It looks like Perfidious Albion is not exactly what one would define as a paradise for mobile security. Not only did the echoes of the scandal concerning “voicemail hacking” lead the infamous tabloid News of the World to close on Sunday, the 10th of July 2011, and Rebekah Brooks to resign as CEO of News International today; the flow of events has also unexpectedly brought mobile security issues to the attention of a wider audience, no longer confined to information security professionals.
This is partially due to the relative ease of implementing similar hacking techniques in mobile communications, which is raising doubts and misgivings in many other countries. As a matter of fact, as actually happened, voicemail hacking is relatively easy to implement and is based, as usual, on two factors:
- From the user perspective, on poor attention to default (in)security settings;
- From the operator perspective, on the necessary trade-off between security, user experience, and convenience, (almost) always favoring the latter, which turns out not to be an optimal choice from a security perspective.
A lethal mix which may be quite easily exploited by a balanced blend of (little) hacking and (a lot of) social engineering. At this link there is a really complete and interesting description, very helpful for understanding how relatively easy it is to perform voicemail hacking with some U.K. operators (but keep in mind that procedures vary from operator to operator). According to the above-quoted article, in theory, it is possible to slip through the meshes of the operators' security procedures simply by calling the voicemail of the victim, impersonating the legitimate user, claiming to have forgotten the PIN and voilà, that’s it!
Voicemail hacking does not need further components, but unfortunately it is not the only issue that may arise: in theory entire conversations may be hijacked (and unfortunately it is something we are quite familiar with, here in Italy). The security process of a phone conversation is an end-to-end chain, inside which technology is only one component, and the human factor is the weakest link. In this context weak means leak, so it often happens that some information that should not be disclosed is delivered to the media (even if irrelevant to any ongoing investigations), with devastating aftermaths for the investigations themselves and for the victims’ privacy.
The scenario is further complicated by the new generation of smartphones, where technology (and the ongoing process of Consumerization of Information Technology) leaves virtually no limits to the imagination of attackers: not only voicemail hacking, but also mobile malware (a threat which does not need the unintended cooperation of the operator) capable of extracting any information from devices. The dramatic events in the U.K. involved using stolen data for squalid journalistic purposes, but, since mobile devices are nowadays indispensable companions of our everyday lives, nothing prevents, in theory, the use of the same or different methods to steal other kinds of information such as confidential data, banking transaction identifiers, etc. Do you really need a confirmation? Consider, for instance, the recent evolution of the infamous ZiTMo mobile malware that has just landed on Android (the continuing metamorphosis of this malware is really meaningful: born on the Windows platform, it has rapidly spread on Windows CE, Symbian, and now, last but not least, Android). Since it is expected that 5.6% of iPhones/Android handsets are going to be infected in the next 12 months, there is much to worry about. In this context what happened in the U.K. may constitute a dangerous precedent and a dramatic source of inspiration for organized cybercrime.
Fears that similar occurrences could happen in other countries are rapidly spreading. As a consequence some countries are moving fast to prevent them.
In the U.S., in the wake of the U.K. hacking, Representative Mary Bono Mack, a California Republican who chairs the House subcommittee on commerce, manufacturing and trade, is contacting handset manufacturers including Apple, Google and Research in Motion, and wireless companies as well, such as AT&T, Verizon Wireless and Sprint Nextel, to determine if there are any vulnerabilities in cell phones or mobile devices which can be exploited by criminals and other unscrupulous individuals. Clearly the final goal is to prevent similar events from ever happening in the United States.
For the record, on June 13 Bono Mack released draft legislation which aims to tighten data security for companies that are victims of data breaches. Under the proposal, companies that experience a breach that exposes consumer data would have 48 hours to contact law enforcement agencies and begin assessing the potential damage.
Immediately afterwards, U.S. Attorney General Eric Holder is considering an investigation into News Corp. for the same reason.
Anyway, the U.S. is not the only country worried about this, as similar concerns are rising in Canada, and I can easily imagine that other countries will soon deal with the same issue.
A final curious note: further confirmation that the U.K. is not the paradise of mobile security came this morning when I stumbled upon this wiki, which happily shows how to hack a Vodafone femto cell (just released to the public) in order to, among other things, intercept traffic and perform call fraud (place calls or send SMS on behalf of somebody else's SIM card).
The best (or the worst, it depends on the points of view) is yet to come…
Update July 15: Reuters reports that a classified US military weapons system will now need to be redesigned after specs and plans for the system were stolen from a defense contractor database during the breach of March.
According to an AP statement, on Thursday the Pentagon revealed that it had suffered a breach of 24,000 documents in March, during a single intrusion. Particularly interesting is the fact that sources believe the attack was perpetrated by a foreign country, confirming the fact that cyberspace has really become the fifth domain of war (earlier this year China was accused of having hacked some Gmail accounts, including those of senior US and South Korean government officials, and similarly at the end of 2009 some Gmail accounts belonging to dissidents).
According to the original statement by AP:
William Lynn, the deputy secretary of defense, said in a speech outlining the strategy that 24,000 files containing Pentagon data were stolen from a defense industry computer network in a single intrusion in March. He offered no details about what was taken but in an interview before the speech he said the Pentagon believes the attacker was a foreign government. He didn’t say which nation.
“We have a pretty good idea” who did it, Lynn said in the interview. He would not elaborate.
For the record, DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe.
It is not a coincidence that at the beginning of the year the Pentagon declared that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opened the door for the U.S. to respond using traditional military force (probably at that time they were already aware of the above attack, which explains the change in strategy).
In the same vein, yesterday the Department of Defense announced its Strategy for Operating in Cyberspace, which relies on five strategic initiatives. At first glance the strategy aims to defend and prevent with a measured, reasonable approach focused on good network hygiene and data-sharing, rather than bombing hackers into submission.
- Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential;
- Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems;
- Strategic Initiative 3: Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy;
- Strategic Initiative 4: Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity;
- Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.
Honestly speaking, I must confess that, as soon as I stumbled upon this report, I could not help thinking (but this is mere personal speculation) of the RSA breach. Details of the Pentagon breach are not known so far, but I would not be surprised if they were somehow related. On the other hand, the RSA breach happened in mid-March and was followed by attacks on three US defense contractors (L-3, which happened at the beginning of April but was disclosed at the end of May; Lockheed Martin, discovered on May the 22nd; and Northrop Grumman, on May the 26th). Only a coincidence?