BBH Central IconBBH Report Home PageSandy and Dave
  CENTRAL home  |   REPORT home About/Contact Us  |   Subscribe  |   Index by Topic  
The September 30, 2008 Issue Provided by System Dynamics Inc.
Table of Contents Print this article Email this article to a friend

I Can Listen To Your Phone Calls: A Guest Article by Jeremy Bennett

Note from the Editors: Security often takes a back seat to features. Companies often seem to pay attention only when their mistakes hit the headlines. We invited Jeremy Bennett, a long-time Silicon Valley security expert, to write a guest article on broadband security.

Jeremy Bennett has over 12 years of experience with computer and network security software development at companies including Hewlett-Packard and Symantec. He is currently a Software Architect at Aruba Networks where he leads the development of key projects including the award-winning RFprotect Wireless IPS. At Symantec, he led the design and architecture for the company’s intrusion detection and prevention products including Symantec Network IPS and Symantec Deception Server; his solutions were included in gateways, firewalls, and the entire suite of Norton security products. He earned a degree in computer science, with honors, from the University of Michigan.


Introduction

I distinctly remember my first security vulnerability discovery. I was eight. Early in the year a friend's family had gotten a TV with--of all things--a remote control. Later in that year a different friend's family purchased the same model. We soon discovered that the remote control from one could control the other. For almost a week the game was to sneak into the back yard while someone was watching TV and change the channel and then hide. Juvenile? Yes, we were eight. I've since grown up. Sadly, IR remotes have not.

In the broadband home, your backyard is the Internet. This always-on connection provides a window into your home and, if you're not careful, can give the juvenile and the malicious alike the ability to not only change the channel on your TV but also rent videos with your account, make long distance phone calls on your bill, steal your address book, or even steal your identity.


Your Broadband is My Broadband

The most talked-about security issue for the broadband home is the very nature of broadband--the pairing of faster speeds with always-on technology. An Internet connection that is "always on" means faster access to online services, new services that push information into the home--and a discoverable target for vandals, thieves, and organized crime.

In the world of dial-up Internet, a single device would use the phone line to form a connection to the network. In addition to being slow, this connection prevented other incoming and outgoing calls; most users would therefore connect only when needed and disconnect when done. From a threat standpoint, this meant that the computer was open to attack only for the duration of the dial-up connection. The next connection was given a new IP address and would need to be discovered all over again. If an attacker gained control of the device, they would need to keep the dialup connection active, or redial, to keep that control.

A broadband user, by contrast, does not need to disconnect because no other services are disrupted during the connection. More and more homes now use the Internet connection to actually make those same phone calls. Devices connected by broadband may keep the same addresses for days, weeks, or months. Attackers have plenty of opportunities to probe and attack these devices; once they have gained control they can silently use that same Internet connection for their own purposes.

Once a device has been compromised, the device and its Internet connection become another tool in the attacker's arsenal. They can collect information and steal money and identities by installing software to watch the valid owner's behavior (SpyWare) and capture their passwords (keyloggers). In addition, compromised devices often become members of massive collections of machines controlled by these attackers (botnets). Vandals use botnets to flood commercial web sites with traffic and prevent other users from accessing them. Thieves use them to attack other homes and steal bank accounts and credit card numbers. Finally, highly-organized Internet crime groups use them to blackmail web site owners, attack government systems, and hide and distribute illegal files.


Bluetooth, Wi-Fi, and Wireless

Wireless technologies like Bluetooth, Wi-Fi, Zigbee, Wireless USB and others promise to free us from pulling and connecting wires. They promise we can put our devices anywhere and stay connected. They also remove the guarantee of privacy offered by a cable.

Unlike a cable, which can only move data between the devices connected to its ends, a wireless "connection" uses radios to broadcast data from one device and receive it on another. Like FM radio towers, these broadcasts can be received by any radio in range. How far it can go is a function of the transmit power of the original radio and the sensitivity of the receiving antenna. Many examples exist of researchers greatly extending the distance at which a, supposedly, short range transmission can be received. In one experiment, researchers were able to attack a Bluetooth phone from more than a mile away.

