Highlights from the SyScan 2014 Conference

syscan image.png

An industry conference is always a good place to learn and get updates on the latest security trends. I recently attended the Symposium on Security for Asia Network (SyScan), an annual conference held in Singapore, which brings together computer security researchers from around the world. This year, security myths were dispelled and several interesting topics were discussed at the conference. The following is a list of some of the topics and demonstrations I found interesting at this year’s conference.

Smart cars at risk
Most cars today contain Engine Control Units (ECUs), computers that enable the engine to communicate with other vehicle components. Researchers at SyScan 2014 explained how they managed to simulate a car environment on their desktop using second-hand ECU devices purchased from online Web stores. The researchers managed to carry out basic automotive actions such as acceleration, braking and steering, as well as gain an understanding of the underlying proprietary protocols of the car. What this means is that once an attacker gains control of the ECU, they can basically control the car.

Being able to control a car’s ECU is far more dangerous than being able to manipulate its automation functions such as opening closing windows and turning lights on and off. It is pretty scary if adequate controls are not put in place to prevent an attacker from gaining control of the ECU. This could become more problematic as more and more cars become part of the Internet of Things (IoT). Microsoft has recently tested the latest version of their Windows in-vehicle infotainment system, while Apple already unveiled CarPlay, an entertainment system that enables users to see their iPhone interface on a car’s built-in display.

Mobile point-of-sale infected with malware
2014 has seen the emergence of several point-of-sale (PoS) malware, some of which were involved in several high-profile attacks against the retail industry. Today, mobile point-of-sale (mPOS) terminals have also become a target. mPOS devices are often used for card payments, especially for small and medium-sized businesses.

Most mPOS devices run on Linux, and researchers at SyScan were able to compromise and take over an mPOS device by using removable drives or Bluetooth. To prove their claims, they installed the game Flappy Bird on the device, and then played it on the device’s LCD screen using the PIN input buttons as the controls.

The researchers highlighted how mPOS devices can be hit by malware that can keep track of payment information and subsequently share the records online, or perform special functions such as making  the device accept payment from cards using any PIN code.

The proliferation of RFID and NFC devices
Today, everyone interacts with radio frequency identification (RFID) and near field communication (NFC) enabled devices. They are present in our door-entry cards, transport cards and contactless credit cards. Radio waves are everywhere!

The “RFIDler”, a low-level RFID communication open-source platform prototype presented during the conference, is used to read and write common types of tags. The platform will soon be available to the general public. It was interesting to see how easily it can be used, as well as the potential damage it can cause. For example, an existing card can be duplicated in a couple of seconds. According to the platform’s author, even if a card format is unknown, the platform is extensible and a new card format can be added in less than a week.

Now that a common extensible reader and writer exist, how long will it be before these devices become targeted by attackers?

Mobile security versus anonymity
Users who cannot live without their smartphones may have already thought about the consequences of losing their devices. To help ease those fears, a researcher at SyScan 2014 presented a hardened Android Read-Only Memory (ROM) solution that he created, dubbed Cryptogenmod. Cryptogenmod is based on Cyanogenmod, an open-source operating system for mobile devices based on Android. The  aim is to provide a minimal ROM with remote and physical access protection. Remote protection is achieved by reducing the attack surface, so there will not be a Web browser or an app store on the smartphone. Physical access protection is more complex and is achieved by using secure application containers, strong encryption, and some indicators of a negative operational environment.

Other safeguards were described including one which detects if a SIM card is removed or a debugger is attached. If one of these actions is detected, the application containers will be unmounted and require a passphrase to be opened again, while the phone will be locked automatically and require the owner to login again. With this solution, should you lose your phone, your data will remain secure. However, I am not sure if users want a device that is connected but does not allow them to surf the Web or even use the camera (which is known to leak the user’s location). That sounds like a not-so-smartphone.

Overall, while smartphones are still a hot topic I expect to see the Internet of Things dominate industry discourse for the foreseeable future as people gradually delegate tasks to smart devices in order to save themselves time and effort.

To find out more, check out the videos and published papers at SyScan’s main website.