House Keys Under the Doormat? Nope, in Your Phone

One of my friends recently locked himself out of his apartment. I found this out when I called him because although he didn’t have his keys, he did have his smartphone. This was one of those times he wished he lived in one of those hotels with the Assa Abloy NFC-enabled locks.

It turns out he doesn’t need to go to a hotel to open his door with a phone. Kwikset will soon be selling Kevo, a new deadbolt that can be unlocked with a Bluetooth-enabled phone. You can replace your old door locks with one of these new models.

Kevo_deadbolt1

The Kwikset/Unikey Kevo deadbolt is controlled via a Bluetooth-enabled smartphone app.

The Kevo lock [see demo video] is based on technology from Unikey, a winning company on the ABC TV show Shark Tank. Unikey’s background is in developing biometrics-access controls. Those controls are the ones you see on TV or in movies when a character places a palm or finger on a pad to open a door. With these locks we can all have similar technology guarding our homes.

Security Concerns
Another thing that you would notice from those same shows and movies is that the bad guys are always trying to break these high-security locks and access controls. The difficulty facing the average computer crook when facing a government high-tech lock is that there are so few of these locks to test against. Contrast those to millions of Bluetooth locks that one can buy off the shelf. The bar is much lower with Bluetooth because if they damage one lock during testing, the criminals can easily buy another one and try again.

The biggest payoff for technical attackers against a lock like this is to duplicate your keys or introduce a new one of their own. With physical keys they would need to get possession of them to make copies; with digital keys they need to break encryption and/or bypass security on the device that holds the keys (smartphone or key fob).

The deadbolts come with a single key fob, similar to car keys with transponders in them, and more can be purchased. It’s not clear yet whether, as with transponder keys, one needs to go through a complex process to activate additional fobs. The security of the fobs makes the smartphone a relatively easier target to go after.

There is an iPhone app that lets you manage both your own door key plus those of other residents (e.g., friends, house sitters, etc.) and temporary keys. Android phones also support Bluetooth. So the choice to produce the iPhone app first may have to do with the relative ease of decompiling Android apps.

IPhones are not necessarily more secure, as a knowledgeable attacker can jailbreak a phone and gain access to a decrypted version of the Kevo key app. Using tools like disassemblers, they can then seek out the methods used to secure the keys within the app and potentially reverse-engineer the protection or discover a method of creating new keys. They may also be able to force the app to accept new keys, essentially adding a master key to every one of these Bluetooth-enabled locks. That is actually not as likely as the criminal’s finding a way to attack a single target’s locks.

Future of Physical Security?
Locks are not invincible, not even high-tech locks. The more such locks are installed, the greater the incentive for robbers to break in through technical means. Why steal one set of keys if they can attack a smartphone app and steal all the keys? Fortunately, as the crooks start to take notice of such devices, so will security researchers. Unlike the bad guys, security folks will test these locks and help them improve. I’m sure my smartphone-toting, key-forgetting friend will appreciate that.

Why Does My Car Have Its Own Smartphone?

You would be surprised at the number of places you can find a GSM SIM card. Outside of your mobile phone, they can be found in power meters, water meters, vending machines, etc. These SIM cards (virtually identical to the one in your mobile phone) are used for machine-to-machine communication. Essentially all of these devices need to make mobile phone calls to other machines, usually for billing.

Machine-to-Machine Fraud/Theft of Service
Because it’s just machines talking to other machines, they don’t really need a voice plan and most if not all of their usage will be data. If the idea of “borrowing” the SIM card from the power meter outside your house for a few “free” downloads crossed your mind, you wouldn’t be the first. But consider the story of a woman in Tasmania who received a SIM card stolen from a power meter and used it to download movies for four months. She eventually destroyed the SIM card, yet the police tracked her down due to the large number of personal calls she had made with her mobile phone. She received six months in jail followed by two years of probation and was ordered to repay the power company nearly US$200,000 for all the data used.

Machine to Machine(m2m) SIM cards are generally identical to other SIM cards. Occasionally they may be smaller in order to be permanently installed in hardware. Credit: Giesecke & Devrient GmbH

Machine-to-machine SIM cards are generally identical to other SIM cards. Occasionally they may be smaller to be permanently installed in hardware. Credit: Giesecke & Devrient GmbH

Cars with Smartphones: Telematics, Diagnostics, and Attackers

Power meters aren’t the only devices that need their own smartphones. TV commercials by auto manufacturers show a man calling his wife, before her airplane takes off, to ask her to remotely unlock the doors of their car. Remote unlocking, engine starting, GPS/mapping, vehicle recovery, and crash assistance are features of what are known as telematics systems. Usually you would pay a monthly fee to the manufacturer to have access to all these features. In some cases you can get diagnostic output from car sensors emailed to you.

