Was it Only Faith-Based Mobile Security?

July 24, 2013

Most people consider their mobile phone voice and SMS conversations private.  Carriers have been telling us they “use encryption” for years.  We have no reason to worry about conducting non-public business over our mobile phone, do we?

Well, first, privacy is not an on-or-off concept.  There are degrees-of-privacy — less if you are screaming over a voice connection and flailing about in a crowded room, and more if you are virtually alone, speaking in a low voice or texting in a large, almost empty hotel lobby.  That seems like an easy-to-internalize risk-management rule of thumb.

Think again.  Not all mobile phone connections are equally secure.*

When it has options, your mobile phone connects to the strongest radio frequency (RF) signal source (it is more complex than that, but additional detail will not change this argument).  If that signal source is under the control of hostile parties, your privacy likely just disappeared.

Some of you might be familiar with low-power cellular base stations — sometimes called mobile network extenders.  If you live or work in an area having little to no signal from your mobile carrier, one option has for years been connecting a small box (a femtocell) to your Internet service that will behave like the standard cell towers you cannot reach — only at a much lower power and range.

These mobile network extenders have been the target of hacker attention and modification for years.  Earlier this month two researchers demonstrated how they modified a couple of different types of Verizon network extenders in ways that enabled them to intercept all voice and SMS text traffic passing through them.  It is an excellent, brief demonstration, and is worth a quick watch.

“Hackers Turn Verizon Box into Spy Tool.”
http://www.youtube.com/watch?feature=player_embedded&v=y9WU0Y03A9g

This hack is small enough to carry around in a backpack, and it can intercept and record all calls, text messages, and data sent by mobile devices within range.

Characterizing this risk is a challenge.  Whenever you are in a predictable location doing sensitive business using a mobile phone, you are above zero risk.  If you are having a strategic planning meeting and need to conference some participants in, maybe using a mobile phone is no longer risk-appropriate.  If you are working through a deal that will (at least potentially) have a material financial impact on your organization, and you are in your office or the office of a partner and either of you is a known “deal-maker,” maybe a mobile phone is no longer risk-appropriate.  The key might be to ask, “Would it be OK if this conversation or text were shared with my competitor, my regulator, my boss, or the public?”  If the answer is a consistent “yes,” then you might be OK.  If the answer includes one or more “no” responses, then maybe there is another channel for communications that would better serve your company.  This is a frustratingly vague risk issue.

Over time, the vulnerable equipment will tend to age out of the environment.  Until then, though, this situation will present a low-probability but potentially high-impact risk for all of our financial services companies.


*Let's set aside the issue of government data-harvesting and analysis for today.  That is the topic for another blog entry.

REFERENCES:

“Hackers Turn Verizon Box into Spy Tool.”
http://www.youtube.com/watch?feature=player_embedded&v=y9WU0Y03A9g

“UPDATE 1-Researchers Hack Verizon Device, Turn It Into Mobile Spy Station.”
http://www.reuters.com/article/2013/07/15/verizon-hacking-idUSL1N0FL08620130715
Mon Jul 15, 2013

“Researchers Reveal Way To Hack Into Verizon’s Network.”
http://www.crn.com/news/security/240158359/researchers-reveal-way-to-hack-into-verizons-network.htm
By Robert Westervelt, July 16, 2013

“Verizon Femtocell Hack Intercepts Calls, Data Transmissions.”
http://threatpost.com/verizon-femtocell-hack-intercepts-calls-data-transmissions/101309
By Michael Mimoso, July 16, 2013


For those with technical interest in this subject:


“What is a Femtocell.”
http://en.wikipedia.org/wiki/Femtocell

“Vulnerability Note VU#458007 — Verizon Wireless Network Extender multiple vulnerabilities.”
Original Release date: 15 Jul 2013 | Last revised: 23 Jul 2013 (this includes some of the command-line details)
http://www.kb.cert.org/vuls/id/458007

“Multiple Verizon Wireless Network Extender CVE-2013-4877 Multiple Security Bypass Vulnerabilities.”
http://www.securityfocus.com/bid/61393/discuss

“Verizon Wireless Network Extender CVE-2013-4875 Local Privilege Escalation Vulnerability.”
http://www.securityfocus.com/bid/61394/discuss

“Verizon Wireless Network Extender CVE-2013-4874 Local Privilege Escalation Vulnerability.”
http://www.securityfocus.com/bid/61395/discuss

Credit:  Doug DePerry and Tom Ritter of iSEC Partners

Verizon network extenders have been the targets of hacker modification for years.

“Hacking the Verizon Network Extender.” February 28, 2010
http://va7drm.wordpress.com/2010/02/28/hacking-the-verizon-network-extender/
“After a few late nights of hacking/programing he had an AVR re-creating the GPS serial signals as it was in the US!”

“Hacking the Verizon Network Extender — Part 2.” March 28, 2010
http://va7drm.wordpress.com/2010/03/28/hacking-the-verizon-network-extender-part-2/

“Cellular, Radio, and Hacking.” April 19, 2012
http://va7drm.wordpress.com/2012/04/19/cellular-radio-and-hacking/
“Several months we discovered that the “HDMI” port on the bottom allowed for serial access to the Linux OS. One of our guys was able to gain Root access to the device.  So I’m sure it’s possible to do all the hacking from a totally software aspect…”


Another Reason to Resist BYOD Using Consumer Mobile Devices

July 4, 2013

“The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.”[Jeff Forristal]

(If you are interested, read more about the timeline and technical details at http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/)

Technical details aside, roughly 900 million Android devices are at material risk.  When Jeff Forristal, Bluebox’s CTO, wrote that this vulnerability permits a hostile party “to modify APK code,” he could have added “…to do anything code can do.”  That means all data, all logs, all identities, and other secrets that exist on a vulnerable Android device are at risk.  It doesn’t stop there, because that hostile code can also use the network to exfiltrate the data, to download new functionality, and to attack or explore the networks to which an infected device attaches.  The coder’s creativity and time appear to be the only limits.

Google released a fix months ago, but there are numerous inhibitors to rapid deployment of Android updates — device manufacturers’ and carriers’ implementation and operating decisions being core to this problem.  In any case, the vulnerability exists in Android 1.6 and later, and it seems reasonable to assume that it will be a relatively long time before a material subset of those 900 million Android devices has the relevant updates applied.

All of us supporting financial services information and infrastructure operations security know we have employees who believe it is their right to work using their personal mobile device (Android, iOS, or another OS; there are material vulnerabilities across all types of consumer mobile devices).  They use any number of methods to migrate non-public business information to their mobile endpoint and/or their favorite cloud storage.  Some of us have active or emerging BYOD programs being rolled out for any number of reasons — too often, BYOD fever.  Many of those roll-outs enable concentrations of non-public business information on the unmanaged consumer endpoint.  The risks associated with both of those behaviors just increased.

If you are not already doing so, now is the time to invest serious energy into steering these BYOD projects into directions that are more likely to protect our customers, our investors, and the overall health of our corporations.  In the presence of facts like this new Android vulnerability, “do your own thing” at the endpoint seems increasingly out-of-phase with the legal and regulatory environment in which financial services exists.

REFERENCES:

“Uncovering Android Master Key that Makes 99% of Devices Vulnerable.”
By Jeff Forristal, Bluebox CTO
http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

“Android Vulnerability Enables Malicious Updates to Bypass Digital Signatures.”
By Michael Mimoso
http://threatpost.com/android-vulnerability-enables-malicious-updates-to-bypass-digital-signatures/
