Chapter 13

Paranoid: But Not Paralyzed

As companies develop their smart products, they need to become thick-skinned about what are generally accepted traditions in the tech industry.

A good example is teardowns as soon as products become available. Photos of components, guesses about their likely suppliers, likely costs, and product margins show up on blogs, the most prominent of which is a website called iFixit.

“An iFixit teardown is at once a twenty-first-century repair manual, a work of art, an exhibition of a curiosity, and an activist gesture.”1

Some of the advice and related parts available on the site are for the aficionado. Example: “Apple has substituted (on the Verizon iPhone 4) the two bottom Phillips screws near the dock connector with 5-point ‘Pentalobular’ screws. This guide will illustrate how to replace the Pentalobe screws with good ol’ regular Phillips screws.” It has for sale a “liberation kit,” which includes a 5-point “Pentalobe” screwdriver, a #00 Phillips screwdriver, and two 3.6 mm “Liberation” Phillips screws.2

Most users find the site even more useful for a whole variety of repair guides for cars, cameras, and other devices.

Then there are the bragging rights from the teardowns. Says Popular Science magazine: “In late 2006, PopSci.com had one of its all-time highest traffic days when we posted photos looking inside the then just-to-be-released Nintendo Wii. At that point, we had beaten even iFixit to the punch.”

Jailbreaks and Roots

The term “jailbreak” has become synonymous with the Apple iPhone. Much of the demand for it is a response to the very high international roaming rates the carriers expect and to the belief of many users that they are being double-charged for tethering when they are already paying for data plans.

The first iPhone jailbreak procedure was in fact quite tedious, requiring users to download various software tools and manipulate code within the iPhone's framework. However, over time iPhone jailbreak has evolved and become a reasonably simple process. Today, all that is required to jailbreak your iPhone in most cases is to download one software tool and literally click a button.3

In response, Apple has periodically updated the iPhone operating system. AT&T and other carriers have implemented detection technology to identify users who have “jail-broken” their iPhones. It's a cat-and-mouse game.

The concept of jailbreak on the iPhone has evolved into what's called rooting on Android devices. “Rooting is the process by which you regain administrative access to your phone. Even though Android is an open source operating system, you still don't have full ‘root access’ to do what you please. Back when the iPhone launched in 2007 the hardcore techies quickly realized the true potential of the device, and the cruel software limitations that Apple had sealed it with. What became ‘Jailbreaking’ on the iPhone was quickly translated to other platforms as well, and when the world saw the first Android back in 2008, the term ‘Rooting’ was born,” says the Android Authority blog.4

The Barnes & Noble Nook is an Android device. “The device's color touchscreen and assortment of Internet-enabled applications help differentiate it from Amazon's increasingly ubiquitous Kindle.”

“Barnes & Noble intends to eventually expose more of the Nook's Android functionality to end users in future updates, but Android enthusiasts have already gotten a head start.” They rooted it to make it an incredibly inexpensive tablet at its $250 (and declining) price.

The teardowns and the rootings pale in comparison to the much more malicious hacking that targets digital products and websites.

“Tarred and Feathered”

The repeated and public humiliation of Sony by hackers over a matter of months shocked the technology world. Its PS3 game console was once considered invulnerable. “But in December 2010 at the Chaos Communication Conference in Berlin a group of European programmers calling themselves fail0verflow revealed they had finally broken specific lower levels of the PS3's encryption system that let them run their own programs on the console.”5

Not long after that, in/famous hacker George “Geohot” Hotz decided to open up a veritable Pandora's Box of problems for Sony by rereleasing the PS3's master security key to the public. This move essentially allows anyone to run custom code on the PS3 and worse, with a bit of additional fiddling, pirated games.6

Blogged the Daily Tech:

Much as Sony has abused its corporate power over users, hackers—most notably Lebanese-based Idahc (Twitter) and the international group “LulzSec” (Lulz Security)—have lorded their superior security skills over the clueless giant, constantly mocking and lashing it.7

Sony a clueless giant? If so, there may be many more examples.

Time magazine ran an article where it talked about hacks at Citigroup, the FBI, the CIA, Mastercard, Visa, and elsewhere.

So who would you like to hack today? A bank, a website, a corporation or perhaps a government agency that's rubbing you the wrong way? The hacktivist group LulzSec is taking requests.8

If a mainstream magazine like Time can talk about it, think of the discussions at Black Hat conferences, which “are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec (information security) world—from the corporate and government sectors to academic and even underground researchers.”9

Actually, the infosec world is very well aware of what are called Common Weaknesses. MITRE maintains the CWE (Common Weakness Enumeration) website, with the support of the U.S. Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors, along with authoritative guidance for mitigating and avoiding them.10

The errors make for exotic language such as “Improper Neutralization of Special Elements used in an SQL Command” (“SQL Injection”) and “Buffer Copy without Checking Size of Input” (“Classic Buffer Overflow”).

The big problem, of course, is that the CWE site catalogs more than 800 programming, design, and architecture errors that can lead to exploitable vulnerabilities. Hackers, the white-hat and the malicious kinds, continue to add to that already long list of 800.
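To make the first of those two CWE entries concrete, here is an added example (not from the book, MITRE, or any product discussed here) that runs the same lookup twice against a constructed three-row SQLite table: once with the untrusted value spliced into the SQL text, the CWE-89 pattern, and once with it passed as a bound parameter, which is the neutralization the CWE guidance calls for.

```python
import sqlite3

# Constructed sample data for the demonstration; not real accounts.
SAMPLE_ROWS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89 pattern: the caller-supplied value becomes part of the SQL
    statement itself, so a quote character in it changes the query's
    structure instead of being treated as data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Neutralized form: the value is bound as a parameter and is never
    parsed as SQL, so special characters cannot alter the statement."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a benign name and with a quote-bearing value
    and return the four result sets so they can be compared."""
    conn = make_db()
    benign = "bob"
    # A value containing a quote; the textbook illustration of the weakness.
    quoted = "' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_quoted": lookup_vulnerable(conn, quoted),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_quoted": lookup_parameterized(conn, quoted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The vulnerable lookup returns every row for the quoted value because the statement's WHERE clause was rewritten; the parameterized lookup returns none, since no user is literally named `' OR '1'='1`.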

British tabloid News of the World was closed down in July 2011 over a phone-hacking scandal. The newspaper owned by Rupert Murdoch allegedly snooped on voice-mail messages of murder victims, as well as celebrities, politicians, and the British royal family. These were shady reporters. Now extrapolate that to imagine what more technology-savvy hackers can do.

Next Generation of Even More Terrifying Hacking

Richard Perkins and Mike Tassey were told that an in-flight hacking platform was impossible. In response, the pair showed off their wi-fi hacking, phone-snooping, homemade UAV at the Black Hat conference in Las Vegas in August 2011. They call their creation the Wireless Aerial Surveillance Platform; it is described in detail in our case study later in this chapter.

Researchers have demonstrated that certain pacemakers that use a wireless signal for easy tweaking are vulnerable to anyone with the correct reprogramming hardware. Doctors use these wireless programming devices to make subtle adjustments to the heart helpers without the need for further surgeries. Unfortunately, the signal they use is unencrypted, meaning that anyone who finds a way to obtain such a device could literally manipulate the heart of a patient, causing cardiac arrest or even death.11

At the same Black Hat conference, Don Bailey and Mathew Solnik presented how they had “found a way to unlock cars that use remote control and telemetry systems like BMW Assist, GM OnStar, Ford Sync, and Hyundai Blue Link. These systems communicate with the automaker's remote servers via standard mobile networks like GSM and CDMA—and with a clever bit of reverse engineering, the hackers were able to pose as these servers and communicate directly with a car's on-board computer via ‘war texting’—a riff on ‘war driving,’ the act of finding open wireless networks.”12

Also at that conference, a pair of researchers demonstrated how home automation systems can be vulnerable to attacks. “Carrying out their research independently, [Kennedy] and [Rob Simon] came to the same conclusion—that manufacturers of this immature technology have barely spent any time or resources properly securing their wares.”13

The vulnerability of smart cars, homes, and medical devices means we all have to plan for far smarter security.

Technology's “Area 51”

After Apple had its well-publicized antenna issues with the iPhone 4, it took a handful of journalists on a tour of its wireless testing lab.

“Apple's wireless lab has 16 different anechoic chambers—think of them as bank vaults, padded with foam shaped into pointy cones to stop all reflections, designed to create completely radio-neutral environments. Each of these chambers is estimated to have cost $1.2 million. The existence of this lab used to be secret,” an Apple PR representative pointed out. “Now it's not.”14

Google's data centers have long been even more secretive. In April 2011 Adam Swindler of the Google Enterprise group blogged, “Many of you have been interested in visiting our data centers to see how we work to protect your data, but access to them is tightly restricted. Since we can't give everyone a tour, we look for other ways to provide some visibility into these buildings. Last year we published the Google Apps security white paper, earlier this year we hosted a security and privacy webcast, and today we're sharing a video that highlights some of the capabilities in our data centers.”15

There was widespread speculation about why Google was showcasing that video. Some thought it was in response to a recent data center outage at Amazon and they wanted to assure customers their data centers were secure. Others speculated it was in response to the more open stance Facebook had taken with its Open Compute Project (see Chapter 8), which highlighted detailed information of its recently opened Prineville data center.

If Google is secretive about its data centers, was it also helping Apple be secretive about its iCloud data center? PC Magazine reported:

… it's a Google Earth shot of Apple's giant data center in the boonies of North Carolina. The image was previously unavailable on Google Earth, but as Apple's iCloud announcement nears, the company seems to have allowed Google to show the massive, 500,000-square-foot facility to the world.16

Labs and data centers are part of the industry's “Area 51,” the military base in Nevada of UFO rumor fame. They are hidden from prying eyes, and there is usually plenty of disinformation about them. There is always risk of hostile activity. As we saw in Chapter 4, the whole country of Estonia was brought to its knees for weeks in a cyber attack widely speculated to have originated in Russia.

On its official blog Google described its investigation of a similar attack in 2009:

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident—albeit a significant one—was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least 20 other large companies from a wide range of businesses—including the Internet, finance, technology, media, and chemical sectors—have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.17

In 2008, as he was getting ready to unveil his 400,000-square-foot “SuperNAP” in Las Vegas, Switch CEO Rob Roy remarked he expected it to be filled by the world's most prominent companies. He was promising 100 percent, not 99.99 percent, uptime—the Holy Grail in enterprise computing.18

That, of course, demands extreme security measures.

The Wall Street Journal described some of the security at the facility:

The guards … are not your typical rent-a-cops. These are Switch employees recruited from the Marines and other military services—buff, dark-uniformed hunks who sport sidearms inside the building and automatic weapons outside. They never smile.19

Switch could be guarding against threats from hostile countries, but even more against industrial espionage.

Dumpster Diving in the Digital Age

Gizmodo, which ended up paying for and dissecting a prototype of the iPhone 4 that an Apple employee misplaced at a bar, described its impression of Apple's security:

At their Cupertino campus, any gadget or computer that is worth protecting is behind armored doors, with security locks with codes that change every few minutes. Prototypes are bolted to desks. Hidden in these labs, hardware, software and industrial-design elves toil separately on the same devices, without really having the complete picture of the final product.20

Gizmodo went on to suggest Apple's tight security was tied to marketing advantage: “The Gran Jefe Steve trusts them to avoid Apple's worst nightmare: The leak of a strategic product that could cost them millions of dollars in free marketing promotion. One that would make them lose control of the product news cycle.”

Actually, Apple and other technology companies have the tight security to protect against many different ways trade secrets are compromised. A paper by Mark L. Krotoski of the U.S. Justice Department21 highlights some of the scenarios based on prior cases and investigations:

  • A trusted employee with access to valuable company information who, after becoming disgruntled, downloads and transmits the information to others outside the company, who offer it to the “highest bidder.”
  • A competitor who devises a scheme to gain access to company information for use in fulfilling an international contract.
  • Employees who execute a plan to steal proprietary information and take it to another country and are stopped at the airport.
  • After being offered a senior position with a direct competitor, and before tendering his resignation, an employee uses his supervisory position to request and obtain proprietary information he would not normally be entitled to access. After taking as much proprietary information as he can, he submits his resignation and takes the materials of his former employer to his new position and employer.

Of course, to go with the dark arts, there is always the dark humor. The Apple iPhone bar incident described earlier led to a series of industry jokes that go like this:

A Microsoft/Nokia/RIM (take your pick) employee lost a secret prototype of the company's next-generation device. The person who found the prototype tried to sell it to the highest bidder and was offered just $10. Asked why, the publisher of a tech blog said, “Even $10 is too much to bring in an extra 50 page views, particularly since 40 of those will come from the vendor CEO's desk.”

Ouch.

Conclusion

Teardowns, jailbreaks, and rootings—they are almost badges of honor in the technology world. They are tame, however, compared to the malicious hacking and espionage technology companies are increasingly facing. In such a climate, it helps to be paranoid. The next section on the Wireless Aerial Surveillance Platform shows other reasons to be vigilant. Of course, being paranoid does not mean being paralyzed. The technology elite just look at it as a cost of doing business. Life has to go on.

Case Study: Wireless Aerial Surveillance Platform

In late July 2011, Mike Tassey and Rich Perkins drove more than 1,700 miles from their homes in the Midwest to Las Vegas, Nevada. The drive was mostly uneventful. There were hundreds of miles of flat farmland at the front end and hundreds of miles of desert at the other end. The big excitement was a crack in the car's windshield, thanks to a mud-covered pickup truck dropping baseball-size chunks of mud, rocks, and gunk onto the highway in front of them.

They were carrying some yellow cargo that could have brought law enforcement scrutiny. No, there was nothing explosive. If the law had run a background check, it would have soon found both Tassey and Perkins had fairly high-level security clearances. Both have worked for the U.S. Air Force and other federal agencies.

The cargo was definitely explosive, but in a different sense. Tassey and Perkins were carrying an FMQ-117B U.S. Army target drone to the Black Hat/DefCon conference in Las Vegas.

The 14-pound, 67-inch wingspan drone is by itself dated technology. It was first shipped in 1979 for surface-to-air defense training. The 2 × 6-cell 22.2 V 5000 mAh LiPo batteries allow it to fly for less than an hour at a time, compared to the drones that go across the world in today's battles.

It was the payload and capabilities that impressed the tough-to-impress security audience the conference attracts each year. (The audience is by definition paranoid. Many pay cash for the conference and register under assumed names.)

The payload (a Via Epia 10000EG Pico ITX motherboard, 1 GHz Via C7 CPU, 1 GB of memory, storage in the form of a 32 GB Voyager GTR Flash drive, networking via a USB 4G dongle, an HD camera, and the Linux operating system BackTrack) is designed for hacking, assisted by a custom-built 340-million-word dictionary for brute-forcing passwords.

The drone is equipped with a pair of 900 MHz XBee radios that provide telemetry and data link. These channels are protected by 128-bit AES encryption and allow the controllers on the ground to access the payload and flight computers remotely as if they were present onboard.

Just what does it do with all that technology?

In an early concept it was designed for wi-fi penetration in a target area over which it is flying. Thermal sensors on the aircraft's skin and onboard GPS sensors detect the horizon and the airframe's attitude and position in space, allowing for an accuracy of under three meters. Navigation coordinates are preplanned using software integrated with the Google Maps repository and are as simple as clicking on a map.

In its current iteration it adds a Universal Software Radio Peripheral (USRP) made by Ettus Research, which lets it pose as a standard cell-phone tower and lure GSM phones (like the iPhone that uses AT&T's GSM network) into connecting with it. It then records any phone conversations or text messages while connecting the call via VOIP, giving the impression the call went through normally.

Says Tassey:

What we call our Wireless Aerial Surveillance Platform is a proof-of-concept UAV (Unmanned Aerial Vehicle) designed to demonstrate the ability of a relative layman to utilize off-the-shelf and open-source components to craft an autonomous platform from which to launch attacks against wireless clients, networks and cellular phones on the ground.

We made several modifications, but did not use any custom manufactured parts. As an example, we modified the airframe to utilize the electric motor to quiet the UAV so that we could operate nearly silently. We added an off-airframe processing capability that can reside anywhere on the Internet. This capability makes use of the Compute Unified Device Architecture (CUDA), which allows the use of NVidia Graphics Processing Units (GPUs) present on inexpensive video cards to process mathematical data at incredible speeds.

Most of the hardware and software is easily available online. The average enthusiast can build and operate this. The whole package cost us only around $6,000 to put together.

Says Perkins:

The thrust of the concept was that organizations spend large amounts of money on physical security (locks, doors, fences, guards, etc.), which is focused on the “bad guy” being a person with a backpack, a car in the parking lot, or an imposter with a laptop. The more we looked at the state of security the more it became obvious that no one is looking up at the skies.

No one is looking up because, until recently, the technology and the skills needed to create a viable unmanned cyber-attack drone were out of the reach of anyone not affiliated with the government or part of a specialized group of researchers at a university. The average person thinks of the General Atomics MQ-1 Predator used by the U.S. Air Force when they hear the word drone. Those cost millions of dollars each.

That has changed. Today nearly anyone with just a few hundred dollars can design and build a powerful autonomous UAV with the capability to fly hundreds if not thousands of miles completely without intervention.

We saw that the use of UAVs to launch cyber-attacks was a threat vector that had not been considered or modeled by organizations today, but one that was very plausible given the state of technology and the availability of off-the-shelf parts. Our goal was to utilize what was available to create a drone which would illustrate the threat, forcing organizations to take a hard look at how they view information security.

Tassey continues:

The UAV allows an attacker to get inside the perimeter defenses, to spoof access points within your network and isolate clients for attack, attack your wireless infrastructure by breaking encryption and then leverage any of hundreds of onboard tools to attack internal machines, gather data, gain access to critical systems and cause service interruptions or move sensitive data out of the network through the aircraft. It really is able to get in, loot and pillage, and then get out without traversing the boundary defenses that organizations spend so much time and money building. In addition, it also gives the attacker the ability to attack GSM cellular phones, giving them the ability to monitor phone conversations and SMS messages, reroute phone numbers, and inject audio and data. Think of the volume of company proprietary data or personal information that is communicated every day via cellular phones and one begins to understand the type of damage that can be done.

The reaction at the conference was very positive. The online response to them in various communities they are part of has been mixed.

Perkins explains:

We have received comments ranging from “I'm going to report you to the FAA/FCC [the U.S. agencies that oversee aviation and telecommunications]!” to the more violent “I'm going to shoot the drone down with a shotgun.” What we found is that while the Internet has provided a medium through which like-minded people can gather and develop their ideas, there is still distrust and animosity toward outsiders or those who these communities perceive as portraying their hobby or interest in a potentially negative way. We found that many of the comments were based on fear.

The gratifying thing is the positive uses people are finding for the device. Small cheap UAVs can be developed for law enforcement and the military to enhance their mission capabilities by providing instant oversight of a battleground, crime scene, or search area. Customs and Border Patrol agents on patrol could use a small hand-launched UAV equipped with low-light near-infrared cameras to locate “coyotes,” smugglers, and illegals, and provide an ability to cover large areas of intractable terrain from the air. Intelligence agencies could use a small UAV to attack local target networks, gather signals intelligence, and track subjects by video and electronic emissions. Search and rescue and law enforcement could use these types of UAVs to provide communications relay, drop beacons, and provide extended search capabilities without the cost and limitations of a manned aerial platform.

Tassey says over the course of the project that “We have found that there are quite a few groups doing UAV research for imagery and radio projects from around the world.”

Whether their device is used positively or negatively, they deserve credit for raising the level of paranoia around tech security.

Summarizes Perkins:

“We want people to stop thinking that they can be complacent and make assumptions about security, because the bad guys aren't complacent at all. They are creative, intelligent, and always take the path of least resistance. It is truly a case of ‘If we can do it … so can they.’”
