How could voicemail insecurity affect your Facebook, Google or Yahoo! account?

It is nearly three years since the News of the World voicemail hacking scandal erupted (a case that’s in court right now). The blog and article I wrote at the time are still the most popular posts I’ve written. I was involved in drafting a set of guidelines for network operators which was published very soon after.

I was therefore quite surprised when a friend sent me the following link, which explains how web application security researcher Shubham Shah managed to use voicemail vulnerabilities within network operators to exploit two-factor authentication (2FA) for some pretty major services (e.g. Google, Yahoo!, LinkedIn and so on). The way that 2FA is sometimes set up is that it will call your mobile number. Obviously an automated system isn’t usually set up to determine whether you actually answered the call, so the code can go through to voicemail. And that’s how the attack goal is achieved. If the attacker can get into your voicemail account via a vulnerability in procedures or via CLI (Calling Line Identity) spoofing (i.e. faking your phone number), then they can get access to the rest of your life. Sounds simple, and it is.
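The mitigation that follows from the above is to make the voice channel refuse to disclose the code to anything that cannot interact with the call. The model below is an added illustration, not Shubham Shah's research code and not any provider's implementation; the class names and the three call events (start_call, on_keypress, on_call_ended) are assumptions. A voicemail box can record the prompt but cannot send the key press, so the code is never spoken and the session is discarded when the call ends.

```python
"""Voice-channel OTP issuer that withholds the code from any party that cannot
interact with the call (e.g. a voicemail box). Added illustration; the class
names and the call-event API are assumptions, not a real provider's interface."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CODE_TTL_SECONDS = 120


@dataclass
class VoiceOtpSession:
    phone_number: str
    created_at: float
    code: str = field(default_factory=lambda: f"{secrets.randbelow(10 ** 6):06d}")
    spoken: bool = False      # True only after the callee pressed the prompt key
    consumed: bool = False    # single use


class VoiceOtpIssuer:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, VoiceOtpSession] = {}

    def start_call(self, phone_number: str) -> str:
        """Place the call. Only the IVR prompt is played; the code is not in it,
        so a voicemail box that answers records nothing useful."""
        self._sessions[phone_number] = VoiceOtpSession(phone_number, self._clock())
        return "Press 1 to hear your sign-in code."

    def on_keypress(self, phone_number: str, digit: str) -> Optional[str]:
        """DTMF input can only come from an interactive party. The code is read
        out only in response to the expected key."""
        session = self._sessions.get(phone_number)
        if session is None or session.consumed or self._expired(session):
            return None
        if digit != "1":
            return None
        session.spoken = True
        return f"Your code is {session.code}."

    def on_call_ended(self, phone_number: str) -> None:
        """A call that ends without the key press (voicemail, unanswered,
        wrong number) leaves nothing behind that could later verify."""
        session = self._sessions.get(phone_number)
        if session is not None and not session.spoken:
            del self._sessions[phone_number]

    def verify(self, phone_number: str, candidate: str) -> bool:
        """Accept a code only if it was actually spoken to an interactive
        caller, is unexpired and unused, and matches in constant time."""
        session = self._sessions.get(phone_number)
        if (session is None or session.consumed or not session.spoken
                or self._expired(session)):
            return False
        if not hmac.compare_digest(session.code, candidate):
            return False
        session.consumed = True
        return True

    def _expired(self, session: VoiceOtpSession) -> bool:
        return self._clock() - session.created_at > CODE_TTL_SECONDS


def voicemail_pickup(issuer: VoiceOtpIssuer, number: str) -> bool:
    """Constructed scenario: voicemail answers, records the prompt and sends
    no DTMF. Returns whether any code could verify afterwards (it cannot)."""
    issuer.start_call(number)
    issuer.on_call_ended(number)
    return issuer.verify(number, "000000")


def live_pickup(issuer: VoiceOtpIssuer, number: str) -> str:
    """Constructed scenario: a person answers and presses 1; returns the code."""
    issuer.start_call(number)
    spoken = issuer.on_keypress(number, "1")
    return spoken.removeprefix("Your code is ").removesuffix(".")
```

The key-press gate does not help against an attacker who can answer the call live, and it does nothing against the CLI-spoofing route into the voicemail box itself; what it removes is the specific failure where an unattended voicemail ends up holding a valid code.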

The phone theft debate continues…

A number of articles on mobile phone theft in the papers this weekend (20-21st July 2013). Regular readers will know that I’ve spoken quite a lot about phone theft in the past and at various events.

Snatch thefts are particularly high because the phone is ‘active’ at that point and not locked

The Daily Mail discusses the fact that Apple will publish an update later this year which will enable the “authentication lock” feature, which will prevent the re-enablement of stolen phones after theft. It also mentions that GPS won’t be able to be disabled, nor the phone wiped – common methods used by thieves to prevent tracking of phones, and ones which have also encouraged snatches of ‘active’ devices.

In the Daily Telegraph, Boris Johnson apparently said “Each of your companies promote the security of your devices, their software and information they hold, but we expect the same effort to go into hardware security so that we can make a stolen handset inoperable and so eliminate the illicit second-hand market in these products”.

This is badly off the mark – the problem is not the hardware security (this was addressed years ago and the work was acknowledged by the Home Secretary in 2008). The real problem is the export of devices – they are not blocked outside the UK so can continue to be used. This has nothing at all to do with hardware security, but it has everything to do with the ability to disable devices globally.

Other countries such as the US have only recently joined the party, claiming massive new street theft problems. The truth is this – phone theft has always been a problem, but it has only been recently that high-profile violent robberies have forced them into action. What have the authorities been doing for the last ten or so years?

Apple’s authentication lock is not a kill switch

The terminology being used by politicians and the media is incorrect – preventing access to services is actually the opposite of reaching out and telling a device to ‘die’. Creating a real kill switch like that could in itself become a security problem. Imagine being able to turn off every phone in the world?

The reality is that the functionality for an “authentication lock” has only been technically possible in the past 5 years, because previously the manufacturer would have virtually no relationship with the customer. These days all the major OS providers ask users to sign up for an account with them to access services – and that’s the key. A relationship with the end user means that they can take action because they know when that phone gets used post-theft.

In the past, this simply wasn’t possible for the network operators. No operator (as far as I know) has presence in every country in the world, so it wouldn’t usually see a phone if it had been exported. Yes, the IMEI (identity of the device) could technically be shared with a global database called the Central Equipment Identity Register, but that one piece of data is not reliable for many reasons, including a rash of counterfeit devices in some countries. However, if a phone has to connect home over the web, it allows a lot of information to be checked and even shared with the rightful owner. Although it is not foolproof, it is the right thing to do as it makes the phone less attractive to a thief. It does raise a question for the Android manufacturers particularly. Will they now ask Google to provide this functionality for them, or somehow try and build it into their own anti-theft find-and-locate apps (which will not be as robust as putting this in at the OS level)?

Next steps

Assuming the industry gets this right (and I hope they do), the ball will be back in government and Police hands. With rising theft figures, it is very easy to blame the manufacturers and operators. In reality this is a complex and largely social problem – people are still going to snatch expensive mobiles, try to use them to pay for things, use their functions and so on, and sell them. There’ll be a new, lucrative challenge for the cracking community to disable things like authentication lock. Up until 2011, the UK was the only country that had really done lots of things to help address theft in a proper manner, including:

  • education for young people (youth-on-youth crime is very high)
  • posters in high crime areas like London
  • legal measures (making it illegal to change the IMEI number and possess the equipment to do so)
  • working with industry to harden devices (OMTP TR1)
  • encouraging industry to share information on theft (stolen IMEI numbers)
  • setting up a dedicated Police unit to target thieves

Mobile phone theft affects ordinary people – for that reason alone, politicians like Boris Johnson are going to continue to jump on what has been for years a populist bandwagon.

"Apple does not have a process to track or flag lost or stolen product"

“Apple does not have a process to track or flag lost or stolen product”. That’s exactly what the Apple support pages say.

Having worked on the problem for years and seen the human consequences of violent theft, it appears a fairly arrogant statement to make. It’s not a safe, fluffy world out there (unless you live your life permanently in a gated development).

As Intel’s Robert Siciliano told Reuters in January: ‘Apple seems to have not considered stolen devices and instead is relying on the honor system’ … ‘The honor system is devised with the mindset that we are all sheep and there are no wolves.’

There are certainly lots of wolves out there. Mobile phone theft appears to be starting to grow again.

Apple’s Q3 figures released in July 2012 showed a net profit of $8.8B. So is it too much to ask Apple to spend a bit of that profit on a process that helps consumers and reduces the desirability and ease of theft? They certainly have the global reach to do it (and currently, much more than the mobile network operators). It seems to me a little unfair for them to put everything on the mobile network operator just because they have the contract with the end user.

The Police (particularly in the UK) are doing their best against street crime and it is surely incumbent upon Apple as a good corporate citizen to try and help minimise theft of hot products such as the iPhone. 

Channel 4 did a great report on the situation in London last month:

Criminals are getting savvy – they’re also turning off the find and locate features of modern smartphones and wiping the devices so you’ll never get them back. They can even continue using the phones in the country they were stolen in, even if the IMEI number is blocked. They just don’t use the core “phone” functionality. WhatsApp and everything else will work just fine.

Phone theft is a tough nut to crack, as I pointed out in this talk. However, if certain companies are just putting their head in the sand and responding to the media with ‘no comment’, we’re in a bad place.

Combating phone theft – US takes a step forward but is it enough?

It seems that the theft of mobile phones is starting to be recognised in other parts of the world than the UK at the moment. A few of the American newspapers are reporting on the announcement that mobile network operators (or carriers as they are known over there) have done a deal with the FCC to block stolen mobile devices. This is all good news and I don’t want to pour cold water over what is going to be generally good for the consumer in the long term.

This never used to happen in the old days

Why has it taken until now?

The concept of a global blacklist (or Central Equipment Identity Register [CEIR]) for mobile devices has been written in stone (well, the GSM specs) for a very long time. See this paper from mobile security veteran Charles Brookson from 1994, which talks about the CEIR. Operators have quietly ignored this requirement and very few are connected to it. Even local blacklisting has been a problem over the years, with disputes over sharing information with other operators inside single countries. The practical difficulties are always cited, as well as cost. Having been involved in a lot of this debate, a lot of the arguments just don’t wash. As an example, using prohibitive cost as a reason not to maintain a blacklist is laughable. Storage cost is ridiculously low, management is minimal and the operators themselves will see direct benefits from not allowing criminals to hook up stolen phones on their networks. The simple answer to network operator blacklisting is: “where there’s a will, there’s a way”.

Identity changing is not the issue it once was

Another argument that has been frequently wheeled out is that criminals will just change the identity (the IMEI number) of the device to side-step the blocking system. The fact is that IMEI number changing has dropped off massively since the turn of the century as more security has been built into devices (through a lot of effort in a number of industry initiatives). My presentation ‘Mobile Phone Theft: An unsolvable problem?’ from 2011 expands on some of this. There is a 42 day breach reporting process run by the GSM Association which nearly all the manufacturers are involved in. It seems as though the manufacturers have played their part, but it could be argued that the network operators haven’t.

What are governments doing?

It could also be argued that governments haven’t really played their part in all of this. Only the UK has really stepped up and addressed the criminals who actually perpetrate these crimes with legislation and through a dedicated Police unit, the National Mobile Phone Crime Unit. What meaningful steps have other countries taken to help their citizens from the blight of mobile phone theft?

Are we addressing the right problem any more?

Apparently the US system is going to take two years to become operational, and this is where I have a bit of an issue. Development and deployment could probably happen a lot more quickly than this, given that the standards have already existed for nearly 20 years. My other issue is whether we’re addressing the right problem any more. If mobile phones have evolved to the point that they are now more mobile computer than phone, we should look at what will drive a thief. Thieves take phones generally for their inherent value. That is why, historically, blocking a phone’s network access has essentially disabled the device and made it valueless. This isn’t the case in 2012. If you block the IMEI number, guess what? Anyone can still use the phone – you can use the WiFi connection to get on the web, you can use WhatsApp and Skype and you’ll still be able to download stuff from app stores. While this remains the case, mobile phone theft is going to continue to be a problem. In some ecosystems, the vendor is actually in a very strong position (think those companies with fruits in the name) and they have actually provided additional tools to help against theft. What they need to make sure now is that those devices are not ‘re-activated’ after theft.

What can I as a user do to help myself?

  • It sounds a bit obvious, but make sure you use your device PIN-lock feature. It can be a pain to use, but it is highly effective in ensuring that whatever is on your device stays on your device. Although thieves generally just care about selling the device on, you still don’t want all your personal data potentially going astray.
  • Another piece of sensible advice is to be aware of your surroundings; don’t leave your phone on tables in cafes, be careful where you’re using your phone (in dangerous neighbourhoods etc) and when out and about at night. In big cities, tube and metro exits are commonly targeted as people turn their phones on when they surface.
  • And finally, write down your IMEI number – you’ll need this to give to the Police and network operator if your phone ever gets stolen. You can get the number from the back of your handset or by typing in *#06# at the home screen of your phone.
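
The IMEI you write down is only useful if it was copied correctly, and the operator blacklist discussed earlier on this page is only as good as the lookup made when a handset attaches. The example below is an added illustration serving both points; it is not the GSMA's register or any operator's code. The function and class names are assumptions, and the IMEIs used are sample values, not real handsets. It validates the Luhn check digit that forms the 15th digit of an IMEI (so a mistyped number is caught before a report is filed) and models a CEIR-style blacklist keyed on the normalised number.

```python
"""IMEI check-digit validation plus a toy equipment identity register, modelling
the attach-time blacklist lookup. Added illustration; names are assumptions and
the sample IMEIs are constructed values, not real handsets."""
import re
from typing import Dict


def normalise_imei(raw: str) -> str:
    """Strip the spaces and dashes people write when copying *#06# output.
    Returns the 15-digit form or raises ValueError."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or len(digits) != 15:
        raise ValueError("IMEI must be 15 digits")
    return digits


def luhn_check_digit(body: str) -> int:
    """Luhn check digit over the first 14 digits; this is the IMEI's 15th digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def imei_is_well_formed(raw: str) -> bool:
    """True when the number is 15 digits and its check digit is consistent,
    which catches most transcription slips before a report is filed."""
    try:
        imei = normalise_imei(raw)
    except ValueError:
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


class EquipmentRegister:
    """CEIR-style blacklist: a map from IMEI to the operator that reported it."""

    def __init__(self) -> None:
        self._blocked: Dict[str, str] = {}

    def report_stolen(self, raw_imei: str, reported_by: str) -> str:
        """Record a stolen handset; refuse numbers whose check digit is wrong."""
        imei = normalise_imei(raw_imei)
        if not imei_is_well_formed(imei):
            raise ValueError("check digit mismatch; number was probably copied wrongly")
        self._blocked[imei] = reported_by
        return imei

    def attach_decision(self, raw_imei: str) -> str:
        """What a network would do when a handset presents this IMEI."""
        if not imei_is_well_formed(raw_imei):
            return "reject-malformed"
        return "blocked" if normalise_imei(raw_imei) in self._blocked else "allow"
```

Note that this lookup only gates the cellular attach. As the post points out, a blocked handset still works over WiFi, which is why the account-level authentication lock matters alongside the IMEI blacklist.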

Don’t advertise your phone to thieves

We’re never going to stop people stealing things, but at least in the US and the UK life is being made slightly more difficult for thieves, making things slightly safer for you.