Hacker or hooker?

~ Nate Lawson ~ 5 Comments

Well-funded and motivated attackers are typically the hardest to defend against when designing a system.  Governments can attack systems in different ways and with more resources than a typical threat.  Consider a recent example where a British aide lost his Blackberry after spending the night with a woman who approached him in a Chinese disco.  While it’s possible he just lost it while drunk, this is a good example of how unconventional threats need to be carefully considered.

Let’s analyze the cost of two routes to getting this same information: hacker or hooker.  The hacker might try to crack passwords or develop a 0-day exploit against the Blackberry server.  Or, build a custom trojan and send it via a forged email that appears to come from the Prime Minister.  The hooker would try to get to his hotel room and steal the phone.  It would actually suffice to just borrow it for a few minutes and dump the RAM since passwords are often cached there.  This has the added advantage that he might never know anything had happened.

A 0-day exploit could be in the $20,000 range.  Hiring someone to develop and target a trojan at this aide would be less, but the chance of succeeding would be lower.  According to the stories about Eliot Spitzer, a high-end call girl is $1,500 per hour.  Assuming it takes four hours, the total cost would be $6,000.  The fact that both these approaches could be done in China means the actual cost would be lower but probably still a similar ratio.

There are a lot of other advantages to the hooker approach besides cost.  There is good deniability if the call girl gets caught.  Since the call girl remains within the attacking country’s jurisdiction, the police can be used to recover the Blackberry if she makes an extortion attempt.  The hacker approach has a lot more uncertainty as flaws could be patched or blocked, making the exploit useless.

I also think this gives good support to my claim that software protection techniques are on the verge of wider adoption.  With cold boot attacks and growing news of governments seizing laptops or stealing cell phones, systems must remain secure even when an attacker has physical possession of a powered-up device.  The only way to do this is to adopt software and hardware techniques that are already used to protect games, DRM, and satellite TV.  Traditional approaches like those used in network security are no longer enough.

I’ll be speaking on this topic along with Thomas Ptacek at WOOT, co-hosted at USENIX on July 28th in San Jose.  Since this event is invite-only, send me email if you’re a security researcher who would like to attend.  Please include a brief summary of your background.

Next Baysec: July 17th at Pete’s Tavern

~ Nate Lawson

The next Baysec meeting is Thursday at Pete’s Tavern. Come out and meet fellow security people from all over the Bay Area.  As always, this is not a sponsored meeting, there is no agenda or speakers, and no RSVP is needed.  Thanks go to Ryan and Rick Wesson for planning all this.

See you on Thursday, July 17th, 7-11 pm.

Pete’s Tavern
128 King St. (at 2nd)
San Francisco

RFID industry tries to spin toll findings

~ Nate Lawson ~ 6 Comments

I was interviewed today regarding my findings regarding the Fastrak electronic toll collection system.  It seems that the industry PR spin machine has already begun responding.

First, this article questions my credibility and claims that the Fastrak transponder is read-only.

‘If Lawson has not even established that FasTrak transponders are a read-only device (best called a “tag”) rather than read-write, then he’s totally unqualified to be talking about potential misuse.’

Apparently the author of the article has not even opened the cover on a Fastrak transponder.  They use an MSP430F1111A microcontroller, which is flash-based.  The firmware and all the data (i.e., your unique ID) are stored in flash.  I can easily authenticate this claim by revealing that your 32-bit ID appears at address 0x1002, which is part of the full “0x0001” Title 21 response packet.

Also reverse engineering this device is hardly much of an accomplishment since all the specifications and protocols of Title 21 are open source.

The base specification for Title 21 is freely available, but the extensions to it are not.  On disassembling a firmware dump from a transponder, I found some surprising things, including messages that allow a reader to update the transponder flash in the field.  Again, I can back up this claim with the message IDs that start this update process: 0x00DE and 0x0480.  To unlock the update process, you need to provide a global key that I will not reveal.

Second, I’ve heard that a vendor plans to issue a press release.  Expect the standard claims that privacy is protected because they “encrypt” your unique ID in their database and data is not retained for very long.  What they mean by “encrypt” is “replace each unique ID with a different one”.  The problem is, replacing the unique ID “CAR-A” with “WXYZ” does not change much.  There is still a unique ID that is stored which always corresponds to the same car, enabling tracking.  Somehow, that information is subject to subpoena, something few Fastrak users are aware of.  Corporations issue privacy policies describing exactly what information is collected and how long it is stored.  Where can I find that information about Fastrak?

Finally, I spoke last week to a consultant to Caltrans who offered to get the local MTC agency technical staff in touch with me.  I explained that I’d be happy to describe my findings and recommendations to them in advance of my Blackhat talk at no charge.  Anyone from those agencies can contact me via my company website here.

Dead-listing while on vacation

~ Nate Lawson ~ 5 Comments

I just got back from a nice vacation with no laptop.  What do I do on long plane rides or while listening to the waves lap against the beach?  Dead-listing.

Dead-listing is analyzing the raw disassembly of some target software and figuring it out using only pen and paper.  This is great for vacations because your laptop won’t get sand in it.  You usually have a long period of time to muse about the code in question without interruptions, something hard to find at home these days.  And I’ve gotten some of my best ideas after setting aside my papers for a while and going for a long swim.