Crash assistance is usually handled by the car calling a center run by the manufacturer. In the movie “Live Free or Die Hard,” actor Justin Long portrays a computer hacker who social-engineers the call center agent into remotely starting the car. That was Hollywood; yet at the recent Black Hat USA conference, security researchers Don Bailey and Mat Solnik expanded on earlier research to locate and attack car telematics systems.

Their previous research involved using mobile phone databases to help in identifying and locating specific mobile phones. The new research involves using those same mobile databases to locate machine-to-machine devices. The researchers were able to determine a given device had a machine-to-machine SIM card because it would not answer a voice call. This is similar to war dialing, in which an attacker dials a block of telephone numbers until he locates a computer modem instead of a live person.

Bailey and Solnik also figured out that telematics systems used machine-to-machine SIM cards to dial home and provide most of their remote services. By fuzzing binary or system text messages, the “attackers” were able to determine which messages would allow them to remotely unlock and start a particular model of car. They were basically replicating what that man’s wife did in the commercial–just without authorization.  Fortunately they’re responsible researchers and not car thieves; they’re working with the car manufacturer to remedy this vulnerability.

These war-texting/text-fuzzing attacks aren’t the only ways to attack cars. The Center for Automotive Embedded Systems Security (CAESS), a joint venture of two universities, has demonstrated an attack involving inserting a CD with malicious (WMA) audio files into the stereo and taking over the automobile’s Engine Control Unit computer. The team succeeded in shutting down a running car by controlling the engine. Starting a car and shutting a car down remotely are both useful attacks, but they also managed to create a botnet that accepts commands and can exfiltrate data to the attacker using the machine-to-machine data connection.

As devices get smarter and more connected, we’re going to see more attacks targeted at them. The good news is that with researchers such as Bailey and Solnik we’ll be better prepared when these attacks eventually arrive.

Looking Into Google Wallet’s Security Setup

Google just announced its new near field communication payment service, Google Wallet. We’ve looked at Google’s NFC service and security before, but at that time the details were still scarce. Now we’ve gotten a better look at what lies within Google Wallet. It’s part service, part hardware, and part app.

The Service
Google Wallet is a variation of the usual “tap and pay” NFC payment service: Instead of using your PayPass credit or debit card, you use your Nexus S smartphone at the cash register. By partnering with MasterCard, Google gets access to the former’s network and the large number of stores and businesses that have PayPass readers installed. This is usually the safest part of the system, with the credit card processor maintaining payment card industry data security standards (PCI-DSS). You’re more likely to be hit by a crook brushing by you with an RFID reader to steal or transmit your credentials to a fake RFID card (called a ghost and leech attack).

The Hardware
Currently only one phone is supported, the Nexus S (on the Sprint mobile network). A Citi MasterCard or Google’s own prepaid card are required to use the NFC hardware built into the phone. Your credit card credentials (and eventually your coupons and loyalty cards) are stored in a “secure element” (the NXP PN65K chip). The chip uses cryptography (PKI and Triple-DES) and memory protection to ensure that criminals will find it very difficult to extract your credit card information. The “secure element” does not protect you alone; it also interacts with the Google Wallet app to prevent easy thefts.

The App
The Google Wallet app plays a role in storing and accessing your credit card information from the “secure element”. Unlike with your credit cards, you need to enter a PIN to initiate a tap-and-pay transaction. This step prevents the bad guys from brushing by you in a crowd to grab your info via NFC.

Android apps are relatively easy to reverse-engineer, so that would probably be the first step an attacker would take. Google says that only authorized apps will have access to the “secure element” chip, and the chip uses asymmetric encryption to authenticate access to stored secrets (credit card credentials). This implies that an attacker has a good chance of extracting the authentication key from the Google Wallet app. The next step would be to create a malicious application that emulates the official Wallet app to fool the “secure element” chip into giving up your credentials. From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards.

The Google Wallet app has not yet been widely released, so it’s difficult to properly identify possible weaknesses. Once it’s available on more phones, we’re bound to see more research from both the criminal element and legitimate security researchers.