The Long Road to a Law on Product Security in the UK

As the UK’s Product Security and Telecommunications Infrastructure Bill entered Parliament today, I had some time to reflect on how far we’ve come.

I was reminded today that this day was a long time coming. The person who triggered this was someone that I worked with when I was at Panasonic and he was at Nokia. Twenty years ago, we were sat in one of the smallest meeting rooms at Panasonic Mobile, next to the smoking room as it was the only one available – the Head of Security Research from Vodafone, the Head of Security of GSMA, plus the Security Group Chair of GSMA and me.

The topic was hardware (IMEI) security and more broadly mobile phone security and how to deal with embedded systems hacking at an industry level. What kind of new measures could be brought in that would genuinely help to reduce the problem of mobile phone theft and make phones more secure? As they say, from small acorns, mighty oaks grow. I’d also argue it is probably quite a bit about persistence over a very long time.

It takes a very long time to make meaningful changes and while it’s easy to point out flaws, it’s harder to build new technology that addresses those in a game-changing way with complete industry buy-in. That’s pretty much what recommendations and standards bodies do, with the aim of seeking consensus – not complete agreement, but at least broad agreement on the means to effect large scale changes. Gradually and over a long period of time.

So we did that. Both in the Trusted Computing Group (TCG) and through the work of OMTP’s TR1: Advanced Trusted Execution Environment which led to chip-level changes across the industry and ushered in a new era of hardware security in the mobile phone industry, providing the foundation of future trust. All of this work nearly complete before an iPhone was on the market, I might add and well before Android! From our published work, we expected it to be in phones from around 2012 onwards and even then it took a little while before those OS providers hardened their systems sufficiently to be classed as really good security, but I should add that they have done a really good job of security leadership themselves since then.

With saturation in the smartphone space, around 2013/2014 the industry’s focus moved increasingly to the M2M (machine-to-machine) or IoT (Internet of Things) space, which had existed for a while but on a much smaller scale. A lot of things were coming together then – stuff was getting cheaper and more capable and it became increasingly viable to create more connected objects or things. But what we also saw were increasing numbers of companies ‘digitising’ – a washing machine vendor worried that they would be put out of business if they didn’t revolutionise their product by connecting it to the internet. That’s all well and good and I’m all for innovation, but the reality was that products were being put on the market that were really poor. With no experience of creating connected products, companies bought in ready-made solutions and platforms which came with little-to-no security measures. All the ports were exposed to the internet, default passwords were rife and never got changed, oh and software updates, what are they? It was, and still is in many parts of the market, a mess.

Remember that these were new products being put into a market that was already a mess – for example, most webcams that had been sold for years were easy to access remotely and lots of tools had been created to make it even easier to discover and get into these devices, allowing intrusion into people’s private lives, their homes and their children.

Work began in organisations like the GSMA on creating security requirements for IoT that would force change. At the same time, hardware companies started to transfer their knowledge from the smartphone space into the hardware they were creating for the growing IoT sector. The IoT Security Foundation was established in late 2015 and the UK’s National Cyber Security Strategy from 2016-2021 stated that “the UK is more secure as a result of technology, products and services having cyber security designed into them by default”, setting us down the path that led to the legislation introduced today. All of that work was an evolution and reinforcement of the growing body of product security recommendations that had already been created over a long period of time. Another thing I’ve observed is that in any particular time period, independent groups of people are exposed to the same set of issues, with the same set of tools and technologies at their disposal to rectify those issues. They therefore can all logically come to the same conclusions on things like how best to tackle the problem of IoT security.

In 2016, the Mirai attack happened (more info in the links below) and that helped to galvanise the support of organisations and politicians in understanding that large-scale insecurity in connected devices was a big and growing problem. A problem that was (mostly) easily solvable too. Other news stories and issues around IoT just added to this corpus of information that things weren’t well. You can also read more about the Code of Practice we created in the UK in the links below, but the key takeaway is this – there are small but fundamental changes that can raise the bar of cybersecurity substantially, reducing harm in a big way. This ranges from taking a firm stance on out-of-date and dangerous business practices e.g. companies and individuals being lazy, taking the easy route about things like default passwords and the hardware and software you use in your product development, to modernising the way that companies deal with security researchers – i.e. not threatening them and actually dealing with security issues that are reported by the good guys. So creating meaningful change is also about taking a stand against baked-in poor practice which has become endemic and so deeply entrenched throughout the world and its supply chains that it seems impossible to deal with.

I’ll never forget one meeting I was in where I presented a draft of the Code of Practice, where a guy from a technology company said “what we need is user education, not this”. I felt like I was on really solid ground when I was able to say “no, that’s rubbish. We need products that are built properly. For over 20 years, people have been saying we only need user education – it is not the answer”. I was empowered mainly because I could demonstrably show that user education hadn’t worked and perhaps that’s depressingly one of the reasons why we’re finally seeing change. Only in the face of obvious failure will things start to get better. But maybe I’m being too cynical. A head-of-steam was building for years. For example I was only able to win arguments about vulnerability disclosure and successfully countering “never talk to the hackers” because of the work of lots of people in the security research community who have fought for years to normalise vulnerability reporting to companies in the face of threats from lawyers and even getting arrested in some cases. And now we’re about to make it law that companies have to allow vulnerability reporting – and that they must act on it. Wow, just let that sink in for a second.

In the hacking and security research community, are some of the brightest minds and freest thinkers. The work of this community has been the greatest in effecting change. It may not be, in the words of someone I spoke to last week ‘professional’, when what I think they mean is ‘convenient’. The big splash news stories about hacks to insecure products actually force change in quite a big and public way and sadly the truth is that change wouldn’t have happened if it wasn’t for these people making it public, because it would have been mostly swept under the carpet by the companies. It is that inconvenient truth that often makes large companies uncomfortable – fundamental change is scary, change equals cost and change makes my job harder. I’m not sure this culture will ever really change, but uniquely in the tech world we have this counter-balance when it comes to security – we have people who actively break things and are not part of an established corporate ecosystem that inherently discourages change.

Over the past 10 years, we’ve seen a massive change in attitudes towards the hacking community as cyber security becomes a real human safety concern and our reliance on the internet becomes almost existential for governments and citizens. They’re now seen as part of the solution and governments have turned to the policy-minded people in that community to help them secure their future economies and to protect their vital services. The security research community also needs the lawyers and civil servants – because they know how to write legislation, they know how to talk to politicians and they can fit everything into the jigsaw puzzle of existing regulation, making sure that everything works! So what I’ve also had reinforced in me is a huge respect for the broad range of skills that are needed to actually get stuff done and most of those are not actually the engineering or security bit.

A lot of the current drive towards supporting product security is now unfortunately driven by fear. There is a big ticking clock when it comes to insecure connected devices in the market. The alarm attached to that ticking clock is catastrophe – it could be ransomware that as an onward impact causes large-scale deaths in short order or it could be major economic damage, whether deliberate or unintended. A ‘black swan of black swan events’ as my friend calls it. Whatever it is, it isn’t pretty. The initial warnings have been there for a while now from various cyber attacks and across a range of fronts, positive work has been taking place to secure supply chains, encourage ‘secure by design / default’ in the product development lifecycle and to increase resilience in networks – which is the right thing to do – the security should be commensurate with usage and in reality the whole world really, really relies on the internet for literally everything in their lives.

This is another factor in the success of current cyber security work around the world. I work with people from all corners of the earth, particularly in the GSMA’s Fraud and Security Group. Everyone has the same set of issues – there are fraudsters in every country, everyone is worried about their family’s privacy, everyone wants to be safe. This makes this topic less political in the IoT space than people would imagine and every country’s government wants their citizens to be safe. This is something that everyone can agree on and it makes standards setting and policy making a whole lot easier. With leadership from a number of countries (not just the UK, but I have to say I’m incredibly proud to be British when it comes to the great work on cyber security), we’re seeing massive defragmentation in standards such that we are seeing a broad global consensus on what good looks like and what we expect secure products and services to look like. If you step back and think about it – thousands and thousands of individuals working to make the world a safer place, for everyone. So the acorn twenty years ago was actually lots of acorns and the oak tree is actually a forest.

So to everyone working on IoT security around the world I raise a glass – Cheers! and keep up the fantastic work.

My RSA talk on the UK’s Code of Practice for Consumer IoT Security in 2019.

Further reading:

Covid-19 SMS/text message scams: advice for mobile phone users

Fraudsters are using the Covid-19 crisis as bait to conduct SMS scams on a global scale. Many of these criminals are adapting their existing campaigns to exploit the situation.

Some of the examples we’ve seen on the twitter hashtag #covid19scamsms include text messages that trick recipients into divulging their personal and financial details based on lures of ‘goodwill payments’, ‘free home testing kits’ or ‘threats of a fine for breaking lockdown conditions’. In this post, we collate guidance from expert organizations and government agencies worldwide to help mobile phone users thwart such attacks as well as providing our own advice.

Two examples of scam SMS messages being sent by fraudsters exploiting the coronavirus pandemic.

Firstly, what are the tell-tale signs to look out for?

It can be very difficult to work out whether a message is real or not. The reason for this is that fraudsters are trying to trick you into believing that a message is genuine. One of the problems with SMS is that the sender ID can be easily spoofed. This means that something that looks real — for example, the sender is a name rather than a number, and says something like: “US_Gov” — might not in fact be real. Here’s a list of other things that might suggest an SMS is suspect:

  • The message comes from an unrecognisable number.
  • The message contains misspelt or poorly worded phrases.
  • The message uses strange characters that look like legitimate letters (in order to avoid spam filters and get through to you).
  • The message contains a web link for you to go to.
  • The message requests payment or suggests you will receive money if you provide your details.
  • The message attempts to rush or panic you into taking immediate action.
  • The message uses doubtful or clearly false names of government agencies or organizations, either in the web link or the message text itself.
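As an added illustration (not part of the original post), the following Python script turns the signs above into a small triage check that can be run over a batch of messages, for example ones collected from the hashtag. The known-sender allow-list, the list of official domains, the impersonation keywords and the three sample messages are all constructed for the example and are not an official dataset; the misspelling sign is left to a human reader because it needs a dictionary. The Cyrillic ‘а’ in the third sample shows why the lookalike check matters: it is exactly what stops a naive keyword filter from seeing “final notice”.

```python
"""Heuristic triage of an SMS against the tell-tale signs listed above.

Added example, not from the original post. All lists and samples below are
constructed for illustration.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Assumptions for the example: senders the recipient already knows, and the
# domains the impersonated bodies really use. Neither is an official list.
KNOWN_SENDERS = {"+447700900123", "MyBank"}
OFFICIAL_DOMAINS = ("gov.uk", "nhs.uk", "usa.gov")
IMPERSONATION_WORDS = ("gov", "hmrc", "nhs", "irs")

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
URGENCY_RE = re.compile(
    r"(?i)\b(?:immediately|urgent(?:ly)?|within \d+ hours?|act now|final notice|now|today)\b")
PAYMENT_RE = re.compile(
    r"(?i)(?:\b(?:payment|pay|refund|goodwill|bank details|card details|fined?|claim)\b|[£$€]\s?\d)")


def lookalike_letters(text: str) -> list[str]:
    """Non-ASCII letters that render like Latin ones (Cyrillic 'а', fullwidth 'Ａ')."""
    ascii_letters = sum(ch.isascii() and ch.isalpha() for ch in text)
    other_letters = sum((not ch.isascii()) and ch.isalpha() for ch in text)
    if other_letters >= ascii_letters:  # a genuinely non-Latin message, not a trick
        return []
    hits = []
    for ch in text:
        if ch.isascii() or not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        # Letters that fold to ASCII under NFKC (fullwidth forms) or come from
        # scripts with visually identical glyphs are the classic filter-evasion trick.
        if unicodedata.normalize("NFKC", ch).isascii() or name.startswith(("CYRILLIC", "GREEK")):
            hits.append(ch)
    return hits


def link_hosts(text: str) -> list[str]:
    """Hostnames of any web links in the message, without a leading 'www.'."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")
        if not raw.lower().startswith("http"):
            raw = "http://" + raw
        host = (urlsplit(raw).hostname or "").lower()
        hosts.append(host.removeprefix("www."))
    return hosts


def impersonates_official_body(host: str) -> bool:
    """True when the host name-drops an official body but is not under its real domain."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return False
    return any(w in host for w in IMPERSONATION_WORDS)


def triage(sender: str, text: str) -> list[str]:
    """Return the tell-tale signs found; an empty list means nothing fired."""
    signs = []
    if sender not in KNOWN_SENDERS:
        kind = "number" if sender.lstrip("+").isdigit() else "alphanumeric sender ID (easily spoofed)"
        signs.append(f"unrecognised sender: {kind}")
    chars = lookalike_letters(text)
    if chars:
        signs.append("lookalike characters: " + " ".join(f"U+{ord(c):04X}" for c in chars))
    hosts = link_hosts(text)
    if hosts:
        signs.append("contains web link(s): " + ", ".join(hosts))
    if any(impersonates_official_body(h) for h in hosts):
        signs.append("link host imitates an official body without using its real domain")
    if PAYMENT_RE.search(text):
        signs.append("asks for payment or promises money")
    if URGENCY_RE.search(text):
        signs.append("pressures you to act quickly")
    return signs


def is_suspicious(sender: str, text: str, threshold: int = 2) -> bool:
    """Two or more independent signs is the working cut-off used in this example."""
    return len(triage(sender, text)) >= threshold


# Constructed sample messages in the style of the lures described above.
SAMPLES = [
    ("US_Gov", "You are eligible for a $1,200 goodwill payment. Confirm your bank details "
               "now at http://us-gov-relief.example/claim"),
    ("+447700900123", "Your parcel will arrive tomorrow between 9am and 11am."),
    ("+447700900999", "Fin\u0430l notice: you have been fined \u00a3250 for breaking lockdown. "
                      "Pay within 24 hours at www.gov-uk-fine.example/pay"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(f"{sender!r}: {'SUSPICIOUS' if is_suspicious(sender, text) else 'no signs'}")
        for sign in triage(sender, text):
            print("   -", sign)
```

The checks are deliberately independent so that a single false positive (a legitimate delivery notice with a link, say) does not tip the verdict on its own; the threshold is an assumption and should be tuned against real reports. Note that the script cannot tell a spoofed sender ID from a real one, which is the point made above: an alphanumeric sender name is treated as unverified rather than as proof of origin.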

Next, what action should you take?

  • Never reply to the SMS or click on suspicious links. These could result in your phone being infected with malware or you losing money if you’re persuaded to enter credit card details or personal information such as addresses or passwords.
  • Don’t let anyone pressure you to make quick decisions. Stop and think; challenge the information provided in the SMS.
  • Only contact organizations using details obtained from official websites.
  • Check whether a government agency actually did send out messages to people. This might take a bit of searching on the web, but sometimes they’ll explain exactly what they sent. One example is the UK’s coronavirus SMS message.
  • If the message refers to a charity or non-profit, verify that the organization is registered – for example, in the US follow Federal Trade Commission advice, or in the UK search the charity register. Consider donating money via a different mechanism.
  • Keep your mobile phone’s software up-to-date to help reduce the chance that malware could exploit your device.

How can I help others?

We have started to tweet out some examples of these on twitter to help organizations around the world with gathering threat intelligence. The hashtag we are using is:

#covid19scamsms

If you receive a message, in the first instance you should try to report this to your network operator. They are best-placed to tackle the issue and initiate blocking measures. In many countries you can do this by forwarding the SMS to 7726 (more details provided below). It helps to do this – it is important that the operator knows you’ve received a message that isn’t legitimate because this will tell them that something has got through their filters.

We would encourage anyone who receives a scam SMS message to post a screenshot to the hashtag as a small way of assisting in tackling the problem. For example, the information contained in the message could be a web link to a malicious site which can be taken down before it can cause harm to lots of users. Please make sure you remove any identifying information such as your phone number before you post an image.

And finally, how can you report the fraudulent activity so that government agencies and mobile network operators can take action?

Australia
Canada
  • Forward the spam message to the short code 7726 (SPAM)
  • Call the Canadian Anti-Fraud Centre on 1-888-495-8501 (toll free) or report online.
European Union
New Zealand
  • Forward the TXT message to the free shortcode 7726 (SPAM).
UK
  • Contact your mobile network operator by forwarding the message to 7726.
  • Notify Action Fraud – the UK’s National Fraud and Cyber Crime Reporting Centre – either online or by calling 0300 123 2040.
USA
  • Copy the message and forward it to 7726 (SPAM).
  • Report it to the Federal Trade Commission at ftc.gov/complaint.

Related links and further reading

As stated above, we ask that people post screenshots of any examples of Covid-19 SMS scams. Please use the hashtag #covid19scamsms – https://twitter.com/hashtag/covid19scamsms?src=hashtag_click.

Australian government advice

Canadian Anti-Fraud Centre

New Zealand government advice

UK government advice on phishing and bogus contact updated to include examples of Coronavirus (COVID-19) scams

US Federal Communications Commission advice on Covid scams

About the author

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

Further Thoughts on SIM Swap

I recently wrote about the topic of SIM swapping on my company’s site. This was also posted to the GSMA’s Fraud & Security Group blog. There has been an increase in the amount of awareness of the issue over the last 18 months or so and I expect that to continue throughout 2020. Some factors are driving it – the recently published Princeton paper is probably the first scientific analysis of these problems, especially on the social engineering aspect. Others are the sheer life impact as I describe in my earlier blog – either a huge loss of money or life-takeover of all the victim’s online accounts.

Some feedback I received from industry colleagues on Linkedin is worth mentioning:

  • While I refer to ‘SIM swap’ – because that is the colloquial term we all understand, what is really happening is a re-assignment of the user’s credentials to access services, by the operator to another SIM card, rather than a specific issue with the SIM itself. It’s primarily a process and procedural issue.
  • Like many other cyber security issues we face (not just in telecoms), particularly for trans-national issues, there is almost a complete absence of law enforcement. I’m not just talking about action, but even basic interest would be useful. Where it comes to technical topics, it can be very difficult for the victim to describe it to the Police, but a lack of Police training and structure for dealing with cyber security issues means ultimately criminals get away with it. This perpetuates the cycle of crime. If it’s international, then probably nothing will happen.
  • The authentication of the real user is at the core of the issue – improving these procedures in line with the increased attack surface and asset value is overdue.
  • SMS 2FA is not the solution that should be recommended because SS7 is too vulnerable – I actually disagree with this one on the basis that as an interim solution it is easy for operators to deploy and would raise the bar significantly. SS7 attacks are much more difficult to conduct than social engineering and it ignores the fact that SS7 monitoring, controls and firewalls in-line with GSMA guidance have been and are being implemented across the world.
  • One side-point was made that SMS 2FA isn’t 2FA because the phone number isn’t something the user controls. I think this is not correct – the second factor is really a combination of “something you have (the phone that receives the message)” and “something you know (the code that is sent)”. This point also kind of ignores the practicalities of the problem – you need something that is going to work for millions of users. SMS 2FA is still the easiest and least worst solution for this. Arguably you’re sending the message ‘in-band’ and associated with the thing that is being targeted, however logically, at that point it is under the control of the authentic user. These days there are other channels the operator could possibly use which are sort-of ‘out-of-band’ and they should explore these – i.e. Whatsapp, Signal messages or using an authenticator app such as Duo. I would argue that at least for the last two of these, they’re still quite niche for the ordinary user and that raises complexity in the customer service chain, ultimately actually reducing security. It would also have to be carefully thought through – attackers don’t remain static.
  • One point was made that “We have to stop knitting new applications with old technology” and “Same horse same speed… ” – I and others would agree with this. With 5G we had a real opportunity to make a clean break from legacy technologies, however it hasn’t happened. We’ll carry some of those problems with us. I guess there are some similar analogies to replacing lead pipes in houses and cities – it is an economic and practical upgrade problem. We’ll get there I think.
  • Other comments talked about regulation and putting the liability onto operators for the financial losses of users. It is really not that simple in my view. If the target of the service is someone’s email or breaking into the bank – does the network operator retain sole liability for that? We also have to remember that the issue here is the criminals doing this – let’s focus on them a bit more and start prosecuting them.

The UK’s National Cyber Security Centre has an excellent and pragmatic guide for enterprises using SMS: ‘Protecting SMS messages used in critical business processes‘.

10 Inspirational Women in the Mobile Industry

Today is International Women’s Day and I was thinking about the women who had influenced my thinking in the mobile industry over the past year. I have to say, I thought twice about writing this blog – I didn’t want to patronise or embarrass the individuals mentioned in this piece and that certainly is not my intention. At the end of the day, I have decided to publish as they all deserve to be recognised as the movers and shakers they are in the mobile and/or web and internet security world and after all, the theme this year is “make it happen”!

No more glass ceilings

In alphabetical order, I have included their twitter handles where appropriate, so you can follow them:

Karen Barber, Independent Mobile Business and Startup Advisor

Twitter: @KLBarber

Source: Twitter
I first met Karen at the ForumOxford event in May 2014. She has advised many mobile startups and continues to do so, helping people to productise and bring to market new mobile applications and services. Dedicated, with great connections, she is generous with time and advice.

Anne Bouverot, GSMA

Twitter: @annebouverot

Source: https://www.flickr.com/photos/itupictures/8094137683/ (CC BY 2.0)

As Director General of the GSMA, an association of over 800 member network operators and associate companies, Anne has a huge job to herd the cats of the mobile industry whilst negotiating with the governments of the world over regulatory and policy concerns. She is one of only two women on the Board of the GSMA (Mari-Noëlle Jego-Laveissière of Orange recently joined). Only this week she highlighted that: 1.7 billion women in low and middle income countries don’t own a mobile phone – a gender gap of 200 million.

Melanie Ensign, FleishmanHillard
Twitter: @imeluny

I met Melanie while I was out in Las Vegas for Blackhat and DEFCON in 2014. Determined and skillful, Melanie liaises with the media and the hacking community over security concerns on behalf of some telecom companies. This role requires a head for technology and strong people skills, both of which Melanie has in abundance.

Virginie Galindo, Gemalto

Twitter: @poulpita

Source: https://blog.html5j.org/2013/06/w3c-developer-meetup-tokyo.html

As Chair of the W3C’s Web Crypto group, Virginie has one of the hardest jobs in the web world. The recent rise in interest of encryption on the web has made this activity all the more important. In an almost entirely male group, with some extremely volatile and passionate personalities, Virginie has shown incredible leadership, leading to a seat on the Advisory Board of W3C.

Helen Keegan, Independent Mobile Marketing Specialist

Twitter: @technokitten

Source: https://technokitten.blogspot.co.uk/

Helen is one of the most well known people in the mobile marketing community. She runs the Heroes of the Mobile Fringe series of events every year at Mobile World Congress in Barcelona including the spectacularly popular Swedish Beers. Facilitating connections between startups, mobile companies and VCs. Another unsung heroine of the mobile industry, probably responsible for numerous collaborations between companies that previously would never have met.

Dominique Lazanski, GSMA

Twitter: @dml

Source: Twitter

A well known Internet governance expert, Dominique now advises the GSMA on policy issues and cyber security. She is also on the Board of the UK’s Open Data User Group amongst other things. A true visionary and passionate about securing the future of an open and free internet for all.

Sue Monahan, Small Cell Forum

Source: linkedin

Appointed as CEO of the Small Cell Forum in 2014, Sue has shown great leadership and has made great use of her large global network of mobile industry colleagues to raise the profile of small cells and develop the future of mobile networks.

Marie-Paule Odini, HP

An expert in NFV and SDN (she co-chairs the ETSI NFV SWA working group), Marie-Paule is a Distinguished Engineer at HP and their CTO, EMEA for Communications Media Solutions. Intelligent, resourceful and full of ideas, I had the pleasure of meeting her at ITU World in Qatar where we discussed smart cities, drones and disaster relief.

Natasha Rooney, GSMA

Twitter: @thisNatasha

Source: W3C

Natasha is a Web Technologist for the GSMA and co-chair of the Web and Mobile Interest Group at the W3C. A self-declared geek, she has thrown herself into the role and has taken leadership on quite a few critical issues for the future of the web. She has gained the respect of pretty much everyone I know in a very short space of time (oh and as of the Global Mobile Awards in 2015 is now mates with John Cleese!).

Nico Sell, Wickr

Source: ambassadorialroundtable.org

A staunch defender of privacy, Nico Sell co-founded and is CEO of the privacy and security sensitive messaging app Wickr. Personable and highly intelligent, Nico commands the respect of the hacking community and also runs the successful DEFCON kids event and the R00tz Asylum which is bringing up the next generation of security technologists. At this point, I’ll take the opportunity to apologise to Nico for “borrowing” one of the Stegocat posters at Wickr’s DEFCON party!

Let’s Make it Happen

There are many other women across the past year that have influenced me and that I have not mentioned. Some of those don’t have a public profile or keep themselves to themselves, but they’re also often unrecognised by their own companies. I’m constantly impressed by many women that are often juggling parenting responsibilities with international travel and partners who are also in busy careers.

The simple fact that I’m writing this shows that world society still has a long way to go, even in the West. Most of the meetings I go to are still populated by white middle aged suits (yes, me too!). Whilst most people in my age group have moved on from old stereotypes, you still hear some pretty shocking stories of prejudice and public humiliation towards women by bosses and colleagues.

To the male readers of this blog – I see many meetings where “he who shouts loudest” seems to be the “successful” conclusion of a lot of email discussions and meeting decisions. Next time you’re speaking in a meeting – stop and think: perhaps you should listen to someone else’s view? That person may be the woman next to you who isn’t choosing to engage in the usual testosterone-fuelled meeting argument.

The glass ceilings do still exist, but there are lots of rays of light and it is great to see so many of my friends and colleagues doing so well. Long may it continue until the point we don’t need an International Women’s Day.

If you want to mention a woman in the mobile, security or web world who has inspired you, please leave a comment below!

Edit: 08/03/14 – some small edits and tidy-ups, and to actually put them in alphabetical order!


Cyber Security in the Mobile World: MWC Lunchtime Seminar Series

I’ve been running a cyber session on behalf of UKTI and BIS for the past few years. The event has been an increasing draw as a hub for security and privacy discussion at Mobile World Congress. We have an absolutely stellar line-up this year, across three days of lunchtime sessions and I’m really looking forward to MCing! If you’re around at MWC, come along to the UKTI stand in Hall 7 (7C40) at the times below.

#MWC15

Cyber Security in the Mobile World: MWC Lunchtime Seminar Series

In the fourth year of our MWC Cyber Security in the Mobile World event, the topic remains at the top of the headlines. 2014 saw a large number of attacks which were both news-grabbing and serious. Are things getting better or are they going to get worse?

Securing the Internet of Things
Mon 2nd March
12:00 to 12:40
Location: Hall 7, UKTI stand 7C40

The Internet of Things (IoT) has exploded in the last year. With many machine-to-machine (M2M) and IoT devices being purchased by consumers and being implemented within technology from cars to chemical plants, are we adequately prepared to handle the increased cyber risk?

Introduction:

• Richard Parris, Intercede: Introduction to the Cyber Growth Partnership

Keynote speakers:

• Richard Parris, Intercede: The Role of SMEs in Securing IoT
• Marc Canel, Vice President of Security, ARM: Hardware security in IoT
• Svetlana Grant, GSMA: End to End IoT Security

Mobile Cyber Security for Businesses
Tues 3rd March
12:45 to 13:25
Location: Hall 7, UKTI stand 7C40

The Prime Minister recently said that 8 of 10 large businesses in Britain have had some sort of cyber attack against them. With a big increase in the number of mobile devices, how can businesses defend themselves, their data and their employees? What cyber standards are being developed and what enterprise security mechanisms are being put into the devices themselves?

4 person keynote panel, moderated by David Rogers:

• ETSI, Adrian Scrase, CTO
• Samsung, KNOX, Rick Segal, VP KNOX Group
• Good Technologies, Phil Barnett, Head of EMEA
• Adaptive Mobile, Ciaran Bradley

Innovation in Cyber Security: Secure by Default
Wed 4th March
11:40 to 12:20
Location: Hall 7, UKTI stand 7C40

Our speakers will get straight to the point by giving 3 minute lightning talks on a variety of innovations in cyber security.

1. Symantec, IoT Security, Brian Witten
2. W3C, Web Cryptography, Dominique Hazaël-Massieux
3. NCC Group, Innovative Security Assessment Techniques, Andy Davis
4. Plextek, Automotive Security, Paul Martin, CTO
5. SQR Systems, End-to-End Security for Mobile Networks, Nithin Thomas, CEO
6. CSIT, Queens University, Belfast, Philip Mills & David Crozier
7. Trustonic, Your Place or Mine? Trust in Mobile Devices, Jon Geater, CTO
8. NquiringMinds, Picosec: Secure Internet of Things, Nick Allott, CEO
9. Blackphone, Blackphone update, Phil Zimmermann
10. GSMA, The Future of Mobile Privacy, Pat Walshe

Master of the House? Who Controls the Home in the Internet of Things?

I had an interesting conversation with an American friend recently about how the AT&T Digital Life product had helped him take control of the temperature in his house…. from his wife!

I’ve experienced air conditioning wars at a company I used to work at – the thermostat was at the end of the office near the door. At various points, certain people would go and turn it up to full heat, whilst others would go and turn it fully down to cold. It was a mess. In the end facilities resolved it by taking control away entirely and nobody was happy.

Whilst slightly amusing, it does raise interesting questions for the future home internet-of-things (IoT) solutions.

Is the administrator or ‘Master’ of the house IoT system de facto the most tech-savvy person in the house? Statistics on technical career choices would dictate that is probably usually a man. Does that put women in an unfair or weak position when it comes to privacy?
What rights do other family members have to privacy and control?
What about visitors?

Rental Homes and Holiday Lets

What about rented homes? In future, home automation, monitoring and other IoT solutions are likely to be built into new homes. What rights do people who are leasing homes have when it comes to ensuring that the landlord cannot monitor or control such a system?

Abusive and Controlling Relationships

What happens in cases of domestic violence, controlling behaviour and abuse? Spyware applications are often used by jealous partners so there is nothing to say that such people wouldn’t also use IoT technology as part of their controlling behaviour.

The Good Side

On the flip side, there are plenty of examples of cameras being used by homeowners which have caught thieves, and discovered abuse by childminders and by carers for the elderly. For some vulnerable people, door cameras have been helpful to deter and detect cold callers who would take financial advantage of them.

These new social realities are happening now. Whilst home IoT solutions are generally fantastic, for some people, even being at home may become a problem.

ForumOxford Mobile Security discussion

Join me on Friday the 11th at 3pm (UK), 7am (PDT), 10am (EDT) for a discussion via LinkedIn on the topic of mobile security. I’ll be talking about everything from mobile phone theft and fingerprint scanners to what the future could hold.

More details here. So hopefully see you all there. If you can’t make it, have a look at this book if you’re interested in the topic.

9th ETSI Security Workshop

In January 2014, it’ll be the 9th ETSI Security Workshop, in Sophia Antipolis in the south of France. I’ve always found the event really interesting and have spoken there a couple of times myself.

There’s a call for presentations that’s still open until the 11th of October, so if you’re interested in security and mobile, why not put in an abstract? The topics are really broad-ranging (which is part of the appeal). This year’s include:

1. Machine-to-Machine Security
2. Critical infrastructure protection
3. Cybersecurity
4. Analysis of real world security weaknesses
5. Next Generation Networks security
6. Mobile Telecommunications systems
7. RFID and NFC Security issues
8. Privacy and Identity Management
9. Cryptography and Security algorithms
10. Security in the Cloud
11. Smart city security (energy, transport, privacy, …)
12. Trusted Security (services and platforms)
13. Security Indicators/Metrics
14. Academic research and Innovation
15. Device and smart phones security
16. Malware detection and forensics

More details here: http://www.etsi.org/news-events/events/681-2014-securityws


CCC bust Apple’s fingerprint scanner?

Just a few days ago I wrote about some of my concerns on biometrics, after the launch of the fingerprint scanner ‘TouchID’ on the iPhone 5S. It appears that they may have been well-founded. The Chaos Computer Club in Germany have released a blog and video which seems to show TouchID being broken by a fake fingerprint. Back to the drawing board again on biometrics? Watch the video for yourself below:


You are the Key: Fingerprint Scanning on the iPhone 5S

So, here we are. Another iPhone launch and seemingly even fewer features. The September 10th launch of the iPhone 5S brings the only physical feature of note: fingerprint scanning via “Touch ID”, which is built into the main button of the phone (an elegant way of doing it, by the way). This turn of events is more about a push by Apple towards acceptable secure m-payments and stronger user authentication for the web and App Store than just being about access control to the device itself. I’m pretty sure that there’s a strong pull from the business / enterprise sector as well for this kind of technology. In my experience, senior management seem to quite like things they’ve seen in a sci-fi film, such as palm-print security access and voice recognition in front of big strong-room doors. Perhaps a blue LED or two to top it off. That, of course, is real security. Not.

Just like in the movies! It must be secure!

So what does this technology really bring us and why hasn’t it been implemented before? Let’s concentrate on just the access control piece here.

Leaving your keys hanging around

Unlike PINs, you leave a number of exact replicas of your fingerprints in various public places when you go about your daily business. That’s like leaving an exact imprint of your front door key over twenty times a day on things like the side of your car door, on a coffee cup and on the table of your favourite pub. In all likelihood, the back of your mobile phone probably contains a pretty good copy of your fingerprint right now. In 2008, the German interior minister Wolfgang Schäuble found this out when hacktivists collected his fingerprints from a glass. And remember: once you’ve lost your fingerprint you can’t really get it back (you only have a limited number!).

There are some pretty extreme examples of people who’ve been tortured for bank PINs, and even one case in Malaysia where a man had his finger cut off to steal his fingerprint-protected Mercedes.

There is an argument to say that most street thieves (like burglars) are not going to want a direct confrontation with the owner, but there’s also plenty of evidence of violence during mobile phone theft from people being shot or held at knifepoint, just for their phone.

One could easily imagine a scenario where the user is just forced to open up the device and remove the security protection before the criminal makes off. This scenario could just as easily be argued for users with PIN protection and it seems (from my unscientific hearsay point-of-view!) that we haven’t heard of many instances of thieves doing this. What seems to be more prevalent is either unattended theft or snatch theft where the phone is actually being used (and is therefore unlocked and ready to go).

According to the Office for National Statistics’ report on Mobile Phone Theft [pdf], the Crime Survey for England and Wales for 2011/12 showed that 7 in 10 incidents of mobile phone theft were personal thefts (e.g. pickpocketing or snatch) or ‘other thefts of personal property’. These ‘others’ are defined as: “items stolen while away from home, but not carried on the person (such as theft of unattended property in pubs, restaurants, entertainment venues, workplaces etc.).”

Let’s also bear in mind that a lot of people could believe they’ve been pickpocketed or that their phone was stolen from somewhere when they have in fact just lost their device. The number of phones found on the London underground alone was 25,000 in 2011.

Convenience

What fingerprint biometric technology does give you is convenience, more so given that the sensor for Touch ID is built into the key that you would have to press anyway. Instead of having to make four or more finger movements and possibly engage your brain to remember a PIN, you instead have almost instantaneous access, which, when you consider how many times you have to enter your PIN into your phone every day, is surely a good thing. What convenience then hopefully gives you is increased adoption by users, which overall is again a good thing. Most people using fingerprint access control rather than a few using a PIN is a much better situation for everyone.

However, this is certainly not all a bed of roses. Usability is a big issue once you look into it (and I’m not sure how much Apple have taken this into consideration).

Some people simply can’t use fingerprint readers: for example, the very young, the elderly and some disabled people. In addition, “false negatives” can be caused by various factors such as:

  • Long fingernails
  • Arthritis
  • Circulation problems
  • People wearing hand cream
  • People who’ve just eaten greasy foods
  • Fingerprint abrasion (the elderly, manual labourers, typists, musicians)
  • People with cuts

In some senses, this functionality could be regarded as socially regressive, or at least not a socially inclusive and accessible technology. These types of users must fall back to things like PIN usage to provide access control.

Technology progression

Technical details of the Apple solution are not clear, but a lot of fingerprint technologies have failed in the past and I am sure that this one will come under intense scrutiny by security researchers. I have demonstrated the “gummy finger” attack against an optical fingerprint scanner myself at conferences and in lectures, even creating a working latex ‘replacement’ fingerprint aka ‘Diamonds are Forever’.

Researchers have even gone as far as ‘lifting’ fingerprints, reversing the image (to get it back to the right way round) and etching them in order to create a pattern for new, usable replicas (see the gummy finger link above for more details). Other researchers have also defeated ‘liveness’ or pulse detection too.

Summary

So what do I really think? I think for high-end enterprise use cases (one area that Apple has been really going after in the past couple of years), this does make sense. I can imagine a CEO complying with that kind of policy more than a mandatory very long PIN or password. If they’re really important people though, you can certainly imagine them being targeted to copy their fingerprints as I mentioned at the beginning.

For your average user, maybe just maybe, the convenience aspect will make this a success. What that would mean is more devices secured at rest (i.e. left on café tables), so an opportunistic thief would not be able to get immediate access. It could even provide a different, potentially more secure way of authenticating to banking and payment services over the web or in a shop. I truly hope that users do not become the targets of more violent assaults where they are forced to give fingerprint access to their device.

Lastly, I hope that the Apple security engineering team have done their job correctly. At the end of the day, your fingerprint is translated into 1s and 0s. A representation of this has to be stored on the device in some way. Each time you access your phone, your data is then processed through an algorithm to get compared. If that is not done properly using secure hardware, then there’ll be another set of people producing hacking tools to address a new market for criminals to get around the fingerprint protection. The first commercially sold fingerprint scanner on a phone that I remember was in 2004 in the GI100, a Pantech device that was released in Asia. I looked into and rejected fingerprint scanning as a possibility for mobile phones at Panasonic in 2005 for many reasons (not least the processing capability needed). Nearly 10 years later, it’ll be interesting to see whether it really is a useful security technology or just simply a movie-inspired gimmick.