Though many of the faults of 802.11 (Wi-Fi) have been publicized, many home networks still run unencrypted or use WEP. These networks are open to trivial exploitation by anyone with a laptop and a Pringles can. Unfortunately, even the knowledgeable and careful who are using WPA2-PSK are not immune--an attacker can listen to a WPA2-PSK protected network and then derive the network password by using a dictionary, some basic rules, and a fast computer.

Attacking Wi-Fi networks is interesting, but once on the network the attacker must then attack the computers--and that can be hard. Bluetooth, on the other hand, allows attackers to use fast and powerful computers to attack slower and more constrained personal devices, like phones. Because most Bluetooth devices have only a few buttons--three in the typical Bluetooth headset--they're easier to attack. Bluetooth security hinges on the passcode used in pairing devices, so if an attacker can guess the passcode then they can connect. Any device that uses a fixed pairing code that cannot be changed (many use 0000, 1234, etc.) may as well have no passcode at all. Once connected the attacker can steal contacts, forge SMS messages, see photos, or even listen in on phone calls.

Car Whisperer listens and talks to you as you pass by --> Click for larger picture

Emerging standards like Zigbee and UWB (the foundation of wireless USB) will face similar challenges to Bluetooth and Wi-Fi. How will we configure security on a light switch? Security in these emerging technologies is a constant struggle between the inconvenience of configuring security and the insecurity of predictable defaults.


The Network Effect

Yesterday's "network" included the computers on our desks, the switches, routers, and servers in the data center, and the wires that connected them. Today's "network" is made up of the devices in our pockets, on our ears, hanging on our walls, and floating in our fishponds.

This new network is linked together wirelessly. Pieces are constantly being added, subtracted and moved.

If we don't pay attention, we may find that someone else has decided to turn off the heat and use our phone to call our bank to change our ATM PIN number.


So What?

A friend commented recently "So what if someone can do these things, it's not like they are stealing my money." Here's some food for thought:

If I can use your Cable/DVR I can:

  • Buy Pay Per View from your account and watch it at home
  • Hide illegal content on your DVR hard drive.
  • Use your DVR as a tool to attack other homes

If I can use your home VoIP phone I can:

  • Register your credit cards. Many credit card companies use caller ID to authenticate registration.
  • Make long distance calls on your bill
  • Pretend to be you when calling your business contacts or friends.

If I can access your cell phone I can:

  • Listen to your phone calls
  • Get your full address book
  • Copy all of your private pictures and video
  • Send SMS messages on your behalf.
  • See all of your SMS messages. Note that some banks use SMS to help authenticate online banking sessions.


Advice to Vendors

Vendors must make an effort to think of security before the attackers do. This is a tall order as the market has not, to date, encouraged this. In Securing Java (John Wiley & Sons, 1999), Gary McGraw and Edward Felten observed that "Given the choice between dancing pigs and security, users will pick dancing pigs every time". That is, being first to market with a new technology has often outpaced securing that technology. Historically, vendors of consumer equipment have not given strong thought to security until after an embarrassing vulnerability has been found.

Specifically, vendors should:

  • Think about security during product design (Lesson: WEP)
  • Avoid unchangeable PINs -- Lesson: Car Whisperer provides a great example of what can happen if you don't
  • Avoid insecure default configurations
  • Test security rigorously
  • Take discovered vulnerabilities seriously -- Lesson: Apple's security flaw in iPhone


Advice to Consumers

Consumers drive the market. When a product is shipped prematurely and is discovered to have flaws, there is an outcry from product owners. Unfortunately, those same product owners often continue to buy hardware and software from the very same vendor that had the huge security flaw only days before. Until there are market penalties for poor security, vendors will not follow any of the advice above.

Specifically, consumers should:

  • Ask questions. You do not need a PhD in cryptography to ask how a Bluetooth headset with an unchangeable PIN of 0000 can be secured [Editor's note: Oops! that's my new Bluetooth headset]
  • Change defaults. If your home wireless network is called "linksys" and your router's password is still "admin", no amount of vendor vigilance will help you.
  • Don't buy products from vendors with poor security history. Simply put, it takes more money and more time for a vendor to release a secure product. If vendors are penalized for cutting corners, the investment in security becomes unavoidable.

( www.arubanetworks.com )