Archive for the ‘Electronics’ Category

Building control systems can be pathway to Target-like attack

Tuesday, February 11th, 2014

Credentials stolen from automation and control providers were used in Target hack

Companies should review carefully the network access given to third-party engineers monitoring building control systems to avoid a Target-like attack, experts say.

Security related to providers of building automation and control systems was in the spotlight this week after the security blog KrebsonSecurity reported that credentials stolen from Fazio Mechanical Services, based in Sharpsburg, Penn, were used by hackers who snatched late last year 40 million debit- and credit-card numbers from Target’s electronic cash registers, called point-of-sale (POS) systems.

The blog initially identified Fazio as a provider of refrigeration and heating, ventilation and air conditioning (HVAC) systems. The report sparked a discussion in security circles on how such a subcontractor’s credentials could provide access to areas of the retailer’s network Fazio would not need.

On Thursday, Fazio released a statement saying it does not monitor or control Target’s HVAC systems, according to KrebsonSecurity. Instead it remotely handles “electronic billing, contract submission and project management,” for the retailer.

In light of its work, Fazio having access to Target business applications that could be tied to POS systems is certainly possible. However, interviews with experts before Fazio’s clarification found that subcontractors monitoring and maintaining HVAC and other building systems remotely often have too much access to corporate networks.

“Generally what happens is some new business service needs network access, so, if there’s time pressure, it may be placed on an existing network, (without) thinking through all the security implications,” Dwayne Melancon, chief technology officer for data security company Tripwire, said.

Most building systems, such as HVAC, are Internet-enabled so maintenance companies can monitor them remotely. Use of the Shodan search engine for Internet-enabled devices can reveal thousands of systems ranging from building automation to crematoriums with weak login credentials, researchers have found.

Using homegrown technology, Billy Rios, director of threat intelligence for vulnerability management company Qualys, found on the Internet a building control system for Target’s Minneapolis-based headquarters.

While the system is connected to an internal network, Rios could not determine whether it’s a corporate network without hacking the system, which would be illegal.

“We know that we could probably exploit it, but what we don’t know is what purpose it’s serving,” he said. “It could control energy, it could control HVAC, it could control lighting or it could be for access control. We’re not sure.”

If the Web interface of such systems is on a corporate network, then some important security measures need to be taken.

All data traffic moving to and from the server should be closely monitored. To do their job, building engineers need to access only a few systems. Monitoring software should flag traffic going anywhere else immediately.

“Workstations in your HR (human resources) department should probably not be talking to your refrigeration devices,” Rios said. “Seeing high spikes in traffic from embedded devices on your corporate network is also an indication that something is wrong.”

In addition, companies should know the IP addresses used by subcontractors in accessing systems. Unrecognized addresses should be automatically blocked.

Better password management is also a way to prevent a cyberattack. In general, a subcontractor’s employees will share the same credentials to access a customer’s systems. Those credentials are seldom changed, even when an employee leaves the company.

“That’s why it’s doubly important to make sure those accounts and systems have very restricted access, so you can’t use that technician login to do other things on the network,” Melancon said.

Every company should do a thorough review of their networks to identify every building system. “Understanding where these systems are is the first step,” Rios said.

Discovery should be followed by an evaluation of the security around those systems that are on the Internet.

Source:  csoonline.com

The case for Wi-Fi in the Internet of Things

Tuesday, January 14th, 2014

Whether it’s the “connected home” or the “Internet of Things,” many everyday home appliances and devices will soon feature some form of Internet connectivity. What form should that connectivity take? We sat down with Edgar Figueroa, president and CEO of the Wi-Fi Alliance, to discuss his belief that Wi-Fi is the clear choice.

Options are plentiful when it comes to the Internet, but some are easily disregarded for most Internet of Things designs. Ethernet and other wired solutions require additional equipment or more cabling than what is typically found in even a modern home. Cellular connectivity is pointless for stationary home goods and still too power-hungry for wearable items. Proprietary and purpose-built solutions, like ZigBee, are either too closed off or require parallel paths to solutions that are already in our homes.

Bluetooth makes a pretty good case for itself, though inconsistent user experiences remain the norm for several reasons. The latest Bluetooth specifications provide very low power data transfers and have very low overhead for maintaining a connection. The result is that the power profile for the connection is low whether you’re transacting data or not. Connection speeds are modest compared to the alternatives. But the biggest detractor for Bluetooth is inconsistency. Bluetooth has always felt kludgy; it’s an incomplete solution that will suffice until it improves. It’s helpful that Bluetooth devices can often have their performance, reliability, and features improved upon through software updates, but the experience can still remain frustrating.

Then there’s Wi-Fi.

Figueroa wanted to highlight a few key points from a study the Alliance commissioned. “Of those polled, more than half already have a non-traditional device with a Wi-Fi radio,” he said. Here, “non-traditional” falls among a broad swath of products that includes appliances, thermostats, and lighting systems. Figueroa continued, “Ninety-one percent of those polled said they’d be more likely to buy a smart device if it came equipped with Wi-Fi.” Alliance’s point: everyone already has a Wi-Fi network in their home. Why choose anything else?

One key consideration the study seems to ignore is power draw, which is one of Bluetooth’s biggest assets. Wi-Fi connections are active and power-hungry, even when they aren’t transacting large amounts of data. A separate study looking at power consumption per bit of data transferred demonstrated that Wi-Fi trumps Bluetooth by orders of magnitude. Where Wi-Fi requires large amounts of constant power, Bluetooth requires almost no power to maintain a connection.

In response to a question on the preference for low-power interfaces, Figueroa said simply, “Why?” In his eyes, the connected home isn’t necessarily a battery-powered home. Devices that connect to our Wi-Fi networks traditionally have plugs, so why must they sip almost no power?

Bluetooth has its place in devices whose current draw must not exceed the capabilities of a watch battery. But even in small devices, Wi-Fi’s performance and ability to create ad hoc networks and Wi-Fi Direct connections can better the experience, even if it’s at the risk of increasing power draw and battery size.

In the end, the compelling case for Wi-Fi’s use in the mobile space has more to do with what we want from our experiences than whether one is more power-hungry. Simplicity in all things is preferred. Even after all these years, pairing Bluetooth is usually more complex than connecting a new device to your existing Wi-Fi network. Even in the car, where Bluetooth has had a long dominance, the ability to connect multiple devices over Wi-Fi’s wide interface may ultimately be preferred. Still, despite Figueroa’s confidence, it’s an increasingly green (and preferably bill-shrinking) world looking to adopt an Internet of Things lifestyle. Wi-Fi may ultimately need to complete its case by driving power down enough to reside in all our Internet of Things devices, from the biggest to the smallest.

Source:  arstechnica.com

Computers share their secrets if you listen

Friday, December 20th, 2013

Be afraid, friends, for science has given us a new way in which to circumvent some of the strongest encryption algorithms used to protect our data — and no, it’s not some super secret government method, either. Researchers from Tel Aviv University and the Weizmann Institute of Science discovered that they could steal even the largest, most secure RSA 4096-bit encryption keys simply by listening to a laptop as it decrypts data.

To accomplish the trick, the researchers used a microphone to record the noises made by the computer, then ran that audio through filters to isolate the vibrations made by the electronic internals during the decryption process. With that accomplished, some cryptanalysis revealed the encryption key in around an hour. Because the vibrations in question are so small, however, you need to have a high powered mic or be recording them from close proximity. The researchers found that by using a highly sensitive parabolic microphone, they could record what they needed from around 13 feet away, but could also get the required audio by placing a regular smartphone within a foot of the laptop. Additionally, it turns out they could get the same information from certain computers by recording their electrical ground potential as it fluctuates during the decryption process.

