Highlights from the SyScan 2014 Conference


An industry conference is always a good place to learn and get updates on the latest security trends. I recently attended the Symposium on Security for Asia Network (SyScan), an annual conference held in Singapore, which brings together computer security researchers from around the world. This year, security myths were dispelled and several interesting topics were discussed at the conference. The following is a list of some of the topics and demonstrations I found interesting at this year’s conference.

Smart cars at risk
Most cars today contain Engine Control Units (ECUs), computers that enable the engine to communicate with other vehicle components. Researchers at SyScan 2014 explained how they managed to simulate a car environment on their desktop using second-hand ECU devices purchased from online Web stores. The researchers managed to carry out basic automotive actions such as acceleration, braking and steering, as well as gain an understanding of the underlying proprietary protocols of the car. What this means is that once an attacker gains control of the ECU, they can basically control the car.

Being able to control a car’s ECU is far more dangerous than being able to manipulate its automation functions such as opening and closing windows or turning lights on and off. It is pretty scary if adequate controls are not put in place to prevent an attacker from gaining control of the ECU. This could become more problematic as more and more cars become part of the Internet of Things (IoT). Microsoft has recently tested the latest version of their Windows in-vehicle infotainment system, while Apple already unveiled CarPlay, an entertainment system that enables users to see their iPhone interface on a car’s built-in display.

Mobile point-of-sale infected with malware
2014 has seen the emergence of several point-of-sale (PoS) malware, some of which were involved in several high-profile attacks against the retail industry. Today, mobile point-of-sale (mPOS) terminals have also become a target. mPOS devices are often used for card payments, especially for small and medium-sized businesses.

Most mPOS devices run on Linux, and researchers at SyScan were able to compromise and take over an mPOS device by using removable drives or Bluetooth. To prove their claims, they installed the game Flappy Bird on the device, and then played it on the device’s LCD screen using the PIN input buttons as the controls.

The researchers highlighted how mPOS devices can be hit by malware that can keep track of payment information and subsequently share the records online, or perform special functions such as making the device accept payment from cards using any PIN code.

The proliferation of RFID and NFC devices
Today, everyone interacts with radio frequency identification (RFID) and near field communication (NFC) enabled devices. They are present in our door-entry cards, transport cards and contactless credit cards. Radio waves are everywhere!

The “RFIDler”, a low-level RFID communication open-source platform prototype presented during the conference, is used to read and write common types of tags. The platform will soon be available to the general public. It was interesting to see how easily it can be used, as well as the potential damage it can cause. For example, an existing card can be duplicated in a couple of seconds. According to the platform’s author, even if a card format is unknown, the platform is extensible and a new card format can be added in less than a week.

Now that a common extensible reader and writer exist, how long will it be before these devices become targeted by attackers?

Mobile security versus anonymity
Users who cannot live without their smartphones may have already thought about the consequences of losing their devices. To help ease those fears, a researcher at SyScan 2014 presented a hardened Android Read-Only Memory (ROM) solution that he created, dubbed Cryptogenmod. Cryptogenmod is based on Cyanogenmod, an open-source operating system for mobile devices based on Android. The aim is to provide a minimal ROM with remote and physical access protection. Remote protection is achieved by reducing the attack surface, so there will not be a Web browser or an app store on the smartphone. Physical access protection is more complex and is achieved by using secure application containers, strong encryption, and some indicators of a negative operational environment.

Other safeguards were described, including one which detects if a SIM card is removed or a debugger is attached. If one of these actions is detected, the application containers will be unmounted and require a passphrase to be opened again, while the phone will be locked automatically and require the owner to log in again. With this solution, should you lose your phone, your data will remain secure. However, I am not sure if users want a device that is connected but does not allow them to surf the Web or even use the camera (which is known to leak the user’s location). That sounds like a not-so-smartphone.

Overall, while smartphones are still a hot topic I expect to see the Internet of Things dominate industry discourse for the foreseeable future as people gradually delegate tasks to smart devices in order to save themselves time and effort.

To find out more, check out the videos and published papers at SyScan’s main website.

Dutch public transportation may be hackable with an Android smartphone

The smartcards used to pay for public transportation in the Netherlands may now be hacked with an Android phone, according to a report from NOS.nl. The crack requires two free apps that allow the cracker to load the card with money and travel without paying anything.

NOS carries little detail on the nature of the hack, but Dutch hackers appear to have a somewhat long and storied history of cracking the Netherlands’ smartcard, the OV-Chipkaart. The chip inside the card has been modified repeatedly by the card creator, Trans Link, but there is no shortage of tutorials on how to hack them, and there are plenty of stories about hacks that have taken place. There are also less technical Android apps to circumvent paying for transport, like OV Hacker, which plays the tone a Chipkaart would make when successfully scanned in order to trick bus drivers.

A research article from 2009 laid out how the RFID chip inside the card can be read with an NFC reader, decrypted with one application, and then reloaded with the desired amount by another application. The chip has been modified since then, but there’s at least one thread on the xda-developers forums where a user notes that his Android smartphone was able to read out the (encrypted) contents of his OV-Chipkaart with the NFC reader inside his phone.


Highlights From Black Hat Conference

Black Hat is over. The year’s biggest and probably most influential IT security conference again had a lot of interesting talks to offer, and of course also the most important part: Meeting with other people from the industry to share news, ideas (and beer). As for the talks, there wasn’t much earth-shattering this year. Aside from sessions on Apple’s view on security and improvements in Windows 8, the mobile talks were what got most of my attention.

Because mobile platforms have become so important, they have gotten the attention of cybercriminals. (Check the McAfee Threats Report for more information.) There is also a lot of interesting stuff going on. And a lot of mistakes being repeated. Again. An eye opener should be Collin Mulliner’s talk about scanning mobile IP ranges and seeing what kind of devices are there. The result is really scary. Apparently people do not realize that when you’re online with a mobile device using GSM, GPRS, 3G, etc., the device is often not only able to access the Internet; it is also accessible from the Internet. So putting up sensitive hardware without any access authorization is a bad idea. Bad as in “it could cause a power failure in the company” or “it may cause the plant to burn down.” To have your surveillance cameras exposed is not exactly ideal either.

Even more disturbing was Charlie Miller’s talk on near-field communications (NFC) on some mobile devices. He highlighted one major point of failure in the IT industry that is repeated over and over again. Say you have something that security wise is pretty solid. Meanwhile marketing and product management add an additional feature. That’s happened in the case of NFC on mobile devices, which would be great for authentication or payments. They just got “enhanced” with device-to-device communications. What’s wrong about that?

Instead of exposing just NFC-related apps, if you can send someone to a web page without his acknowledging it, your attack surface is suddenly the web browser and everything (multimedia, documents, Flash, etc.) related to it. During the session Georg Wicherski demonstrated such an attack nicely using a WebKit exploit. Thus another good technology turns into a security hazard because of one too many additions. My obvious advice: Disable NFC on your phone until vendors come up with ways to secure it.

Time for Defcon

Now I have another three days of conference to attend: Defcon, which has run for 20 years. (That time is exceeded only by the Chaos Communication Congress, which will take place for the 29th time this year.) Defcon looks massive in the number of its sessions and attendance. (Some major talks, such as “FX” and Greg’s event on Sunday, for example, were not presented at Black Hat, instead exclusively at Defcon.) We’ll see what is going on there.

PS: Best hack at Black Hat? I met a woman at a vendor’s party who hacked her way into the VIP area. The vendor had given out different “coins,” one golden, another black, which was the VIP coin. After obtaining the normal gold coin, which wasn’t easy as she had no ticket for Black Hat to begin with, she simply painted the background black with a pen. Worked.

I gave her a new challenge: Gatecrash the VIP area of Defcon’s Freak Show, which McAfee will sponsor this year. Infected Mushroom will play. See you there! :)

NFC Payment Test at Olympics Will Inspire Mobile Attackers to Go for the Gold

Visa is testing out its PayWave contactless payment service at the Summer Olympics in London. Every athlete will get a Samsung Galaxy SIII phone enabled with near-field communication (NFC) along with Visa’s payment app. Contactless payments aren’t new, and similar payments by mobile phone have been tested by Google with its Wallet app and other NFC smartphones.

A Samsung Galaxy SIII will be given to every athlete competing at the 2012 Summer Olympics in London.

When we last looked at NFC phones and similar apps, there were questions of whether an attacker could go after the apps or the phone hardware and the Android OS. Since then we have seen a PIN-reset vulnerability that allowed an attacker to use the free prepaid card and the ability to crack PINs on the phone. Google updated the Wallet app to fix those vulnerabilities and make attacks much harder. Now attackers would need to go after the hardware itself, though this does not necessarily involve going after the Secure Element portion. One can get excellent results by targeting the OS and its NFC-handling libraries.

Fuzzing the hardware, which involves feeding corrupt or damaged data to an app to discover vulnerabilities, is a good first step. Researchers Charlie Miller and Collin Mulliner fuzzed SMS messages to great effect to discover exploitable vulnerabilities on Android and iOS phones a few years back. Mulliner has also looked at fuzzing NFC tags, going as far as developing a Python library and framework for testing older devices. Recently he updated his software to measure Android devices, allowing him to inject crafted NFC tags to a phone and then monitor the results. He can programmatically feed crafted or damaged NFC tags to Android’s library and then capture any crashes or code-execution opportunities.

Collin Mulliner’s NFC library can be used in fuzzing Android phones. This is very useful for discovering new vulnerabilities.
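As an added example, not code from the original post or from Mulliner’s framework, here is a bounds-checked NDEF record parser in Python: the length fields it validates are exactly the ones a malformed or fuzzed tag bends, and rejecting them cleanly rather than reading past the buffer is what a hardened NFC stack must do. The sample tag bytes are constructed for the example.

```python
class NdefError(ValueError):
    """Raised for any structurally invalid NDEF message."""

def parse_ndef(data: bytes) -> list:
    """Parse an NDEF message into records, checking every declared length
    against the bytes actually present before slicing (no out-of-bounds reads)."""
    records, pos, saw_me = [], 0, False
    while pos < len(data) and not saw_me:
        hdr, pos = data[pos], pos + 1
        mb, me, cf = hdr & 0x80, hdr & 0x40, hdr & 0x20   # message begin/end, chunk flag
        sr, il, tnf = hdr & 0x10, hdr & 0x08, hdr & 0x07  # short record, ID present, type name format
        if not records and not mb:
            raise NdefError("first record lacks the MB flag")
        if cf or tnf == 0x07:
            raise NdefError("chunked record or reserved TNF not accepted")
        fixed = 1 + (1 if sr else 4) + (1 if il else 0)   # type len + payload len + optional id len
        if pos + fixed > len(data):
            raise NdefError("truncated record header")
        type_len, pos = data[pos], pos + 1
        payload_len = data[pos] if sr else int.from_bytes(data[pos:pos + 4], "big")
        pos += 1 if sr else 4
        id_len = data[pos] if il else 0
        pos += 1 if il else 0
        need = type_len + id_len + payload_len
        if need > len(data) - pos:   # the check a fuzzer-made tag trips: promised > present
            raise NdefError(f"record declares {need} bytes, only {len(data) - pos} remain")
        rtype, pos = data[pos:pos + type_len], pos + type_len
        rid, pos = data[pos:pos + id_len], pos + id_len
        payload, pos = data[pos:pos + payload_len], pos + payload_len
        records.append({"tnf": tnf, "type": rtype, "id": rid, "payload": payload})
        saw_me = bool(me)
    if not saw_me:
        raise NdefError("message ends without an ME record")
    if pos != len(data):
        raise NdefError("trailing bytes after the ME record")
    return records

def is_well_formed(data: bytes) -> bool:
    """True when the tag parses cleanly, False on any NdefError."""
    try:
        return bool(parse_ndef(data))
    except NdefError:
        return False

# Constructed sample tags (not captured from any real device):
GOOD_TAG = bytes.fromhex("d101085402656e68656c6c6f")        # Text record, lang "en", "hello"
TRUNCATED_TAG = bytes.fromhex("d101ff5402656e68656c6c6f")   # same bytes, header claims 255-byte payload
HUGE_TAG = bytes.fromhex("c101ffffffff54")                 # long form: 4-byte length says 4 GiB
```

Feeding the same malformed inputs to a parser that slices first and checks later is how the crashes Mulliner’s tooling looks for appear; the length-versus-remaining check above is the fix.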

The Samsung Galaxy SIII goes on sale in North America and worldwide within the first two weeks of July. An attacker wishing to target the device can purchase one easily and use Mulliner’s research to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases. The Olympics will also provide a concentrated pool of targets (people and phones) to pilfer from, especially if everyone is busy watching who wins the medals and not worrying about where his or her phone is.