9th ETSI Security Workshop

In January 2014, it’ll be the 9th ETSI Security Workshop, in Sophia Antipolis in the south of France. I’ve always found the event really interesting and have spoken there a couple of times myself.

There’s a call for presentations that’s still open until the 11th of October, so if you’re interested in security and mobile, why not put in an abstract? The topics are really broad-ranging (which is part of the appeal). This year’s include:

1. Machine-to-Machine Security
2. Critical infrastructure protection
3. Cybersecurity
4. Analysis of real world security weaknesses
5. Next Generation Networks security
6. Mobile Telecommunications systems
7. RFID and NFC Security issues
8. Privacy and Identity Management
9. Cryptography and Security algorithms
10. Security in the Cloud
11. Smart city security (energy, transport, privacy, …)
12. Trusted Security (services and platforms)
13. Security Indicators/Metrics
14. Academic research and Innovation
15. Device and smart phones security
16. Malware detection and forensics

More details here: http://www.etsi.org/news-events/events/681-2014-securityws

 

QR codes and security – my take

This blog details some of the risks and security issues of QR codes. If you’re a user looking for advice on how to protect yourself from bad stuff, or a company looking to use a QR code in a consumer campaign, check out my tips here.

Some background

QR codes and 2D barcodes have been around for a while. Essentially a barcode of old was just a string of numbers and letters, equating to ‘something’ (in the case of EAN and ISBN codes amongst others). I used to write software for some mobile phone stuff that used both EAN-13 and Code 128 but that’s an entirely different story. Anyway, there are lots of barcode standards around (if you’re interested have a look at the Wikipedia article). Of the 2D barcodes, the QR (Quick Response) version has become the most popular, mainly because there aren’t major patent issues around using it – Denso Wave do not ‘exercise’ their right to it. As a result, in the first few months of 2011 it has become extremely popular in the marketing world. It’s mainly being used for quickly communicating web links (or URIs as they’re properly called) to people so they can get on and buy / see / do stuff, usually from their mobile phones.


Usage

A big supporter in the mobile world is my friend Terence Eden. He runs QRpedia which facilitates the reading of articles in multiple languages, for example in museums and tourist sites. His blog contains some great stories about QR codes and I fully recommend reading it.

QR codes have only become really popular in 2011 because of the rise in the number of smartphone users and the increasing popularity and usability of the mobile web. A raft of applications are available to read QR codes and in some handsets I understand this functionality is pre-installed.

One example of a company using it is the train company, First Great Western, who’ve recently started publishing train timetables as QR codes.

Another example, this time for voucher / marketing purposes is Bulmers for their Cider (see picture), although they’ve not quite got the user experience right – it takes you to a full (non-mobile) website and then once they’ve got all your details give you a printable voucher on your phone. If anyone can point me in the direction of a phone with a printer, I’ll let Bulmers off the hook.

The next picture shows estate agent Hamptons – which in theory looks like a good example – situated in the window of the estate agents (behind the glass so it is protected from tampering) and hopefully displaying the URI it takes the user to (at the bottom left).

Of course a well-designed site could then also take you to its mobile app if it has one (try the tripadvisor site on your mobile for a good example of this).

Security

Where do I stand on QR codes? Well, generally I think they’re quite a good timesaver – they allow me to quickly input a website into a mobile browser, save a link for later perusal or even (as in the case of QRpedia) give me access to much more information on something than I would be able (or bothered) to get normally. I can even see the argument on the SMS and dial features. All good stuff, yet I’m concerned that we technologists are running ahead of the public with the technology (as usual).

It’s the old marketing v security problem. Of course marketing departments want to make use of this great (sort of new) technology, but they’re not paid to think about the security stuff and often they’re not required to do any consultation with a security department, even if it exists. Besides, what security can you actually add to a QR code?

So what’s the risk?

This is not such a good example (as shown on Terence’s blog). The Verrus paybyphone service takes you straight to a mobile site which asks you to enter your credit card details. This is so astonishingly easy to spoof that it is scary. There is no description whatsoever near the QR code about what it is supposed to do. I could therefore also quite easily perform a whole host of attacks (as described below).

There are a number of threats to the consumer from the misuse of QR codes. These aren’t usually because of a big security mistake by the company advertising its product or whatever with the QR code; however, it could turn out to be quite a nasty PR experience for the company involved if they’re not careful with the way in which they do it.

  • QRjacking (not a good term – it is actually a form of Pharming) – This is the practice of putting stickers over existing QR codes which link to wherever the attacker wants them to go. Dan Wilkerson published this blog back in May 2011 which has some nice pictures.
  • Scanjacking (as opposed to clickjacking) – Here’s a paper I like by App Sec labs which assesses some QR readers and how a payload can be inserted into a QR code if JavaScript is allowed to be randomly executed on the device. This post the other day talks about using QR codes to point to an evil server running Metasploit to “attag” a target (I don’t like that term either).
  • Man-in-the-middle attack – This is where, again, a sticker is placed over the legitimate QR code or the code is falsely advertised in a newspaper or magazine. The user has their credentials captured or bank details taken, then they are redirected back to the correct website with an error such as ‘you didn’t type your details correctly’. It is unlikely that the average user would pick up on what was going on. Collin Mulliner mentioned this kind of attack when he did some great work around NFC (Near Field Communications) a few years back. In fact many of the attacks he describes mirror in some ways the attacks possible on QR.
  • Phishing – Randomly posting QR codes that entice people to scan them but actually go to something malicious is highly tempting for attackers. You could probably even get people to attach to your fake WiFi network. You could imagine lots of places that could be targeted e.g. bars, bus stops etc. This could of course happen via email, asking you to scan and download an application to your phone. The QR code below was sent to me the other week by a friend. It isn’t malicious and I’m not sure it even works on mobiles, but I liked the potential!

  • Spear Phishing – Extending the Phishing method described above, but targeting a particular individual or a small group (imagine dropping a fake competition flyer around an extremely upscale bar).
  • Premium rate SMS fraud – One of the things that is supported with QR codes is the ability to make calls and send SMSs. I’m not going to explain exactly how here, but the information is pretty widely available. It would seem pretty trivial to do a premium rate fraud using fliers for a competition at a concert or sporting event. Less so for call fraud because of the time and hassle involved for the user, but depending on the social engineering aspects of the attack, it could be done.
  • Pre-registration fraud – Terence Eden found an incident where Nokia had failed to register a bit.ly link on a QR code which could have quickly been hijacked by an opportunist. This would probably be technically classed as a pre-registration fraud, although it is very rare.
  • False Advertising – This is a sophisticated attack on a company, perhaps by an activist group, by putting fake QR codes in advertisements. It is obviously incumbent on magazines and newspapers to check adverts and their sources anyway, but I’m not sure how well this is done. Even if some form of checking did take place, it could be side-stepped by only putting the malicious content live once the target publication is in the shops.

Generally with all the attacks on QR codes, they have to be very well crafted and prepared to be successful. For the savvy attacker, it is a social engineering exercise. It all comes down to what logical next steps a user could expect to take. In general though, it is quite difficult to launch a traditional distributed attack without high cost. The chances of detection and therefore prosecution are higher than other types of attack. For example, crafting an attack where you want to encourage the user to use their phone, scan the QR code from their computer with their device, download an application and thereby maliciously get access to their information is so complicated and difficult it almost isn’t worth doing. There’s too much other low hanging fruit out there in terms of attack success.

Is there anything that can be improved in terms of security? Well, a lot comes down to the reader software applications themselves and how they present the data to the user once it has been scanned. This helps the user make a reasonably informed, intelligent decision. From a technical point of view though, it is difficult to defend QR URIs even by using blacklisting services such as stopbadware.org. Premium rate attacks also seem difficult to defend against as the numbers could be (and are) changed easily. The time window between a successful attack and the blacklisting is still attractive to an attacker. Some forms of URL redirection could potentially be ‘triaged’ by the barcode reader application with some helpful warnings to the user, but given the propensity for companies to use URI shortening services, it may have limited success as an effective security measure. Given all the other security scenarios that could happen (e.g. what if the QR code is situated in a hostile environment with a compromised WiFi router?), it does seem futile at the moment to introduce other measures which may actually just confuse the user further.
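
As an added example (not part of the original post, and not taken from any real reader app), here is a sketch of the kind of triage a barcode reader could do on a scanned payload before acting on it. The function name triage, the shortener list and the sample payloads are assumptions made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Illustrative, non-exhaustive list of shortener hosts (an assumption of this example).
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}

def triage(payload):
    """Classify a decoded QR payload; return (kind, summary, warnings)."""
    text = payload.strip()
    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower() if sep else ""
    warnings = []
    if scheme in ("sms", "smsto"):
        # Common encodings: SMSTO:<number>:<message> and sms:<number>?body=<message>
        parts = re.split(r"[:?]", rest, maxsplit=1)
        number, body = parts[0], parts[1] if len(parts) > 1 else ""
        warnings.append("sends a text message, which may be charged")
        return "sms", f"SMS to {number}: {body!r}", warnings
    if scheme == "tel":
        warnings.append("places a phone call, which may be charged")
        return "tel", f"Call {rest}", warnings
    if scheme == "wifi":
        # WIFI:S:<ssid>;T:<auth>;P:<password>;; (backslash escapes not handled here)
        fields = dict(f.split(":", 1) for f in rest.split(";") if ":" in f)
        warnings.append("joins a Wi-Fi network chosen by whoever made the code")
        if fields.get("T", "nopass").lower() == "nopass":
            warnings.append("network is open (no encryption)")
        return "wifi", f"Join network {fields.get('S', '?')!r}", warnings
    if scheme in ("http", "https"):
        host = urlsplit(text).hostname or ""
        if scheme == "http":
            warnings.append("connection is not encrypted")
        if host in SHORTENERS:
            warnings.append("shortened link: the real destination is hidden")
        # Show the host, not the full URI, so the user sees where they are going.
        return "url", f"Open {host}", warnings
    return "text", text, warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real codes.
    for sample in ("http://bit.ly/abc123", "SMSTO:0000000000:WIN",
                   "WIFI:S:FreeBarWiFi;T:nopass;;", "https://www.example.com/timetable"):
        kind, summary, warnings = triage(sample)
        print(f"[{kind}] {summary}")
        for w in warnings:
            print("   warning:", w)
```

A reader that asks for confirmation whenever the warnings list is non-empty gives the user the chance to make the informed decision described above; it does nothing about a shortened link whose target changes after the code is printed.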

I do have some further ideas on this topic, but I’d welcome your comments and ideas, just add a comment to this blog.

Obviously what applies to QR codes applies to anything else, barcode or otherwise that you can’t decipher, such as ‘NFC’ tags which you ‘touch’ with your phone. I’ll be writing about this closely related and upcoming technology soon.

Android@Home – Now I’ll hack your house (part 2)

So in part one I introduced some of the reasons why home control hasn’t been a mass-market success, here I’ll discuss some of the potential uses and then cover some security points.

Uses of Home Control

To get your minds in gear, I’ve listed out some possible (and existing) uses of home control. The idea of Android@Home will be to bring all this together. I’m guessing people are going to need to buy more network switches in their homes!

  • Curtain and window blind control
  • Electrical outlet control (timers and on/off)
  • TV control
  • Lighting control
  • Home CCTV
  • Burglar alarm
  • Motion sensors
  • Child monitoring
  • Garden lights
  • Pond waterfall and fountain pumps
  • Bath level monitors
  • Home cinemas
  • Thermostats and heating
  • Smart meters
  • White goods monitoring and control (fridges, cookers, washing machines etc.)
  • Doorbells

By Google open-sourcing the platform, this creates a de facto standard for people to kick-start the home control industry. If you look a bit deeper, the technology is a combination of a wireless protocol from Google and a hardware Accessory Developer Kit based on Arduino which means you can access USB devices too. Their software project is on Google Code. Arduino also have a ‘lilypad’ range for wearable applications. This could even further extend the applications for Android@Home. There are some interesting Arduino projects around, including a combination door lock. I can see how Near Field Communication (NFC), touch tech fits into all of this, but not so much machine-to-machine (M2M) technology, but in theory it could easily be interfaced. The real cleverness in all of this will be in mashing up the data and applications – mood lighting for music, intelligent context based decision making – e.g. I am the only person in the house so switch to home monitor mode when I leave. I believe this will fly because home control has been quite a popular geek project with various methods tried by people such as PSP home controllers.

Security

Clearly, this technology is a hugely attractive target to hackers, good and bad. Being able to find out what your neighbours are up to is going to mean there is a generic consumer market for attacking these systems. This is bad news for your home network.

 
 

Existing problems with Android Market come down to malicious software that has slipped through and plain old bad coding from developers. With home control solutions, you are relying on the developer to get it right. Not only for security, but also for safety. This is an untested area so is probably not completely covered by regulation but I would certainly be worried about my oven accidentally over-cooking something by 12 hours. Many of the goods that are produced with wireless control are going to have their own local safety interlocks but an intentional malicious attack or the exploitation of vulnerabilities with particular manufacturers could cause chaos. Suddenly your house has become part of critical national infrastructure! Imagine an attacker turning everything on in every house in the UK that was connected? It could easily bring down the national grid. The existence of a botnet of houses could be used to blackmail governments. Wireless, device and perimeter security are the main issues that need to be considered. A lot of this technology is built around the web, which in my view is simply not secure, nor are web runtimes robust enough for these kinds of critical applications.

At a much lower level, if burglars could remotely access your home control system, they could shut off all your security and lights enabling a much easier burglary. Conversely, it can be argued that the user is in much more control, so if their house is burgled in the middle of the day (the majority are), the user can be alerted immediately. This in itself may not be enough to prevent the burglary, but the simple fact that this function exists increases the chance of the burglar being caught. The deterrent that this creates could actually reduce burglary.

One other low level crime which could increase is handset theft. More people lose phones than have them stolen, but by putting home control onto the phone (perhaps it’s an NFC lock to the house too), you are making the user much more of a target.

I could go on and talk about other things such as further loss of privacy – think about the mountain of data Google will be sat on about your habits. There are some other projects which are studying this area – the internet of things. The EU-funded webinos project is also looking at the dangers of connecting real, physical things to the internet and how that can be secured; it’ll be an interesting one to watch. Wait for Google to make their next move in this space – automotive.