Of course, the researchers only cracked one kind of RSA encryption, but they said that there’s no reason why the same method wouldn’t work on others — they’d just have to start all over to identify the specific sounds produced by each new encryption software. Guess this just goes to prove that while digital security is great, but it can be rendered useless without its physical counterpart. So, should you be among the tin-foil hat crowd convinced that everyone around you is a potential spy, waiting to steal your data, you’re welcome for this newest bit of food for your paranoid thoughts.

Source:  engadget.com

Scientist-developed malware covertly jumps air gaps using inaudible sound

Tuesday, December 3rd, 2013

Malware communicates at a distance of 65 feet using built-in mics and speakers.

Computer scientists have developed a malware prototype that uses inaudible audio signals to communicate, a capability that allows the malware to covertly transmit keystrokes and other sensitive data even when infected machines have no network connection.

The proof-of-concept software—or malicious trojans that adopt the same high-frequency communication methods—could prove especially adept in penetrating highly sensitive environments that routinely place an “air gap” between computers and the outside world. Using nothing more than the built-in microphones and speakers of standard computers, the researchers were able to transmit passwords and other small amounts of data from distances of almost 65 feet. The software can transfer data at much greater distances by employing an acoustical mesh network made up of attacker-controlled devices that repeat the audio signals.

The researchers, from Germany’s Fraunhofer Institute for Communication, Information Processing, and Ergonomics, recently disclosed their findings in a paper published in the Journal of Communications. It came a few weeks after a security researcher said his computers were infected with a mysterious piece of malware that used high-frequency transmissions to jump air gaps. The new research neither confirms nor disproves Dragos Ruiu’s claims of the so-called badBIOS infections, but it does show that high-frequency networking is easily within the grasp of today’s malware.

“In our article, we describe how the complete concept of air gaps can be considered obsolete as commonly available laptops can communicate over their internal speakers and microphones and even form a covert acoustical mesh network,” one of the authors, Michael Hanspach, wrote in an e-mail. “Over this covert network, information can travel over multiple hops of infected nodes, connecting completely isolated computing systems and networks (e.g. the internet) to each other. We also propose some countermeasures against participation in a covert network.”

The researchers developed several ways to use inaudible sounds to transmit data between two Lenovo T400 laptops using only their built-in microphones and speakers. The most effective technique relied on software originally developed to acoustically transmit data under water. Created by the Research Department for Underwater Acoustics and Geophysics in Germany, the so-called adaptive communication system (ACS) modem was able to transmit data between laptops as much as 19.7 meters (64.6 feet) apart. By chaining additional devices that pick up the signal and repeat it to other nearby devices, the mesh network can overcome much greater distances.

The ACS modem provided better reliability than other techniques that were also able to use only the laptops’ speakers and microphones to communicate. Still, it came with one significant drawback—a transmission rate of about 20 bits per second, a tiny fraction of standard network connections. The paltry bandwidth forecloses the ability of transmitting video or any other kinds of data with large file sizes. The researchers said attackers could overcome that shortcoming by equipping the trojan with functions that transmit only certain types of data, such as login credentials captured from a keylogger or a memory dumper.

“This small bandwidth might actually be enough to transfer critical information (such as keystrokes),” Hanspach wrote. “You don’t even have to think about all keystrokes. If you have a keylogger that is able to recognize authentication materials, it may only occasionally forward these detected passwords over the network, leading to a very stealthy state of the network. And you could forward any small-sized information such as private encryption keys or maybe malicious commands to an infected piece of construction.”

Remember Flame?

The hurdles of implementing covert acoustical networking are high enough that few malware developers are likely to add it to their offerings anytime soon. Still, the requirements are modest when measured against the capabilities of Stuxnet, Flame, and other state-sponsored malware discovered in the past 18 months. And that means that engineers in military organizations, nuclear power plants, and other truly high-security environments should no longer assume that computers isolated from an Ethernet or Wi-Fi connection are off limits.

The research paper suggests several countermeasures that potential targets can adopt. One approach is simply switching off audio input and output devices, although few hardware designs available today make this most obvious countermeasure easy. A second approach is to employ audio filtering that blocks high-frequency ranges used to covertly transmit data. Devices running Linux can do this by using the advanced Linux Sound Architecture in combination with the Linux Audio Developer’s Simple Plugin API. Similar approaches are probably available for Windows and Mac OS X computers as well. The researchers also proposed the use of an audio intrusion detection guard, a device that would “forward audio input and output signals to their destination and simultaneously store them inside the guard’s internal state, where they are subject to further analyses.”

Source:  arstechnica.com

This new worm targets Linux PCs and embedded devices

Wednesday, November 27th, 2013

A new worm is targeting x86 computers running Linux and PHP, and variants may also pose a threat to devices such as home routers and set-top boxes based on other chip architectures.

According to security researchers from Symantec, the malware spreads by exploiting a vulnerability in php-cgi, a component that allows PHP to run in the Common Gateway Interface (CGI) configuration. The vulnerability is tracked as CVE-2012-1823 and was patched in PHP 5.4.3 and PHP 5.3.13 in May 2012.

The new worm, which was named Linux.Darlloz, is based on proof-of-concept code released in late October, the Symantec researchers said Wednesday in a blog post.

“Upon execution, the worm generates IP [Internet Protocol] addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability,” the Symantec researchers explained. “If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.”

The only variant seen to be spreading so far targets x86 systems, because the malicious binary downloaded from the attacker’s server is in ELF (Executable and Linkable Format) format for Intel architectures.

However, the Symantec researchers claim the attacker also hosts variants of the worm for other architectures including ARM, PPC, MIPS and MIPSEL.

These architectures are used in embedded devices like home routers, IP cameras, set-top boxes and many others.

“The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux,” the Symantec researchers said. “However, we have not confirmed attacks against non-PC devices yet.”

The firmware of many embedded devices is based on some type of Linux and includes a Web server with PHP for the Web-based administration interface. These kinds of devices might be easier to compromise than Linux PCs or servers because they don’t receive updates very often.

Patching vulnerabilities in embedded devices has never been an easy task. Many vendors don’t issue regular updates and when they do, users are often not properly informed about the security issues fixed in those updates.

In addition, installing an update on embedded devices requires more work and technical knowledge than updating regular software installed on a computer. Users have to know where the updates are published, download them manually and then upload them to their devices through a Web-based administration interface.

“Many users may not be aware that they are using vulnerable devices in their homes or offices,” the Symantec researchers said. “Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software.”

To protect their devices from the worm, users are advised to verify if those devices run the latest available firmware version, update the firmware if needed, set up strong administration passwords and block HTTP POST requests to -/cgi-bin/php, -/cgi-bin/php5, -/cgi-bin/php-cgi, -/cgi-bin/php.cgi and -/cgi-bin/php4, either from the gateway firewall or on each individual device if possible, the Symantec researchers said.

Source:  computerworld.com

Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

Friday, November 1st, 2013

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the Open BSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet’s next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

“We were like, ‘Okay, we’re totally owned,’” Ruiu told Ars. “‘We have to erase all our systems and start from scratch,’ which we did. It was a very painful exercise. I’ve been suspicious of stuff around here ever since.”

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that’s able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine’s inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping “airgaps” designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

“We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD,” Ruiu said. “At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we’re using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys.”

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world’s foremost security experts. The malware, Ruiu believes, is transmitted though USB drives to infect the lowest levels of computer hardware. With the ability to target a computer’s Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: “badBIOS,” as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I’ve reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he’s beginning to draw. (A compilation of Ruiu’s observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he’s no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that has afflicted Ruiu’s computers and networks.

In contrast to the skepticism that’s common in the security and hacking cultures, Ruiu’s peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS.

“Everybody in security needs to follow @dragosr and watch his analysis of #badBIOS,” Alex Stamos, one of the more trusted and sober security researchers, wrote in a tweet last week. Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: “No joke it’s really serious.” Plenty of others agree.

“Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest,” security researcher Arrigo Triulzi told Ars. “Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever.”

