

Archive for March, 2011

PsyOps Tweets

March 30, 2011 3 comments

Only a couple of days after the post dealing with the impact of Internet connectivity and social networks on propaganda (and, more in general, on PsyOps operations), my dear friend and colleague David Cenciotti pointed me to an interesting article dealing with the use of Twitter for a PsyOps campaign (after the tweets of war for alleged military operations I already talked about)… Only a few hours later, exactly what I had theorized happened (even if in a quite sophisticated manner).

As a matter of fact, as reported in the above quoted article, it looks like a patriot hacker, named The Jester (th3j35t3r), used Twitter to send specific messages to erode the morale of the loyalist enemy troops. For sure no one before today had ever thought of taking so literally the well-known Twitter motto “Follow me”, which sounds much better as “Follow My Thoughts”.

This occurrence confirms the need to keep Internet connections up and running during military operations. Next prophecy? Will we soon see Wi-Fi drones in Operation Unified Protector? And maybe loyalist hackers performing wardriving against them?


Mobile Warfare… Certified…

March 30, 2011 3 comments

In this post I explained that what I called the mobile warfare (that is, social protest driven by mobile technologies and social networks) is rapidly spreading all over the Middle East, apparently on a systematic time scale (so far the events in Tunisia, Egypt and Libya have been separated by approximately a month).

Many observers claim that, in the shorter term, Syria and Bahrain could be the next targets of internal protests (last week 150 people were killed in Syria and today the government led by PM Naji Otri has resigned, apparently a quantum shift).

But the wave coming from the Maghreb, led by the mobile warfare, seems unstoppable, and in the longer term Iran and Iraq, the main barriers of fundamentalism, could be affected as well.

Of course, one of the most exciting things about infosec is the fact that reality is always one step ahead of imagination. As a matter of fact I tried to imagine different ways in which the bad guys of totalitarian regimes could prevent mobile technologies and social networks from achieving their goal of encouraging citizens to join the protests, including DDoS, Internet connectivity disruption and so on… I could not imagine, however, that someone would think of issuing rogue certificates for some high-profile websites used for email and chat in order, maybe, to intercept inconvenient and subversive communications.

That is exactly what happened in the Comodo affair, in which some fraudulent certificates were issued by the Comodo Certificate Authority, exploiting a vulnerability at a couple of Italian affiliates (sigh!), globaltrust.it and instantssl.it, which allowed a legitimately signed certificate to be issued on behalf of any requesting entity. This vulnerability was used to submit rogue Certificate Signing Requests (CSRs), that is false requests, and so obtain legitimate SSL certificates for the following web sites:

  • login.live.com
  • mail.google.com
  • http://www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

For those of you who are not too familiar with Public Key Infrastructure and cryptography, this means, in simple words, that once a rogue certificate has been obtained one may build a false web site (for instance a false mail.google.com, which browsers would trust because the certificate is signed by a recognized CA) and capture precious information that normally “travels” on the web encrypted, for instance the username and password of a private email account. This is called a man-in-the-middle attack.

Since it was discovered that the rogue Certificate Signing Requests originated from an ISP located in Iran, a political origin for the attack was suggested, motivated by the attempt of the Iranian government (backed by a Cyber Army) to intercept communications and, more in general, emails and chats belonging to political leaders not “too close” to the positions of Mr. Mahmoud Ahmadinejad (mmhh.. at least for the alleged purpose, it reminds me of Operation Aurora, doesn’t it?).

Now, it looks like a lone ranger Iranian hacker, not belonging to any army, claimed to be the sole author of the hack (at this link the complete history and a detailed analysis of the event). Probably a real Iranian involvement will never be confirmed, but to me the doubt that this action was planned to stop the mobile warfare remains intact. Otherwise I would not be able to understand why only certificates related to secure communication services were affected, services often used by dissidents to organize protests and share news with the world.

Corps of (Network and Security) Engineers

March 29, 2011 7 comments

A couple of posts ago, in the article “Tweets Of War”, I discussed the possibility of using consumer mobile devices and Internet connectivity as a kind of weapon, for instance to tweet the positions of enemy troops in order to direct allied bombs, as some rebels in Libya did (simply go to twitter.com and search for the tweets tagged #LibyanDictator).

Of course this fact raises the question of the importance of Internet connectivity during military actions and, as a consequence, also of the importance of information security, which cannot be limited to “simple” message encryption: referring to the above mentioned example, we cannot authenticate tweets, so we may not exclude a priori that they are spoofed tweets meant to drive the allied bombs towards the wrong target (we might always think of authenticating them with a Comodo certificate!).

As a matter of fact, maintaining Internet connectivity has become a primary priority, which is the reason why the U.S. Army, for instance, is thinking of implementing appropriate technologies and countermeasures in order to maintain or restore Internet connectivity during military actions. Times change and I would almost say that what was once considered the Corps of Engineers, today, in a mobile warfare, should be called the Corps of (Network and Security) Engineers. What the Corps of Engineers do on the real battlefield (build connections and bridges), the Corps of (Network and Security) Engineers do on the cyber-battlefield (build Internet connections and connectivity bridges).

Strictly speaking, why is maintaining Internet connectivity so important? Of course, the main reason is propaganda in terms of “evangelism to the cause”, gathering of the faithful and, why not, foreign public involvement. We have seen so far how important the role of mobile technologies and social networks has been (and keeps being) for the winds of change blowing in the Maghreb, at the beginning for spreading the movements (also beyond the borders) and then for bearing witness to the world of what was really happening, in all cases playing a crucial role for the advent of Operation Odyssey Dawn (while I am writing, you only need to go to Twitter to be a spectator of the dramatic occurrences in Libya: from the reporting of events to requests for help, doctors, etc.). This role is even more important during military operations where, typically, both parties claim real or alleged success in combat operations, or blame each other for civilian casualties.

But a closer look shows an even more important factor, apparently secondary but potentially decisive in a situation similar to the one occurring in Libya, where a civil war is being fought between rebels and loyalists. In such a context the Internet may play a primary role in conveying PsyOps messages, not only to encourage citizens to join the protests, as is happening in Syria, where Facebook is being used to gather followers for the revolt, but also for the opposite purpose of convincing rebels to disarm and return to their families without further bloodshed. This does not sound new, since a similar operation was attempted by the Egyptian Government (actually with a tragicomic outcome) by taking over the main mobile operators and flooding their subscribers with propagandistic messages that were supposed to encourage young people to support the falling government and abandon the protests (a complete report at this link, in Italian). One might say that this is not a new concept (read for instance the following article issued in 2001); the difference is that, in 2011, both the transmission technologies and, most of all, the reception technologies (read: mobile devices) are much more sophisticated and widespread, making this kind of operation really effective compared to how it could have been ten years ago.

Of course there is a further dramatic question to be addressed for PsyOps messages propagated through the Internet, and it is the one pertaining to information security, some aspects of which I have already addressed in this post. On one hand, whatever message is transmitted through the Internet may be susceptible to man-in-the-middle attacks and hence hacked if not properly secured throughout the propagation process: hacking in this case would correspond, for instance, to altering, if not inverting, the content. What if the above mentioned tweets were spoofed, providing false coordinates? Maybe I am letting my imagination fly if I say that the authors could have negotiated a priori with the recipients some predefined semantics with which to transmit the messages.

On the other hand, it is likely that the Corps of (Network and Security) Engineers will not only have to worry about establishing and maintaining Internet connectivity in military operations, but will also have to face, on a cyber-battlefield, enemy malware weapons and/or jamming or Denial-of-Service tools specifically conceived to attack PsyOps sources at the root (it is appropriate to say!) in order to make them unusable. In any case, they must not underestimate in any way the impact of hacking from a PsyOps perspective (in favor or against; just think of the echo raised by the recent Libyan TV hacking).

Mobile Warfare in Syria

March 27, 2011 8 comments

Sources report that last week 150 people were killed during the protests against president Bashar al-Assad in Syria. In this circumstance too, as already happened in Tunisia, Egypt and Libya, the world is witnessing the protests thanks to the hundreds of citizen reporters equipped with their mobile devices and Internet connections.

The mobile warfare is at work in these countries too: as a matter of fact the tweets allow the protests to be followed in real time, by means of continuously updated short messages, while Facebook allows the movements to spread throughout the nation (and not only): the blue social network calls people to join the revolution by means of continuously growing groups, the largest of which, The Syrian Revolution 2011, currently counts more than 90,000 supporters. At the same time, more and more videos shot with mobile devices are flooding YouTube.

In a certain sense it looks like the Middle East is playing a global Risk board game, whose troops are represented by mobile devices and whose effects on the social landscape have no geographical boundaries, especially for those governments that restrict the civil liberties of their citizens. This global Risk match is far from over, since the invasion of the Mobile Warfare (and its effects on the governments) is also happening in Yemen and Bahrain, which are suffering similar outbreaks of protests. It is interesting to notice that all the peaks of the revolutions were spaced, on the time scale, by approximately one month:

  • Tunisia, Jan 14th 2011: president Ben Ali ousted;
  • Egypt, Feb 11th 2011: president Mubarak stepped down;
  • Libya, March 19th 2011: after two weeks of fighting Operation Odyssey Dawn begins.

If we perform a kind of extrapolation, does this mean that the peaks of the protests in Syria and Jordan will reach their maximum in mid-April?

Mobile Warfare spreading into Middle East

Speculation aside, as far as Syria is concerned, what is happening follows the same pattern observed in the Maghreb area, with the only difference that, so far, Syria has not decided to disrupt the Internet connection in order to stop the stream of information towards foreign countries.

From a political and social perspective, all the involved countries have many aspects in common: long-lived governments (in Syria the al-Assad dynasty has governed continuously for 40 years, which become 42 in the case of the monarchy of Bahrain), younger generations with no dreams and no trust in the future, eager for more freedom. Most of all, younger generations which have access to Internet connections and social networks (I was in Syria for work three years ago and can confirm that, even then, the penetration of the Internet, mobile technologies and social networks was well established), through which they may observe, study (and compare) the (apparently) better conditions of their Western peers.

I think the process is irreversible, and indeed is likely to intensify (Saudi Arabia, Iran and Iraq will probably suffer other outbreaks in the medium term). Meanwhile it will be interesting to see whether the involved governments apply preventive measures on a large scale, for instance the disruption of Internet connections, or measures targeted specifically at mobile devices or at preventing access to the social networks for sharing tweets, groups or videos…

Android Virtual Machine on RIM Tablet, A Security Concern?

The rumors have been confirmed and in the end it looks like the forthcoming RIM tablet, named PlayBook, will be able to run Android applications. This will be possible thanks to an optional “app player” that will provide an application run-time environment for Android v2.3 code (no mention so far of Honeycomb), allowing users to download Android applications directly from BlackBerry App World and run them on their (future) BlackBerry PlayBook.

This does not sound new to me (at this link an article in Italian in which I discussed the rumors of an Android Virtual Machine for the PlayBook), but in my opinion the point of interest does not lie in the fact that the announced “app player” builds a bridge between the Android and RIM worlds (as a matter of fact the RIM tablet will also offer a second “app player” for BlackBerry Java applications); it is really interesting to point out the information security perspective, since it looks like the paradigm Write (Malware) Once, Use Many will undoubtedly come true.

We know that, since the beginning of 2011, the poor Android has been suffering from multiple infections, and this peak of malware is not only due to the fact that the Google platform captured the #1 ranking among mobile platforms but, most of all, to the fact that the number of users who leverage Android’s capabilities for professional use is growing day by day. Of course the effort for developing malware is commensurate with the value of the target, hence this evidence (together with the fact that Android is an open platform and the Android Market policies are not as strict as the ones from Cupertino) explains why the Android is rather sick in this period (and also, in my opinion, why security issues are the main reason behind Mountain View’s decision to hold Honeycomb tight, not making its source code publicly available, at least so far).

Now, the prospect of using Android as a “malware bridge” to other platforms might sound very appealing to cyber crooks, so this improbable openness from the RIM side could become a little embarrassing for Google from an infosec perspective, further encouraging other malware writers to direct their efforts towards Android. The spread of the Android Virtual Machine for sure makes life easier for developers but undoubtedly ends up making it harder (from a security perspective) for users and IT managers.

And what about the future? It looks like the scenario could become even more complicated, since the Android Virtual Machine (the notorious Dalvik, in the middle of a lawsuit with Larry Ellison’s Oracle) could soon land on other devices. As a matter of fact Myriad, a member of the Open Handset Alliance, which collaborates with Google to develop Android, is working on an Alien Android (that is a Dalvik-compatible Virtual Machine, called Alien Dalvik) capable of running native Android applications on alien platforms, furthermore at the same speed as the original Android (so, not bad, malware infections will propagate at the same speed as on the original platform). Of course this could sound even more appealing to malware writers.

Definitely the Android is no longer satisfied with being the reference platform for the market; rather it seems to be aiming to become the reference platform for malware as well. Who knows if one day we will ever see an Apple infected by an Android?

Tweets Of War

March 24, 2011 4 comments

In a recent post, I discussed the influence and the role of (consumer) mobile technologies and social networks (“Mobile Warfare”) in the events that are changing the political landscape of Mediterranean Africa, coming to the conclusion that they are setting new scenarios which will have to be taken seriously into consideration by all those governments which still put in place severe limitations on human rights.

To me, “to be taken into consideration” means that all those governments will have to deploy “extreme measures” (hopefully less extreme than completely unplugging the Internet connection, as already done by Egypt and Libya) in order to prevent mobile technologies from acting as catalysts for the protests and also from turning common citizens into real-time reporters for the most powerful magazine ever issued: the social network. More realistically these measures might include threats specifically targeted at mobile equipment involving hacking techniques commonly known in the infosec arena, such as Distributed Denial of Service, or also malware aimed at altering the normal functioning of the devices.

On the opposite side, it is also clear that modern armies will deploy “unconventional weapons” aimed at maintaining Internet connectivity during military operations, mainly for PSYOPS purposes (or at least so I was led to believe). As a matter of fact the tweets, pictures and videos shot from mobile devices during the dramatic days in Tunisia, Egypt and Libya had a dramatic impact on foreign public opinion. In Tunisia and Egypt the dramatic images shot from mobile devices contributed to creating the international pressure which led to the fall of their respective governments; in Libya, they acted as an accelerator for the definition of the “No Fly Zone” and the consequent “Odyssey Dawn” operation.

But there is also another point which makes it more and more important to maintain Internet connectivity during military operations, and it is not simply related to PSYOPS, but rather to real military operations. A simple screenshot of Twitter may give dramatic evidence of this: simply search for the #LibyanDictator term.

It looks like Twitter was used by rebels to provide NATO with the coordinates of the enemy forces.

More in general, think of having a mobile device with a GPS and an Internet connection, and you may “simply” pass the coordinates of the enemy troops to allied forces…

On the opposite front: think of making mobile devices unusable or, in the worst case, of altering their GPS with malware, and you may prevent precious information from being passed to the enemy or, worse, provide him with false coordinates (and watch him bombing his own allies within a few minutes)…

Probably I am going too far with my imagination; anyway it is clear that war strategists will have to become more and more familiar with virtual (that is, made of bits and bytes) mobile (and social network) battlefields.

Report on the Mobile Security Round Table

I have published on Slideshare the report I wrote of the round table “Mobile Security: Risks, Technologies, Market”, held on March 14th in Milan as part of the Security Summit 2011.

The report, which I posted in a thread of the LinkedIn group Italian Security Professional, can be viewed at the link below. Thanks again to the group that hosted this very interesting event!

Mobile Warfare

March 23, 2011 13 comments

It has been recognized that mobile technologies have had a significant impact on the events that occurred in North Africa. In my opinion their impact was so impressive that I refer to them with the term “mobile warfare”, indicating with this term the fact that they are going to play a crucial role in the (let us hope fewer and fewer) wars of the future.

Since the WikiLeaks affair, and the consequent possibility of converting an Android device into a WikiLeaks mirror during the attempt to put the main site offline by means of massive DDoS attacks, it was clear to me that mobile technologies would play a very important (never seen before) role in 2011, not only in hacktivism but, more in general, in human rights related issues.

I had a dramatic confirmation of this role during the Jasmine Revolution in Tunisia, where mobile technologies made every single citizen a reporter, capable of sharing in real time with the rest of the world information such as images, videos and tweets pertaining to the dramatic events happening inside the country.

But it was with the #Jan25 and #Egypt tweets that the world discovered for the first time the power of the mobile warfare. In those dramatic days every single person on the planet only needed to access her Twitter account in order to become a virtual witness of the events; dramatic facts reported in great detail by hundreds of extemporaneous reporters “armed” only with a smartphone, and made available in real time to the rest of the world thanks to the “six degrees of separation” allowed by social networks. The strength and the impact of this mobile warfare were so huge as to force the declining Egyptian Government to shut the Internet off for several days starting from January 27th.

Can we really understand what it means for a country to shut the Internet off? As individuals we are so used to the Web that we could not resist a single hour without checking the status of our mates. But for a country, an Internet connection disruption means a nearly complete stop of all economic and financial activities, including banking, trading and so on. The mere fact of having enforced such a dramatic decision (and its consequences) is particularly meaningful of the threat posed by the Mobile Warfare as perceived by the Egyptian Government. But to have a clear understanding we must also consider the fact that, at the same time, the Egyptian Government itself tried to unleash the power of the mobile warfare with its clumsy attempt to stop the revolution by broadcasting pro-government SMS messages, thanks to the country’s emergency laws, causing the subsequent protests of Vodafone.

And what about Libya? I have direct experience, since I was in Tripoli for work at the beginning of last February (so a month and a half ago, even if it looks like a century has passed since then). I was not even completely out of the jet bridge leading me from the aircraft to the airport building when I was struck by how many Libyan people were playing with their iPhones. Since I just could not help thinking of the Egyptian situation, I asked some of them if they had the feeling that something similar to Egypt could happen in Libya. Guess what they answered? They all simply agreed that, due to the different economic and political situation, it was impossible! Of course the point is not their answer but rather the fact that I was surprised to see so many smartphones (ok, we are speaking about the airport, which maybe is not so meaningful in terms of statistics) and, more in general, so many devices capable of providing a high-level Internet user experience (even if with the bottleneck of the local mobile networks) and of potentially being used for mobile warfare.

That event was just a kind of premonition since, a couple of weeks later, during the first days of the protests, and in particular during the reaction of the regime, smartphones and social networks once again played a leading role, allowing the world to witness those dramatic events in real time with a spreading rate unknown before. For the second time, approximately three weeks after Egypt, a country decided to disconnect the Internet in order to prevent the spread of information via the social networks. This time it was Libya’s turn, which decided to unplug the Web on February 18th. Once again the power of the mobile warfare was unleashed, disconnecting a country from the Internet in a few minutes (how long would a real army have taken to carry out a similar sabotage?).

Is mobile warfare the cause or effect?

We must not make the mistake of considering the mobile warfare as an effect of the movements that arose first in Tunisia, then in Egypt, and finally in Libya. Mobile warfare is rather the cause, since it is precisely through the action of mobile warfare that events could spread rapidly inside a single country, and later among different countries (in both cases with unprecedented speed), encouraging other people to follow the example and acting, in turn, as a powerful catalyst for the movements. As an example, consider the following article, which in my opinion is particularly meaningful: it shows the Middle East Internet Scorecard, that is the dips in Internet connections registered in different Middle East countries in the week between February 11 and February 17 (that is, when the social temperature in Libya was getting extremely hot): one can clearly recognize a viral spread of the “unplugging infection”.

What should we expect for the future?

Mobile Warfare has played and is still playing a significant role in the winds of change that are blowing in North Africa. Thanks (also) to mobile technologies, people (most of all students) living in countries where human rights suffer some kind of limitation have the possibility to keep continuously in touch with people living in different countries, learning their habits and, in turn, being encouraged to “fight” to achieve (or at least to attempt to achieve) a comparable condition. This revolution is not only technological but most of all cultural, since it is destroying all the barriers that kept many countries separated from each other and that allowed many populations to live (apparently) in peace simply because they completely ignored the existence of a world outside: we could consider this the equivalent of the old infosec paradigm of “(Homeland) Security Through Obscurity”.

On the opposite side, it is likely that all those governments having a peculiar idea of what human rights are will deploy some kind of countermeasure to fight the mobile warfare and its inseparable companion: the social network. I do not think that completely preventing the use of mobile technologies is an applicable weapon, since they have become too important for a country (politics, economics, finance, etc.): nowadays every kind of information flows in real time, consequently no country can afford to go slower.

Moreover, for the reasons I explained above, the Internet disconnection is not a sustainable countermeasure either, since no government in the world can afford to be cut off for too long simply to prevent people from tweeting or sharing ideas or videos on social networks. Also because, for instance, the U.S. has secret tools to restore the Internet in case of disruption, which include Commando Solo, the Air Force’s airborne broadcasting center, capable of bringing the Wi-Fi signal back to full strength in a bandwidth-denied area; satellite- and non-satellite-based assets that can provide access points to get people back online; and finally cell towers in the sky, hooking cellular pods to the belly of a drone, so that the ground within a radius of a few kilometers underneath the drone would have 3G coverage. It would be interesting to verify whether any of these technologies are currently being used in Operation Odyssey Dawn.

For all the above quoted reasons, in my personal opinion the countermeasures will aim to make unusable the resources of information collection (that is, mobile devices) and the resources of information sharing (that is, social networks).

So this new generation of Cyber-warfare will involve:

  • A preventive block of social networks in order to prevent any attempt to share information. For the above quoted reason a total block will damage the whole economy (even if I must confess that a preventive block of this kind would be quite easily bypassable through external proxies);
  • A massive Denial of Service against mobile devices through massive exploitation of vulnerabilities (more and more common and pervasive on this kind of device), through massive mobile malware deployment, or also by means of mass remote execution on mobile devices (as, for instance, Google did in order to remotely wipe the DroidDream malware). Honestly speaking I consider the latter option the least likely, since I can easily imagine that no manufacturer will cooperate on this (but this does not exclude that a single country could consider leveraging this channel).
  • Spoofing mobile devices in order to make them unreachable or also in order to discredit them as sources of reputable information.
  • A “more traditional” Denial of Service in order to put social networks offline (even if this would need a very huge DDoS due to the distribution of the social network providers’ resources).

In all the above quoted cases it would be legitimate to expect a reaction, as done, for instance, by the infamous Anonymous group.

L’Androide Minacciato Alla Radice

Questa mattina, il buongiorno non ce lo porta l’aroma di caffè e un bel croissant al burro, ma l’ennesima nota di Lookout che segnala l’ennesimo malware per il mai troppo cagionevole Androide. La minaccia viene ancora dall’Estremo Oriente, ed in particolare dalla Cina che si conferma terra ostica per la salute virtuale del Sistema Operativo di Mountain View (mi verrebbe da dire che l’Androide è proprio sensibile alla Cinese).

I sintomi usuali ci sono tutti: il Market Parallelo ed un eseguibile chiamato zHash, che ricalca l’orma del predecessore DroidDream, in grado di rootare (non è una parolaccia ma un improbabile improvvisato neologismo a cui dovremo purtroppo abituarci) il dispositivo mediante il medesimo exploit exploid.

Naturalmente, per non farsi mancare niente, è stata registrata una versione della stessa applicazione anche nel Market Ufficiale, con lo stesso nome, contenente quindi lo stesso exploit, ma priva del codice necessario per invocarlo. Magra consolazione in quanto è sempre meglio non avere il nemico in casa anche se dormiente.

Ad ogni modo l’applicazione, che sembra abbia avuto 5000 download, è stata già rimossa da Google che ha esercitato ancora una volta (sta diventando un’abitudine troppo frequente) la possibilità di disinstallare l’applicazione da remoto (ovviamente la rimozione “coatta” è stata attuata solo per le versioni scaricate dal market ufficiale).

Per inciso la pericolosità del malware sembra relativamente bassa. Ovviamente una volta che il terminale è stato compromesso illecitamente (all’insaputa dell’utente), potrebbe poi essere vittima di altre applicazioni malevole facenti leva sui permessi di root indebitamente acquisiti.

For now there is no further information; in any case the never-too-often repeated usual recommendations remain valid:

  • Avoid, unless strictly necessary, enabling the option to install applications from Unknown Sources (a practice also known as "sideloading").
  • Pay attention in general to what you download and in any case install only applications from trusted sources (for example the official Android Market, whose applications are not infected). It is also good practice to check the developer name, the reviews and the user ratings;
  • Always check the permissions of applications during installation. Naturally common sense is the best anti-malware for checking whether the permissions are appropriate to the purpose of the application;
  • Watch out for symptoms of unusual phone behaviour (for example strange SMS messages or suspicious network activity), which could be indicators of a possible infection;
  • At this point, alas (and here we return to the recently discussed topic of the cost of security), consider an anti-malware application among the many on offer, by now destined to become an inseparable companion.
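The two recommendations about sideloading and about permissions can be turned into a concrete check. The following is an added example, not code from Lookout or from this post: it parses a constructed AndroidManifest.xml, compares the requested permissions against what an app of the declared category plausibly needs, and also notes whether the app arrived through the official Market client (the package name `com.android.vending` is an assumption, as are the per-category baseline, the sample manifests and the installer names). As the zHash story itself shows, an official-market installer is no guarantee, so the permission review is the part that matters most.

```python
"""Permission triage for an Android app (added example, constructed data)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OFFICIAL_INSTALLER = "com.android.vending"  # assumed package name of the official Market client

# Permissions a user should question whatever the app claims to do, with the reason.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate fraud, covert signalling)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS",
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
    "android.permission.READ_PHONE_STATE": "reads device identifiers",
    "android.permission.INSTALL_PACKAGES": "installs other packages (not granted to normal apps)",
}

# Constructed baseline: what an app of a given category plausibly needs.
EXPECTED_BY_CATEGORY = {
    "wallpaper": {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def triage(manifest_xml, category, installer):
    """Flag permissions the declared category does not justify and non-market installs."""
    perms = requested_permissions(manifest_xml)
    unexpected = sorted(perms - EXPECTED_BY_CATEGORY.get(category, set()))
    findings = []
    if installer != OFFICIAL_INSTALLER:
        findings.append("sideloaded via %r: no market-side review and no remote removal" % installer)
    for p in unexpected:
        if p in SENSITIVE:
            findings.append("%s: not needed by a %s app; %s" % (p, category, SENSITIVE[p]))
    return {"permissions": sorted(perms), "unexpected": unexpected, "findings": findings,
            "verdict": "do not install" if findings else "consistent with declared purpose"}


# Constructed manifest of a "wallpaper" app asking for far more than it needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
</manifest>"""

# Constructed manifest of a wallpaper app that asks only for what it needs.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest, installer in (("suspicious", SUSPICIOUS_MANIFEST, "com.example.altmarket"),
                                       ("clean", CLEAN_MANIFEST, OFFICIAL_INSTALLER)):
        report = triage(manifest, "wallpaper", installer)
        print(label, "->", report["verdict"])
        for f in report["findings"]:
            print("   ", f)
```

The baseline table is deliberately small: the point is that a wallpaper app has no business sending SMS or reading the phone's identifiers, and that a permission list which outruns the app's purpose is the signal the post tells readers to look for.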

Next Optional Extra in the Car? The Antivirus!

Among the few certainties that "drive" my automotive tastes there is surely my unconditional love for the Biscione (even if it has been waiting for better times for far too long). Even though my relationship with the Casa del Portello is currently in the middle of the classic "pause for reflection", this has not led me to abandon Blue&Me, the Fiat Group's multimedia system based on Microsoft technologies, which I have got used to by now and could no longer do without.

Of course I have wondered many times about the security implications of putting a slice of Redmond's windowed code inside a car and, more generally, of delegating control of some of the car's parameters to an embedded operating system; but until today (apart from the case of the alleged Toyota infection, which later turned out to be a hoax) there has never been the occasion (or the need) to look into the matter in depth. In truth I have always had a privacy doubt (who knows how many owners of cars equipped with Blue&Me remember to erase the address book when they return or sell the car or, in theory, leave it at the garage), but that is nothing special, since it is just one more threat, this time on four wheels, to our data, which nowadays live literally surrounded by opportunities for breach.

At least until a few days ago, when I came across one of those news items that certainly do not go unnoticed: a group of researchers, coordinated by Tadayoshi Kohno, associate professor in the Computer Science department of the University of Washington, and Stefan Savage, professor of Computer Science at the University of San Diego, carried out a two-year study, presented last week to the National Academies Committee on Electronic Vehicle Controls and Unintended Acceleration, concerning the security of the multimedia systems fitted to cars, reaching the disheartening conclusion that it is possible, by exploiting their vulnerabilities, to obtain almost total remote control of the vehicle.

The same researchers, who are no strangers to feats of this kind, had already managed in the past to take remote control of a sedan with physical access (that is, via the diagnostic port). In the current case the situation is considerably different, since control was obtained via malicious software injected into the diagnostic system and, even more disconcertingly, via the device's Bluetooth connection (with an already paired or illicitly paired device) or even by means of malicious code hidden in an 18-second audio track played by the on-board media player.

The exploit was carried out on mid-size sedans belonging to the American market equipped with the GM OnStar and Ford Sync multimedia systems, but this does not mean that the distance separating us from the States and the difference in market and models allow us to remain virtually at ease.

Architecture of Windows Embedded Automotive, taken from: "A Technical Companion to Windows Embedded Automotive 7"

The Ford system is in fact a close relative of "our" Blue&Me from the big Italian-American group: both have a common root in Redmond's Windows, and in particular in the automotive flavour of the Microsoft operating system called Windows Embedded Automotive 7 (and earlier versions). Analysing the specifications of the (auto)mobile operating system one discovers that the architecture is not a simple infotainment hub but a complete framework that allows dialogue with all of the vehicle's components, thanks to dedicated drivers (native or third-party) that connect the main processor, or the co-processor, to the communication bus of the automotive components, based on CAN or IEEE 1394 (the automotive FireWire), or to any other multimedia components based on MOST. This explains why, for example, in the Fiat case it is possible to check your car's fuel consumption and CO2 emissions via a USB stick with the Ecodrive application, or why, as in Ford's case, the Sync application can also be used for diagnostic information.

Applications for the on-board multimedia system can be developed with Visual Studio 2008 and make use of the usual workhorses of the Redmond application ecosystem, such as Silverlight and the Tellme voice recognition system.
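Since the infotainment unit sits on the same CAN bus as the vehicle's ECUs, the defensive question is what the bus looks like when something other than the legitimate ECUs is talking on it. The following is an added example, not code from the researchers or from any manufacturer: it learns the per-ID message period and payload length from a known-good capture, then flags, in a second capture, arbitration IDs never seen before, IDs transmitted far more often than their period predicts (the legitimate ECU keeps sending, so a second sender roughly doubles the rate), and payload-length changes. Log lines follow the text format written by the Linux can-utils `candump` tool; every frame, ID and timing below is constructed for the example and corresponds to no real vehicle.

```python
"""CAN traffic anomaly detection over candump-style logs (added example, constructed data)."""
import re
from collections import defaultdict

# "(timestamp) interface ID#HEXDATA", the line format of candump -l logs.
CANDUMP_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$")


def parse_candump(text):
    """Return (timestamp, arbitration_id, payload_bytes) for each valid log line."""
    frames = []
    for line in text.splitlines():
        m = CANDUMP_RE.match(line.strip())
        if m:  # blank or malformed lines are skipped
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_baseline(frames):
    """Per-ID mean period in seconds and set of payload lengths, from known-good traffic."""
    by_id = defaultdict(list)
    for ts, cid, data in frames:
        by_id[cid].append((ts, len(data)))
    baseline = {}
    for cid, items in by_id.items():
        ts_list = [t for t, _ in items]
        period = (ts_list[-1] - ts_list[0]) / (len(ts_list) - 1) if len(ts_list) > 1 else None
        baseline[cid] = {"period": period, "dlc": {n for _, n in items}}
    return baseline


def detect(frames, baseline, rate_tolerance=1.5):
    """Compare an observed capture against the baseline; return a list of alert dicts."""
    alerts = []
    counts = defaultdict(int)
    seen_dlc = defaultdict(set)
    for _, cid, data in frames:
        counts[cid] += 1
        seen_dlc[cid].add(len(data))
    duration = frames[-1][0] - frames[0][0] if frames else 0.0
    for cid, n in sorted(counts.items()):
        if cid not in baseline:
            alerts.append({"id": cid, "kind": "unknown_id", "count": n})
            continue
        ref = baseline[cid]
        if ref["period"]:
            expected = duration / ref["period"] + 1  # frames a single periodic sender would produce
            if n > rate_tolerance * expected:
                alerts.append({"id": cid, "kind": "rate", "observed": n, "expected": round(expected)})
        new_dlc = seen_dlc[cid] - ref["dlc"]
        if new_dlc:
            alerts.append({"id": cid, "kind": "dlc", "lengths": sorted(new_dlc)})
    return alerts


def make_log(frames):
    """Format frames as candump-style lines; used only to build the constructed captures."""
    return "\n".join("(%.6f) can0 %03X#%s" % (ts, cid, data.hex().upper())
                     for ts, cid, data in sorted(frames))


# Constructed baseline: one ID every 10 ms and one every 100 ms, over one second.
BASELINE_LOG = make_log(
    [(i * 0.010, 0x0C9, bytes(8)) for i in range(100)]
    + [(i * 0.100, 0x1A1, bytes(8)) for i in range(10)])

# Constructed observed capture: the same legitimate traffic plus a second 0x0C9 stream
# offset by 5 ms, one frame from an ID absent from the baseline, and one 0x1A1 frame
# with a shorter payload.
OBSERVED_LOG = make_log(
    [(i * 0.010, 0x0C9, bytes(8)) for i in range(100)]
    + [(i * 0.010 + 0.005, 0x0C9, b"\xFF" * 8) for i in range(100)]
    + [(i * 0.100, 0x1A1, bytes(8)) for i in range(10)]
    + [(0.950, 0x1A1, b"\x01\x02"), (0.500, 0x3FF, b"\x00")])


def run_example():
    """Learn from the baseline capture and report anomalies in the observed one."""
    baseline = learn_baseline(parse_candump(BASELINE_LOG))
    return detect(parse_candump(OBSERVED_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The rate check is the one that matters for injected control frames: an attacker who wants a brake or steering ECU to obey forged messages cannot silence the real sender, so the ID's frequency on the bus rises well above its baseline, which is visible to any node that simply counts frames.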

Naturally, to date there is still no news of attacks perpetrated by exploiting the vulnerabilities of latest-generation multimedia systems (and the exploit described above took 10 researchers a full 2 years of work, and at present appears hard to replicate); nevertheless the news sounds like an alarm bell that manufacturers would do well to heed, especially now that they are opening up to open standards and, as in Ford's case, setting up an ecosystem of applications around their multimedia system. On the other hand we are certainly not used to thinking that the electronics (ABS, airbag, ESP, etc.) of any latest-generation car can by now count on between 50 and 70 ECUs (microprocessor-governed Electronic Control Units), dropping to "only" 30 to 50 in the case of small city cars, interconnected via the synchronous CAN bus mentioned above and governed by around 100 million lines of code. Which sounds surprising when you consider that an F-22 Raptor has about a tenth of the lines of code ("only" 1.7 million), the F-35 Joint Strike Fighter will have about 5.7 million and the Boeing 787 Dreamliner roughly 6.5 million to manage avionics and on-board systems.

The possible attack scenarios are extremely varied and range from the ability to track at will the position of the car of our dreams (via the integrated GPS), with the intention of stealing it at the first useful opportunity, to remote sabotage acting on brakes, steering, central locking, etc. All of it perhaps initiated by an MP3 track given to us by an unknown (but not too unknown) benefactor (never accept sweets from strangers, not even in digital form). The picture is presumably bound to get worse, since V2V (Vehicle2Vehicle) and V2I (Vehicle2Infrastructure) systems are under study which, via Wi-Fi and GPS, will let vehicles talk to each other (or to dedicated infrastructure) in order to avoid collisions and accidents (ironically, Ford itself has recently presented its own V2V prototype). So as not to let my imagination run too far, I leave out electric vehicles, in which electronics will play an even greater role (and which may well connect to smart grids, whose security implications I have already had occasion to discuss). It is no coincidence that some manufacturers are already taking cover, for example through the EVITA project (E-safety Vehicle Intrusion Protected Applications), aimed precisely at securing V2V and V2I communications and thus EVITAre (avoiding) embarrassing intrusions into them by four-wheeled cybercriminals.

Who knows, it may be that in my next car (I hope it will be an Alfa Romeo Giulia, perhaps rear-wheel drive) I will have to order the antivirus as an optional extra, or perhaps it will already come as standard...