Before you leave, pick an interesting target: not too big, not too small.  Not just x86 either — ever wondered how one of your cellphone’s applications worked?  Never looked at a familiar application’s Java bytecode?  Then, get a copy of a disassembler for your target and run it.  I often use IDA but for less common CPU architectures, any one will do.  Remember that you don’t need full analysis at this point, although it’s useful to be able to separate data from instructions and get basic symbols resolved.

Search the assembly code for any external libraries that might be important.  Disassemble them too.  While you’re at it, see if you can find the source code or API reference for any of those files.  Code reuse helps you reduce the amount you have to reverse yourself.

Now take the listing file and do some cleanup.  I like to use a small font that prints well and convert all the call (subroutine) instructions to bold.  I insert some extra empty lines before each call target to allow me room to write notes.  Finally, I print the listing in landscape with two columns per page.  This leaves room for notes on the righthand side of each column and some at the bottom.  A binder clip makes it easy to keep pages in order or remove them to compare.

Since you won’t have access to the Internet, you’ll need to find some basic reference materials.  The key is to get the basics without carrying a ream of paper.  For an embedded system, I usually find or make a small instruction set reference sheet including status flags, I/O port table, PCB layout photos, and any integrated peripherals I find during a brief search of the data accesses.  Print these out and put a full copy of all the files on a USB flash drive.  You might stop by an Internet cafe if you find you really need to read a missing page.  I’ve never found that necessary though.  If I can’t infer the function of a particular I/O access, I’ll just look at the whole block’s general effect and take a guess.

The most important part is to stay light.  You don’t need exhaustive manuals (e.g., instruction timing).  Instead, treat these barriers as a challenge.  For example, most timing loops are relative to each other.  You can figure out that one loop is twice as slow as the other without knowing its exact delay in nanoseconds.  Doing hexadecimal conversions on paper builds character.

Once you’re away, enjoy doing a little bit at a time.  I’d often work through a subroutine or lay out a switch statement over coffee before the family gets moving, then set it aside for the rest of the day.  Before putting it down, keep a separate log of open questions and tasks, marking them off as you solve them.  I usually reserve a page in this notebook as my “symbol table”, marking down function names/addresses as I finalize them.

I mostly work through the code in two modes: looking for high level blocks or walking through a single subroutine in detail.  Was this compiled C or C++?  How does the optimizer work?  When accessing hardware, where did the author use inline assembly?  Draw arrows, bracket blocks, use highlighters if that’s your style.  Since it’s more free-form than working on a computer, you’ll find new ways to annotate it.  The amount of marks per page gives a good idea as to code coverage so you can start a day by refining an existing page or try to take a broad guess what a blank page does.

I am always surprised how much I accomplish in only a little bit of time using this method.  It’s also so much fun.  Throw in reading a few interesting but unrelated books and you may wax philosophical on the meaning of life or why the compiler suddenly switched to byte instead of word operations for a single function.

I hope you have a great summer.  Be sure to stop by my Blackhat 2008 talk, “Highway to Hell: Hacking Toll Systems“.  I’ll be posting more details about it here in the coming weeks.

Next Baysec: June 19th at Pete’s Tavern

~ Nate Lawson

The next Baysec meeting is Thursday at Pete’s Tavern. Come out and meet fellow security people from all over the Bay Area.  As always, this is not a sponsored meeting, there is no agenda or speakers, and no RSVP is needed.  Thanks go to Ryan for planning all this.

See you on Thursday, June 19th, 7-11 pm.

Pete’s Tavern
128 King St. (at 2nd)
San Francisco

China hax0rs US

~ Nate Lawson ~ 3 Comments

Like any mainstream article on security, this recent AP article sensationalizes China’s response to multiple accusations of state-sponsored hacking. First, the money quote:

“Is there any evidence? … Do we have such advanced technology? Even I don’t believe it.”
— Foreign Ministry spokesman Qin Gang

Is this supposed to play into some pompous Western belief that China is a backwater and thus incapable of hacking computers? Does anyone believe it takes advanced technology to break into PCs?

Next we have the meaningless numbers. The Pentagon claims its network is scanned or attacked 300 million times a day. For this to be true, that would be an average of 3400 times per second. If we consider every packet to be a scan, that is about 200 KB/second. However, the entire port scan should be considered a single attempt. Of course, bigger numbers sound more scary and justify a higher budget. Perhaps each TCP option in the header of each packet could be considered a separate attempt since they could be attacking both timestamp and window scaling implementations!

The more interesting allegations are that China copied the contents of a laptop of the visiting U.S. Commerce Secretary and hacked into the office computers of two House representatives. The laptop incident is more interesting since it seems easier to prove. Did they confiscate the laptop and take it to another room? Did the file access times change or was it powered off? I assume he continued using the laptop during the trip and thus it would be harder to tell. Was he using disk encryption? Why not?

The allegations regarding the two House members are much less provable. The FBI investigated their computers and said they’d been accessed by people in China. How did they first decide they should call the FBI? Porn popups? Without more evidence showing a clear intent, this is more likely a malware incident. It is surprisingly convenient that their allegations appear alongside House Intelligence committee meetings on hacking.