Been there, done that

Triulzi said he’s seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built off of work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer’s peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.

It’s also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.

Of course, it’s one thing for researchers in the lab to demonstrate viable firmware-infecting rootkits and ultra high-frequency networking techniques. But as Triulzi suggested, it’s another thing entirely to seamlessly fuse the two together and use the weapon in the real world against a seasoned security consultant. What’s more, use of a USB stick to infect an array of computer platforms at the BIOS level rivals the payload delivery system found in the state-sponsored Stuxnet worm unleashed to disrupt Iran’s nuclear program. And the reported ability of badBIOS to bridge airgaps also has parallels to Flame, another state-sponsored piece of malware that used Bluetooth radio signals to communicate with devices not connected to the Internet.

“Really, everything Dragos reports is something that’s easily within the capabilities of a lot of people,” said Graham, who is CEO of penetration testing firm Errata Security. “I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy.”

Coincidentally, Italian newspapers this week reported that Russian spies attempted to monitor attendees of last month’s G20 economic summit by giving them memory sticks and recharging cables programmed to intercept their communications.

Eureka

For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

“The suspicion right now is there’s some kind of buffer overflow in the way the BIOS is reading the drive itself, and they’re reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table,” he explained.

He still doesn’t know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen. He said he has been able to identify a variety of USB sticks that infect any computer they are plugged into. At next month’s PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues behind the infection mechanism.

He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.

“It’s going out over the network to get something or it’s going out to the USB key that it was infected from,” he theorized. “That’s also the conjecture of why it’s not booting CDs. It’s trying to keep its claws, as it were, on the machine. It doesn’t want you to boot another OS it might not have code for.”

To put it another way, he said, badBIOS “is the tip of the warhead, as it were.”

“Things kept getting fixed”

Ruiu said he arrived at the theory about badBIOS’s high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine’s power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

“The airgapped machine is acting like it’s connected to the Internet,” he said. “Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird.”

It’s too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer’s lowest levels and use it as a jumping off point to infect a variety of operating systems with malware that can’t be detected. It’s even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either.

“It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was,” Ruiu concluded in an interview. “The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they’re faced with sophisticated attackers.”

Source:  arstechnica.com

Researchers create nearly undetectable hardware backdoor

Thursday, September 26th, 2013

University of Massachusetts researchers have found a way to make hardware backdoors virtually undetectable.

With recent NSA leaks and surveillance tactics being uncovered, researchers have redoubled their scrutiny of things like network protocols, software programs, encryption methods, and software hacks. Most problems out there are caused by software issues, either from bugs or malware. But one group of researchers at the University of Massachusetts decided to investigate the hardware side, and they found a new way to hack a computer processor at such a low-level, it’s almost impossible to detect it.

What are hardware backdoors?

Hardware backdoors aren’t exactly new. We’ve known for a while that they are possible, and we have examples of them in the wild. They are rare, and require a very precise set of circumstances to implement, which is probably why they aren’t talked about as often as software or network code. Even though hardware backdoors are rare and notoriously difficult to pull off, they are a cause of concern because the damage they could cause could be much greater than software-based threats. Stated simply, a hardware backdoor is a malicious piece of code placed in hardware so that it cannot be removed and is very hard to detect. This usually means the non-volatile memory in chips like the BIOS on a PC, or in the firmware of a router or other network device.

A hardware backdoor is very dangerous because it’s so hard to detect, and because it typically has full access to the device it runs on, regardless of any password or access control system. But how realistic are these threats? Last year, a security consultant showcased a fully-functioning hardware backdoor. All that’s required to implement that particular backdoor is flashing a BIOS with a malicious piece of code. This type of modification is one reason why Microsoft implemented Secure Boot in Windows 8, to ensure the booting process in a PC is trusted from the firmware all the way to the OS. Of course, that doesn’t protect you from other chips on the motherboard being modified, or the firmware in your router, printer, smartphone, and so on.

New research

The University of Massachusetts researchers found an even more clever way to implement a hardware backdoor. Companies have taken various measures for years now to ensure their chips aren’t modified without their knowledge. After all, most of our modern electronics are manufactured in a number of foreign factories. Visual inspections are commonly done, along with tests of the firmware code, to ensure nothing was changed. But in this latest hack, even those measures may not be enough. The way to do that is ingenious and quite complex.

The researchers used a technique called doping transistors. Basically, a transistor is made of a crystalline structure which provides the needed functionality to amplify or switch a current that goes through it. Doping a transistor means changing that crystalline structure to add impurities, and change the way it behaves. The Intel Random Number Generator (RNG) is the basic building block of any encryption system since it provides those important starting numbers with which to create encryption keys. By doping the RNG, the researchers can make the chip behave in a slightly different way. In this case, they simply changed the transistors so that one particular number became a constant instead of a variable. That means a number that was supposed to be random and impossible to predict, is now always the same.

By introducing these changes at the hardware level, it weakens the RNG, and in turn weakens any encryption that comes from keys created by that system, such as SSL connections, encrypted files, and so on. Intel chips contain self tests that are supposed to catch hardware modifications, but the researchers claim that this change is at such a low level in the hardware, that it doesn’t get detected. Fixing this flaw isn’t easy either, even if you could detect it. The RNG is part of the security process in a CPU, and for safety, it is isolated from the rest of the system. That means there is nothing a user or even administrator can do to correct the problem.

There’s no sign that this particular hardware backdoor is being used in the wild, but if this type of change is possible, then it’s likely that groups with a lot of technical expertise could find similar methods. This may lend more credence to moves from various countries to ban certain parts from some regions of the world. This summer Lenovo saw its systems being banned from defense networks in many countries after allegations that China may have added vulnerabilities in the hardware of some of its systems. Of course, with almost every major manufacturer having their electronics part made in China, that isn’t much of a relief. It’s quite likely that as hardware hacking becomes more cost effective and popular, we may see more of these types of low level hacks being performed, which could lead to new types of attacks, and new types of defense systems.

Source:  techrepublic.com

SSDs maturing, but new memory tech still 10 years away

Monday, August 26th, 2013

Solid-state drive adoption will continue to grow and it will be more than 10 years before it is ultimately replaced by a new memory technology, experts said.

SSDs are getting more attractive as NAND flash gets faster and cheaper, as it provides flexibility in usage as a RAM or hard-drive alternative, said speakers and attendees at the Hot Chips conference in Stanford, California on Sunday.

Emerging memory types under development like phase-change memory (PCM), RRAM (resistive random-access memory) and MRAM (magnetoresistive RAM) may show promise with faster speed and durability, but it will be many years until they are made in volume and are priced competitively to replace NAND flash storage.

SSDs built on flash memory are now considered an alternative to spinning hard-disk drives, which have reached their speed limit. Mobile devices have moved over to flash drives, and a large number of thin and light ultrabooks are switching to SSDs, which are smaller, faster and more power efficient. However, the enterprise market still relies largely on spinning disks, and SSDs are poised to replace hard disks in server infrastructure, experts said. One of the reasons: SSDs are still more expensive than hard drives, though flash price is coming down fast.

“It’s going to be a long time until NAND flash runs out of steam,” said Jim Handy, an analyst at Objective Analysis, during a presentation.

Handy predicted that NAND flash will likely be replaced by 2023 or beyond. The capacity of SSDs is growing as NAND flash geometries get smaller, so scaling down flash will become difficult, which will increase the need for a new form of non-volatile memory that doesn’t rely on transistors.

Many alternative forms of memory are under development. Crossbar has developed RRAM (resistive random-access memory) that the company claims can replace DRAM and flash. Startup Everspin is offering its MRAM (magnetoresistive RAM) products as an alternative to flash memory. Hewlett-Packard is developing memristor, while PCM (phase-change memory) is being pursued by Micron and Samsung.

