Chapter 4. Crimeware in Small Devices

Bruno Crispo, Melanie Rieback, Andrew Tanenbaum, Ollie Whitehouse, and Liu Yang

This chapter considers the potential for crimeware in small devices, including USB drives, radio frequency identification (RFID) tags, and general mobile devices. These devices can and often do contain important data. As these devices continue to proliferate, crimeware authors may turn their attention to them.

4.1 Propagation Through USB Drives*

Not counting built-in hardware, USB flash drives are probably the most popular storage devices today. They are small, lightweight, fast, portable, rewritable, and reliable. In 2007, the largest-capacity USB flash drive had a storage size of 64GB [436]. USB flash drives are supported by all modern operating systems. Besides being used in data storage and transfer, these drives find use in a variety of other applications. In particular, they can be used by system administrators to load configuration information and software tools for system maintenance, troubleshooting, and recovery. In case of system failure or emergency, a bootable USB flash drive can be used to launch an operating system [439]. These drives are also used in audio players, such as the iPod produced by Apple, Inc.

While USB flash drives certainly offer convenience in our lives, they also pose security challenges to computer users and organizations. For example, they can be used as carriers of viruses, spyware, and crimeware [431, 432]. Computers and other electronic devices are vulnerable to attackers connecting a flash drive to a free USB port and installing crimeware to retrieve confidential information from the systems. One common feature of USB flash drives is that they are small in size and, therefore, can be easily disguised. For example, they can be integrated into a watch or a pen. This feature helps in information stealing by USB flash drives. In 2006, for example, a man in England was convicted of using an MP3 player to compromise ATMs; he stole roughly $400,000 of other people’s money [434]. The criminal plugged his MP3 player into the back of free-standing cash machines, and the MP3 player then recorded the customer details as they were transmitted over the phone lines to the bank. The recorded information was used to clone cards for taking money from the ATMs.

Crimeware can be propagated by USB flash drives in a variety of ways. The propagator may distribute it intentionally or unintentionally, locally or remotely (e.g., selling USB drives preloaded with crimeware at a very low price on eBay, as in the case involving the sale of wireless routers with malicious firmware described by Tsow et al. [426]). Alternatively, the attacker may intentionally drop USB flash drives containing crimeware in places where they are sure to be found (e.g., bathroom, elevator, and sidewalk)—and simply wait.

In 2006, Stasiukonis and his colleagues were hired by a credit union to evaluate the security of its network system [383]. Instead of using a traditional approach, Stasiukonis and his colleagues prepared some USB flash drives imprinted with a trojan that, when run, would collect passwords, logins, and machine-specific information from a user’s computer, and then email the findings back to them. They scattered these drives in the parking lot, smoking areas, and other areas that employees frequently visited. Most employees who found the USB drives plugged the drives into their computers immediately after they sat down in front of their computers. The collected confidential information was then mailed back to the researchers. Among the 20 distributed USB flash drives, 15 were found by credit union employees and all had been plugged into the company’s computers. The harvested data helped Stasiukonis and his colleagues to compromise additional systems of the company.

Many portable media players (PMPs) store their data on USB flash memory. Like the common USB drives used for data transfer, these players pose potential threats to the computers to which they are connected for recharging and music downloading. Apart from being infected by crimeware stored on a connected computer, some flash-based media players have shipped from the manufacturer already infected. For example, some of the fifth-generation iPods made by Apple were reported to contain a trojan named RavMonE.exe, a variant of the W32/RJump worm [433, 445]. When such an iPod was connected to a computer with its auto-run option enabled, the crimeware was installed on the connected computer if the user agreed to the auto-run prompt [452]. The crimeware opened a backdoor providing the attacker with unauthorized remote access to the compromised computer [445, 448]. Imagine that a user connects such an iPod to his company’s computer to download music; the crimeware may then propagate across the company’s entire network in just a few seconds, allowing the attacker to remotely access the company’s computer systems.

In November 2006, Microsoft released Zune [455], a digital audio player. The device plays music and videos, displays images, receives FM radio, and shares files wirelessly with other Zunes. Like Bluetooth malware, the wireless feature of the Zune presents an extra challenge for security staff. For example, a Zune will be able to transmit corporate data outside the building without going through the company’s networks.

4.1.1 Example: Stealing Windows Passwords

An example will suffice to show how easy it is to steal the passwords of a Windows system with a USB flash drive. In Microsoft Windows systems, users’ accounts, which also contain usernames and passwords, are kept in the Windows registry and in the SAM (Secure Account Manager) file. The SAM file keeps usernames and hash values of the corresponding passwords. This file is located under the %SystemRoot%\system32\config directory for the Windows 2000 and Windows XP operating systems and under a slightly different directory for the Windows 9X and Windows NT systems.

One approach to obtain the usernames and the corresponding passwords is to access the SAM file. It is impossible to access the SAM file while the Windows operating system is running, because this file is used by the operating system. However, if an attacker has physical access to the machine, it is possible to copy the SAM file by booting the machine with another operating system. A bootable USB flash drive [439] can be used to accomplish this task. After the machine is booted up, the hard drive containing the SAM file can be mounted to the file system of the running system. Then the SAM file can be copied to a directory of the connected USB drive.

The newly obtained SAM file can be processed offline by using a password recovery tool such as LCP [438], SAMDump [449], SAMinside [450], or pwdump [442, 443, 444]. For example, LCP can extract the usernames and corresponding password hashes from the imported SAM file and then retrieve the passwords of users by using any of three approaches: the dictionary attack, the brute force attack, and the hybrid attack (which combines the former two strategies). Usually, LCP will find the passwords of the target users in a short time, sometimes within a few minutes. In cases where the password hashes of users are encrypted by the SYSKEY tool of the operating system, a file named system, which contains the ciphertext of the encrypted password hashes, needs to be copied as well to recover the passwords of the target users. The system file is located in the same directory as the SAM file.

The preceding approach may retrieve the passwords of users without their awareness, because the attacker does not make any change to the target system. The only requirement for an attacker is to gain the physical access to a target machine for a few minutes. The copied files can be hidden in the USB flash drive as “deleted” files and recovered later by using some tools.

Another way to compromise a Windows system running on FAT/FAT32 file systems is to boot the system using a USB drive, move the logon.scr file to a backup directory, and change the cmd.exe file name to logon.scr. After that change, the rebooted Windows system will enter the DOS interface directly without asking for a username and password. This approach allows an attacker to change the password of the administrator by using a command such as net user admin mypass [454]; the attacker can then do whatever he or she wants. The compromise may be detected by the administrator soon, once he or she realizes that the administrator password has been changed.

Besides the previously mentioned methods, some tools may be used to reset the accounts and passwords for Windows systems. For example, Windows Key [446, 447] can be installed on a bootable USB flash drive and then used to reset usernames and passwords for a Windows system in a few minutes.

4.1.2 Example: Let’s Go Further

The emergence of the U3 smart drive [451], which allows applications to be executed directly on a specially formatted USB flash drive, has raised even more concern among members of the security community. In September 2006, an instant USB password recovery tool—USB Switchblade [432, 437]—was demonstrated as part of Hak5, an online technology show. USB Switchblade consists of a U3 USB flash drive with a payload capable of installing backdoors and extracting confidential information from a connected system [440]. Unlike the traditional USB flash drives, U3 flash drives are self-activating and can auto-run applications when inserted into a system. Upon being inserted into a machine running Microsoft Windows system, USB Switchblade silently recovers information from the system such as password hashes, IP addresses, browser history, auto-fill information, and AIM and MSN Messenger passwords, as well as creating a backdoor to the target system for later access. This tool takes advantage of a feature in U3 to create a virtual CD-ROM drive on the USB flash drive, allowing the Windows auto-run function to work. In case the auto-run option is disabled, or if U3 is not used, USB Switchblade can be started by executing a single script on the drive. The tool has evolved to circumvent the antivirus protection of some systems that would usually detect malicious executables.

Another U3-based malware—USB Hacksaw [431]—has been developed as an extension of USB Switchblade. Once installed on a system, it will run a process in the background whenever the computer starts, waiting for a USB flash drive to be connected. When a USB flash drive is inserted into the system, its contents are automatically copied and sent through an encrypted SMTP connection to a remote email account controlled by an attacker. Both USB Switchblade and USB Hacksaw are available on public web sites.

4.1.3 DMA Vulnerability

Direct memory access (DMA) is a feature of modern computers that uses bulk data transfers to copy blocks of memory from the system RAM to or from a buffer on a device without imposing a heavy overhead on the CPU. With DMA, the CPU initializes the data transfer, performs other operations while the transfer is in progress, and receives an interrupt from the DMA controller once the transfer has completed. Many types of hardware use DMA for data transfer, including disk drives, graphics cards, and network cards. The specifications for both Firewire and USB, for example, have provisions for DMA. That means that under many circumstances a device plugged into a Firewire or USB port has the ability to read and write the physical memory of the connected computer. Such access bypasses the operating system’s security checks entirely.

Becher, Dornseif, and Klein have demonstrated how to exploit the DMA feature of a system by plugging an iPod running Linux into the Firewire port of a target machine [122]. The iPod successfully grabbed a screenshot of the connected machine without the computer’s permission. In fact, the authors claim that they can read and write arbitrary data from and to an arbitrary location in memory. Thus they can scan the memory for key material and inject malicious code into memory. For example, the malicious code may scan the hard drive of the target machine for confidential documents and copy them to the iPod.

4.1.4 Gauging the Risk

One feature of USB-based crimeware is its low propagation cost. All an attacker needs is a bunch of USB flash drives, on which the attacker installs the crimeware. Because the size of crimeware is small, it can be loaded onto almost any USB flash drive. In mid-2007, the cost for a 1GB USB flash drive was approximately $10.

Another feature of USB-based crimeware is its high hit rate, based on the statistics that 15 out of 20 scattered USB flash drives had been found and plugged into a company’s computers by the firm’s employees [383]. This hit rate is much higher than that of traditional phishing emails. By using state-of-the-art techniques, more than 99% of phishing emails can be filtered by the mail servers before they can reach the recipients [13, 14]. According to a phone survey conducted by Pew Internet & American Life Project in 2005, 2% of people who received phishing emails admitted to providing the requested information [113]. Hence the hit rate of phishing emails is expected to be 0.01 × 0.02 = 0.0002, or 0.02%, much lower than that of USB-based crimeware. An important factor responsible for the high hit rate of USB-based crimeware is that few people will refuse to take a free USB flash drive given its convenience for data storage and transportation. If it is an iPod, people will like it even more.

Statistics show that the total financial loss attributed to phishing was $2.8 billion in 2006 [252], and the average loss per victim was $1244 [441]. We believe that USB-based crimeware may cause a higher loss than the traditional phishing emails, owing to its much higher hit rate. A person having a USB flash drive loaded with crimeware may share the drive with family members, friends, or colleagues. Thus, USB-based crimeware will hit at least one victim if the crimeware is not detected by the antivirus software. Assume such an attack causes the same amount of average loss (i.e., $1244) to a victim as phishing does. Then a $10 investment in a USB flash drive will make a profit of $1244 for the attacker. What else can be more profitable than this business? The loss will be worse if one USB flash drive harvests information from more than one victim. While a victim is not likely to fall prey twice to the same phishing attack, he or she will not escape the attack of the crimeware unless it is removed by the antivirus software from the system.

Attackers may also design crimeware that propagates through the USB port. In other words, the program can “infect” any USB storage device that is inserted into the machine. If a USB device becomes infected, it can spread the crimeware to every other machine into which it is plugged. In countries where pirated software is popular, computer users may not be able to update their antivirus software in time to avoid the attack. The USB-based crimeware in such systems is expected to survive longer than usual because of the out-of-date virus database used by the systems. That will cause more damage to both individuals and society.

The storage size of USB flash drives has increased rapidly, going from the initial 8MB [453] to 64GB in 2006 [349]. This huge capacity provides convenience when the goal is theft of bulk information. For example, a thief could steal all of a server’s or PC’s data, take it home, and crack the security at the attacker’s leisure.

4.1.5 Countermeasures

Several techniques can be used to reduce the threats posed by USB-based crimeware. First, all users should keep their antivirus software up-to-date. This will make it more difficult for the crimeware to circumvent the security check of the system.

A lot of USB-based crimeware takes advantage of the auto-run feature of the Windows system, so disabling auto-run will help to reduce the likelihood of being automatically infected by crimeware contained in a connected USB flash drive. Organizations such as financial institutions may also need to disable the USB ports of the computers used by their employees.
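To check whether that defense is actually in effect on a machine, here is an added example (not code from the chapter) that decodes the NoDriveTypeAutoRun policy value Windows uses to switch auto-run off per drive type, and reports whether removable drives and the CD-ROM class (the type a U3 drive’s virtual CD presents) would still auto-run. The bit assignments, the 0x91 default, and the HKLM-over-HKCU precedence rule are stated as assumptions in the code; the live registry read is skipped where the winreg module is unavailable.

```python
# Added example: audit the Windows NoDriveTypeAutoRun policy (assumptions noted below).
# A set bit DISABLES auto-run for that drive type (assumed bit layout of the DWORD).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",   # USB flash drives, floppy disks
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",       # also covers the virtual CD-ROM a U3 drive exposes
    0x40: "ramdisk",
    0x80: "reserved",
}
DISABLE_ALL = 0xFF       # recommended setting: no drive type auto-runs
DEFAULT_POLICY = 0x91    # assumed built-in default when no policy value exists

POLICY_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def read_registry_policy():
    """Return (hklm, hkcu) values on Windows, None for a missing value.

    Off Windows the winreg module does not exist, so both come back as None and
    the caller can feed in values captured elsewhere (e.g. from a registry export).
    """
    try:
        import winreg
    except ImportError:
        return None, None
    found = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _kind = winreg.QueryValueEx(key, POLICY_VALUE)
                found.append(int(value))
        except OSError:
            found.append(None)
    return tuple(found)


def effective_policy(hklm_value, hkcu_value, default=DEFAULT_POLICY):
    """Assumed precedence: a machine (HKLM) policy overrides the per-user (HKCU) one,
    and the built-in default applies only when neither is set."""
    if hklm_value is not None:
        return hklm_value
    if hkcu_value is not None:
        return hkcu_value
    return default


def still_autoruns(policy_value):
    """Names of the drive types whose auto-run is still enabled under this value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not policy_value & bit]


def assess(hklm_value, hkcu_value):
    """Summarise exposure to USB-borne auto-run: removable media and the CD-ROM class."""
    value = effective_policy(hklm_value, hkcu_value)
    enabled = still_autoruns(value)
    exposed = [t for t in enabled if t in ("removable", "cdrom")]
    return {
        "effective_value": value,
        "autorun_enabled_for": enabled,
        "usb_exposed": exposed,
        "compliant": not exposed,
        "recommended_value": DISABLE_ALL,
    }


if __name__ == "__main__":
    hklm, hkcu = read_registry_policy()
    # Constructed sample values for a non-Windows run: no machine policy, user policy at default.
    if hklm is None and hkcu is None:
        hklm, hkcu = None, DEFAULT_POLICY
    report = assess(hklm, hkcu)
    print(f"effective NoDriveTypeAutoRun = 0x{report['effective_value']:02X}")
    print("auto-run still enabled for:", ", ".join(report["autorun_enabled_for"]) or "nothing")
    print("exposed to USB/U3 auto-run:", report["usb_exposed"] or "no")
```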

Some administration tools [435] can be used to control the use of USB devices, to track information as it is read from or written to the USB devices, and to log every event and attempt to access the USB devices. The logs will help to trace the attacker in case some information has been stolen or suspicious accesses have been performed.

Because a lot of crimeware steals information and communicates with remote attackers, it is very important to keep computers behind the protection of the firewall and to make sure the firewall is working well. In case a computer has been infected by USB-based crimeware, stop using that machine and cut off its network connection before taking further actions to clean the crimeware.

Fortunately, USB-based crimeware has aroused public attention. Both industry and researchers are making valiant efforts to mitigate the threats posed by it. The good news is that some manufacturers of USB drives have begun shipping their products with built-in antivirus protection [193]. Nevertheless, we need to recognize that the built-in antivirus software must be updated the first time the USB drives are used. As time goes on, ordinary USB drives without protection will gradually be replaced by the new ones with antivirus protection.

4.2 Radio Frequency ID Crimeware*

Radio frequency identification (RFID) technology is on the verge of exciting times: Standards are solidifying, RFID tag prices have hit an all-time low, and the mandates of the two largest proponents of RFID—the U.S. government and Wal-Mart—have motivated RFID trials on a global scale. By 2015, the total market for RFID is predicted to soar to $24.5 billion [78]. InformationWeek dubbed RFID as one of the “Five Disruptive Technologies to Watch in 2007” [394].

But as RFID’s growth attracts more media attention, undesirable characters may also begin to take notice of this technology. Big money tends to mobilize criminals, who are creative in finding ways to steal it. RFID’s main security defense is its learning curve, but deployers should not assume that criminals will be technophobic. Financially motivated attackers have long embraced the Internet, along with other emerging technologies such as instant messaging and MySpace, using them to extort large sums of money from companies and individuals alike. In fact, financially motivated, technologically based attacks are on the rise: According to a Symantec study [209], more than half of recent major Internet threats tried to harvest personal information—a sign that financial gain is likely behind the attacks (i.e., through spam, phishing, and botnets). Trojans, worms, and viruses often steal usernames and passwords for financial web sites. Identity theft features were found in 54% of the top-50 malicious code samples detected by Symantec in 2005.

These trends suggest that RFID technology may also become a popular target, once criminals determine that it is profitable. The upcoming paragraphs will ponder the logical but unexplored concept of RFID crimeware—attacks focused on obtaining financial returns in the context of RFID technology.

4.2.1 Radio Frequency Identification

RFID tags are remotely powered computer chips that augment physical objects with computing capabilities. RFID blurs the boundaries between the online and physical worlds, giving physical objects a “virtual” presence, thus increasing their visibility and efficiency in a wide range of automated processes. More abstractly, RFID tags also serve as an enabler for ubiquitous [473] or invisible [474] computing, allowing individuals to manage hundreds of wirelessly interconnected real-world objects, as if an intuitive extension of their own physical bodies.

RFID tags may be as small as a grain of rice (or smaller), and have built-in logic (microcontroller or state machine), a coupling element (analog front end with antenna), and memory (pre-masked or EEPROM). Passive tags (such as the tracking device shown in Figure 4.1) are powered exclusively by their reading devices, whereas active tags also contain auxiliary batteries on board. Under ideal conditions, passive low-frequency (LF) tags (125–135 kHz) can be read up to 30 cm away, high-frequency (HF) tags (13.56 MHz) up to 1 m away, ultra-high-frequency (UHF) tags (2.45 GHz) up to 7 m away, and active tags 100 m or more away [120].

Figure 4.1. Typical RFID usage: compact discs.

RFID deployments also employ a wide variety of physically distributed RFID readers, access gateways, management interfaces, and databases. A typical example of RFID back-end architecture is the Electronic Product Code (EPC) network. It consists of RFID tags, RFID readers, data filtering/correlation servers, Object Name Service (ONS) resolvers, and EPC Information Service (EPCIS) databases.

RFID Applications

RFID promises to unleash a flood of new applications, forever banishing wires, lines at the grocery store, and pocket change from our daily lives. RFID proponents also extol its commercial uses for asset tracking and supply chain management. Contactless access passes help us police our residential, industrial, and national borders, while consumers have embraced RFID-based retail systems such as PayPass and SpeedPass and automatic toll payment systems such as EZ-Pass, IPass, and SunPass. RFID-based personal applications are also proliferating, ranging from “smart” refrigerators, to interactive children’s toys, to domestic assistance facilities for the elderly. RFID tags can identify lost house pets [279] and even keep tabs on people; the data carriers have assisted with surgeries [248], prevented the abduction of babies, and tracked teenagers on their way to school. Subdermal RFID chips have even become hip accessories for patrons of some European nightclubs. They have also been (less glamorously) deployed for tracing the origins of cadavers donated to the medical school at the University of California [319].

Why RFID Is Big Money

The RFID industry is growing. In 2005, the global market for RFID technologies was $1.94 billion. By 2015, it is predicted to reach $24.5 billion [78]. However, despite the value of RFID itself, the application domains that use RFID equipment are worth even more. One type of frequently RFID-tagged object, the shipping container, carries $185,000 worth of cargo on average, and sometimes up to $2 million to $3 million each [243]. Pharmaceuticals are also big-ticket RFID-tagged items; Trizivir, a three-in-one HIV drug from GlaxoSmithKline (one of the 32 most commonly counterfeited drugs [280]), costs $825 per month [11]. But most importantly, the retail economy (and its frequently tagged supply chain) involves more than $1845 trillion in transactions annually [457]. With these amounts of money at stake, it is easy to see how the success of RFID in any given application depends on having a reliable and secure environment for operations.

4.2.2 RFID Security Problems

RFID’s association with big-ticket physical objects could make even nontechnically savvy criminals take note of this technology. This section discusses the major classes of attacks against RFID systems as well as the attacker model.

Major Classes of RFID Attacks

Skimming. RFID tags are designed to be readable by any compliant reader. Unfortunately, this allows any compatible reader to scan tagged items unbeknownst to the bearer. Attackers can also collect RFID information from greater distances by eavesdropping on the more powerful outbound RFID queries.

Tracking. RFID technology could facilitate the monitoring of individuals’ whereabouts and actions. RFID readers placed in strategic locations (such as doorways) can record RFID tag responses, which can be persistently associated with an individual person. Also, RFID tags with non-unique identifiers can enable tracking by forming constellations, or recurring groups of tags that are associated with an individual.

Tag cloning. Tag cloning produces unauthorized copies of legitimate RFID tags. Attackers in a supermarket, for example, might write appropriately formatted data on blank RFID tags, identifying the products as similar, but cheaper versions. A real-world example of tag cloning occurred when researchers from Johns Hopkins University and RSA Security cloned a cryptographically protected Texas Instruments digital signature transponder (DST), which they used to buy gasoline and unlock a DST-based car immobilizer [44].

Relay attacks. Attackers can use relay devices, which intercept and retransmit RFID reader queries and/or RFID tag responses, to carry out man-in-the-middle attacks on RFID deployments. RFID relay devices have been independently implemented by at least three researchers: Ziv Kfir [213], Jonathan Westhues [476], and Gerhard Hancke [165].

Tag spoofing. Attackers can use actively powered devices to emulate one or more RFID tags. Tag emulators can create fake tag responses by synchronizing themselves with the querying RFID reader’s clock signal and then using either a passive load resistor [475] or actively transmitted sideband frequencies [351] to send data in accordance with higher-level RFID standards.

Denial of service. Attackers can exploit RFID systems by preventing either the RFID tags or back-end RFID middleware from functioning. For example, thieves could steal RFID-tagged items by deactivating/removing tags or by placing them in a Faraday cage. An attacker could also engage in a denial-of-service attack by using the opposite approach: flood an RFID system with more data than it can handle.

Malware. Attackers can also use RFID malware—that is, traditional “hacking” attacks condensed down so that they fit onto (and can be launched from) RFID tags. RFID malware encompasses three distinct categories: RFID exploits, RFID worms, and RFID viruses [350]. RFID exploits can take the form of buffer overflows, code insertion, and SQL injection attacks. RFID worms and viruses are simply RFID exploits that copy the original exploit to newly appearing RFID tags. The main difference between the two is that RFID worms rely on network connections to propagate, whereas RFID viruses do not.

Attacker Model

So far, the most prominent RFID attackers have been graduate students. That’s not a problem, because grad students have good intentions and a limited profit motive. However, the attacker model might not remain that way: Profit-driven attackers are likely to appear, once RFID becomes sufficiently pervasive. Parallel to the current situation with Internet malware, RFID may then face attackers who range from bored kids to organized crime.

Low-stakes attackers (also known as script kiddies) are likely to appear once simple (or fully automated) RFID attacks have proven to be profitable. Internet lore has provided many historical examples of such attackers. For example, in 2001–2002, JuJu Jiang planted a commercial keylogger at 13 Kinko’s stores in Manhattan [316]. Over the course of nearly two years, he collected more than 450 online banking usernames and passwords from Kinko’s customers. The hijinks ended when investigators discovered and traced Jiang’s IP address back to his mother’s apartment.

RFID technology is also likely to face challenges from profit-driven attackers who focus on low-risk, easily exploitable targets. The simplest RFID-based attacks are physical attacks (i.e., Faraday cages, tag swapping) or unauthorized tag querying/rewriting using a standard OEM RFID reader. Ultimately, more sophisticated attacks (i.e., tag spoofing, selective tag jamming) will likely come within reach of the low-skill attackers, as inexpensive RFID tag emulation devices should soon be appearing on the commercial market (i.e., OpenPICC [475]).

High-stakes attackers are more worrisome. Focusing on broader-scale, high-profit operations, organized criminals could adopt RFID as a shiny new tool to enhance their preexisting criminal activities. Criminals have never proven to be technophobic; the Internet has already become a playground for their extortion and identity theft activities. Furthermore, if RFID is used to identify and secure big-ticket articles such as bulk pharmaceuticals, passports, money, and cars, organized crime will surely embrace the use of RFID crimeware.

Nontraditional attackers could also emerge, in the form of businesses and governments. These entities could (perhaps inadvertently) abuse the capabilities of RFID-enhanced data collection, thus blurring the line between attackers and “the establishment.” To avoid such missteps, the RFID-enabled collection of personal data must be regulated and monitored for legal compliance.

4.2.3 Types of RFID Crimeware

Traditional crimeware takes several forms. Similarly, RFID crimeware manifests itself in multiple variations, including RFID-enabled vandalism (of data or physical objects), RFID-enabled identity theft (of personal/financial information), and RFID-enabled theft (of data or physical objects).

RFID-Enabled Vandalism

Not everyone considers digital vandalism to be a serious crime. Think about a defaced website: Is it lighthearted and amusing? An act of self-expression? Political activism? Or is the defacement just plain criminal? One thing is certain: No matter how frivolous such acts may seem, digital vandalism is definitely not harmless. Security software firm McAfee estimates that cybertheft and vandalism cost the U.S. economy $20 billion per year [328].

Worse yet, criminals perform other acts of vandalism on the Internet, such as distributed denial-of-service (DDoS) attacks, that cause monetary losses and public embarrassment. For example, in 2000, the DDoS attacks on Yahoo!, eBay, Amazon.com, and other prominent web portals led to approximately $1.2 billion in lost revenues. Digital vandalism is a convenient weapon for competitors and enemies. However, profit-driven criminals have also discovered the utility of vandalism; they use DDoS attacks (via botnets) to extort money from web sites, offering “protection” from the attacks if they are paid a fee.

Vandalism of this kind is likely to cross over into the RFID domain. Criminals could vandalize high-value databases (such as the EPC Information Service databases) for the purposes of extortion or to cripple competition. For example, RFID-wielding crooks could use a technique similar to cryptoviruses [487] to aid their extortion attempts. First demonstrated in 1989, a cryptovirus employs military-grade cryptography to take data hostage. The attacker could encrypt data in the victim’s database (perhaps using an RFID worm) and then send a ransom note, demanding that a specific sum of money be sent to an e-payment account maintained by the remote malicious user (e.g., EGold, Webmoney) in exchange for the key enabling decryption of the “kidnapped” data.

Unfortunately, RFID merely makes this situation worse, by enabling criminals to vandalize tagged physical objects via their corresponding RFID tag data. This is most vividly illustrated with an example. Ford Motor Company uses reusable active RFID transponders on every vehicle at its manufacturing facilities in the United States. When a car enters a painting booth, the RFID transponder queries the database to find the correct paint code; it then routes this information to a robot, which selects the correct paint and spray-paints the vehicle [154]. It takes only a small bit of imagination and a back-of-the-envelope calculation to realize how serious the financial consequences of vandalism would be in this scenario. Thus, not only does RFID give computer criminals an unprecedented ability to cause financial damage, but it also increases their leverage when performing high-stakes extortion.

RFID-Enabled Identity Theft

Unbeknownst to many, the Internet is a classroom, meeting place, and bazaar for thieves of personal/financial data. Identity theft is lucrative—stolen personal or financial data can readily be resold on the black market. For example, stolen Visa Gold or Mastercard details sell for $100 apiece [492]. Criminals use the stolen information to make online purchases, having the goods delivered to a drop. The illicit goods are then resold through online auctions. Lists of 30 million email addresses can also be purchased for less than $100 [398]. According to the Federal Trade Commission, approximately 10 million Americans have their personal information abused every year, costing consumers $5 billion and businesses $48 billion annually [492].

Identity theft is so lucrative that it is likely to be carried over into the RFID arena. There are several ways that criminals can perform RFID-enabled theft of personal/financial information; one vivid example is skimming attacks against RFID credit cards. Two researchers from the University of Massachusetts at Amherst, Tom Heydt-Benjamin and Kevin Fu, recently demonstrated the skimming of cleartext information from RFID-enabled credit cards [172], including the cardholder name and credit card number. They dubbed it the “Johnny Carson attack,” after Carson’s “Carnac the Magnificent” sketches, in which he divined answers without physically opening an envelope containing the questions. Heydt-Benjamin and Fu hypothesize that, in a similar way, criminals could bribe post office employees to harvest credit card information from sealed envelopes.

Criminals could also adopt RFID malware [350] as a tool for identity theft. RFID malware is composed of RFID exploits (buffer overflows, code insertion, SQL injection), RFID worms (RFID exploits that download and execute remote malware), and RFID viruses (RFID exploits that leverage back-end software to copy the original exploit to newly appearing RFID tags). Attackers could thus use RFID tags as a low-risk way to install remote malware, perhaps to harvest personal/financial data from the back-end database.

To continue the analogy, criminals looking for vulnerable RFID readers could perform “RFID wardriving” (modeled after WiFi wardriving [36] or warkitting [426]), where criminals wander the streets looking for exploitable RFID readers. Or perhaps, if they seek a vulnerability in specific RFID middleware, criminals could try their hand at RFID “fuzzing”; this involves the use of RFID emulators to send randomly generated, partially invalid RFID data to RFID middleware, with the purpose of automatically uncovering vulnerabilities.

Spamming (i.e., sending scores of unwanted emails) is another frustrating practice that criminals use to turn a profit on the Internet. A common misperception is that spammers earn money from product sales; the reality is that spammers primarily get their revenue from other sources. These ventures may include banner ads (which pay the spammer per click), the covert downloading of a program that dials a premium-rate toll number, accepting payment for nonexistent items, and “pump and dump” stock schemes, which encourage people to buy (thus raise the price of) a certain stock, so spammers can then sell it for a profit [232]. RFID tags could also be enlisted for “spamming” purposes. For example, an EPC Gen2 tag could have a bogus URI that points to a banner ad instead of an ONS server, thus earning revenue for the spammer for each tag read.

RFID-Enabled Physical Theft

Even in the digital age, both high- and low-stakes criminals still pursue the theft of physical objects. Cars make an especially attractive target. According to the National Insurance Crime Bureau (NICB), the total losses from vehicle theft are more than $8 billion annually in the United States [221]. Identification (fake or not) is also worth a fair amount on the black market: Stolen passports are worth $7500, and counterfeit ones are worth $1500 each [149]. Gadgets and commercial items also attract thievery. The U.S. retail industry loses $46 billion annually to retail and supply chain theft [488], and losses from cargo stolen “in transport” have been estimated to be as high as $12 billion [180].

RFID is now hyped as a tool to secure these big-ticket items—from cars, passports, and retail items to 40-foot shipping containers. Of course, traditional security procedures and tools will remain available. Nevertheless, if RFID proves to be the “weakest link,” making the theft of big-ticket physical items any easier, even criminals who are not technically savvy will start to take notice.

RFID-specific attacks can facilitate the theft of services (from usage of ski lifts, or public transportation, to cheating highway toll payment systems) or the theft of physical objects. One of the most obvious methods of RFID-specific theft is to deactivate or swap RFID tags on retail objects. However, RFID technology can also allow criminals to steal larger-ticket items. A classic example was the 2005 Johns Hopkins University/RSA Security attack against the Texas Instruments Digital Signal Transponder (TI-DST) [44]. During their security analysis, the JHU/RSA team reverse-engineered the details of TI’s proprietary cipher, and then used an array of 16 FPGAs to crack the 40-bit cryptographic keys on DST tags in just under an hour. These keys were then used to create cloned DST tags, which allowed the group to disable a vehicle immobilizer in a 2005 Ford automobile and to purchase gas at various Exxon–Mobil locations.

Perhaps surprisingly, the JHU/RSA Security attack was not as academic as some people might think. There are documented cases of real-world car thieves stealing cars via wireless attacks on keyless entry and ignition systems [12]. In one case, thieves stole two of soccer star David Beckham’s BMW X5 SUVs in six months by using laptops to wirelessly break into the car’s computer. It takes as long as 20 minutes to crack the encryption, so the thieves followed Beckham to the mall where he had a lunch appointment, and attacked the car after it was parked [12].

Regardless of the antitheft technology used, expensive physical objects will attract high-stakes attackers. Despite the learning curve, criminals will inevitably evolve their techniques to adapt to technological advances. And if it proves to be sufficiently profitable, criminals will learn how to attack RFID technology.

4.2.4 Countermeasures and Other Considerations

RFID deployers can take a number of countermeasures to protect individuals and businesses from RFID crimeware. As with many other systems, RFID security requires a combination of policy-level, procedural, and technological controls.

Policy-level controls may include high-level RFID/IT security policies, interorganizational security policies (i.e., EPCglobal), and high-level privacy policies for RFID-collected data. Deployers also have the obligation to raise public awareness about the inherent dangers of their RFID systems, so as to help prevent the users from being exploited.

Procedural controls come in many forms, but primarily entail the use of other kinds of security controls to supplement those provided by RFID. For example, physical access control is a critical security measure for many high-stakes applications; random inspection can help to ensure that RFID tags belong to their corresponding physical objects. Such spot checks can help to protect objects ranging from transport containers to e-Pedigreed drugs.

Auditing is another tool that RFID system operators can use to verify the behavior of their systems. Also, RFID system architects should devote attention to providing security awareness training courses for RFID operators and must explicitly outline procedures for secure tag disposal. For more examples of practical, common-sense advice on how to secure RFID systems, the reader is advised to check out the National Institute of Standards and Technology (NIST) RFID Security Guidelines (NIST SP 800-98) [284].

Technological controls for RFID have prompted a considerable body of media coverage and research. Researchers have developed a range of technological RFID security tools and techniques, including permanent tag deactivation (RFID tag removal/destruction, SW-based tag “killing”), temporary tag deactivation (Faraday cages, sleep/wake modes), on-tag cryptography (stream/block ciphers, public-key algorithms), off-tag cryptography (external re-encryption), on-tag authentication (lightweight protocols, e-Pedigrees), on-tag access control (hash locks [365]/pseudonyms), and off-tag access control (Blocker Tag [205], RFID Enhancer Proxy). There are entire dedicated survey papers available [204] that discuss the breadth and scope of the options that are available. Readers are strongly encouraged to consult such sources [25].
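The hash lock listed above under on-tag access control is simple enough to simulate end to end. The following Python sketch is an added example, not code from this chapter or from the cited work [365]: a tag stores only metaID = H(key) and answers queries with that value until a reader presents the key that hashes to it; the key itself lives in the back-end database, which a rogue reader cannot consult. SHA-256 stands in for the tag's one-way hash, and the EPC identifier and 16-byte key are constructed sample values.

```python
"""Hash-lock access control for RFID tags, simulated in software.

Added example (not from the chapter). The Tag, Backend and reader roles are
plain Python objects; SHA-256 is an assumed stand-in for the tag's hash.
"""
import hashlib
import secrets


def h(data):
    """One-way hash the tag computes; any collision-resistant hash would do."""
    return hashlib.sha256(data).digest()


class Tag:
    """A locked tag reveals only metaID = h(key); the real ID stays hidden
    until a reader presents the matching key."""

    def __init__(self, tag_id, key):
        self.tag_id = tag_id
        self.meta_id = h(key)
        self.locked = True

    def query(self):
        # Over the air the tag answers with either metaID (locked) or its ID.
        return self.meta_id if self.locked else self.tag_id

    def unlock(self, key):
        # Tag-side check: hash the offered key and compare with stored metaID.
        if h(key) == self.meta_id:
            self.locked = False
        return not self.locked

    def lock(self):
        self.locked = True


class Backend:
    """Back-end table metaID -> (key, tagID); only authorized readers reach it."""

    def __init__(self):
        self.table = {}

    def enroll(self, tag_id):
        key = secrets.token_bytes(16)          # constructed random per-tag key
        tag = Tag(tag_id, key)
        self.table[tag.meta_id] = (key, tag_id)
        return tag

    def lookup(self, meta_id):
        return self.table.get(meta_id)


def authorized_read(tag, backend):
    """Reader with back-end access: query metaID, fetch key, unlock, read, re-lock.
    Returns the tag ID, or None if the tag is not enrolled."""
    if not tag.locked:
        return tag.query()
    entry = backend.lookup(tag.query())
    if entry is None:
        return None
    key, _ = entry
    if not tag.unlock(key):
        return None
    tag_id = tag.query()
    tag.lock()   # leave the tag locked so the next unauthorized query sees only metaID
    return tag_id


def rogue_read(tag):
    """Reader without back-end access: all it ever learns is the metaID."""
    return tag.query()


def is_trackable(tag):
    """Known caveat of the basic hash lock: metaID is static, so two reads of a
    locked tag return the same value and can be linked to one another."""
    return tag.query() == tag.query()


if __name__ == "__main__":
    backend = Backend()
    tag = backend.enroll("urn:epc:id:sgtin:0614141.112345.400")   # constructed EPC
    print("rogue reader sees:", rogue_read(tag).hex())
    print("authorized reader sees:", authorized_read(tag, backend))
```

Two limitations of the basic scheme are visible in the code: the key crosses the air interface in the clear when the authorized reader unlocks the tag, so an eavesdropper in range at that moment learns it, and the constant metaID lets any reader track a locked tag even though it cannot learn the ID. The pseudonym and randomized variants cited alongside hash locks in the chapter address the tracking problem.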

System deployers must also adhere to best-practice RFID tag security principles, such as limiting read/write access to RFID tag data, using non-informative tag ID formats, and using strong on-tag cryptography, when appropriate. RFID middleware also has its own security demands. Best practices for RFID middleware include bounds checking, sanitizing input data, eliminating unnecessary features, limiting permissions/access, parameter binding, code auditing, and following secure programming practices.
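The middleware best practices just listed (bounds checking, input validation, parameter binding) are exactly what separates a back end that can be hit by the SQL-injection class of RFID malware described in Section 4.2.3, or that would blindly resolve a bogus URI placed on a Gen2 tag, from one that cannot. The following Python example is added here and is not code from the chapter or from any RFID middleware product; it sets up an in-memory SQLite table of container records, shows a lookup that splices tag memory straight into SQL, and beside it a hardened lookup that bounds the payload length, checks the data against a simplified EPC identifier pattern (an assumption: the real EPC URI grammar is broader), and binds it as a parameter. The table rows and the tag payloads are constructed sample data.

```python
"""RFID middleware tag lookup: string-concatenated SQL versus hardened input path.

Added example (not the chapter's or any product's code). Schema, rows and tag
payloads are constructed; TAG_MEM_MAX and EPC_URI are simplifying assumptions.
"""
import re
import sqlite3

TAG_MEM_MAX = 96                       # assumed user-memory bound for one tag, in bytes
# Simplified EPC identifier URI shape, e.g. urn:epc:id:sgtin:0614141.112345.400
EPC_URI = re.compile(r"urn:epc:id:[a-z0-9]+:[0-9.]+")


def make_db():
    """Constructed back-end table mapping container EPCs to contents."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE containers (epc TEXT PRIMARY KEY, contents TEXT)")
    con.executemany(
        "INSERT INTO containers VALUES (?, ?)",
        [
            ("urn:epc:id:sgtin:0614141.112345.400", "apples"),
            ("urn:epc:id:sgtin:0614141.112345.401", "pears"),
        ],
    )
    con.commit()
    return con


def lookup_vulnerable(con, tag_text):
    """Whatever the tag holds becomes part of the SQL statement."""
    sql = "SELECT contents FROM containers WHERE epc = '" + tag_text + "'"
    return [row[0] for row in con.execute(sql).fetchall()]


def validate_tag_data(raw):
    """Bounds check, character-set check and format check on raw tag memory.
    Returns the validated EPC string or raises ValueError."""
    if len(raw) > TAG_MEM_MAX:
        raise ValueError("tag payload exceeds memory bound")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("tag payload is not ASCII")
    if EPC_URI.fullmatch(text) is None:
        # Rejects quotes, SQL fragments, and arbitrary URLs (e.g. ad links)
        raise ValueError("tag payload is not an EPC identifier URI")
    return text


def lookup_hardened(con, raw):
    """Validate first, then bind the value so the database never parses it as SQL."""
    epc = validate_tag_data(raw)
    cur = con.execute("SELECT contents FROM containers WHERE epc = ?", (epc,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    good = b"urn:epc:id:sgtin:0614141.112345.400"
    print("hardened, valid tag:", lookup_hardened(db, good))
    for bad in (b"' OR '1'='1", b"http://ads.example/banner", b"A" * 200):
        try:
            lookup_hardened(db, bad)
        except ValueError as e:
            print("hardened rejected", bad[:24], "->", e)
```

The vulnerable path returns every container for the constructed tautology payload because the tag data is parsed as SQL; the hardened path never reaches the database with it, and even a payload that slipped past the pattern check would be bound as a plain string. Validation at the reader boundary is also what keeps a tag carrying an advertising URL from being resolved as if it were an EPC.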

In summary, system designers must assume that RFID is the weakest link of the security within a larger application, and then design their systems accordingly. Considering the amount of money at stake, and the evolution toward an increasingly hostile and financially motivated breed of attacker, RFID system architects and operators need to be increasingly proactive in defending against threats to their systems.

4.3 Mobile Crimeware*

Today, mobile devices are quickly becoming an important part of our daily computing experience. Over the last 10 years, we have seen the introduction of cross-platform sandboxed code execution environments such as J2ME, as well as native yet multiple-handset-supported (i.e., develop one, run on many) systems such as BREW. This fueled the initial wave of application development on mobile handsets. In addition, we have seen a movement in part by handset manufacturers away from proprietary operating systems to documented and extensible platforms such as Symbian, Windows Mobile, and Mobile Linux. With the ability to develop code for handsets and platforms on an after-market basis, there is the risk that—as occurred with the desktop—mobile crimeware will appear.

Mobile platforms lend themselves to mobile crimeware in a number of ways that are quite unique when compared to the desktop. The first of these aspects is the “premium” services that exist in modern telecommunications. Some premium-rate services require the calling of a number; this is similar to the old dialers that were seen on the desktop when modems were the most prevalent means of achieving connectivity. Another unique aspect of mobile platforms is the practice of either sending or receiving SMS or MMS messages to a premium number. The result is a set of direct methods for obtaining a financial benefit from crimeware without having a long and protracted set of hoops through which to jump to extract the cash. To establish one of these premium-rate numbers is a trivial matter. A number of Internet-based services offer such solutions, placing the onus on the purchaser (the purchaser of the service, not the end user) of such services to play by the rules and within any applicable laws.

The other unique element with regard to mobile devices is simply the sheer number of different vectors through which malicious code can be introduced.

While mobile devices inherit all the means that exist on the desktop, they also introduce a number of unique vectors through their extensive communications capabilities.

Today we have only one known example of crimeware on mobile devices, RedBrowser. RedBrowser is a trojan written in Java (MIDP/CLDC) and executed within the J2ME environment. Once executed, it attempts to send premium-rate SMS messages, thus causing the user direct fiscal loss and potentially leading to disputed billing with the user’s carrier (mobile service provider). Because RedBrowser was developed in Java, it executed not only on smart-phone operating systems but also on any proprietary platform or handset that implemented J2ME and MIDP/CLDC support. However, things are not all bad: By default, the MIDP security model states that if the code is not signed and attempts to send an SMS, then the user should be prompted. This prompting does not occur if the code is signed and, therefore, trusted. Some vendors, such as RIM in the BlackBerry, have extended this security model further with their own security controls.

In the case of RedBrowser, which wasn’t signed, the user was continually prompted for permission each time RedBrowser tried to send a message. Because it is only a proof of concept, this program does not pose a significant threat to users. Even so, this requirement on signing should be seen as a hurdle that will be overcome by determined attackers if it becomes cost-effective. There have already been several examples of malicious code being signed by valid certificates; the process simply requires the registration of a company and the appropriate amount of money being paid to the certificate-signing authorities.

While the MIDP specification provides a degree of protection, there is no such protection afforded to Windows Mobile devices currently. Conversely, Symbian 9 introduced a fine-grained capabilities model that affords similar protection as MIDP against such threats. However, as a result, it is also open to the same attack vector of obtaining a valid signing certificate.

This type of crimeware (i.e., one that causes financial loss) can be expected to become more prevalent in the future as the benefits to the attacker can be obtained relatively quickly (i.e., receiving the money 10 days after revenue is received from the operator). In terms of mobile devices’ susceptibility to other classes of crimeware, such as theft of personal information, the story is also similar. J2ME (and thus Java) by its nature is a sandbox and so only has limited access to user data outside this sandbox. Windows Mobile, on the other hand, provides some protection from untrusted applications—that is, unsigned applications, whether or not the device uses the two-tier model—through the restriction of trusted APIs. Symbian 9 utilizes its fine-grained capabilities model to provide protection from applications that are not signed with the appropriate capabilities (permissions). Even with these protections from malicious code such as trojans, other avenues for attack will continue to exist. Thus, as the sensitivity of the data we store on these devices increases, along with the many methods of transmitting the data out of the device, the likelihood that attackers will start to target these devices will also grow.

Another example of malicious code that may be used for nefarious purposes, such as the extraction of personal or sensitive information, is spyware. Numerous examples of spyware can be cited for mobile platforms ranging from Windows Mobile to Symbian, although compared to their desktop counterparts, they remain rudimentary. Nevertheless, their ability to obtain valid signing certificates is extremely worrisome. We have already seen one example for the Symbian 9 platform that managed to obtain such a signing certificate. Today’s spyware requires an attacker to have physical access to a device to install the application initially, and it typically focuses on logging call, SMS, and email data as opposed to keystrokes, web history, and content from the device. Over time, however, we can expect this situation to change. It is not inconceivable that these early incarnations will eventually lead to more aggressive spyware that is installed in drive-by-download-style situations and that targets the user-supplied data and the data held on the device. When will this occur? To be fair, only when the data on mobile devices increases sufficiently (i.e., when these devices become the weapon of choice in Internet banking or payment), when users’ computer usage patterns change enough that they move away from the desktop, and when the desktop becomes significantly more difficult to attack. Only then will attackers have the incentive to research, develop, and deploy their weapons of mass infiltration.

In summary, mobile crimeware is not a major issue at the present time, but there definitely exist opportunities for it to become one. Users typically don’t see their mobile devices as computers, the security is a generation or two behind that seen on the desktop, the security solutions are not as evolved, there is a larger attack surface than with any other platform, mobile devices are increasingly holding sensitive personal information, and there are quick and direct means to cause fiscal loss. These facts do not paint a pretty picture, but the security industry at least has the opportunity to raise these issues today in the hope that through collaboration with operators, operating system vendors, and key industry players we can address these issues before they become a problem.
