Memorandum by Adam Laurie
INTRODUCTION
1. The author has been involved in computing
since the early 1980s, the Internet since its inception, and
Internet/Network Security in particular for over 15 years. His
area of expertise extends from the Internet to mobile devices
and communication protocols in general. He is a regular speaker
and trainer at international security conferences, and is currently
Technical Director of The Bunker Secure Hosting Ltd.,[8]
of which he is also one of the founders.
2. Although this written evidence mainly
concerns non-Internet related technologies, it is important to
note that these technologies can be used as components of wider
attacks which may include use of the Internet, or, indeed, the
Internet may be used to provide access to data which could then
be used to attack one of these technologies (as can be seen in
the case of RFID enabled e-passports in section 3 below).
3. This written evidence is provided by
the author as an individual.
4. In order to keep it short, as requested
in the original call for evidence, this paper is far from exhaustive.
Subjects covered here are intended to address the area of "Defining
the problem", and will be in the fields of:
BLUETOOTH
5. Bluetooth is an RF based wire replacement
technology operating in the 2.4GHz band.
6. The Bluetooth brand and IP is owned by
a trade association called The Bluetooth SIG.[9]
7. It is commonly used for connection of
Mobile Phone to Headset and PDA to PC/Laptop.
8. It is capable of carrying Data and/or
Voice traffic.
9. Problems with Bluetooth were first publicised
in November 2003 by the author,[10]
concerning theft of data from mobile phones. This was dubbed "BlueSnarfing".[11]
10. BlueSnarfing is defined as "Taking
an unauthorised copy of data via Bluetooth".
11. Certain models of Mobile Phone were
found to be vulnerable to BlueSnarfing attacks, in which complete
phone books, calendars and other information including the IMEI
(the handset's unique identifier which can be used for phone cloning)
could be retrieved without the knowledge or authorisation of the
owner. This process typically took around 15 seconds.
12. Theft of data in this way could lead
not only to further loss if information such as house or business
alarm codes, or credit card PIN numbers etc were stored in the
device, but also embarrassing or compromising breaches of confidentiality,
as in the case of Paris Hilton's phone book, which was allegedly
Bluesnarfed in February, 2005.[12]
13. In April 2004, similar controversy surrounded
the revelations provided by Rebecca Loos selling confidential
text messages between herself and the England footballer, David
Beckham. In this case the owner of the messages herself chose
to hand them over to a newspaper, but it is clear that the technology
existed, had they but known it, for an enterprising 3rd party
to obtain the same information (and more) without her consent.
14. Although performing a BlueSnarf attack
is illegal, so gauging the true scale of the problem is impossible
without breaking the law, it is possible, within the law, to estimate
the number of vulnerable phones by a process of statistical estimation.
By scanning in public areas for visible Bluetooth enabled devices,
and profiling those devices to determine their vulnerability status,
it is possible to obtain a rough idea of the scale of the problem.
Tests performed in London, on the Underground system, during rush-hour
in November 2003, revealed that in a fixed location (Victoria
Station), approximately one potentially vulnerable phone passed
by every 10 seconds.
It is likely that this number is
now far higher, as the number of Bluetooth enabled devices entering
the market has been increasing steadily, although this is balanced
by many of the security issues having been rectified by the manufacturers.
Shortly after this test, an independent
researcher in Austria, Martin Herfurt,[13]
performed tests at a local trade show, and found approximately
1,200 potentially vulnerable devices over a four day period.[14]
15. Mr. Herfurt also went on to reveal further
problems with Bluetooth devices, known as BlueBugging,[15]
in which, amongst other things, SMS messages could be read, written
and deleted from devices, as well as sent over the GSM network,
again without the owner's consent or knowledge. This leads to a
number of issues:
Victim liable for cost of messaging
service.
Interception and/or Loss of incoming
messages.
Impersonation of victim as messages
appear to come from their number.
Potential for attack on other services
where SMS messaging is used for end-user authentication (such
as Web Portals, Web Mail etc).
Victim liable to be tracked via Internet
GSM Tracking services. In this attack (known as BlueStalking),
the mobile phone number is entered into a Web-based GSM tracking
service, which will then authenticate via SMS text message. Once
this message has been acknowledged, it is possible to determine
the whereabouts of the device, displayed as a marker on a map,
any time of day or night as long as the phone is switched on and
visible to the GSM network.[16]
16. In addition, voice calls could be initiated,
which leads to a set of further issues:
Victim liable for cost of call.
Revenue generation for 3rd party
via calls initiated to Premium Rate services.
Interception/Diversion of incoming
calls.
Impersonation of victim.
Mobile Phone being used as a listening
device by initiating a call to the attacker who can then monitor
any conversation in the vicinity of the phone.
17. In the case where the phone provides
built-in modem and/or networking facilities, it is possible to
use the device to connect to the user's Internet Service Provider,
or, even worse, to private back-end or corporate networks - the
victim's device may then be used to launch untraceable attacks
on 3rd party or internal corporate sites, or as a gateway for
unsolicited email (SPAM).
18. Finally, using BlueBugging techniques
it was possible to modify the storage areas on victim devices,
including the phone book, which could lead to more problems:
Man In The Middle attack: by modifying
an entry to dial a voice bridge instead of the intended number,
it would be possible to then create an outgoing call from the
bridge to the originally stored number and connect the two calls
together. To the victim pressing the speed-dial on their phone,
this would not be apparent, but the voice bridge would then be
in a position to monitor both sides of the conversation.
Compromising entries added to Calendar
or Phone Book.
19. All of the above problems have a potential
bearing on mobile phone forensics, as the data found on the phone
(or lodged with the service provider relating to the phone) can
no longer be relied upon if the device is known to be vulnerable
to these kinds of attacks.
20. Within 12 months of these revelations,
The Bluetooth SIG initiated a security testing and awareness program
within their development community by facilitating prototype and
production model device testing at their tri-annual industry interoperability
events known as "UnplugFests".[17]
These are held over a one week period and most of the major mobile
phone and PDA manufacturers participate, as did the author.
21. As of October 2006, Security Testing
at the UnplugFests has been discontinued. The author is under
NDA regarding the details of work undertaken at the UnplugFests.
RFID
22. RFID is an acronym for "Radio Frequency
IDentification".[18]
It is commonly used in building access control, retail security
and animal identification.
23. Trials are under way for credit card replacement/enhancement,
and machine readable travel documents such as e-passports[19]
are already in common use.
24. Typical form factors are plastic card,
key fob or injectable glass pellet.
25. Many forms of RFID rely on a unique
serial number programmed into the device at time of manufacture
for their security. Manufacturers make much of the guarantee of
"uniqueness" of the serial number, and therefore the
security of the device or the system secured by it.
26. Potential problems are cloning, skimming,
relaying and profiling/tracking:
Cloning is the process of producing
a functional copy of the device. Experiments have shown that it
is possible to imitate more or less any form of RFID tag with
specialist equipment, which, although custom built, is not particularly
bulky or costly, so could be effectively deployed.[20]
Several demonstrations of this technique
have been performed at security conferences worldwide,[21]
but the full ramifications are often lost in the debate as to
whether a device that does not follow the original form factor
is a true clone or not.[22]
The author has found it is relatively
simple to produce a "true" clone of many supposedly
"impossible to copy" devices, such as the EM4102,[23]
which not only contains the same serial number as the original,
but also follows the same form factor. The full details have not
yet been released into the public domain, but the Author can provide
demonstrations on request.
27. Additional security measures such as
cryptography may be applied to protect data stored in the RFID
device. An example of this would be the e-passport:
A cryptographically protected device
requires a key to be known to the reader in order to authenticate
and to decrypt the data stored on the device.
In the case of a device such as an
e-passport, this key must be easily available to authorised users,
such as border guards, immigration officers etc, whilst still
being secure from unauthorised users. This is achieved by deriving
the key from data printed on the identity page of the passport
itself, which is made visually available to authorised users,
but, in theory, remains unavailable to an attacker.
28. The problem with this scheme is that
the data required to derive the key may be available through other
channels. In the case of the e-passport, the key is derived from
the passport holder's Date of Birth, the Passport Number and the
Expiry Date of the passport (there is a further optional field
included in the calculation, but in all cases so far seen by the
author, this field has been blank).[24]
All of this information is included in the data required to be
submitted to the US Homeland Security Agency under the Advanced
Passenger Data agreement:[25]
The author has shown that poorly
configured airline websites can leak this data,[26]
and, even if that were not the case, the number of individuals
with access to the data (web designers, maintainers, internet
service providers, software engineers etc) is sufficient to give
cause for concern.
This gives rise to the possibility
of skimming the passport, as well as cloning it.
Cloning of e-passports has already
been demonstrated by Lukas Grunwald, a German security researcher.[27]
Reading of the data contained within
e-passports can be demonstrated by the author, using low cost,
off-the-shelf RFID equipment, a laptop, and his own software.[28]
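
The key derivation described in paragraphs 27 and 28, as an added example (not the author's own software): it builds the key seed from the three printed fields in the way the ICAO Basic Access Control specification defines it, and bounds how much secrecy remains once some or all of those fields are known through another channel. Function names are illustrative, the sample values are the specimen data from the ICAO worked example rather than a real document, and the candidate counts are assumptions.

```python
import hashlib
import math

# ICAO 9303 check digit: repeating weights 7, 3, 1; digits keep their value,
# letters A-Z map to 10-35, and the filler character '<' counts as 0.
def check_digit(field: str) -> str:
    total = 0
    for i, ch in enumerate(field):
        if "0" <= ch <= "9":
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"character {ch!r} is not valid in an MRZ field")
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Concatenate the three printed fields, each followed by its check digit."""
    doc_number = doc_number.upper().ljust(9, "<")  # short numbers are padded
    for name, date in (("birth", birth), ("expiry", expiry)):
        if len(date) != 6 or not date.isdigit():
            raise ValueError(f"{name} date must be YYMMDD")
    return "".join(f + check_digit(f) for f in (doc_number, birth, expiry))

def key_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """K_seed is the first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_number, birth, expiry)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]

def seed_entropy_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Upper bound on key entropy, given the candidates remaining per field."""
    return sum(math.log2(n) for n in (doc_numbers, birth_dates, expiry_dates))

if __name__ == "__main__":
    # Specimen values (ICAO worked example), not a real passport.
    print(mrz_information("L898902C", "690806", "940623"))
    print(key_seed("L898902C", "690806", "940623").hex().upper())
    # Assumed counts when nothing is known: 9 alphanumeric characters,
    # about 100 years of birth dates, about 10 years of expiry dates.
    print(round(seed_entropy_bits(36 ** 9, 36525, 3653), 1))
    # All three fields known from another channel: no secrecy is left.
    print(seed_entropy_bits(1, 1, 1))
```

The seed is a pure function of the printed fields, so the protection it offers is only as good as the confidentiality of those fields in every system that stores them.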
WIFI
29. WiFi is a generic term for Wireless
Local Area Networking.[29]
30. WiFi networks are used to provide local
connectivity to both home and office users, and would typically
be configured to provide Internet access for multiple computers
around the building without the need for expensive or disruptive
cabling, by using RF operating in the 2.4GHz and 5GHz bands.
31. There are typically three modes of security
for WiFi:
Open. In this mode there is no encryption
of over-the-air traffic and all data is visible to anyone within
range of the WiFi base station.
WEP - "Wired Equivalent
Privacy".[30]
This protocol provides encryption for all WiFi traffic, and purports
to protect the user from unauthorised access to their network,
or "sniffing" of broadcast traffic. Unfortunately, the
encryption used in the WEP protocol was shown to be fundamentally
flawed by researchers at Berkeley in 2001.[31]
Despite this, five years on, WEP continues to
be shipped as standard on most WiFi equipment, and is probably
the most common form of protection in use today.
WPA - "WiFi Protected Access".[32]
This protocol and its variants are intended to replace WEP and
provide a much higher degree of protection. Most modern equipment
is capable of providing this standard.
32. WarDriving[33]
is the process of searching for WiFi networks whilst driving,
and plotting them on a map. An Internet visible map of WarDriving
data can be found at "Wigle", the "Wireless Geographic
Logging Engine",[34]
which, at the time of writing, holds over 8 million individual
WiFi location records worldwide. From this map it is clear that
very large numbers of unprotected or WEP protected WiFi networks
have been deployed in the UK, and are therefore vulnerable to
attack.
33. Attacks on WiFi networks potentially
cover the entire range of possible attacks on network connected
computers, and so are beyond the scope of this paper, but suffice
it to say that as well as loss of data through "sniffing"
of over the air traffic, the potential for direct installation
of key loggers, trojans, viruses and other malicious code exists,
as does the possibility of using the compromised network as a
launchpad for attacks on other Internet connected systems.
CONCLUSIONS/GENERAL OBSERVATIONS
34. It is often the unexpected interaction
between systems, or the addition of new technologies to otherwise
reasonably mature devices that leads to security issues. For
example, adding Bluetooth to mobile phones led to compromises
of services that had previously been secure, such as OBEX File
Transfer (Bluesnarfing) and RFCOMM (Bluebugging).
35. Manufacturers have a tendency to put
"user-friendliness" before security on their list of
priorities.
36. Security may not be part of the initial
design process on a new product, and tends to be added or given
proper consideration only after problems occur.
37. When security is considered in the initial
design, it may be looked at too much in isolation of other factors
surrounding the deployment of the technology - for example,
e-passports have strong cryptography protecting their contents,
but this is weakened by the availability of the data required
to generate the cryptographic keys, and thereby access the "secure"
passport.
38. It is very unusual for a product to
be "recalled" due to security issues. In devices such
as mobile phones, problems may be fixed for future releases, but
thousands of vulnerable devices are left in the field, their owners
largely unaware that they are affected by the problem.
21 October 2006
8 http://www.thebunker.net/
9 https://www.bluetooth.org/
10 http://www.thebunker.net/security/bluetooth.htm
11 http://trifinite.org/trifinite_stuff_bluesnarf.html
12 http://technology.guardian.co.uk/online/news/0,12597,1423271,00.html
13 http://trifinite.org/trifinite_group_martin.html
14 http://trifinite.org/Downloads/BlueSnarf_CeBIT2004.pdf
15 http://trifinite.org/trifinite_stuff_bluebug.html
16 http://www.verilocation.co.uk/mobile_phone_tracking.aspx
17 https://programs.bluetooth.org/upf/
18 http://en.wikipedia.org/wiki/RFID
19 http://www.passport.gov.uk/general_biometrics.asp
20 http://cq.cx/proxmark3.pl
21 http://cq.cx/verichip.pl
22 http://www.aimglobal.org/members/news/templates/rfidinsights.asp?articleid=1535&zoneid=24
23 http://www.emmicroelectronic.com/Products.asp?IdProduct=5
24 http://www.icao.int/mrtd/download/documents/TR-PKI%20mrtds%20ICC%20read-only%20access%20v1_1.pdf
25 http://www.britishairways.com/travel/ba6.jsp/imminfo/public/en-gbus
26 http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
27 http://www.wired.com/news/technology/0,71521-0.html?tw=rss.index
28 http://rfidiot.org
29 http://en.wikipedia.org/wiki/Wifi
30 http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
31 http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
32 http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
33 http://en.wikipedia.org/wiki/WarDriving
34 http://www.wigle.net