But SSDs are poised for widespread enterprise adoption as the technology consumes less energy and is more reliable. The smaller size of SSDs can also provide more storage in fewer servers, which could cut licensing costs, Handy said.

“If you were running Oracle or some other database software, you would be paying license fee based on the number of servers,” Handy said.

In 2006, famed Microsoft researcher Jim Gray said in a presentation “tape is dead, disk is tape, flash is disk, RAM locality is king.” And people were predicting the end of flash 10 years ago when Amber Huffman, senior principal engineer at Intel’s storage technologies group, started working on flash memory.

Almost ten years on, flash is still maturing and could last even longer than 10 years, Huffman said. Its adoption will grow in enterprises and client devices, and it will ultimately overtake hard drives, which have peaked on speed, she said.

Like Huffman, observers agreed that flash is faster and more durable, but also more expensive than hard drives. But in enterprises, SSDs are inherently parallel, and better suited for server infrastructures that need better throughput. Multiple SSDs can exchange large loads of data easily much like memory, Huffman said. SSDs can be plugged into PCI-Express 3.0 slots in servers for processing of applications like analytics, which is faster than hard drives on the slower SATA interface.

The $30 billion enterprise storage market is still built on spinning disks, and there is a tremendous opportunity for SSDs, said Neil Vachharajani , software architect at Pure Storage, in a speech.

Typically, dedicated pools of spinning disks are needed for applications, which could block performance improvements, Vachharajani said.

“Why not take SSDs and put them into storage arrays,” Vachharajani said. “You can treat your storage as a single pool.”

Beyond being an alternative primary storage, NAND could be plugged into memory slots as a slower form of RAM. Facebook replaced DRAM with flash memory in a server called McDipper, and is also using SSDs for long-term cold storage. Ultrabooks use SSDs as operating system cache, and servers use SSDs for temporary caching in servers before data is moved to hard drives for long-term storage.

Manufacturing enhancements are being made to make SSDs faster and smaller. Samsung this month announced faster V-NAND flash storage chips that are up to 10 times more durable than the current flash storage used in mobile devices. The flash memory employs a 3D chip structure in which storage modules are stacked vertically.

Intel is taking a different approach to scaling down NAND flash by implementing high-k metal gate to reduce leakage, according to Krishna Parat, a fellow at the chip maker’s nonvolatile memory group. As flash scales down in size, Intel will move to 3D transistor structuring, much like it does in microprocessors today on the 22-nanometer process.

But there are disadvantages. With every process shrink, the endurance of flash may drop, so steps need to be taken to preserve durability. Options would be to minimize writes by changing algorithms and controllers, and also to use compression, de-duplication and hardware encryption, attendees said.

Smarter controllers are also needed to maintain capacity efficiency and data integrity, said David Flynn, CEO of PrimaryData. Flynn was previously CEO of Fusion-io, which pioneered SSD storage in enterprises.

“Whatever Flash’s successor is, it won’t be as fast as RAM,” Flynn said. “It takes longer to change persistent states than volatile states.”

But Flynn is already looking beyond SSD into future memory types.

“The faster it gets the better,” Flynn said. “I’m excited about new, higher memories.”

But SSDs will ultimately match hard drives on price, and the newer memory and storage forms will have to wait, said Huffman, who is also the chairperson for the NVM-Express organization, which is the protocol for current and future non-volatile memory plugging into the PCI-Express slot.

“Hard drives will become the next tape,” Huffman said.

Source:  computerworld.com

Intel plans to ratchet up mobile platform performance with 14-nanometre silicon

Friday, August 23rd, 2013

Semiconductor giant Intel is to start producing mobile and embedded systems using its latest manufacturing process technology in a bid to muscle in on a market that it had previously ignored.

The company is planning to launch a number of platforms this year and next intended to ratchet up the performance of its offerings, according to sources quoted in the Far Eastern trade journal Digitimes.

By the end of 2013, a new smartphone system-on-a-chip (SoC) produced using 22-nanometre process technology, codenamed “Merrifield”, will be introduced, followed by “Moorefield” in the first half of 2014. “Morganfield”, which will be produced on forthcoming 14-nanometre process manufacturing technology, will be available from the first quarter of 2015.

Merrifield ought to offer a performance boost of about 50 per cent combined with much improved battery life compared to Intel’s current top-end smartphone platform, called Clover Trail+.

More immediately, Intel will be releasing “Bay Trail-T” microprocessors intended for Windows 8 and Android tablet computers. The Bay Trail-T architecture will offer a battery life of about eight hours in use, but weeks when it is idling, according to Digitimes sources.

The Bay Trail-T may be unveiled at the Intel Developer Forum in September, when Intel will also be unveiling “Bay Trail” on which the T-version is based. Bay Trail will be produced on the 22-nanometre Silvermont architecture.

Digitimes was quoting sources among Taiwan-based manufacturers.

Intel’s current Intel Atom microprocessors for mobile phones – such as the Motorola Raxr-I and the Prestigio MultiPhone – are based on 32-nanometre technology, a generation behind the manufacturing process technology that it is using to produce its latest desktop and laptop microprocessors.

However, the roadmap suggests that Intel is planning to produce its high-end smartphone and tablet computer microprocessors and SoC platforms using the same manufacturing technology as desktop and server products in a bid to gain an edge on ARM-based rivals from Samsung, Qualcomm, TSMC and other producers.

Manufacturers of ARM-based microprocessors, which currently dominate the high-performance market for mobile and embedded microprocessors, trail in terms of the manufacturing technology that they can build their systems with, compared to Intel.

Intel, though, has been turning its attention to mobile and embedded as laptop, PC and server sales have stalled.

Source:  computing.com

Researchers send data without battery, transmitter

Friday, August 16th, 2013

The system could form the basis of communication between wearable electronics devices

Engineers at the University of Washington have developed a way to communicate over short distances using devices that don’t require batteries or transmit any signals.

They’ve developed a pair of devices that can successfully exchange data at speeds of up to 10kbps over a distance of up to 1 meter, which could be useful in applications as varied as wearable devices or building sensors.

The secret to the unusual communications method is the TV broadcasting signals that fill the airwaves of cities and towns across most of the world.

University of WashingtonThe signals are some of the strongest on the air but reception can be degraded as reflections from buildings, trees and even aircraft affect the signal level received by an antenna. The researchers have taken advantage of the difference reflection can make as the basis for their system.

They’ve developed a couple small devices that can communicate by reflecting or absorbing TV signals.

Both devices are tuned to work over channels 22 to 29 of the UHF TV broadcasting band and the TV signals are used in two ways, said Joshua Smith, an associate professor at the University of Washington and co-author of a paper on the system.

First, a few 10s or 100s of microwatts can be induced from the over-the-air signals to charge up a small capacitor that acts as a battery for the simple circuitry.

Second, data transmission works by having one of the devices reflect or absorb the received TV signal while the other watches for changes in the received signal level of the TV broadcast. When the first device is reflecting, the level of signal received at the second device should be higher and when it’s absorbing the signal level should fall. By detecting the difference between the two, the system has the basics for binary data transmission.

Data can be sent as fast as 10kbps when the two devices are about 30 centimeters apart. This falls to around 100bps at one meter, but the researchers believe it should be possible to increase the speed and distance with additional error detection.

And because the devices are looking for fast, momentary changes in signal level occurring hundreds of times per second, they are not affected by signal level changes at slower speeds, such as that might happen when a car drives nearby.

(A video demonstration of the technology can be found on YouTube.)

Researchers see the system as potentially useful for short-range communication between wearable electronics devices or for sensor networks in construction or agriculture. They have also hypothesized use of the technology in near-field communications applications.

Details of the research were published at the Association for Computing Machinery’s Special Interest Group on Data Communication 2013 conference in Hong Kong this week. It won the conference’s best-paper award.

