Memorandum by Adam Laurie
1. The author has been involved computing
since the early 1980s, the Internet since it's inception, and
Internet/Network Security in particular for over 15 years. His
area of expertise extends from the Internet to mobile devices
and communication protocols in general. He is a regular speaker
and trainer at international security conferences, and is currently
Technical Director of The Bunker Secure Hosting Ltd.,
of which he is also one of the founders.
2. Although this written evidence mainly
concerns non-Internet related technologies, it is important to
note that these technologies can be used as components of wider
attacks which may include use of the Internet, or, indeed, the
Internet may be used to provide access to data which could then
be used to attack one of these technologies (as can be seen in
the case of RFID enabled e-passports in section 3 below).
3. This written evidence is provided by
the author as an individual.
4. In order to keep it short, as requested
in the original call for evidence, this paper is far from exhaustive.
Subjects covered here are intended to address the area of "Defining
the problem", and will be in the fields of:
5. Bluetooth is an RF based wire replacement
technology operating in the 2.4GHz band.
6. The Bluetooth brand and IP is owned by
a trade association called The Bluetooth SIG.
7. It is commonly used for connection of
Mobile Phone to Headset and PDA to PC/Laptop.
8. It is capable of carrying Data and/or
9. Problems with Bluetooth were first publicised
in November 2003 by the author,
concerning theft of data from mobile phones. This was dubbed "BlueSnarfing".
10. BlueSnarfing is defined as "Taking
an unauthorised copy of data via Bluetooth".
11. Certain models of Mobile Phone were
found to be vulnerable to BlueSnarfing attacks, in which complete
phone books, calendars and other information including the IMEI
(the handset's unique identifier which can be used for phone cloning)
could be retrieved without the knowledge or authorisation of the
owner. This process typically took around 15 seconds.
12. Theft of data in this way could lead
not only to further loss if information such as house or business
alarm codes, or credit card PIN numbers etc were stored in the
device, but also embarrassing or compromising breaches of confidentiality,
as in the case of Paris Hilton's phone book, which was allegedly
Bluesnarfed in February, 2005.
13. In April 2004, similar controversy surrounded
the revelations provided by Rebecca Loos selling confidential
text messages between herself and the England footballer, David
Beckham. In this case the owner of the messages herself chose
to hand them over to a newspaper, but it is clear that the technology
existed, had they but known it, for an enterprising 3rd party
to obtain the same information (and more) without her consent.
14. Although performing a BlueSnarf attack
is illegal, so gauging the true scale of the problem is impossible
without breaking the law, it is possible, within the law, to estimate
the number of vulnerable phones by a process of statistical estimation.
By scanning in public areas for visible Bluetooth enabled devices,
and profiling those devices to determine their vulnerability status,
it is possible to obtain a rough idea of the scale of the problem.
Tests performed in London, on the Underground system, during rush-hour
in November 2003, revealed that in a fixed location (Victoria
Station), approximately one potentially vulnerable phone passed
by every 10 seconds.
It is likely that this number is
now far higher, as the number of Bluetooth enabled devices entering
the market has been increasing steadily, although this is balanced
by many of the security issues having been rectified by the manufacturers.
Shortly after this test, an independent
researcher in Austria, Martin Herfurt,
performed tests at a local trade show, and found approximately
1,200 potentially vulnerable devices over a four day period.
15. Mr. Herfurt also went on to reveal further
problems with Bluetooth devices, known as BlueBugging,
in which, amongst other things, SMS messages could be read, written
and deleted from devices, as well as sent over the GSM network,
again without the owners consent or knowledge. This leads to a
number of issues:
Victim liable for cost of messaging
Interception and/or Loss of incoming
Impersonation of victim as messages
appear to come from their number.
Potential for attack on other services
where SMS messaging is used for end-user authentication (such
as Web Portals, Web Mail etc).
Victim liable to be tracked via Internet
GSM Tracking services. In this attack (known as BlueStalking),
the mobile phone number is entered into a Web-based GSM tracking
service, which will then authenticate via SMS text message. Once
this message has been acknowledged, it is possible to determine
the whereabouts of the device, displayed as a marker on a map,
any time of day or night as long as the phone is switched on and
visible to the GSM network.
16. In addition, voice calls could be initiated,
which leads to a set of further issues:
Victim liable for cost of call.
Revenue generation for 3rd party
via calls initiated to Premium Rate services.
Interception/Diversion of incoming
Impersonation of victim.
Mobile Phone being used as a listening
device by initiating a call to the attacker who can then monitor
any conversation in the vicinity of the phone.
17. In the case where the phone provides
built-in modem and/or networking facilities, it is possible to
use the device to connect to the user's Internet Service Provider,
or, even worse, to private back-end or corporate networksthe
victim's device may then be used to launch untraceable attacks
on 3rd party or internal corporate sites, or as a gateway for
unsolicited email (SPAM).
18. Finally, using BlueBugging techniques
it was possible to modify the storage areas on victim devices,
including the phone book, which could lead to more problems:
Man In The Middle attack: by modifying
an entry to dial a voice bridge instead of the intended number,
it would be possible to then create an outgoing call from the
bridge to the originally stored number and connect the two calls
together. To the victim pressing the speed-dial on their phone,
this would not be apparent, but the voice bridge would then be
in a position to monitor both sides of the conversation.
Compromising entries added to Calendar
or Phone Book.
19. All of the above problems have a potential
bearing on mobile phone forensics, as the data found on the phone
(or lodged with the service provider relating to the phone) can
no longer be relied upon if the device is known to be vulnerable
to these kind of attacks.
20. Within 12 months of these revelations,
The Bluetooth SIG initiated a security testing and awareness program
within their development community by facilitating prototype and
production model device testing at their tri-annual industry interoperability
events known as "UnplugFests".
