a Fortune 500 company might receive a maliciously crafted resume over the Internet and, in the time it takes the hiring manager to print that document, have its corporate network seeded with rootkits on various embedded devices. In other words, not only is the printer compromised in this attack, but so are other embedded systems on the corporate network, such as the vulnerable VoIP phones on desks throughout the office.

Cui described the exploitation of one of the Avaya vulnerabilities as simple, almost trivial.  “I can fit the entire attack information on a Post-It note,” he said. “The barrier to entry here is very, very low. So the probability that no one has found this vulnerability in my opinion is very low, right. But we’re the very first people to have actually publicized this one. In my mind it’s entirely plausible that someone has exploited this vulnerability before.”

Cui said he has been disclosing details of the vulnerability to the vendor and not to the public. In an email, Deborah Kline, Corporate Communications, North America and Global Technology PR for Avaya, confirmed: “We are aware of the issue and committed to delivering a fix no later than March 1, 2014.”

In the malicious resume example above, the attacker gains a foothold in the corporate network by having the compromised printer open a reverse tunnel out to the attacker. Through that tunnel the attacker sends the printer commands, such as scanning the network for MAC addresses whose vendor prefixes identify devices with known vulnerabilities. When the attacker then goes after a vulnerable phone, for example by SSHing into it, ARP poisoning is used to convince the phone that the compromised printer is its firmware-update server. Over a second reverse tunnel to the printer, the attacker then serves a rootkitted firmware image over Trivial File Transfer Protocol (TFTP), the unauthenticated protocol such phones use to fetch updates, and installs it on the desktop phones throughout the Fortune 500 office.
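What a network defender could look for while that chain is running, as an added example that is not Red Balloon’s code or anything shown in the talk: a small Python detector run over constructed log lines. The ARP and flow log format, the provisioning server address 10.0.5.20 and its MAC, the three-entry OUI table, and the file name phone-firmware.bin are all assumptions. The detector keeps an ARP table from observed replies and flags the two traces the chain leaves on the wire: one IP address suddenly claimed by a second MAC, and a TFTP read of a firmware file answered by something other than the provisioning server, including the case where the destination IP is the right one but now resolves to the printer’s MAC.

```python
"""Detect ARP cache poisoning followed by a firmware fetch over TFTP from the
wrong host. Added example over constructed log lines, not the article's code.

Assumptions: the log format below, the provisioning server's IP and MAC,
the OUI table (a stand-in for the IEEE registry), and the firmware file name.
"""
import re
from dataclasses import dataclass

TRUSTED_TFTP_IP = "10.0.5.20"            # assumption: the phones' provisioning server
TRUSTED_TFTP_MAC = "00:50:56:9a:00:01"   # assumption: its MAC recorded at baseline

OUI_VENDORS = {                           # assumption: tiny OUI table for fingerprinting
    "00:50:56": "VMware guest (provisioning server)",
    "00:04:0d": "Avaya IP phone",
    "00:1a:4b": "HP printer",
}

ARP_RE = re.compile(
    r"^(?P<ts>\S+) ARP reply (?P<ip>[\d.]+) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$")
TFTP_RE = re.compile(
    r"^(?P<ts>\S+) UDP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):69 TFTP RRQ (?P<file>\S+)$")

# Constructed sample: a legitimate fetch, then the poisoning step, then two
# fetches that should never be trusted.
SAMPLE_LOG = """\
2014-02-26T10:01:03 ARP reply 10.0.5.20 is-at 00:50:56:9a:00:01
2014-02-26T10:01:04 UDP 10.0.5.41:49152 -> 10.0.5.20:69 TFTP RRQ phone-firmware.bin
2014-02-26T10:03:17 ARP reply 10.0.5.20 is-at 00:1a:4b:11:22:33
2014-02-26T10:03:19 UDP 10.0.5.42:49153 -> 10.0.5.20:69 TFTP RRQ phone-firmware.bin
2014-02-26T10:04:02 UDP 10.0.5.43:49154 -> 10.0.5.77:69 TFTP RRQ phone-firmware.bin
"""


@dataclass
class Alert:
    kind: str
    ts: str
    detail: str


def vendor_of(mac):
    """Map a MAC to a vendor name by its 24-bit OUI prefix."""
    if not mac:
        return "no ARP entry seen"
    return OUI_VENDORS.get(mac[:8].lower(), "unknown OUI")


def analyze(log_text):
    """Walk the log once, tracking who claims each IP, and emit alerts."""
    arp_table = {}   # ip -> MAC currently claimed for it on the wire
    alerts = []
    for line in log_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac = m["ip"], m["mac"].lower()
            prev = arp_table.get(ip)
            if prev is not None and prev != mac:
                alerts.append(Alert("arp_conflict", m["ts"],
                    f"{ip} moved from {prev} ({vendor_of(prev)}) to {mac} ({vendor_of(mac)})"))
            arp_table[ip] = mac
            continue
        m = TFTP_RE.match(line)
        if m:
            dst = m["dst"]
            if dst != TRUSTED_TFTP_IP:
                alerts.append(Alert("tftp_untrusted", m["ts"],
                    f"{m['src']} fetched {m['file']} from {dst}, not the provisioning server"))
                continue
            dst_mac = arp_table.get(dst)
            if dst_mac != TRUSTED_TFTP_MAC:
                # Right IP, wrong hardware: the poisoned entry redirects the fetch.
                alerts.append(Alert("tftp_untrusted", m["ts"],
                    f"{m['src']} fetched {m['file']} from {dst}, which now resolves to "
                    f"{dst_mac} ({vendor_of(dst_mac)})"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert.kind, alert.ts, alert.detail)
```

The first TFTP read raises nothing because the server still resolves to its baseline MAC; the second is flagged purely on the ARP state even though its destination IP looks correct, which is the case a flow-only rule misses.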

Once a device or series of devices have been compromised, how would an attacker exfiltrate the data?

Cui said he has found a way for any device to broadcast data surreptitiously. “We came up with this technique that essentially turns a very standard PC circuit board that you find in all kinds of embedded devices into an improvised radio transmitter,” he said. “So I’m not using the wireless chip set, I’m not using anything that’s meant to be an RF transmitter. I’m using code, software that basically forces the existing circuit board to act like an ad hoc transmitter. And this is something that an attacker can use to transmit a signal out the window, for example, and sneak all sorts of sources of data out. It’s very difficult to detect at the moment.”

In fact, proactive detection is hard because the attacker, not the defender, chooses the channel: the data could be broadcast on any part of the electromagnetic spectrum, which sidesteps current network-based protection and detection.

“The way we’re doing this isn’t by using any traditional means like network penetration,” Cui said. Citing TEMPEST, the National Security Agency codename for the study of compromising emanations, both exploiting them to spy on others and shielding equipment so it doesn’t leak unintentional radio or electrical signals, sounds, or vibrations (in the glass of an office building, for example), Cui said he is reversing that: intentionally causing printers, VoIP phones, and routers to emanate data as one way for a bad guy to exfiltrate it. A single injection of rather trivial code, he said, could turn an ordinary chip into something that broadcasts data remotely, even through brick walls. Because the electromagnetic spectrum is so large, network admins wouldn’t know where to look to detect the leak.

But Salvatore Stolfo said Cui and his team weren’t attacking printers and VoIP phones at RSA just for fun; they were also trying to drive home the seriousness of attacks on IoT infrastructure, whether it’s printers in the office or monitors on a SCADA network.

At RSA Red Balloon showed the resume attack described above and then repeated it with Symbiote (http://www.redballoonsecurity.com/technology.html), a security solution created by Stolfo’s company, in place on the device. Symbiote is code embedded within the vendor’s firmware that protects a device against rogue firmware updates. If the vendor wants to ship a new feature set via firmware, a new piece of Symbiote is included with that update.
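The gate a device should apply before flashing anything a TFTP server hands it, as an added example that is neither Red Balloon’s Symbiote nor any vendor’s code: the manifest layout, the per-device key, the installed-version counter and the sample images are assumptions, and HMAC-SHA256 stands in for the vendor’s asymmetric signature only because the Python standard library has no signature primitive (a shipping design burns the vendor’s public key into the device and verifies a signature with it, so no secret lives on the device). The scenarios at the bottom are the ones the attack chain above implies: an image served without the key, a genuine manifest with the image swapped, and a genuine but older release replayed to downgrade the phone.

```python
"""Firmware-update gate for an embedded device: authenticate the manifest,
refuse version rollback, and bind the image to the manifest by digest.

Added example, not the article's or any vendor's code. Assumptions: the
manifest layout, the device key, the installed-version counter, and the
constructed images. HMAC-SHA256 stands in for an asymmetric signature.
"""
import hashlib
import hmac
import json

# Assumption: per-device key provisioned at manufacture (demo value only).
DEVICE_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()
INSTALLED_VERSION = 3   # assumption: monotonic counter in tamper-resistant storage

# Constructed sample images standing in for real firmware builds.
GOOD_IMAGE_V4 = b"\x7fELF" + b"legitimate firmware build 4" * 8
GOOD_IMAGE_V2 = b"\x7fELF" + b"legitimate firmware build 2" * 8
ROOTKIT_IMAGE = b"\x7fELF" + b"rootkitted firmware" * 8


def build_update(key, version, image):
    """Vendor side: describe the image in a manifest and authenticate the manifest."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag, image


def verify_update(key, installed_version, body, tag, image):
    """Device side. Returns (accept, reason). Authenticity is checked before
    anything from the network is parsed, and the version check comes before
    the expensive digest over the whole image."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "manifest fails authentication: rogue or tampered update"
    manifest = json.loads(body)
    if manifest["version"] <= installed_version:
        return False, (f"rollback refused: v{manifest['version']} is not newer "
                       f"than installed v{installed_version}")
    if (len(image) != manifest["size"]
            or hashlib.sha256(image).hexdigest() != manifest["sha256"]):
        return False, "image does not match the authenticated manifest"
    return True, f"accepting v{manifest['version']}"


def run_scenarios():
    """Exercise the gate against the cases the attack chain implies."""
    results = {}
    body, tag, image = build_update(DEVICE_KEY, 4, GOOD_IMAGE_V4)
    results["genuine_v4"] = verify_update(DEVICE_KEY, INSTALLED_VERSION, body, tag, image)

    # Rootkit served from the compromised printer by someone without the key.
    a_body, a_tag, a_image = build_update(b"attacker guess", 9, ROOTKIT_IMAGE)
    results["rootkit_unsigned"] = verify_update(
        DEVICE_KEY, INSTALLED_VERSION, a_body, a_tag, a_image)

    # Genuine v4 manifest replayed with the image swapped for the rootkit.
    results["rootkit_under_genuine_manifest"] = verify_update(
        DEVICE_KEY, INSTALLED_VERSION, body, tag, ROOTKIT_IMAGE)

    # Genuine but older release replayed to downgrade to a vulnerable build.
    o_body, o_tag, o_image = build_update(DEVICE_KEY, 2, GOOD_IMAGE_V2)
    results["rollback_to_v2"] = verify_update(
        DEVICE_KEY, INSTALLED_VERSION, o_body, o_tag, o_image)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:32s} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

Only the genuine, newer image passes. Note that the digest binding is what stops the third scenario: an authenticated manifest alone proves nothing about the bytes that arrive beside it over TFTP.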

As for getting a device to broadcast without a radio transmitter, Stolfo said there could be benefits to that, too. “If you think of all the SCADA devices that are already distributed through plants and what not, the cost of wiring all that stuff would be enormous for any kind of a monitoring infrastructure,” he said. “So simple broadcasting would be a dramatic reduction in costs.” A utility worker could pass a receiver by the device and know its status instantly.

But just how prevalent are these attacks, if they are so simple? To find out, Cui and Stolfo also announced at RSA their Advanced Embedded Security Ops (AESOPs), a program designed to measure how prevalent these attacks are in the real world.

“What we’re going to do,” Cui said, “is supply equipment to one of our strategic partners, place it in their network—albeit a phone, a printer or a router—and we will sense over some period of time whether or not they’ve been exploited without them knowing it. It’s very likely that there’s lots of exploitation going on in the wild that no one’s aware of. We have been easily spotting all these vulnerabilities and the bad guys have too. They’re not ethical researchers who will report these to the vendor, they’re going to use them. And so we want to place these sensors at particular locations both in government and in large enterprises to determine whether or not our thesis is correct:  that there are a lot of embedded devices out there that are under attack continuously.”

Originally appeared in DeviceLine


How Mobile Fingerprint Scanners Can Fail

This week a major mobile carrier unveiled a new line of phones secured with fingerprint scanners. The convenience of merely pressing a finger to unlock a device comes with a recognized trade-off in security: biometrics are not yet reliable. And, unlike a password, which you can change, or two-factor authentication, which usually pairs a password with something you have such as a card or a phone, a fingerprint can’t be changed after it is compromised.

What’s really happening when you scan your fingerprint? Under the hood the scanner usually doesn’t keep a picture of the whole print. It extracts points of individuality, the minutiae where ridges end or fork, and encodes their positions and angles as a template. Because no two scans of the same finger are identical, the template can’t simply be run through a one-way hash and compared for equality the way a password is; matching is a fuzzy comparison against the stored template, which is why that template has to be kept somewhere, either locally (on the device, ideally in isolated secure hardware) or externally (in the cloud).

Where a system does hash or encrypt the stored template, that only protects it at rest, and Moore’s Law applies with a vengeance: faster, cheaper processors erode such protections over time, and a template recovered even once is compromised for good. But let’s assume the stored template is well protected. How easy is it then to get a specific fingerprint for a device you want to access?

Depending on what’s on the other side of the lock, having more fingerprint scanners in the world might lead people to start cutting off fingers to gain access. How likely is that?

In my book, When Gadgets Betray Us, I chronicle the bizarre case of K. Kumaran, a Kuala Lumpur accountant and carjacking victim, whose severed finger was used to gain access to his biometrically protected $75,000 second-hand S-Class.

Biometrics companies responded by adding liveness checks: the finger must be warm and moist at the time of the scan. Except there’s another problem. Even if your finger remains intact on your hand, your fingerprints are everywhere, and some are recoverable with relative ease. For example, someone might lift a print off a CD case lying on your desk and make a latex impression of it.

Sound far fetched? Take a look at this clip from MythBusters.

As the video shows, heat and moisture checks can be defeated by licking the copied print or by casting a latex mold over a live, warm finger. True, most people won’t have access to all the materials the MythBusters team uses, but a determined attacker might. Again, it all depends on what’s on the other side of the lock; if it’s a corporate mobile phone, it might be worth someone’s time.

In the real world, Japanese ATMs have used finger scanners for years. They use vein-pattern recognition, which looks past the surface-level print to the unique pattern of veins inside the finger. That defeats both lifted latent prints and the liveness question. But the ATMs also combine the finger scan with the traditional two factors of a card and a PIN. This has proven very effective over the years, and should the biometric ever be compromised, as when former German Interior Minister Wolfgang Schäuble’s fingerprint was widely distributed in 2008, you can at least change your card and/or your PIN.

With the current mobile phone technology we’re not talking about multi-factor authentication. Not yet. Perhaps, after a few mobile device-level hacks, however, that will change.

This blog originally appeared on DeviceLine