Source:  computerworld.com

RAM wars: RRAM vs. 3D NAND flash, and the winner is … us

Friday, August 9th, 2013

You may soon have a smartphone or tablet with more than a terabyte of high-speed storage

In fact, Crossbar expects to see mass production of its RRAM chip in two years. Minassian said his company has already penned an agreement with a flash fabrication plant in the automotive industry to manufacture the chips. He also said an agreement with a much Within a few years, you’ll likely be carrying a smartphone, tablet or laptop with hundreds of gigabytes or even terabytes of hyper fast, non-volatile memory, thanks to two memory developments unveiled this week.

First, Samsung announced it is now mass producing three-dimensional (3D) Vertical NAND (V-NAND) chips; then start-up Crossbar said it has created a prototype of its resistive random access memory (RRAM) chip.

Three-dimensional NAND takes today’s flash, which is built on a horizontal plane, and turns it sideways. Then, like microscopic memory skyscrapers, it stacks them side-by-side to create a vastly more dense chip with twice the write performance and 10 times the reliability of today’s 2D, or planar, NAND.

The most-dense process for creating silicon flash memory cells to store data on planar NAND is between 10 nanometer (nm) and 19nm in size. To give some idea of how small that is, a nanometer is one-billionth of a meter — a human hair is 3,000 times thicker than NAND flash made with 25nm process technology. There are 25 million nanometers in an inch.

NAND flash uses transistors or a charge to trap (also known as Charge Trap Flash) to store a bit of data in a silicon cell, while RRAM uses tiny conductive filaments that connect silicon layers to represent a bit of data – a digital one or a zero.

In RRAM, the top layer of silicon nitrate creates a conductive electrode, while the lower layer is non-conductive silicon oxide. A positive charge creates a filament connection between the two silicon layers, which represents a one; a negative charge breaks that filament, creating a resistive layer or a zero.

So, which memory tech wins?

Which of the two memories will dominate the non-volatile memory marketplace in five years isn’t certain, as experts have mixed opinions about how much 3D (or stackable) NAND flash can extend the life of current NAND flash technology. Some say it will grow beyond Samsung’s current 24 layers to more than 100 in the future; others believe it has only two to three generations to go, meaning the technology will hit a wall when it gets to 64 layers or so.

By contrast, RRAM starts out with an advantage. It is denser than NAND, with higher performance and endurance. That means RRAM will be able to use silicon wafers that are half the size used by current NAND flash fabricators. And, best of all, current flash fabrication plants won’t need to change their equipment to make it, according to Crossbar CEO George Minassian.

“It will cost maybe a couple million dollars in engineering costs for plants to introduce it. That’s what it is in our plan,” Minassian said. “It’s about the same cost as introducing a new [NAND flash] node, like going from 65 to 45 nanometer node.”

Crossbar claims its RRAM technology has a 30 nanosecond latency time. Samsung’s top-rated flash, the 840 Pro SSD, has a 0.057 millisecond latency. A millisecond is one-thousandth of a second, a nanosecond is one billionth of a second – a million times faster.

According to Minassian, RRAM can natively withstand 10,000 write-erase cycles, which is a little more than typical consumer-grade MLC (multi-cell level) NAND flash can withstand today – and that’s without any error correction code. ECC is used to upgrade today’s MLC NAND flash to enterprise-class flash cards and solid-state drives (SSDs).

In fact, Crossbar expects to see mass production of its RRAM chip in two years. Minassian said his company has already penned an agreement with a flash fabrication plant in the automotive industry to manufacture the chips. He also said an agreement with a much larger fab is nearing an agreement.

Both RRAM and 3D NAND herald an enormous leap in memory performance and storage capacity. Crossbar’s RRAM promises 20 times faster write performance and 10 times the durability of today’s planar NAND flash. Like 3D NAND, RRAM memory chips will be stacked, and a 1TB module will be roughly half the size of a NAND flash module with similar storage, Minassian said.

Three-dimensional NAND offers multiples more capacity. With every NAND flash “skyscraper” comes a doubling of capacity. Samsung said its V-NAND will initially only boast capacities ranging from 128GB to 1TB in embedded systems and SSDs, “depending on customer demand.” So, Samsung appears to be betting on a manufacturing cost reduction – price per bit — and not a capacity increase to drive V-NAND sales.

Crossbar’s initial RRAM chip will also be capable of storing up to 1TB of data, but it can do that on a chip smaller than a postage stamp; that amounts to 250 hours of hi-def movies on a 200mm square surface.

When it comes to performance, RRAM brings yet another advantage. A NAND flash chip today has about 7MB/sec write speeds. SSDs and flash cards can achieve 400MB/sec speeds by running multiple chips in parallel.

A RRAM chip boasts 140MB/sec write speeds, and that’s without parallel interconnects to multiple chips, Minassian said.

Both 3D NAND and RRAM’s purported performance gains mean that storage devices will no longer be the system bottlenecks they are now. In the future, the bottleneck will be the bus — the communication layer between computer components. In other words, if NAND flash is a 100 mph car and RRAM is a 200 mph car, it doesn’t matter how fast they can go if the road they’re on has a curve that limits speeds to 50 mph.

On top of performance, RRAM uses a fraction of the power to store data that NAND flash uses, meaning it will help extends battery life “to weeks, months or years,” according to Crossbar.

For example, NAND flash requires about 20 volts of electricity to write a bit of data into a silicon chip. RRAM requires just 4 microamps to write a bit of data.

Crossbar is not alone in its development of RRAM. Both Hewlett-Packard and Panasonic have developed their own versions of resistive memory, but according to Jim Handy, principal analyst at Objective Analysis, Crossbar has a huge leg up on other developers.

“One very big advantage of this technology is that the selection device is built into the cell. In other RRAMs it is not, so something external (a diode or transistor) has to be built in. This is an area that has received a lot of research funding but is still a thorny issue for many other technologies,” he said in an email reply to Computerworld

Handy said the market for alternative technologies to RRAM is limited, as flash manufacturers tend to use the cheapest technology they can get away with, even though other technologies offer better performance.

RRAM has the advantage

RRAM isn’t the only memory advance in sight. Alternative forms of non-volatile memory that could be future rivals to NAND and DRAM include Everspin’s magnetoresistive RAM (MRAM) and phase-change memory (PCM), a memory type being pursued by Samsung and Micron. There is also Racetrack Memory, Graphene Memory and Memristor, HP’s own type of RRAM.

Gregory Wong, founder and principal analyst at research firm Forward Insights, believes Crossbar’s RRAM is a viable product that may someday challenge NAND, “and when I say NAND, I mean 3D NAND, too,” he said.

Racetrack memory still has at least five years go to go before it is even viable. “Right now, it looks like an interesting concept. Whether it eventually becomes commercialized or not is far out in the future,” Wong said.

“Phase change…, well, there is some out there, but the question is, where does it fit in the memory market? Right now, it’s a NOR replacement,” Wong continued. “Its performance and endurance is like NOR, not NAND.

“Generally, when you look at…others touting RRAM, there’s a lot of skepticism, but when we looked at Crossbar and its technology, we found it interesting,” he said.

Handy also believes memory made with silicon, like Crossbar’s RRAM, will continue to dominate the memory market because fabs are already outfitted to use it and it’s an inexpensive material.

“Silicon will retain its dominance over newer materials for as long as it can, and technologies like Crossbar’s will play a niche role until 3D NAND runs out of steam, which currently looks like it will happen two to three generations after 2D runs out of steam, which is two to three process generations away from where the market is today,” Handy said.

NAND flash process technology has been advancing every 12 months or so. For example, Intel is about to move from 19nm process node to 14nm. That means it may run out of steam in two to three years.

Not everyone agrees 3D NAND has such a limited lifespan.

Gill Lee, senior director and principal member of the technical staff at Applied Materials, believes 3D NAND could grow to more than 100 layers deep. Applied Materials provides the machines for the semiconductor industry to make both NAND flash and RRAM.