These are held over a one week period and most of the major mobile
phone and PDA manufacturers participate, as did the author.
21. As of October 2006, Security Testing
at the UnplugFests has been discontinued, the author is under
NDA regarding the details of work undertaken at the UnplugFests.
22. RFID is an acronym for "Radio Frequency
It is commonly used in building access control, retail security
and animal identification.
23. Trials under way for credit card replacement/enhancement,
and machine readable travel documents such as e-passports
are already in common use.
24. Typical form factors are plastic card,
key fob or injectable glass pellet.
25. Many forms of RFID rely on a unique
serial number programmed into the device at time of manufacture
for their security. Manufacturers make much of the guarantee of
"uniqueness" of the serial number, and therefore the
security of the device or the system secured by it.
26. Potential problems are cloning, skimming,
relaying and profiling/tracking:
Cloning is the process of producing
a functional copy of the device. Experiments have shown that it
is possible to imitate more or less any form of RFID tag with
specialist equipment, which, although custom built, is not particularly
bulky or costly, so could be effectively deployed.
Several demonstrations of this technique
have been performed at security conferences worldwide,
but the full ramifications are often lost in the debate as to
whether a device that does not follow the original form factor
is a true clone or not.
The author has found it is relatively
simple to produce a "true" clone of many supposedly
"impossible to copy" devices, such as the EM4102,
which not only contains the same serial number as the original,
but also follows the same form factor. The full details have not
yet been released into the public domain, but the Author can provide
demonstrations on request.
27. Additional security measures such as
cryptography may be applied to protect data stored in the RFID
device. An example of this would be the e-passport:
A cryptographically protected device
requires a key to be known to the reader in order to authenticate
and to decrypt the data stored on the device.
In the case of a device such as an
e-passport, this key must be easily available to authorised users,
such as border guards, immigration officers etc, whilst still
being secure from unauthorised users. This is achieved by deriving
the key from data printed on the identity page of the passport
itself, which is made visually available to authorised users,
but, in theory, remains unavailable to an attacker.
28. The problem with this scheme is that
the data required to derive the key may be available through other
channels. In the case of the e-passport, the key is derived from
the passport holder's Date of Birth, the Passport Number and the
Expiry Date of the passport (there is a further optional field
included in the calculation, but in all cases so far seen by the
author, this field has been blank).
All of this information is included in the data required to be
submitted to the US Homeland Security Agency under the Advanced
Passenger Data agreement:
The author has shown that poorly
configured airline websites can leak this data,
and, even if that were not the case, the number of individuals
with access to the data (web designers, maintainers, internet
service providers, software engineers etc) is sufficient to give
cause for concern.
This gives rise to the possibility
of skimming the passport, as well as cloning it.
Cloning of e-passports has already
been demonstrated by Lukas Grunwald, a German security researcher.
Reading of the data contained within
e-passports can be demonstrated by the author, using low cost,
off-the-shelf RFID equipment, a laptop, and his own software.
29. WiFi is a generic term for Wireless
Local Area Networking.
30. WiFi networks are used to provide local
connectivity to both home and office users, and would typically
be configured to provide Internet access for multiple computers
around the building without the need for expensive or disruptive
cabling, by using RF operating in the 2.4GHz and 5GHz bands.
31. There are typically three modes of security
Open. In this mode there is no encryption
of over-the-air traffic and all data is visible to anyone within
range of the WiFi base station.
This protocol provides encryption for all WiFi traffic, and purports
to protect the user from unauthorised access to their network,
or "sniffing" of broadcast traffic. Unfortunately, the
encryption used in the WEP protocol was shown to be fundamentally
flawed by researchers at Berkely in 2001.
Despite this, five years on, WEP continues to
be shipped as standard on most WiFi equipment, and is probably
the most common form of protection in use today.
WPA"WiFi Protected Access".
This protocol and it's variants are intended to replace WEP and
provide a much higher degree of protection. Most modern equipment
is capable of providing this standard.
is the process of searching for WiFi networks whilst driving,
and plotting them on a map. An Internet visible map of WarDriving
data can be found at "Wigle", the "Wireless Geographic
which, at the time of writing, holds over 8 million individual
WiFi location records worldwide. From this map it is clear that
very large numbers of unprotected or WEP protected WiFi networks
have been deployed in the UK, and are therefore vulnerable to
33. Attacks on WiFi networks potentially
cover the entire range of possible attacks on network connected
computers, and so are beyond the scope of this paper, but suffice
it to say that as well as loss of data through "sniffing"
of over the air traffic, the potential for direct installation
of key loggers, trojans, viruses and other malicious code exists,
as does the possibility of using the compromised network as a
launchpad for attacks on other Internet connected systems.
34. It is often the unexpected interaction
between systems, or the addition of new technologies to otherwise
reasonably mature devices that leads to security issuesFor
example, adding Bluetooth to mobile phones led to compromises
of services that had previously been secure, such as OBEX File
Transfer (Bluesnarfing) and RFCOMM (Bluebugging).
35. Manufacturers have a tendency to put
"user-friendliness" before security on their list of
36. Security may not be part of the initial
design process on a new product, and tends to be added or given
proper consideration only after problems occur.
37. When security is considered in the initial
design, it may be looked at too much in isolation of other factors
surrounding the deployment of the technologyfor example,
e-passports have strong cryptography protecting their contents,
but this is weakened by the availability of the data required
to generate the cryptographic keys, and thereby access the "secure"
38. It is very unusual for a product to
be "recalled" due to security issues. In devices such
as mobile phones, problems may be fixed for future releases, but
thousands of vulnerable devices are left in the field, their owners
largely unaware that they are effected by the problem.
21 October 2006
8 http://www.thebunker.net/ Back