Millions of smartphones could have potential security and privacy issues
Nov. 30, 2011
An Android mobile application developer has written about what he believes is conclusive proof that millions of smartphones around the globe are secretly monitoring their users' key presses, geographic locations, and received messages. If true, this is a serious security risk, and one that all phone makers need to address and correct rapidly.
Trevor Eckhart demonstrated Monday how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed into a stock HTC EVO mobile handset, which he had reset to factory settings just prior to the demonstration.
Using a network packet sniffer while the device was in airplane mode, he showed that each numeric tap and every received text message is logged automatically by the software, without the user's consent or even the user's knowledge.
Ironically, Eckhart says, the Carrier IQ software logged his “hello world” test message even before it was displayed on the handset, which he says confirms a serious security problem.
Eckhart then connected the smartphone to a Wi-Fi network and pointed his browser at Google. Even though he declined Google's request to share his physical location, the Carrier IQ software recorded it anyway, without his approval.
The hidden software then recorded the exact text of his search query, again “hello world”, even though he typed it into a page that uses SSL (secure sockets layer) to encrypt data sent between the device and the server.
“We can easily see that Carrier IQ is querying these strings over my wireless network with no 3G connectivity and it is reading HTTPS,” the 25-year-old Eckhart said.
The news was posted on Eckhart's blog four days after Carrier IQ withdrew legal threats against him for calling its software a rootkit. The Connecticut-based programmer says the characterization is accurate because the software is designed to hide its presence by bypassing normal operating-system functions.
In an interview last week, Carrier IQ vice-president of marketing Andrew Coward rejected claims that the software posed a security and privacy threat, saying it never captured key presses.
“Our technology isn't real time,” he said at the time. “It's not constantly reporting back. It's simply gathering data, which is usually transmitted in small doses.”
Coward went on to say that Carrier IQ is a diagnostic tool designed to give wireless carriers and device makers detailed information about the exact causes of dropped calls and other performance issues.
Eckhart added that he chose the HTC EVO purely for demonstration purposes and that the choice was a random one: he could have picked any of the hundreds of smartphones now on the market.
But wait, it gets worse! Most BlackBerrys, many other Android-powered handsets and most smartphones from Nokia also contain the same snooping software, he says.
His blog post concluded with some questions, including “Why does SMS Notify get called and show to be dispatching text messages to Carrier IQ?” and “Why is my browser data being read, especially HTTPS on my Wi-Fi?”
Internet-Security.ca has put the same questions to Carrier IQ and will update this post if and when the company responds.
In other internet security news
While most computer users think of printers as unintelligent boxes sitting beside their desks, new research from Columbia University has found that they may be surprisingly vulnerable to sophisticated attacks.
The researchers said that Internet-connected printers could be used to steal personal data, access supposedly secure corporate networks, or worse, cause a fire through deliberate overheating of the device.
The researchers, who studied HP's networked LaserJet printers, say that the printers' "Remote Firmware Update" feature is acutely vulnerable to attack from outside, and that exploiting it is a lot easier than some initially believed.
That feature, which checks for software updates whenever a new print job starts, could allow hackers to install customized firmware that would grant them full control of the printer. The printers studied by the Columbia team don't use digital signatures and so never verify the source of a firmware update, which makes it relatively easy to feed the printer malicious firmware.
The stakes are very high indeed. And it gets worse: according to the researchers, there is no easy way to detect the breach in the first place, and since security software doesn't analyze printers, hackers could have near-complete freedom of action after seizing control of one.
Further compounding matters, removing the malicious firmware is nearly impossible. As worrisome as that sounds, printer security woes have been around for many years. A great deal of effort goes into securing computers, laptops and servers, but little attention is ever given to printers, and hackers know that and are capitalizing on it in a very big way.
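As an added illustration (not code from the Columbia study or from HP), here is the difference between an update path that applies whatever image it receives and one that first checks a vendor signature over the image, written in Go with the standard library's Ed25519. The key pair, the image bytes and all function names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an update blob and the detached
// signature that accompanies it (assumption: the signature is over the raw image).
type FirmwareImage struct {
	Data      []byte
	Signature []byte
}

// newVendorKeys stands in for the vendor's signing key; the public half is what a device would carry.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signImage is what a vendor build pipeline would do before publishing an update.
func signImage(priv ed25519.PrivateKey, data []byte) FirmwareImage {
	return FirmwareImage{Data: data, Signature: ed25519.Sign(priv, data)}
}

// acceptUnsigned models the behaviour the researchers describe: any non-empty
// image that arrives is applied, with no check of where it came from.
func acceptUnsigned(img FirmwareImage) bool {
	return len(img.Data) > 0
}

// acceptSigned applies an image only if its signature verifies under the vendor
// public key baked into the device; tampered or foreign-signed images fail.
func acceptSigned(vendorPub ed25519.PublicKey, img FirmwareImage) bool {
	return ed25519.Verify(vendorPub, img.Data, img.Signature)
}

func main() {
	pub, priv := newVendorKeys()
	img := signImage(priv, []byte("constructed firmware image v1"))
	fmt.Println("genuine:", acceptUnsigned(img), acceptSigned(pub, img))
	img.Data[0] ^= 0x01 // one flipped bit, as a tampered update would have
	fmt.Println("tampered:", acceptUnsigned(img), acceptSigned(pub, img))
}
```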
Just five short years ago at the Black Hat security conference, security expert Brendan O'Connor demonstrated how easy it is for hackers to gain access to a printer and cause several security issues in a typical office setting. O'Connor demonstrated how just two hackers, within minutes, can perform all kinds of tasks, including mapping an organization's network and accessing previously printed documents.
"Stop treating them as printers," O'Connor warned IT managers during his presentation. "Treat them as servers, as workstations and as any other computer connected to your network. Look at them in the same way you do any other peripheral that is attached to your corporate network, because that's exactly what they are, plain and simple."
O'Connor's findings came at a time when networked printers were mostly found in the enterprise. Nowadays they're just about everywhere, and the Columbia researchers say that, given the sheer number of networked printers in the wild, the flaw they discovered could affect millions of people around the globe, not just in your office. After all, a networked printer may be directly reachable from the public internet, and then just about anything is possible.
But before you rush to switch off your printer, note that the hole the researchers found is only an issue in older models. Since 2009, printers have included digital-signature checks for firmware, which address the flaw.
That still doesn't make the researchers feel any safer. As they pointed out, the number of printers suffering from the flaw "could be much more than 100 million. That's a LOT of printers."
Keith Moore, HP's chief technologist for the company's printer division, said in an interview that although his company takes the flaw "very seriously," he doubts it is as widespread as the researchers say, adding that his initial studies indicate a low likelihood that hackers would exploit it. Not everybody agrees with Moore, however, namely the researchers who produced the report.
"This security vulnerability is probably not as broad as what I had heard in their first announcement," Moore said, citing his assertion that, contrary to what the researchers say, HP printers don't look for new firmware on typical print jobs. "It sounds like we disagree on what the exposure might be."
In other internet security news
With the decryption of a protected PayPal browser cookie at a security conference on September 23, it became official: the internet's foundation of trust has suffered another serious fracture, one that will require the attention of the industry's best minds if SSL is to be trusted at all.
Within a few hours of the demonstration by security researchers Juliano Rizzo and Thai Duong, Google researcher Adam Langley signaled his growing acceptance that SSL (secure sockets layer), the decade-old cryptographic standard that protects websites and e-commerce sites using the https prefix, is susceptible to an attack previously considered impractical.
The result: by tampering with an encryption algorithm's CBC (cipher block chaining) mode, attackers can easily and secretly decrypt portions of the encrypted traffic, a serious breach of a technology that until now was believed secure by everyone in the internet community.
“The CBC attacks were believed to be largely theoretical but, as Duong and Rizzo have pointed out Friday, that's no longer the case,” Langley wrote.
He went on to say that, as previously reported, developers of Google's Chrome browser are experimenting with a workaround but are not yet sure whether it will create incompatibilities with websites that still use SSL.
He added that Google's SSL deployment is highly resistant to the attack because it favors the RC4 cipher, which doesn't use CBC mode and is therefore more secure against it. To what extent, though, still isn't certain at this time.
Yesterday, both Microsoft and Mozilla acknowledged that their software is also affected. An advisory issued by Microsoft recommends that websites follow Google's lead in favoring the RC4 cipher while Redmond's engineers develop a Windows update to patch the underlying weakness.
For its part, Mozilla made public a three-month-old discussion of the underlying vulnerability and of the best way to repair it without breaking the huge number of websites that have been running for years.
Duong and Rizzo's exploit isn't easy to pull off either. Attackers must already control the network used by the intended victim, and they can only recover secret information that is transmitted repeatedly and at a predictable location in the encrypted data stream.
They must also have a means to subvert a safety mechanism built into web browsers, the SOP (same-origin policy), which dictates that data set by one domain can't be read or modified by pages from a different domain.
To get around the SOP, the security researchers used a specific Java applet, but they said there are other methods for achieving the same purpose.
But as Duong and Rizzo demonstrated Friday, those constraints weren't enough to stop them from revealing the plaintext of a supposedly SSL-protected browser cookie that is transmitted with each request a logged-in PayPal user makes to the payments website.
Using what is presumed to be a broadband connection somewhere in Mountain View, California, Duong was able to recover the authentication cookie in about two minutes, giving him everything he needed to gain unauthorized access to someone else's account.
Moxie Marlinspike, a security researcher who has repeatedly found holes in the SSL protocol and its successor, transport layer security, put it this way: “As it stands now, given the number of difficult conditions necessary for deploying such an attack, as well as the dependency on leveraging a Java applet for violating SOP, it seems extremely unlikely that individual browser users will be personally affected by this vulnerability.”
BEAST, short for Browser Exploit Against SSL/TLS, isn't the only reason to question the adequacy of the SSL cryptographic system the entire internet relies on to keep eavesdroppers out of private accounts. Remember, too, that a patch introduced by OpenSSL in 2002 to fix this very vulnerability was turned off because it introduced incompatibilities with software from Microsoft, further complicating matters.
SSL encryption may have dodged a bullet for now, but as the recent DigiNotar debacle demonstrated, the system itself isn't immune to real-world attacks with very real consequences for those who depend on it. As always, we will keep you posted on this and other news affecting the security of the internet.
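As an added example (not Duong and Rizzo's code), this Go program shows the CBC property the attack rests on and why the later TLS change defeats it: when a record's IV is the previous record's last ciphertext block, an observer who can get one chosen block encrypted can confirm a guess at an earlier plaintext block, while a fresh random IV per record gives that same query no information. It shows the full-block form of the check with AES-CBC from the standard library; the key, the "secret" block and all names are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// sender is one direction of an SSL/TLS connection encrypting records with AES-CBC.
// chainIV=true: each record's IV is the previous record's last ciphertext block
// (as in SSL 3.0 / TLS 1.0). chainIV=false: a fresh random IV per record (TLS 1.1+).
type sender struct {
	key     []byte
	lastBlk []byte // last ciphertext block on the wire, visible to an observer
	chainIV bool
}

// sendRecord encrypts one record (a whole number of blocks) and returns the IV and
// ciphertext, both of which a network observer can see.
func (s *sender) sendRecord(pt []byte) (iv, ct []byte) {
	iv = make([]byte, aes.BlockSize)
	if s.chainIV && s.lastBlk != nil {
		copy(iv, s.lastBlk)
	} else if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	blk, err := aes.NewCipher(s.key)
	if err != nil {
		panic(err)
	}
	ct = make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	s.lastBlk = ct[len(ct)-aes.BlockSize:]
	return iv, ct
}

// guessConfirmed is the oracle a predictable IV hands an observer. Having seen a
// target block C = E(P xor prev) and the block that will be the next IV, it has the
// sender encrypt (guess xor prev xor nextIV); the new block equals C exactly when
// guess == P. With a random IV the alignment fails and nothing is learned.
func guessConfirmed(s *sender, prev, target, guess []byte) bool {
	chosen := make([]byte, aes.BlockSize)
	for i := range chosen {
		chosen[i] = guess[i] ^ prev[i] ^ s.lastBlk[i]
	}
	_, ct := s.sendRecord(chosen)
	return bytes.Equal(ct[:aes.BlockSize], target)
}
```

Confirming a whole 16-byte block this way is only useful when the block has little entropy; the 2011 work extended it by aligning record boundaries so that single bytes could be checked, which is why the fix was a per-record IV rather than a change to the cipher.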
In other internet security news
The University of Sydney in Australia and technical publisher Elsevier said earlier this morning that they are holding their first official competitive hackathon for security students and professional software developers.
The Sydney Hackathon gives teams of up to five a twenty-four-hour window to develop an application that improves content delivery for scientific, technical and medical publisher Elsevier, publisher of The Lancet and SciVerse ScienceDirect.
"The hackathon is designed to encourage students and internet security professionals to build creative and innovative software applications for science, using data from open application program interfaces," said SUITS (Sydney Uni IT Society) president James Alexander.
The inaugural Sydney Hackathon is being held this weekend and will offer cash prizes of up to AU$1500 to the winning team. What's more, competitors retain official ownership of any intellectual property developed during the event.
Entrants have from 2:00 PM Saturday to develop an application of any kind, as long as it draws on Elsevier's SciVerse and ScienceDirect platforms, which include over 10 million scientific publications from 2600 journals.
Application developers and security software designers, students from any university in Australia, and full-time programmers are invited to enter the hackathon.
Source: Trevor Eckhart.