“Moving to 3D allows for the NAND technology to continue to scale down. How far can it go? I think it can go quite far,” he said.

Lee said he’s already seen fabrication plant roadmaps that take 3D NAND out to 128 pairs or layers.

The first generation of 3D NAND, 24-layers deep, comes on heels of sub-20nm node 2D NAND, but because it is more dense, 3D NAND will reduce the cost per bit to manufacture memory by about 30%, Lee said.

Whether consumers will see NAND flash with greater densities, or fabrication plants will simply continue creating the same memory capacities at lower costs, will be up to the industry, Lee added.

Source:  networkworld.com

High court bans publication of car-hacking paper

Tuesday, July 30th, 2013

A high court judge has ruled that a computer scientist cannot publish an academic paper over fears that it could lead to vehicle theft.

Flavio Garcia, from the University of Birmingham, has cracked the algorithm behind Megamos Crypto—a system used by several luxury car brands to verify the identity of keys used to start the ignition. He was intending to present his results at the Usenix Security Symposium.

But Volkswagen’s parent company, which owns the Porsche, Audi, Bentley and Lamborghini brands, asked the court to prevent the scientist from publishing his paper. It said that the information could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car.”

The company asked the scientists to publish a redacted version of the paper without the crucial codes, but the researchers declined, claiming that the information is publicly available online.

Instead, they protested that “the public have a right to see weaknesses in security on which they rely exposed,” adding that otherwise, “industry and criminals know security is weak but the public do not.”

The judge, Colin Birss, ultimately sided with the car companies, despite saying he “recognized the importance of the right for academics to publish.”

Source:  arstechnica.com

Oil, gas field sensors vulnerable to attack via radio waves

Friday, July 26th, 2013

Researchers with IOActive say they can shut down a plant from up to 40 miles away by attacking industrial sensors

Sensors widely used in the energy industry to monitor industrial processes are vulnerable to attack from 40 miles away using radio transmitters, according to alarming new research.

Researchers Lucas Apa and Carlos Mario Penagos of IOActive, a computer security firm, say they’ve found a host of software vulnerabilities in the sensors, which are used to monitor metrics such as temperature and pipeline pressure, that could be fatal if abused by an attacker.

Apa and Penagos are scheduled to give a presentation next Thursday at the Black Hat security conference in Las Vegas but gave IDG News Service a preview of their research. They can’t reveal many details due to the severity of the problems.

“If you compromise a company on the Internet, you can cause a monetary loss,” Penagos said. “But in this case, [the impact] is immeasurable because you can cause loss of life.”

The U.S. and other nations have put increased focus in recent years on the safety of industrial control systems used in critical infrastructure such as nuclear power plants, energy and water utilities. The systems, often now connected to the Internet, may have not had thorough security audits, posing a risk of life-threatening attacks from afar.

Apa and Penagos studied sensors manufactured by three major wireless automation system manufacturers. The sensors typically communicate with a company’s home infrastructure using radio transmitters on the 900MHz or 2.4GHz bands, reporting critical details on operations from remote locations.

Apa and Penagos found that many of the sensors contained a host of weaknesses, ranging from weak cryptographic keys used to authenticate communication, software vulnerabilities and configuration errors.

For example, they found some families of sensors shipped with identical cryptographic keys. It means that several companies may be using devices that all share the same keys, putting them at a greater risk of attack if a key is compromised.

They tested various attacks against the sensors using a specific kind of radio antennae the sensors use to communicate with their home networks. They found it was possible to modify readings and disable sensors from up to 40 miles (64 kilometers) away. Since the attack isn’t conducted over the Internet, there’s no way to trace it, Penagos said.

In one scenario, the researchers concluded that by exploiting a memory corruption bug, all sensors could be disabled and a facility could be shut down.

Fixing the sensors, which will require firmware updates and configuration changes, won’t be easy or quick. “You need to be physically connected to the device to update them,” Penagos said.

Apa and Penagos won’t identify the vendors of the sensors since the problems are so serious. They’ve handed their findings to the U.S. Computer Emergency Readiness Team, which is notifying the affected companies.

“We care about the people working in the oil fields,” Penagos said.

Source:  computerworld.com

Crypto flaw makes millions of smartphones susceptible to hijacking

Tuesday, July 23rd, 2013

New attack targets weakness in at least 500 million smartphone SIM cards.

Millions of smartphones could be remotely commandeered in attacks that allow hackers to clone the secret encryption credentials used to secure payment data and identify individual handsets on carrier networks.

The vulnerabilities reside in at least 500 million subscriber identity module (SIM) cards, which are the tiny computers that store some of a smartphone’s most crucial cryptographic secrets. Karsten Nohl, chief scientist at Security Research Labs in Berlin, told Ars that the defects allow attackers to obtain the encryption key that safeguards the user credentials. Hackers who possess the credentials—including the unique International Mobile Subscriber Identity and the corresponding encryption authentication key—can then create a duplicate SIM that can be used to send and receive text messages, make phone calls to and from the targeted phone, and possibly retrieve mobile payment credentials. The vulnerabilities can be exploited remotely by sending a text message to the phone number of a targeted phone.

“We broke a significant number of SIM cards, and pretty thoroughly at that,” Nohl wrote in an e-mail. “We can remotely infect the card, send SMS from it, redirect calls, exfiltrate call encryption keys, and even hack deeper into the card to steal payment credentials or completely clone the card. All remotely, just based on a phone number.”

Nohl declined to identify the specific manufacturers or SIM models that contain the exploitable weaknesses. The vulnerabilities are in the SIM itself and can be exploited regardless of the particular smartphone they manage.

The cloning technique identified by the research team from Security Research Labs exploits a constellation of vulnerabilities commonly found on many SIMs. One involves the automatic responses some cards generate when they receive invalid commands from a mobile carrier. Another stems from the use of a single Data Encryption Standard key to encrypt and authenticate messages sent between the mobile carrier and individual handsets. A third flaw involves the failure to perform security checks before a SIM installs and runs Java applications.

The flaws allow an attacker to send an invalid command that carriers often issue to handsets to instruct them to install over-the-air (OTA) updates. A targeted phone will respond with an error message that’s signed with the 1970s-era DES cipher. The attacker can then use the response message to retrieve the phone’s 56-bit DES key. Using a pre-computed rainbow table like the one released in 2009 to crack cell phone encryption keys, an attacker can obtain the DES key in about two minutes. From there, the attacker can use the key to send a valid OTA command that installs a Java app that extracts the SIM’s IMSI and authentication key. The secret information is tantamount to the user ID and password used to authenticate a smartphone to a carrier network and associate a particular handset to a specific phone number.

Armed with this data, an attacker can create a fully functional SIM clone that could allow a second phone under the control of the attacker to connect to the network. People who exploit the weaknesses might also be able to run unauthorized apps on the SIM that redirect SMS and voicemail messages or make unauthorized purchases against a victim’s mobile wallet. It doesn’t appear that attackers could steal contacts, e-mails, or other sensitive information, since SIMs don’t have access to data stored on the phone, Nohl said.

Nohl plans to further describe the attack at next week’s Black Hat security conference in Las Vegas. He estimated that there are about seven billion SIMs in circulation. That suggests the majority of SIMs aren’t vulnerable to the attack. Right now, there isn’t enough information available for users to know if their particular smartphones are susceptible to this technique. This article will be updated if carriers or SIM manufacturers provide specific details about vulnerable cards or mitigation steps that can be followed. In the meantime, Security Research Labs has published this post that gives additional information about the exploit.

Source:  arstechnica.com

VoIP phone hackers pose public safety threat

Friday, July 19th, 2013

Hospitals, 911 call centers and other public safety agencies can be shut down by hackers using denial-of-service attacks.

