net.wars: The house always wins

by Wendy M Grossman | posted on 03 August 2007

Las Vegas really is the perfect place to put a security conference: don't security people always feel like an island of sanity surrounded by lunatic gamblers? Although, equally, it's probably true that Las Vegas casinos probably have some of the smartest security in the world when it comes to making sure that the house will always win.

Wendy M Grossman

A repeated source of humour this week at Black Hat has been the responses from various manufacturers when they're told that their systems are in fact hackable.

My favourite was the presentation explaining how to hack the RDS-TMC radio service that delivers information about upcoming traffic jams and other disruptions to in-car satellite navigation systems. The industry's response to the news that Italian guys could effectively control traffic was pretty much that even if it was possible, which they seemed inclined to doubt, it would take a lot of knowledge, and anyway, it's illegal…

Adam Laurie got a similar response from RFID people when he showed you could in fact crack one of those all-singing, all-dancing new e-passports and, more than that, that you can indeed clone those supposedly "unique" RFID chips with a device small enough that you could pick up the information you need just standing next to someone in an elevator. (What a Las Vegas close-up magician could do with one of those…)

The industry's response to the news that Laurie could clone ID tags was to complain triumphantly that Laurie's clones "don't have the same form factor". You're an RFID chip reader. What do you see?

"I believe in full disclosure," said Laurie. "They must know you can program in any ID you want." But that's not what they tell the public.

And then there's mobile phone malware, which according to F-secure's Mikko Hypponen is about where PC viruses were ten years ago. We have, he figures, a chance to stop them now, so we won't wind up ten years from now with all the same security risks that we face with PCs. Some of the biggest manufacturers have joined the Trusted Computing Group (an effort to secure computer systems that unfortunately has the problem that it treats the user as a potentially hostile invader).

But viruses and other bad things spread a lot faster between mobile phones because they are specifically designed for…communication. The average smartphone has Bluetooth, infrared, USB, and its network connection, and each of those is a handy way of getting a virus into the phone, not to mention also MMS, user downloads, and memory card slots. And, in future, probably WLAN, email, SMS, and even P2P. This is the bad side of having phones that can run third-party applications and that are designed to be, damn it, communications devices.

Viruses that spread by Bluetooth are particularly entertaining because of the way Bluetooth's software handles incoming connections.

Say a nearby phone tries to send your phone a virus. Your phone puts up a message asking you to confirm that you want to accept it. You click No. The message instantly reappears (viruses don't like to take no for an answer). There is in fact a simple solution: walk out of range. But most users don't know to do this, and in the meantime until they say Yes, their phone is unusable. The first virus to appear in the wild, 2004's Cabir, spreads very easily if users do something risky – like turn on their phone.

This is obviously a design problem caused by a failure of imagination, even though anti-virus companies such as Kaspersky have been warning for at least a decade that as the computing power of mobile phones increased they would become vulnerable to the same problems as desktop computers.

By far the vast majority of mobile phone malware is written for Symbian phones, by the way. Palm, Windows Mobile, and other operating systems barely figure in F-Secure's statistics. Trojans are the biggest threat, and the biggest way phones get infected is user downloads.

It would not noticeably ruin the user experience for mobile phone manufacturers to change the way Bluetooth handles such incoming requests.

It took the Meet the Feds panel to regain a sense of proportion. The most a mobile phone virus can do to a new phone equipped with a mobile wallet is steal your money and send out text messages to all your contacts that will alienate them forever, leaving you with a ruined life. (Take comfort from the words of the novelist Edward Whittemore, in his book Sinai Tapestry: "No one was safe, and there was no security – just life itself.")

Bad security is still bad security, and "the Feds" sure do a lot of it, and the rather stolid face they present to the public pushes us to regard them as comical. But they're gambling with far bigger consequences than any of us, as Chris Marshall of the NSA reminded everyone. He was out to dinner with his counterparts from a variety of countries, and they were discussing what "homeland security" really means.

The representative from New Zealand spoke up: he has children living in New Zealand, Australia, the US, and France, where he also has grandchildren.

"Homeland security," he said simply, "is where my children are."

Technorati tags:   
You're cheating! - You can discuss this article on our discussion board.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).