Abstract
Adoption of wireless communications using radio wave frequencies is closely associated with critical infrastructure sectors and services like transportation, utilities, public safety, law enforcement, national defense, and news media. Consumer applications started with the use of radio in the early 20th century, gathering momentum as content quality and variety increased (entertainment as well as news updates) and radios became a standard piece of living room furniture. The invention of the transistor in 1947 offered the promise of mobility and suggested innovative uses like tagging wildlife for tracking. In the 21st century, it is we who are increasingly tagged by our smart and chatty devices, exposing us to the potential for undesirable disclosure of our location and personal information through proliferation of “attack surfaces.” Globally, wireless penetration rates vary, with some countries bypassing wireline telecommunications in favor of wireless.
Keywords
RFID; sensor; smartphone; smart device; malware; hacking; hack strategy; command and control; Internet of Things (IoT); penetration rate
Wireless Innovation and Adoption: Early Market Penetration
The use of wireless communications technology based on radio wave spectrum has exploded in terms of number of transmissions, frequencies licensed, user demographics, and use case scenarios since Marconi’s first experiments in 1895. And while the profile for adoption of wireless technology follows the familiar bell curve described by Everett M. Rogers in his Diffusion of Innovations (first published in 1962), those who represent the five different types of technology adopters—innovators (2.5%), early adopters (13.5%), early majority (34%), late majority (34%), and laggards (16%)1—have shifted.2
Although the innovators were often individual inventors or associated with research labs (with some degree of government funding), the early adopters in the beginning of the 20th century tended to be involved in transportation (including aviation and maritime activities, e.g., open-sea radio signaling during the Titanic disaster in 1912, an improvement over the use of carrier pigeons and visual signaling with flags),3 law enforcement, national defense (e.g., in the Anglo-Boer War, 1899–1902), utilities (e.g., telecommunications and energy), and news media. Individual early adopters outside those sectors were more likely to be hobbyists who scanned Popular Mechanics for technological updates and how-to instructions. Mass marketing campaigns to promote the adoption of technological changes appeared much later, as did adoption by retail and manufacturing businesses and civilian government agencies.
The first AM radio broadcast for music and entertainment was in 1906. The Radio Act of 1912 mandated that amateur (ham) radio operators be licensed and that ships deploy 24-hour radio service with a trained operator (in part a response to the inadequate rescue response to the Titanic). The American Radio Relay League, founded in 1914, helped organize relay stations for more efficient and reliable long-distance signaling4 similar to the way routing tables organize telephony transmissions. The Federal Communications Commission (FCC) was established by the Communications Act of 1934, in part to address inadequacies in the earlier Radio Act of 1912 and subsequent Radio Act of 1927, under which the Federal Radio Commission was formed to address broadcasting.5
In 1933, the Bayonne, New Jersey, police department launched two-way AM radio use in patrol cars, five years after Detroit police first started using regular one-way radio communications in patrol cars. The two-way radios combined transmitter and receiver. In 1946, a taxi driver in St. Louis, Missouri, made the first mobile telephone call over a Southwestern Bell service.6 This was the same year that newspaper cartoon detective, Dick Tracy, started using his two-way radio watch (the two-way TV watch didn’t show up until 1964) to communicate with others on the police force in his pursuit of bad actors.7 By 1948, wireless telephone service was available in 100 cities, although the service was very limited. Essentially a party line over which calls were placed by an operator, the service could handle only three subscriber calls simultaneously. The metropolitan area’s infrastructure consisted of a single transmitter, centrally located, signaling over the limited radio spectrum licensed by the FCC for this use. The equipment in the trunk required to run this early mobile telephone, which weighed in at about 80 lb and dimmed the headlights when used, would make the 1983 Motorola “brick” cellular phone—released 35 years later and weighing in at a mere 5 pounds—feel more truly mobile.8 Monthly subscriptions and local call charges were expensive in 1948: the equivalent of almost $200 today. The service was typically used by businesses: utility companies, truck fleet operations, and journalists. Adoption was limited to about 5000 customers making some 30,000 calls per week.
Wireless Market Penetration: US Context
By contrast, in 2014, 90% of American adults owned a cell phone,9 about 221.4 million individuals,10 and collectively used about 204.6 billion monthly voice minutes in 2014.11 Similar to IBM founder Thomas J. Watson’s underestimation of the potential market appeal of computers, a 1983 McKinsey & Co. report prepared for AT&T predicted 900,000 US cellular subscribers by 2000. That milestone was reached in 1987, however; there were 109 million subscribers in the United States by 2000.12 This shift to deep penetration of the marketplace took time and development of contributing factors: battery technology to extend time between charges; invention of transistors (1947) to replace large, heavy, environmentally fragile vacuum tubes and enable a broad range of convenient consumer products from hearing aids to pocket-sized GPS to nanoscale devices;13 expanded spectrum availability and accessibility through a well-defined system for its allocation; favorable economic and cultural climates that championed technological possibility and perceived value; development of vernacular, human readable computer programming code; and even marketing approaches that made exotic innovation somehow familiar and affordable.
It is hard to imagine being completely removed from the reach of radio spectrum technology. Even those who venture into austere or isolated environments can find hardened personal devices like avalanche transceivers and others for location and communication services in “no service” areas. Wildlife has been tracked via radio since the late 1950s. We are in an unusual time in which communications technology is so embedded into our environment that we become de facto users, whether because of the credit cards or passport we carry, our fitness sensors, our mood-sensing shoes,14 or our baby’s rubber ducky, Edwin.15
There were some 304,360 cell sites in the United States as of year-end 2013, which represent an 87% increase over a period of 10 years (December 31, 2003, through December 2013).16 Although the FCC expects the demand driving that growth to slow, anticipated qualitative changes to the traffic (e.g., increased video streaming, which is more data-intensive) will require continued investment from telecom service providers in mobile backhaul technology—as much as $43 billion, collectively, between 2013 and 2017—to connect with mobile switching centers. From these centers, connections are made to “the provider’s core network, the public switched telephone network (PSTN), or the Internet” to ensure routing and onward transmissions of traffic.17
Wireless Penetration Rates: Global Context
The key consensus point around why we use wireless communications in the United States, whether data or voice, is that it is convenient. We are willing to tolerate performance failures that would be unacceptable from a wireline service provider with respect to level of service expectations. Indeed, the dropped calls, lack of vocal clarity, and battery insufficiency have provided us a new set of socially acceptable excuses for not wanting to communicate with a caller. The inefficiencies are preferable to being tethered to a landline, even one with a portable handset. Mobile carriers continue to add services like conference calling to mimic the features available on fixed lines. In addition, even as the uptake in wireless subscriptions continues, the cost of use is going down and compares favorably to wireline use, as shown in Fig.
For other parts of the world, the initial game changer that wireless service introduced was building up capacity for communications. The plain old telephone system (POTS) infrastructure for voice (and data) services was not as dense elsewhere as in the United States, even in what are now considered Eurozone nations. As a case in point, the average wait time for obtaining landline service in some Central and Eastern European countries (CEEs) in 1990 was 11.5 years.19 Data collected by the ITU for 2013 show significant mobile phone penetration, with the percentage uptake by individual subscribers ranging from 81.5 (Bulgaria) to 96 (Czech Republic).20
The increase in penetration rates between 2005 and 2015 for mobile phone subscribers in Africa is significant and exceeds fixed-telephone subscriptions dramatically. Table 2.1 shows comparative data gathered by the ITU for penetration rates in UN-defined global regions. Clearly, individuals in Africa and the Arab States have largely elected to skip the POTS generation of technology in favor of adopting newer wireless technology that is less costly to deploy over large areas. Across Sub-Saharan Africa, the aggregated penetration rate for mobile broadband subscriptions grew 156% between 2010 and 2011, slowed to 85% between 2011 and 2012, then to 21% between 2012 and 2013, to 25% between 2013 and 2014, and is estimated to have grown 35% between 2014 and 2015. Over this same five-year time period, the fixed broadband penetration rate has only grown minimally, and from a much lower starting base penetration rate.
Table 2.1. Longitudinal Comparison of Technology Penetration Rates by UN Region (a)
In Europe and Asia, one can see a steady decline in fixed-line subscriptions over time. This phenomenon has also been noted in the United States among households. Statistics from the World Bank show that fixed telephone subscriptions have declined between 2011 and 2015 in 66% of countries worldwide, stayed fairly stable in 12%, and increased in 23% of the 206 countries worldwide for which data were reported.21
Wireless Penetration Rates: Security Risk Context
By looking at both wireline and wireless penetration rates, one can begin to appreciate the relative vulnerability, in terms of communications capacity and resiliency, of different populations. The United States exemplifies an overbuild condition, in which legacy wireline capacity is now layered with wireless capacity. Other countries, especially those that skipped over the POTS generation of technology, rely more heavily on their wireless infrastructure; out-of-band capability to support more robust authentication services, for example, is limited. Protecting that wireless infrastructure becomes more critical when it is, in effect, the only telecommunications infrastructure.
The expanded subscriber base for wireless communications worldwide, combined with the extension of wireless use case scenarios across all industries, makes WAPs more attractive targets to opportunistic bad actors. There is more potential gain. At the same time, tools for mobile hacking are becoming more prevalent, thus lowering the learning threshold (and cost) to those potential bad actors who are looking to reap benefits or wreak havoc.
At the 2013 Black Hat Conference, for example, versatile, economical tools and techniques publicized for maliciously targeting WAPs included the following functionalities:
Transform another person’s mobile phone into an audio or video bug, operated by a command and control (C&C) web server
Extrude information from pacemakers and other embedded medical devices
Exploit Android operating system “master key” vulnerability by hiding malicious code behind trusted, cryptographically vetted signatures
Install surveillance tools that bypass malware detection and mobile device management controls, and then gather text and email location information
Intercept voice, data, and text traffic, as well as clone connected devices
Build malicious chargers for iPhones
Implement a surreptitious, large-scale sensor-based tracking system that records activities of groups and individuals
Manipulate Flash storage memory to control devices and even ICS by hiding malicious files or compromising performance
Decrypt traffic sent by Bluetooth-enabled “smart” devices
Clone an RFID tag (or access badge) by using a microcontroller to modify the reader22
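A defender-side check for the Android “master key” item in that list, added here as an example and not part of the chapter: that bug let an APK carry two entries with the same name, so the signature verifier checked one copy while the installer extracted the other. The script below walks a ZIP central directory by hand and flags any archive whose directory repeats a name; the archive it inspects is constructed inline and is not a real app.

```python
"""Flag duplicate entry names in a ZIP/APK archive (added example).

An archive whose central directory lists the same name twice is the
pattern behind the 2013 Android "master key" bug: two parsers that
disagree on which copy wins let one copy pass signature checks while
the other is installed. Counting names is a cheap pre-install check.
"""
import io
import struct
import warnings
import zipfile

EOCD_SIG = 0x06054B50   # end-of-central-directory record signature
CDIR_SIG = 0x02014B50   # central directory file header signature


def central_directory_names(data: bytes) -> list[str]:
    """Return every name in the central directory, duplicates included.

    A dict-based lookup (as used by many installers) silently keeps only
    one copy, which is exactly why the directory is walked by hand here.
    """
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd disk, entries on disk, total entries,
    # cd size, cd offset, comment length (22 bytes)
    _, _, _, _, total, _cd_size, cd_off, _ = struct.unpack(
        "<IHHHHIIH", data[eocd:eocd + 22])
    names = []
    pos = cd_off
    for _ in range(total):
        (sig,) = struct.unpack("<I", data[pos:pos + 4])
        if sig != CDIR_SIG:
            raise ValueError("corrupt central directory")
        # name, extra and comment lengths sit at offsets 28, 30, 32 of the header
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def duplicate_entries(data: bytes) -> dict[str, int]:
    """Return {name: count} for every name listed more than once."""
    counts: dict[str, int] = {}
    for name in central_directory_names(data):
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed sample: a tiny APK-like archive, optionally with a
    second classes.dex entry shadowing the first (the master-key pattern)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("AndroidManifest.xml", "<manifest/>")
            z.writestr("classes.dex", b"dex\n035\x00benign")
            if duplicate:
                z.writestr("classes.dex", b"dex\n035\x00shadow")
    return buf.getvalue()


if __name__ == "__main__":
    print(duplicate_entries(build_sample_apk(duplicate=True)))   # {'classes.dex': 2}
    print(duplicate_entries(build_sample_apk(duplicate=False)))  # {}
```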
The above tools and techniques are already common knowledge. Innovation in hacking, cracking (defeating security controls in wireless systems), and skyjacking (mobile hostage taking) WAPs continues enthusiastically, as does malicious interest in elevating privileges or gaining unauthorized access to mobile devices on various platforms: jailbreaking (iOS), rooting (Android), and unlocking (Windows).23
The need for securing mobile devices is a recurring theme among researchers and IT professionals as the number of devices, users, and applications—as well as the diversity of use cases—continues to proliferate. Concerns about the compromise of a single WAP that can then create an opening into a trusted network environment are captured in “top security threat” discussions. These threats act at multiple levels of the OSI stack and can be used as part of a layered attack against a government agency, public utility, or corporation, as well as against individuals. The potential (and realized) threats against WAPs often mirror those against corporate data centers. These threats include the following attack strategies.
Attack Strategy: Mobile Payment
Attacks aimed at acquiring credentials for accessing bank accounts, social security numbers, and credit cards make headlines annually. One attack approach is extracting information stored in bulk on cloud servers. A predictable adaptation, as centralized servers are more tightly protected and mobile payment applications are adopted, is malware aimed at gathering payment credentials from multitudes of devices.24
Attack Strategy: Malware Transmission
In one articulation, watering hole techniques attract unwitting visitors to legitimate news sites that are contaminated with hidden malware. Compromised devices can then pollute the devices belonging to colleagues and friends, even those who only respond to messages from trusted contacts. Spreading malware from mobile device to mobile device across a trusted network of other wireless users is just one attack scenario if AV controls are not installed, are managed ineffectively or not at all, or if the malware has not already been identified.25 Zero-day attacks and the proliferation of polymorphic malware (malware code that constantly changes, making signature-based detection difficult) compromise the effectiveness of AV mechanisms.
Attack Strategy: C&C (ICS Environment)
Another attack scenario is infection of a wired ICS network by a wireless device if AV controls are inadequate at the device or server level. One of the pieces of malware especially culpable is Havex, used to extrude data from ICS, especially those deployed in energy critical infrastructure that use Open Platform Communications or OPC. Havex is a remote access tool (RAT) type of malware. It leverages the functionality of the OPC, which consolidates information from numerous subsystems that operate independently.26
Attack Strategy: DoS
In addition to the Havex OPC vulnerability, reports point to DoS risks in manufacturing industry production environments that rely on assembly-line processes, enterprise resource planning (ERP) systems, and building management solutions.27
Attack Strategy: Suicide Malware
The next evolution of scareware and ransomware—the latter being malware that blocks even authorized access to data contained on a device and locks down the target’s hard drive—could be malicious code that self-destructs. It is like a 21st century echo of the self-igniting magnetic tape through which the Mission Impossible TV team of the 1960s learned about the next mission, but the instructions this code destroys are the operating system instructions and memory. In the process of erasing evidentiary traces of the exploit, thus sabotaging incident response routines, this blastware will wipe out, not just lock out, all data on the device’s hard drive if the code is modified in any way. This pernicious code can disrupt efforts to monitor possible advanced persistent threat (APT) activity.28 It could also make holding a device hostage pending payment of extortion seem much the lesser of this new evil. By eliminating telltale traces of the attack pattern, it also makes reverse engineering the attack for the purpose of building proactive detection capability—and sharing alerts to other system operators—very difficult.
Attack Strategy: SMS Infection Vector
Changes in user behavior make SMS an interesting attack vector. Smartphones are used five times more for texting in the United States, for example, than for phone calls.29 This increased opportunity coincides with SMS use to spread and propagate malware (e.g., Trojans and worms) and SMS agents, through contact information stored on the initially compromised phone. Scams perpetrated through links buried in messages trigger premium services and SMS subscriptions. Fig. 2.2 shows top categories of SMS spam observed in 2014. To some analysts, this adaptation of old technology points to more unified communications and the need for user awareness “that threats can be delivered across a variety of areas.”30
Attack Strategy: Mobile Commerce
Online retailing makes good business sense from the perspective of businesses that can save dramatically by moving some transactions away from brick-and-mortar storefronts. Increasingly, consumers use multiple devices to accomplish purchases and often are even less prudent and security-conscious with mobile than with desktop devices.32
In addition to shopping online from mobile devices, consumers are paying online: 30% of ecommerce transactions are completed from smartphones.33 A 2015 survey of 250 large organizations that are heavily engaged in online commerce (average revenue of respondents was more than $2.5 billion) indicated that between 25% and 49% ($92.3 million per year) of fraud incidents were attributed to transactions using mobile devices.34
Attack Strategy: IoT
Onboard vehicle controls, embedded medical devices, smart clothing and household appliances, and ICS are just some of the use cases that comprise the IoT (or as some have suggested, the Internet of Threats). The potential for attacking these WAPs exists, as illustrated in the well-publicized Jeep hack demonstration in 2015.35 Manufacturers and consumers need better guidelines about what kind of information is collected and transmitted from these devices and how such communications can be managed and protected.
The IoT also turns homes into computer centers, with a router/firewall “protecting” a zone containing home security systems, air conditioning/heating systems, washers, dryers, refrigerators, ovens, and other appliances. Homeowners are ill-prepared to defend against hackers who can apply decades of experience with attacking corporate and agency data centers. In fact, attacks on home routers were observed in 2014.36
Attack Strategy: Layered Vulnerabilities
Of the 6.3 million Android apps analyzed by Symantec in 2014, 17% were characterized as disguised malware.37 Vulnerabilities exist for Windows and iOS apps as well, in part because of vulnerability issues at various layers. The Open Web Application Security Project (OWASP) has identified 10 top mobile risks, as shown in Fig. 2.3.
Hacking Goals: Strategies and Steps
In Chapter 3, Blurred Edges: Fixed and Mobile Wireless Access Points, you will learn about the various goals (end games) of hackers. These goals can be as simple as taking over a mobile device at a hackers’ convention or as complex as transferring funds from a company’s bank account into a relay bank account. The more complex the goal, the more likely the hacker will need to execute multiple hack techniques to overcome the defense in depth countermeasures protecting the assets desired by the hacker.
To achieve their goals, hackers must lay out a plan for their attack. The plan may be created by working backwards from the goal. For example, to obtain a user identifier and password for a company’s account: identify company personnel who hold the needed credentials, identify the most likely person from whom to obtain them, identify the locations where that person communicates via wireless access, identify the means to hack into those WAPs, and hack into those points when the person is present. Each part of the planned hack may use a different attack strategy or approach.
Each part of the attack strategy typically proceeds through the following steps:
Reconnaissance—understanding the defenses protecting the assets associated with the hacker’s goal. Reconnaissance can be either active (i.e., probing the network or computer) or passive (i.e., network sniffing).
Scanning—using the information obtained during reconnaissance to further examine the assets’ defenses and weaknesses.
Gaining Access—exploiting the weaknesses identified during reconnaissance and scanning to gain access to the assets.
Maintaining Access—keeping access to the assets for future exploitation and attacks.
Covering Tracks—avoiding detection by the assets’ countermeasures and removing evidence of the hack.
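The reconnaissance and scanning steps above are where a defender first has a chance to notice an attack. As an added example (not from the chapter), the script below runs a simple scanning detector over constructed connection-log lines: one source touching many distinct ports on one host inside a short window is flagged. Note the caveat the chapter’s active/passive distinction implies: passive sniffing generates no such log entries, so this check covers only active probing.

```python
"""Flag the active scanning step in connection logs (added example).

Active probing leaves a footprint: a single source reaching many distinct
ports on one host within seconds. Passive sniffing leaves nothing here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format: "<timestamp> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
2015-06-01T10:00:01 10.0.0.7 -> 10.0.1.5:22 DENY
2015-06-01T10:00:01 10.0.0.7 -> 10.0.1.5:23 DENY
2015-06-01T10:00:02 10.0.0.7 -> 10.0.1.5:80 ALLOW
2015-06-01T10:00:02 10.0.0.7 -> 10.0.1.5:443 ALLOW
2015-06-01T10:00:03 10.0.0.7 -> 10.0.1.5:3389 DENY
2015-06-01T10:00:03 10.0.0.7 -> 10.0.1.5:8080 DENY
2015-06-01T10:00:04 10.0.0.7 -> 10.0.1.5:8443 DENY
2015-06-01T10:00:09 10.0.0.7 -> 10.0.1.5:5900 DENY
2015-06-01T10:00:10 10.0.0.9 -> 10.0.1.5:443 ALLOW
2015-06-01T10:00:20 10.0.0.9 -> 10.0.1.5:443 ALLOW
2015-06-01T10:05:00 10.0.0.9 -> 10.0.1.8:80 ALLOW
"""


def parse(line: str):
    """Split one log line into (timestamp, src, dst_host, dst_port)."""
    ts, src, _arrow, dst, _action = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port)


def find_scanners(log_text: str, window=timedelta(seconds=30), min_ports=6) -> dict[str, int]:
    """Return {src: distinct_port_count} for every source that touched at
    least min_ports distinct ports on one host within a sliding window.

    Denied and allowed connections both count: a scanner learns something
    from each answer, and a firewall DENY is often the only trace left.
    """
    events = defaultdict(list)  # (src, host) -> [(timestamp, port)]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, host, port = parse(line)
            events[(src, host)].append((ts, port))

    hits: dict[str, int] = {}
    for (src, _host), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # {'10.0.0.7': 8}
```

Tune window and min_ports to the environment; the repeated 443 connections from 10.0.0.9 are deliberately not flagged, since ordinary clients reuse one port.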
Discussions of successful hacks start in Chapter 4, Hacks Against Individuals. Although these discussions start with the hacker gaining access to an individual user’s information assets, the reader should recognize that planning, reconnaissance, and scanning were required to achieve this access.
The enthusiasm to embrace wireless possibilities and explore a myriad of use case scenarios for consumer and organizational products and services has outpaced cautious discussion among the general public about the long-term impact of too much interconnectedness. In the United States, legal constraints on collecting and protecting ephemeral data, such as movement from one location to another, have been minimal.
Thus our stage is set for a deeper discussion about the differentiation between fixed and mobile WAPs, implications for their potential compromise, and interfaces with wired systems.