The demand stunned the hospital employee. She had picked up the emergency room’s phone line, expecting to hear a dispatcher or a doctor. But instead, an unfamiliar male greeted her by name and then threatened to paralyze the hospital’s phone service if she didn’t pay him hundreds of dollars.

Shortly after the worker hung up on the caller, the ER’s six phone lines went dead. For nearly two days in March, ambulances and patients’ families calling the San Diego hospital heard nothing but busy signals.

The hospital had become a victim of an extortionist who, probably using not much more than a laptop and cheap software, had single-handedly generated enough calls to tie up the lines.

Distributed denial-of-service attacks — taking a website down by forcing thousands of compromised personal computers to simultaneously visit and overwhelm it — has been a favored choice of hackers since the advent of the Internet.

Now, scammers are inundating phone lines by exploiting vulnerabilities in the burgeoning VoIP, or Voice over Internet Protocol, telephone system.

The frequency of such attacks is alarming security experts and law enforcement officials, who say that while the tactic has mainly been the tool of scammers, it could easily be adopted by malicious hackers and terrorists to knock out crucial infrastructure such as hospitals and 911 call centers.

“I haven’t seen this escalated to national security level yet, but it could if an attack happens during a major disaster or someone expires due to an attack,” said Frank Artes, chief technology architect at information security firm NSS Labs and a cybercrime advisor for federal agencies.

The U.S. Department of Homeland Security declined to talk about the attacks but said in a statement that the department was working with “private and public sector partners to develop effective mitigation and security responses.”

In the traditional phone system, carriers such as AT&T grant phone numbers to customers, creating a layer of accountability that can be traced. On the Web, a phone number isn’t always attached to someone. That’s allowed scammers to place unlimited anonymous calls to any land line or VoIP number.

They create a personal virtual phone network, typically either through hardware that splits up a land line or software that generates online numbers instantly. Some even infect cellphones of unsuspecting consumers with viruses, turning them into robo-dialers without the owners knowing that their devices have been hijacked. In all cases, a scammer has access to multiple U.S. numbers and can tell a computer to use them to dial a specific business.

Authorities say the line-flooding extortion scheme started in 2010 as phone scammers sought to improve on an old trick in which they pretend to be debt collectors. But the emerging bulls-eye on hospitals and other public safety lines has intensified efforts to track down the callers.

Since mid-February, the Internet Crime Complaint Center, a task force that includes the FBI, has received more than 100 reports about telephony denial-of-service attacks. Victims have paid $500 to $5,000 to bring an end to the attacks, often agreeing to transfer funds from their banks to the attackers’ prepaid debit card accounts. The attackers then use the debit cards to withdraw cash from an ATM.

The hospital attack, confirmed by two independent sources familiar with it, was eventually stopped using a computer firewall filter. No one died, the sources said. But hospital staff found the lack of reliable phone service disturbing and frustrating, one source said. They requested anonymity because they were not authorized to talk about the incident.

But typical firewalls, which are designed to block calls from specific telephone numbers, are less effective against Internet calls because hackers can delete numbers and create new ones constantly. Phone traffic carried over the Internet surged 25% last year and now accounts for more than a third of all international voice traffic, according to market research firm TeleGeography.

To thwart phone-based attacks, federal officials recently began working with telecommunications companies to develop a caller identification system for the Web. Their efforts could quell more than just denial-of-service attacks.

They could block other thriving fraud, including the spoofing and swatting calls that have targeted many people, from senior citizens to celebrities such as Justin Bieber. In spoofing, a caller tricks people into picking up the phone when their caller ID shows a familiar number. In swatting, a caller manipulates the caller ID to appear as though a 911 call is coming from a celebrity’s home.

Unclassified law enforcement documents posted online have vaguely identified some victims: a nursing home in Marquette, Wis., last November, a public safety agency and a manufacturer in Massachusetts in early 2013, a Louisiana emergency operations center in March, a Massachusetts medical center in April and a Boston hospital in May.

Wall Street firms, schools, media giants, insurance companies and customer service call centers have also temporarily lost phone service because of the attacks, according to telecommunications industry officials. Many of the victims want to remain anonymous out of fear of being attacked again or opening themselves up to lawsuits from customers.

The Marquette incident is noteworthy because when the business owner involved the Marquette County Sheriff’s Department, the scammer bombarded one of the county’s two 911 lines for 3 1/2 hours.

“The few people I’ve talked to about it have said that you just have to take it and that there’s no way to stop this,” Sheriff’s Capt. Chris Kuhl said.

A Texas hospital network has been targeted several times this year, said its chief technology officer, who spoke on the condition of anonymity because the individual’s employer has not discussed the attacks publicly. One of its nine hospitals lost phone service in a nurses unit for a day, preventing families from calling in to check on patients.

As the hospital searched for answers, it temporarily created a new number and turned to backup phone lines or cellphones for crucial communications. The chain eventually spent $20,000 per hospital to install a firewall-type device that is able to block calls from numbers associated with an attack.

For all the money spent on Internet security, companies often overlook protecting their telephones, Artes said.

“It’s kind of embarrassing when a website goes down, but when you shut down emergency operations for a county or a city, that has a direct effect on their ability to respond,” he said.

The Federal Communications Commission has begun huddling with phone carriers, equipment makers and other telecommunication firms to discuss ideas that would help stem the attacks. One possibility is attaching certificates, or a secret signature, to calls.

The FCC’s chief technology officer, Henning Schulzrinne, acknowledged that though such a solution is probably a year or two away, it could put an end to most fraudulent calls.

But Jon Peterson, a consultant with network analytics firm Neustar, said such measures raise privacy worries. Some calls, such as one to a whistle-blower hotline or one originating from a homeless shelter, may need to remain anonymous. There won’t be a single fix. But the goal is clear.

“The lack of secure attribution of origins of these calls is one of the key enablers of this attack,” Peterson said. “We have to resolve this question of accountability for the present day and the future.”

Source:  latimes.com

Avoid built-in SSD encryption to ensure data recovery after failure, warns specialist

Monday, July 8th, 2013

Companies wanting to ensure their data is recoverable from solid state disk (SSD) drives should make sure they use third-party encryption tools with known keys rather than relying on devices’ built-in encryption, a data-recovery specialist has advised.

Noting that the shift from mechanical hard drives to flash RAM-based solid state disk (SSD) drives had increased the complexity of data recovery, Adrian Briscoe, general manager of data-recovery specialist Kroll Ontrack, told CSO Australia that the growing use of SSD in business servers, mobile phones, tablets, laptops and even cloud data centres had made recovering data from the devices “a very black or white situation”.

“You either get everything or you don’t get anything at all” from damaged SSD-based equipment, he explained.

“With mechanical hard drives it’s a percentage situation, particularly since large drives are typically not used to capacity. But with SSDs we spend a lot of time trying to find ways of recovering data. The major issue is interacting with the [SSD controller] chips: Although there are only six controller chip makers, there are at least 220 manufacturers of SSD devices, and the way they’re designed is different from one device to the next.”

Many manufacturers, in particular, had taken their own approaches to data security, automatically scrambling the information on SSDs with encryption keys that are stored on the device itself.

That has presented new challenges for the company’s data-recovery engineers, who work from a dedicated data-recovery clean-room in Brisbane where damaged hard drives are regularly rebuilt to the point where their data can be recovered.

The proportion of SSD and flash RAM media going to that cleanroom had grown steadily, from 2.1 per cent of all data recovery jobs in late 2008 to 6.41 per cent of jobs in Q4 2012.

Recovering data from SSDs is already more difficult than sequential-write hard drives because SSD-stored data is distributed throughout the flash RAM cells by design. Once SSD-stored keys are made inaccessible by damage to the device, however, recovering the data becomes far more complicated – and chances of getting any of it back plummet.

