jim.shamlin.com

3: Invisible Threats

The chapter opens with a description of a demonstration at a security conference of a fairly simple and cheap system - a computer and about $1,500 worth of additional equipment - that could intercept cell phone communications. The same presenter had previously suggested (EN: but not demonstrated) that it is possible to break the encryption that protects cellular communications. Taken together, this suggests cell phones are not as secure as many assume them to be.

Given that cell phones are used for more than voice communication - smart phones can be used to access the Internet, including e-commerce and banking sites - there is greater concern over the security of communications, but not much progress. The security methods in place today were conceived in the 1980's, two or three decades ago, and little has been done to improve upon them.

Some detail is provided on the protection used by various carriers: Sprint and Verizon in the United States use CDMA, a spread-spectrum radio technique originally developed for the military that is difficult to intercept (strictly, CDMA is a way of sharing the radio channel rather than an encryption algorithm, though the chapter treats it as one) - all other carriers, and all other countries (about 80% of the phones in current use), rely on an older standard called GSM that is much more vulnerable. In some locations, no encryption is used at all - in parts of South America, Africa, and Asia, there are no plans to upgrade to more secure equipment.

The vulnerability of GSM has been demonstrated - while it takes significant horsepower to crack the cipher (a precomputed lookup table covering the key space runs to over 2 TB), it is possible to do so, and with processing power and memory at the high end of consumer equipment it can be done in about a minute.

Using an interception station, such as the one described initially, makes it easier to do: a mobile device must authenticate itself to the network, but the network does not have to authenticate itself to the device - so long as the network node responds correctly to the device's request to connect, the device assumes it to be legitimate. Worse, the network, rather than the device, chooses the form of encryption - so the operator of the intercepting equipment can simply select the very lowest level of security, including no encryption at all. Some carriers and devices indicate this to the user, but few users notice or care.

Ultimately, the result is that cell phone communications can be intercepted and decrypted in real time, making them no more secure than land lines - and quite possibly less, as the attacker does not need access to physical circuits to tap into the communications.
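The two weaknesses just described (the phone never checks who the network is, and the network alone dictates the cipher) can be seen in a small protocol model. This is an added example, not code from the book or from this page; the names, the "none/weak/strong" cipher labels and the constructed SIM key are assumptions, and no real GSM cipher is implemented (the real modes are called A5/0, A5/1 and A5/2). The hardened phone adds what later generations added: a challenge the network must answer with the shared key (mutual authentication), plus a refusal to run below a minimum cipher level.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for the key that, in a real network,
# lives on the SIM and at the carrier. Not a real key.
SIM_KEY = b"constructed-sim-key-for-illustration"

# Cipher modes are labels only; the ranking is what the model needs.
CIPHER_RANK = {"none": 0, "weak": 1, "strong": 2}


class BaseStation:
    """A network node. A legitimate station holds the SIM key; a rogue
    interception station does not, and it picks whatever cipher it prefers."""

    def __init__(self, name, cipher, key=None):
        self.name = name
        self.cipher = cipher
        self.key = key

    def prove_identity(self, challenge):
        """Answer the phone's challenge; only possible with the SIM key.
        GSM never asks the network for this; later generations (UMTS AKA) do."""
        if self.key is None:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

    def cipher_mode_command(self):
        # In GSM the network, not the phone, dictates the cipher.
        return self.cipher


class Phone:
    """The stock phone accepts any station that answers and any cipher it is
    told to use. The hardened variant demands that the network prove itself
    and refuses ciphers below a floor."""

    def __init__(self, require_network_auth=False, min_cipher="none"):
        self.require_network_auth = require_network_auth
        self.min_cipher = min_cipher

    def attach(self, station):
        if self.require_network_auth:
            challenge = secrets.token_bytes(16)
            answer = station.prove_identity(challenge)
            expected = hmac.new(SIM_KEY, challenge, hashlib.sha256).digest()
            if answer is None or not hmac.compare_digest(answer, expected):
                return {"attached": False, "reason": "network failed to authenticate"}
        cipher = station.cipher_mode_command()
        if CIPHER_RANK[cipher] < CIPHER_RANK[self.min_cipher]:
            return {"attached": False, "reason": f"refused cipher mode '{cipher}'"}
        return {"attached": True, "network": station.name, "cipher": cipher}


def run_scenarios():
    """Attach a stock and a hardened phone to the real carrier and to a rogue station."""
    carrier = BaseStation("carrier", cipher="weak", key=SIM_KEY)
    rogue = BaseStation("interception station", cipher="none")  # no key, no cipher
    stock = Phone()  # GSM-era behaviour: trust whoever answers
    hardened = Phone(require_network_auth=True, min_cipher="weak")
    return {
        "stock_vs_carrier": stock.attach(carrier),
        "stock_vs_rogue": stock.attach(rogue),
        "hardened_vs_carrier": hardened.attach(carrier),
        "hardened_vs_rogue": hardened.attach(rogue),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The stock phone attaches to the rogue station with no cipher at all and never learns it is talking to the wrong party; the hardened phone rejects the rogue before the cipher is even discussed, because the rogue cannot answer the challenge. Both checks have to be on the phone side, since the page's point is that nothing the network does can be trusted.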

Vulnerabilities of Wireless Connections

The author is alarmed that advertisements promote the convenience of technology without regard to the threat. An advert for real-time banking shows a man buying a cup of coffee, then sitting down to check his bank balance and seeing that the transaction has already been registered. His concern is that this encourages the use of vulnerable wi-fi networks to access bank accounts.

The use of public hotspots for access is harmless enough when a user is doing something that doesn't involve sensitive information - watching a video, browsing the web, etc. - but when any transaction involves sensitive data, it's cause for concern. Checking your stock portfolio or buying an item online involves transmitting sensitive data, including account passwords. And yet, this is exactly what banks are encouraging in their commercials - and suggesting that consumers take advantage of the convenience, without considering the dangers.

It's much easier, and requires far less equipment, to eavesdrop on wi-fi transmissions than on cellular ones. A cyber-criminal with a laptop computer could easily sit in a cafe, like the one in the advert, and intercept all inbound and outbound data from anyone in the vicinity by setting up his laptop to act as a hotspot through which their traffic is funneled.
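A rogue hotspot of the kind described above usually announces itself in the scan list: the same network name appears twice, once as the venue's secured network and once as an open copy from different radio hardware, often with the stronger signal because the attacker is in the room. The audit below runs that check over a constructed scan listing; it is an added example, not from the book or this page, and the network names, BSSIDs (using the locally administered 02: prefix so they match no real vendor) and saved profiles are all made up. One caveat the page does not make: what such a hotspot can actually read depends on whether the traffic is encrypted end to end, so a properly validated TLS session still hides its contents from the hotspot operator, and the real leverage is against unencrypted traffic and users who click through certificate warnings.

```python
from collections import defaultdict

# Constructed scan listing, not a real capture: what a laptop in the cafe might see.
SAMPLE_SCAN = [
    {"ssid": "CafeWiFi", "bssid": "02:1a:2b:10:20:30", "security": "WPA2", "channel": 6, "rssi": -58},
    {"ssid": "CafeWiFi", "bssid": "02:9f:8e:aa:bb:cc", "security": "OPEN", "channel": 11, "rssi": -40},
    {"ssid": "CafeGuest", "bssid": "02:1a:2b:10:20:31", "security": "OPEN", "channel": 6, "rssi": -60},
    {"ssid": "HomeNet", "bssid": "02:77:66:55:44:33", "security": "WPA2", "channel": 1, "rssi": -81},
]

# What this client has joined before, with the security it saw at the time (constructed).
SAVED_PROFILES = {"CafeWiFi": "WPA2", "HomeNet": "WPA2"}


def oui(bssid):
    """First three octets of a BSSID: normally the radio maker's assigned prefix."""
    return bssid.lower()[:8]


def audit_scan(scan, saved_profiles):
    """Return {ssid: [reasons]} for every network showing rogue-hotspot indicators."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = defaultdict(list)
    for ssid, aps in by_ssid.items():
        securities = sorted({ap["security"] for ap in aps})
        prefixes = {oui(ap["bssid"]) for ap in aps}

        # One name offered both secured and open: the open copy lets clients
        # associate without the attacker needing the venue's passphrase.
        if len(securities) > 1:
            findings[ssid].append("advertised with mixed security: " + ", ".join(securities))

        # Same name from radios with different hardware prefixes: a venue's
        # access points are usually one make, a laptop's wireless adapter is not.
        if len(prefixes) > 1:
            findings[ssid].append("broadcast from radios with different hardware prefixes")

        # The saved profile remembers how this network looked last time.
        expected = saved_profiles.get(ssid)
        if expected:
            for ap in aps:
                if ap["security"] != expected:
                    findings[ssid].append(
                        f"saved profile expects {expected}, {ap['bssid']} offers {ap['security']}")

        # The loudest copy being the open one is consistent with an attacker nearby.
        if len(aps) > 1:
            loudest = max(aps, key=lambda ap: ap["rssi"])
            if loudest["security"] == "OPEN" and "WPA2" in securities:
                findings[ssid].append(f"strongest signal is the open copy ({loudest['bssid']})")

    return dict(findings)


if __name__ == "__main__":
    for ssid, reasons in audit_scan(SAMPLE_SCAN, SAVED_PROFILES).items():
        print(ssid)
        for reason in reasons:
            print("  -", reason)
```

A single open network with no secured twin (CafeGuest above) is not flagged: being open is a risk, but not evidence of impersonation. The indicators are combined rather than scored because any one of them is enough to warrant not typing a bank password on that connection.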

The author goes into some of the reasons networks are insecure, and it largely comes down to consumer complacency. If a device required the customer to make a more secure connection, it could be done in fewer places and with more difficulty. It's complicated enough for consumers just to set up their equipment in the first place (one 2006 study found that 85% of returned home network equipment was not defective; the consumer just couldn't figure out how to make it work), and the added complexity of requiring the customer to use additional security features is asking too much.

A hypothetical scenario: a hacker interested in some data a company is working on can search LinkedIn to find people who work in the appropriate department, and FourSquare broadcasts their locations. He might learn that one of them works from home on certain days, which gives him the opportunity to test the strength of their wireless router. Or he might find out they go to a given coffee shop and try to tap into the communications from their smart phone. (EN: not entirely implausible, but such a hacker would have to catch a lucky break.)

The danger is even greater if the company allows employees to work remotely and connect, via the Internet, to resources on the company servers. Any wireless point of vulnerability lets the hacker, by intercepting the signals and spoofing the employee's credentials, reach any resource that the authorized employee could.

Voice and Video Systems

The use of IP telephony likewise brings gaping security holes. In one example, a hacker merely plugged the cable from a house phone in the lobby of a building into his laptop, and gained access to the VoIP system, and the ability to monitor all voice traffic on the internal network. One security expert explains that the security of VoIP systems is extremely weak and easy to defeat and exploit.

Surveillance cameras, meant to help maintain the security of a building, can also be turned against it. Some of the "tricks" seen in Hollywood films are entirely possible, and there are even shareware applications that facilitate them. Since the video systems are delivered over IP networks rather than private wires, you don't even need to be on site to tap into the security feeds, case the facility from the inside, and even send a false signal (a loop recorded from the same camera) to fool human observers.

Given that police departments in some metropolitan areas are replacing or reducing manned patrols in favor of monitoring video camera feeds, perpetrators could even be hidden when entering or exiting the building.

Wireless Accessories

Like television remote controls, most wireless accessories have little to no security: the signals of wireless keyboards and mice are relatively easy to spoof, which lets an attacker take control of the computer to which they are connected.

The example given is disrupting PowerPoint presentations at a conference. Some details on various methods for doing this are presented, but there's no example of how this can be used for anything other than malicious mischief - disrupting the slideshow to fluster the speaker.

Far more practical would be to use a device that reads the keystrokes of a wireless keyboard. This would require accessing an office twice (once to install an eavesdropping device, again to retrieve it). (EN: this is only slightly more effective than wired methods for doing the same: I'd be surprised if anyone checked their cables regularly to notice an extra dongle between the keyboard and the unit.)

A more practical application might be to use a jammer to disrupt an entire office by interfering with wireless mice and keyboards - but such an attack would be hard to pull off because the jammer would need to be in the open, in line-of-sight of the devices.

As such, the threat posed by hacking wireless components is presently trivial, but as technology progresses, it may have the potential to pose a more serious threat.

Bluejacking

When cordless phones appeared on the American market around 1980, they had a short range and a narrow band of frequencies, such that it wasn't uncommon for people living nearby to pick up each others' conversations if they happened to be on the phone at the same time. It was unintentional eavesdropping, more of a nuisance than a security concern. It took about ten years to resolve the issue with phones that had a longer range, a broader spectrum of frequencies, and the ability to use channels within a given frequency.

While the problem of overlap among cordless phones has been solved, baby monitors now use the lower and narrower spectrum, such that people can pick up the transmissions of their neighbor's baby monitor. The author cites a class-action suit brought by a Chicago resident who discovered that his neighbors were able to hear the audio and see the video from his nursery. (EN: The case was later dismissed.)

Similar concerns have been raised about Bluetooth technology, commonly used in headsets and earpieces for cellular phones. The range of Bluetooth is only about thirty feet, but it can be extended significantly with additional hardware. Bluetooth hops among 79 channels rather than sitting on one, and there is encryption between the "master" and "slave" devices.

The practice of "Bluejacking" is a prank that can be annoying but is basically harmless: it scans for open devices within range and sends them a form of short text message that is displayed on the device.

A more concerning trick is "Bluesnarfing," which retrieves data files from other Bluetooth gadgets. In some cases you need to know the name of the file (but the locations and names of files such as address books are standard on devices by a given manufacturer); in others, you can simply request all the files. Manufacturers have since closed this by requiring a device to authenticate before receiving data, and it was not much of a problem to begin with because it requires the target device to be in "discoverable" mode - which is generally disabled by default and must be turned on purposefully.

There was also a brief panic over the use of Bluetooth in cars, to enable wireless connection to MP3 players and to let the car's audio system serve as a speakerphone for hands-free calling while driving. This got some media attention, but the whistle-blower never produced any credible evidence of a vulnerability. A few hackers made an earnest effort to exploit this, but the worst they were able to do was make the entertainment system's computer reboot itself.

(EN: Interesting that the author chooses to disclose the disproof in this instance. In others, he's used the same tactic of suggesting what "could" happen without evidence, and in still others he seems to have purposefully omitted disproof to create the impression the claims were valid.)

A more valid concern is that some Bluetooth-enabled devices ship with a default PIN such as 0000 or 1234, and given that few users change default settings, it's possible to hijack the connection by using the default PIN - to eavesdrop on a conversation or even interrupt it by injecting audio.

There is also a technique to connect to a Bluetooth device by fooling it into pairing with another device. As such, it would be possible to activate the microphone on a remote device to overhear anything within range of the microphone. (EN: Though this would likely cause the device's LED indicator to show that the device is active, which would be rather conspicuous.)

Military Vulnerability

The author details some of the vulnerabilities of military reconnaissance technologies: the video signals from Predator drones and Rover units, used to survey an area and gather intelligence, were found to be unencrypted.

This enables enemy forces to detect the presence of surveillance devices in a given area, tap into the feed to see what information is being gathered by their opponents, and take advantage of the surveillance themselves - in effect, to follow the vehicle back to its home base.

It has also been found that, using a $26 piece of software and a satellite dish, it is possible to receive and decode images taken by spy satellites.

Naturally, the military has reacted to this by including encryption on newer units, but deploying the new units and recalling the older ones may take a few years, during which time the vulnerabilities will remain in effect in the field.

Quantum Key Encryption

The principles of quantum mechanics are being used to develop stronger methods of protecting encryption keys. The explanation is overly detailed, but the essence is that the key is carried by quantum states that cannot be observed without being altered - hence any attempt by an unauthorized party even to view the key shows up as errors, which can be used to discard the key and report the attempted intrusion. (What quantum mechanics secures is the distribution of the key; the messages themselves are still encrypted with a conventional cipher using that key.)

The author mentions seeing a demonstration in 2008, and remarks that the speed and security were "incredible." However, the communication in this demonstration used lasers between two devices within line-of-sight of one another. (EN: There's an odd turn of phrase - "the system I saw demonstrated further had to be compatible with fiber-optic networks" - which I take to mean it currently is not, though the clumsy diction of that phrase is a bit ambiguous.)
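The "cannot be observed without altering it" property can be seen concretely in a simulation of BB84, the standard quantum key distribution protocol that matches the chapter's description (the page does not name it). This is an added example, not the book's or the page's code: qubits are modelled as (bit, basis) pairs, an eavesdropper does intercept-and-resend, and the 11% abort threshold is an assumed policy. Measuring in the wrong basis gives a random answer and collapses the qubit into that basis, so an eavesdropper who guesses wrong half the time leaves errors in about a quarter of the bits the two parties compare, which is how the intrusion is detected and the key thrown away.

```python
import random

RECTILINEAR, DIAGONAL = "+", "x"
BASES = (RECTILINEAR, DIAGONAL)
# Assumed abort policy: an error rate above this on the sampled bits means the
# channel was tampered with (intercept-resend alone produces about 25%).
ABORT_THRESHOLD = 0.11


def measure(qubit, basis, rng):
    """Measure a qubit represented as (bit, basis it was prepared in).

    Same basis: the result is exact and the state is unchanged.
    Wrong basis: the result is a coin flip, and the qubit collapses into the
    measuring basis, which is the disturbance an eavesdropper cannot avoid."""
    bit, prepared_in = qubit
    if prepared_in == basis:
        return bit, qubit
    outcome = rng.randrange(2)
    return outcome, (outcome, basis)


def bb84(n, rng, eavesdrop=False):
    # Alice: random bits, each encoded in a random basis.
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    qubits = list(zip(alice_bits, alice_bases))

    if eavesdrop:
        # Eve intercepts each qubit, measures in a guessed basis, and forwards
        # what she now holds. Half her guesses are wrong, and those qubits
        # reach Bob re-prepared in the wrong basis.
        qubits = [measure(q, rng.choice(BASES), rng)[1] for q in qubits]

    # Bob: measures each qubit in his own random basis.
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = [measure(q, b, rng)[0] for q, b in zip(qubits, bob_bases)]

    # Sifting over the public channel: bases are compared, bits never are.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]

    # Sacrifice part of the sifted key to estimate the error rate (QBER).
    sample = sifted[: len(sifted) // 4]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0
    intrusion = qber > ABORT_THRESHOLD

    # The remaining sifted bits become the key, unless the channel was tampered with.
    key = None if intrusion else [alice_bits[i] for i in sifted[len(sample):]]
    return {"sifted": len(sifted), "qber": qber, "intrusion": intrusion, "key_bits": key}


def run_demo(n=4000, seed=7):
    """Same seed twice: one clean run, one with an intercept-resend eavesdropper."""
    return {
        "clean": bb84(n, random.Random(seed)),
        "tapped": bb84(n, random.Random(seed), eavesdrop=True),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: sifted={result['sifted']} qber={result['qber']:.3f} "
              f"intrusion={result['intrusion']}")
```

In the clean run the error rate on the sample is exactly zero, because a qubit measured in the basis it was prepared in always gives the prepared bit. With the eavesdropper present it sits near 25%, well above the threshold, and no key is produced. The point the chapter makes follows directly: the detection is not an add-on but a consequence of the measurement disturbing the state.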

Advice to Users

Even though the author has demonstrated numerous weaknesses, he suggests there's no need to be paranoid, and offers some common-sense practices to be more secure.

Most importantly, don't believe everything you see. Companies promote how cutting-edge their solutions are, and turn a blind eye to the gaping security holes that still exist, like the bank advertisements that show how easy it is to log into your account at a coffee shop. Eventually, the technology will catch up, to the point where such things can be done with adequate security. But until then, it's up to the customer to consider the consequences and choose to proceed with caution - or to refrain from availing themselves of such conveniences.