“SSD devices do have encryption on them, and we are recommending people not use hardware encryption on an SSD if they are wanting to ever recover data from that device,” Briscoe explained, suggesting that users instead run computer-based software like the open-source TrueCrypt, whose keys can be managed by the user rather than internally by the drive itself.

“By having encryption turned on, an SSD with a hardware key is going to fail any data recovery effort,” he continued. “We are not hackers, and we can’t get into encrypted data. Instead, we’re recommending that people use something that holds the key outside the device.”

Many users had yet to appreciate the complexity that SSD poses, with a November 2012 customer survey suggesting just 31 per cent were aware of the complexity of SSD-based encryption and 48% saying there was no additional risk posed by using SSDs. An additional 38 per cent said they didn’t know.

The SSD challenge isn’t limited to smartphone-wielding users, however: as data-centre operators increasingly turn to SSD to boost the effective speed of their data-storage operations, Briscoe warned that a growing number of the company’s recovery operations were involving data lost to cloud-computing operators.

“A lot of vendors are using hybrid solutions with a bank of SSDs in a storage area network, then write data to [conventional] drives,” he said.

“We’re seeing more and more instances of cloud providers losing data: they rely very much on snapshots, and if something happens to the data – if there is corruption to the operating system or some type of user error – we are having more and more cloud providers coming to us with data loss.”

Source:  cso.com

Ferromagnetics breakthrough could change storage as we know it

Thursday, June 20th, 2013

MIT prof says new method of writing to magnetic media should cut power consumption by a factor of 10,000.

A previously misunderstood magnetic phenomenon has been apparently explained by a paper published on Sunday in Nature Materials – and the explanation could lead to wholesale transformation in magnetic storage.

Essentially, according to MIT professor Geoffrey Beach’s team, the positive or negative “poles” of a very thin ferromagnet behave in a predictable way when placed next to specific types of materials. What this means is that, due to a complicated asymmetry created when the magnetic media is the middle layer in a sandwich of two others, it’s possible to switch a value on the disk from 1 to 0 using about 1/100th the energy as in current systems. (Since power scales with the square of the current, this represents a 10,000-fold improvement in power dissipation.)

“The idea is not to improve hard disks, but to replace them with magnetic solid-state devices. In a hard disk, bits are fixed in position on the surface of the disk, and individual bits are accessed by physically rotating the disk,” Professor Beach told Network World. “If the bits are instead stored as a series of magnetic domains arranged along a magnetic nanowire, they can be moved by shifting the domains using an electrical current, without any mechanical motion.”

This not only means increased energy efficiency, but increased speed, since the need for mechanical motion has been obviated. And since it’s non-volatile memory, it could both replace RAM and do away with the need to perform boot sequences when computers are powered on, he said.

We could see these “magnetic solid-state” devices sooner, rather than later – according to Beach, the materials involved are the same as those in present-day HDD technology.

Source:  networkworld.com

Medical Devices Hard-Coded Passwords (ICS-ALERT-13-164-01)

Friday, June 14th, 2013

SUMMARY

Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.

Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the Food and Drug Administration (FDA) in addressing these issues. ICS-CERT and the FDA have notified the affected vendors of the report and have asked the vendors to confirm the vulnerability and identify specific mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. ICS-CERT and the FDA will follow up with specific advisories and information as appropriate

The report included vulnerability details for the following vulnerability

Vulnerability Type Remotely Exploitable Impact
Hard-coded password Yes, device dependent Critical settings/device firmware modification

 

The affected devices have hard-coded passwords that can be used to permit privileged access to devices such as passwords that would normally be used only by a service technician. In some devices, this access could allow critical settings or the device firmware to be modified.

The affected devices are manufactured by a broad range of vendors and fall into a broad range of categories including but not limited to:

  • Surgical and anesthesia devices,
  • Ventilators,
  • Drug infusion pumps,
  • External defibrillators,
  • Patient monitors, and
  • Laboratory and analysis equipment.

ICS-CERT and the FDA are not aware that this vulnerability has been exploited, nor are they aware of any patient injuries resulting from this potential cybersecurity vulnerability.

MITIGATION

ICS-CERT is currently coordinating with multiple vendors, the FDA, and the security researchers to identify specific mitigations across all devices. In the interim, ICS-CERT recommends that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities. The FDA has published recommendations and best practices to help prevent unauthorized access or modification to medical devices.

  • Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.
    • Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard‑coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
  • Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
  • Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
  • Provide methods for retention and recovery after an incident where security has been compromised. Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.

For health care facilities: The FDA is recommending that you take steps to evaluate your network security and protect your hospital system. In evaluating network security, hospitals and health care facilities should consider:

  • Restricting unauthorized access to the network and networked medical devices.
  • Making certain appropriate antivirus software and firewalls are up-to-date.
  • Monitoring network activity for unauthorized use.
  • Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
  • Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
  • Developing and evaluating strategies to maintain critical functionality during adverse conditions.

ICS-CERT reminds health care facilities to perform proper impact analysis and risk assessment prior to taking defensive and protective measures.

ICS-CERT also provides a recommended practices section for control systems on the US-CERT Web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.a Although medical devices are not industrial control systems, many of the recommendations from these documents are applicable.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and FDA for tracking and correlation against other incidents.

The FDA has also announced a safety communications that highlights the points made in this alert. For additional information see: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm

Source:  US-CERT

China builds fastest supercomputer in the world

Monday, June 10th, 2013

supercomputer t2

China appears to have once again taken the lead from the United States in the burgeoning supercomputing wars, developing a supercomputer that is twice as fast as anything America has to offer.

The new Tianhe-2 supercomputer, nicknamed the Milkyway-2, was unveiled by China’s National University of Defense Technology (NUDT) during a conference held in late May. University of Tennessee professor Jack Dongarra confirmed this week that the Milkyway-2 operates as fast as 30.7 petaflops — quadrillions of calculations — per second.

Titan, the U.S. Department of Energy’s fastest supercomputer, has been clocked in at “just” 17.6 petaflops per second. Dongarra is also a researcher at the Oak Ridge National Laboratory which houses Titan.

The new Chinese supercomputer will provide an open, high-performance computing service for southwest China when it moves to the Chinese National Supercomputer Center in Guangzhou by the end of this year. NUDT has listed several possible uses for the Milkway-2, including simulations for testing airplanes, processing “big data,” and aiding in government security.

The Milkyway-2 will have to be officially tested, but its incredible speed will likely place it atop the biannual Top 500 supercomputer list, which is expected to be unveiled during the International Supercomputing Conference next weekend. It would mark the first time since 2010 that China topped the list — then with the Tianhe-1.

The United States only just reclaimed the top spot this past November after coming up short to Japan, China and Germany over the past three years.

The rankings earn more than bragging rights as supercomputers become increasingly important to national security. The Titan aids in American research about climate change, biofuels and nuclear energy. In May, a U.S. House subcommittee held a hearing on supercomputers where researches asked Congress to provide funding for “exascale” computers, which could operate at one quintillion flops per second.

Dongarra noted that even with sustained investment into this technology, the United States could still fall behind global leaders in the supercomputing race.

“Perhaps this is a wake up call,” he said.

Source:  CNN

Bug in Samsung S3 grabs too many images, ups data use

Friday, May 31st, 2013

Researchers of the BenchLab project at UMass Amherst have discovered a bug in the browser of the Samsung S3.

If you browse a Web page that has multiple versions of the same image (for mobile, tablet, desktop, etc…) like most Wikipedia pages for example, instead of downloading one image at the right resolution, the phone will download all versions of it. A page that should be less than 100K becomes multiple MB!  It looks like a bug in the implementation of the srcset HTML tag, but all the details are in the paper to be presented at the IWQoS conference next week.

So far Samsung didn’t acknowledge the problem though it seems to affect all S3 phones. You’d better have an unlimited data plan if you browse Wikipedia on an S3!

Source:  slashdot.org