
Security flaws smash worthless privacy protection

Analysis To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there's a technique known as MAC address randomization. This replaces the number that uniquely identifies a device's wireless hardware with randomly generated values.

In theory, this prevents scumbags from tracking devices from network to network, and by extension the individuals using them, because the devices in question call out to these nearby networks using different hardware identifiers.

 

It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC addresses, so that shoppers are recognized by their handset when they next walk in, or walk into an affiliated shop with the same creepy system present. This could be used to alert assistants, or to follow people from department to department and store to store, and then sell that data to marketers and ad companies.

Public wireless hotspots can do the same. Transport for London in the UK, for instance, used these techniques to study Tube passengers.

Regularly changing a device's MAC address is supposed to defeat this tracking.

But it turns out to be completely worthless, due to a combination of implementation flaws and vulnerabilities. That and the fact that MAC address randomization is not enabled on the majority of Android phones.

 

In a paper published on Wednesday, US Naval Academy researchers report that they were able to "track 100 per cent of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames."

Beyond this one vulnerability, which is exploited through an active RTS (Request to Send) attack, the researchers also identify several alternative deanonymization techniques that work against certain types of devices.

Cellular radio hardware has its own set of security and privacy issues; these are not considered in the Naval Academy study, which focuses on Android and iOS devices.

Each 802.11 network interface in a mobile phone has a 48-bit layer-2 hardware identifier, the MAC address, which is supposed to be persistent and globally unique.

Hardware makers can register with the Institute of Electrical and Electronics Engineers (IEEE) to buy a block of MAC addresses for their networking products: the manufacturer is assigned a three-byte Organizationally Unique Identifier, or OUI, which is combined with an additional three-byte identifier that the manufacturer can set to any value. Put those six bytes together and you have a 48-bit MAC address that should be globally unique for each device.

 

The IEEE's registration system makes it easy to identify the maker of a particular piece of network hardware. The IEEE also provides the ability to purchase a private OUI that's not associated with a company name, but according to the researchers "this additional privacy feature is not currently used by any major manufacturers that we are aware of."

Alternatively, the IEEE offers a Company Identifier, or CID, which is another three-byte prefix that can be combined with three additional bytes to form 48-bit MAC addresses. CID addresses can be used in situations where global uniqueness is not required. These CID numbers tend to be used for MAC address randomization and are usually transmitted when a device unassociated with a specific access point broadcasts 802.11 probe requests, the paper explains.

The researchers focused on devices unassociated with a network access point – as might happen when walking down the street through various Wi-Fi networks – rather than those associated and authenticated with a specific access point, where the privacy concerns differ and unique global MAC addresses come into play.

Unmasking

Previous security research has shown that flaws in the Wi-Fi Protected Setup (WPS) protocol can be used to reverse engineer a device's globally unique MAC address through a technique called Universally Unique IDentifier-Enrollee (UUID-E) reversal. The US Naval Academy study builds upon that work by focusing on randomized MAC address implementations.

 

The researchers found that "the overwhelming majority of Android devices are not implementing the available randomization capabilities built into the Android OS," which makes such Android devices trivial to track. It's not clear why this is the case, but the researchers speculate that 802.11 chipset and firmware incompatibilities might be part of it.

Samsung v Apple

Surprisingly, Samsung devices, which accounted for 23 per cent of the researchers' Android data set, show no evidence of implementing MAC address randomization.

Apple, meanwhile, introduced MAC address randomization in iOS 8, only to break it in iOS 10. While the researchers were evaluating devices last year, Apple launched iOS 10 and changed its network probe broadcasts to include a distinct Information Element (IE), data added to Wi-Fi management frames to extend the Wi-Fi protocol.

"Inexplicably the addition of an Apple vendor-specific IE was added to all transmitted probe requests," the paper explains. "This made identification of iOS 10 Apple devices trivial regardless of the use of MAC address randomization."

 

This shortcoming aside, Apple handles randomization correctly, in the sense that it randomizes all 48 bits of the address apart from two: the Universal/Local bit, which is set to distinguish locally administered (randomized) addresses from globally unique ones, and the Unicast/Multicast bit, which stays clear because a station's own source address must be unicast.

The researchers find this interesting because the IEEE charges a fee for using the first three bytes of that space for CID prefixes, "meaning that Apple is freely making use of address space that other companies have paid for."
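The address rules described above (the OUI or CID prefix, the U/L bit that marks a randomized address, the I/G bit that must stay clear) and the iOS 10 vendor-specific IE can both be checked from a probe request without any active attack. The following Python is an added example written for this page; it is not code from the Naval Academy paper or from The Register. It parses a probe request's source address and its tagged information elements (IEs) and reports whether the address is randomized, what prefix it carries, and which vendor OUIs appear in vendor-specific IEs. The prefix table and the three sample frames are constructed for the example; in particular the Apple and Google prefixes in the table are assumptions standing in for the IEEE registry, not a lookup the paper publishes.

```python
"""Probe-request classifier: randomized vs global source addresses, plus IE fingerprints.

Added example for this page; it is not code from the Naval Academy paper or
The Register. It applies the address rules described in the article (the U/L
bit that marks a locally administered, i.e. randomized, address; the I/G bit
that must be 0 on a unicast source; the three-byte OUI/CID prefix) and parses
the tagged information elements (IEs) of a probe request so that a
vendor-specific IE, like the one iOS 10 added, is flagged whatever the source
address says. Assumptions: the prefix labels are illustrative stand-ins for
the IEEE registry, and the sample frames are constructed, not captured.
"""
import secrets
from typing import Dict, List, Tuple

IE_VENDOR_SPECIFIC = 221  # 802.11 element ID reserved for vendor-specific IEs

# Assumed, illustrative entries only; a real tool loads the IEEE OUI/CID files.
PREFIX_LABELS = {
    "00:17:f2": "Apple OUI (assumed for the example)",
    "da:a1:19": "Google CID, used as a randomization prefix (assumed for the example)",
}


def parse_mac(text: str) -> bytes:
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def hex_bytes(data: bytes) -> str:
    return ":".join(f"{b:02x}" for b in data)


def is_locally_administered(mac: bytes) -> bool:
    """U/L bit (bit 1 of the first octet): 1 means locally administered, i.e. randomized."""
    return bool(mac[0] & 0x02)


def is_multicast(mac: bytes) -> bool:
    """I/G bit (bit 0 of the first octet): 1 means group address, never valid as a source."""
    return bool(mac[0] & 0x01)


def random_local_mac() -> bytes:
    """Full 48-bit randomization as the article describes for iOS: every bit
    random except U/L forced to 1 and I/G forced to 0."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return bytes(raw)


def parse_ies(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the tagged parameters of a probe request: 1-byte ID, 1-byte length, value."""
    ies: List[Tuple[int, bytes]] = []
    pos = 0
    while pos + 2 <= len(payload):
        eid, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((eid, value))
        pos += 2 + length
    if pos != len(payload):
        raise ValueError("trailing bytes after last information element")
    return ies


def vendor_ouis(ies: List[Tuple[int, bytes]]) -> List[str]:
    """OUIs carried in vendor-specific IEs: a fingerprint independent of the MAC."""
    return [hex_bytes(value[:3]) for eid, value in ies
            if eid == IE_VENDOR_SPECIFIC and len(value) >= 3]


def classify(src_mac: str, ie_payload: bytes) -> Dict[str, object]:
    mac = parse_mac(src_mac)
    prefix = hex_bytes(mac[:3])
    return {
        "mac": hex_bytes(mac),
        "unicast": not is_multicast(mac),
        "randomized": is_locally_administered(mac),
        "prefix": prefix,
        "prefix_label": PREFIX_LABELS.get(prefix, "unregistered or unknown"),
        "vendor_ie_ouis": vendor_ouis(parse_ies(ie_payload)),
    }


# Constructed sample probe-request bodies: wildcard SSID IE, supported rates,
# and in the first case a vendor-specific IE under the assumed Apple OUI.
RATES_IE = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
SAMPLES = [
    ("5a:3c:9e:12:44:f0", bytes([0, 0]) + RATES_IE
     + bytes([IE_VENDOR_SPECIFIC, 7, 0x00, 0x17, 0xF2, 0x0A, 0x00, 0x01, 0x04])),
    ("da:a1:19:7b:c0:01", bytes([0, 0]) + RATES_IE),  # randomized, but the CID prefix is a tell
    ("3c:5a:b4:10:20:30", bytes([0, 0]) + RATES_IE),  # globally unique address, no randomization
]

if __name__ == "__main__":
    for mac, body in SAMPLES:
        print(classify(mac, body))
    print("fresh randomized address:", hex_bytes(random_local_mac()))
```

The first sample is the iOS 10 situation the article describes: the address is properly randomized, yet the vendor-specific IE identifies the platform anyway. The second shows why a paid CID prefix is itself a weak point, since a fixed prefix narrows the device to one vendor even though the remaining 24 bits change. The parser rejects truncated or trailing bytes rather than guessing, which matters when the input comes from a monitor-mode capture rather than a constructed frame.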

In a phone interview with The Register, Travis Mayberry, assistant professor at the US Naval Academy and one of the paper's co-authors, expressed surprise that something like 70 per cent of Android phones tested did not implement MAC address randomization.

"It's strange that Android was so vulnerable," he said. "It's just really bad at doing what it was supposed to do."

'Closest to being pretty good'

Apple, meanwhile, fared better in terms of effort, though not results. "Apple is the closest to being pretty good," Mayberry said, but noted that Apple devices, despite the advantage of hardware consistency, are still vulnerable to an RTS (Request to Send) attack. Sending RTS frames to an Apple phone forces the device to reveal its globally unique MAC address, rather than the randomized one normally presented to the hotspot.

 

"No matter how hard you try, you can't defend against that because it's a property of the wireless chip itself," said Mayberry.

There was a single Android phone that fared well. "The one Android phone that was resistant to our passive attacks was the CAT S60 which is some kind of 'tough' phone used on construction sites and the like," Mayberry explained in an email. "It did not have a recognizable fingerprint and did not ever transmit its global MAC except when associating. It was still vulnerable to our active RTS attack though, since like I said, that is a problem with the actual chips and affects every phone."

Mayberry was at a loss to explain why Apple shot itself in the foot by adding a trackable identifier to a system that previously worked well.

"I initially thought it might be to support some of the 'continuity' features where multiple Apple devices can discover and exchange stuff like open browser tabs and clipboard contents but that came out in earlier versions of iOS," he said. "It also might be linked to the HomeKit features that they added in iOS to control IoT devices. Basically it would have to be to purposefully identify and discover other Apple devices that are not associated, otherwise we wouldn't see it in probe requests. All of this is pure speculation though and we really don't have a strong reason for it."

Mayberry said he hoped the research would help the industry understand the consequences of everyone doing things differently. There's no generally accepted way to handle MAC address randomization. "There are so many phones not using it," he said. "There should be a standard." ®

Source: This article was published on theregister.co.uk

Categorized in Internet Privacy

Android still tends to be the default platform, although iOS versions are usually available after a short delay. The issue of platform support is more important than it might appear. Even if you don't personally use an iPhone, say, the fact that your favoured contacts do will render any app that doesn't support both platforms useless when the same app is needed at both ends. Some apps integrate with third-party applications, for instance email clients. That can be important for businesses: can the app support the preferred communications software used by an organisation, and will it work across desktop as well as mobile? Some can, some can't.

Not WhatsApp 

Facebook-owned WhatsApp is to incrementally introduce two-factor authentication to all of its users as an optional added layer of security.

Two-factor authentication essentially means proving your identity a second way; in this case users set a six-digit passcode. WhatsApp users will need to enable the feature through their settings and, once it is switched on, the passcode stays attached to the account no matter which device it is accessed through.

The feature first appeared in beta late last year, and the app will require users to enter the passcode about once every week. Users will be able to set up a backup email in case they forget the passcode.

It's unlikely to inspire enormous confidence in WhatsApp as a secure platform, but it is a small nod towards security for personal use.

Earlier this year, a Guardian report claimed that a security vulnerability in WhatsApp meant Facebook – WhatsApp’s parent company – could read encrypted messages sent through the service. Security researcher Tobias Boelter told the paper that WhatsApp is able to create new encryption keys for offline users, unknown to the sender or recipient, meaning that the company could generate new keys if it’s ordered to.

 

And although Facebook insists that it couldn't read your WhatsApp messages even if it wanted to, critics have been suspicious since the acquisition, because Facebook's entire platform depends on data and advertising, and its own Messenger service is infamously intrusive.

In terms of security, it's important to distinguish pure secure messaging apps from apps that happen to have some security, for instance the hugely popular WhatsApp and Snapchat. Many use encryption but operate over insecure channels in which the keys are stored centrally, and hide behind proprietary technologies that mask software weaknesses.

As it happens, starting in late 2014 Facebook's WhatsApp began using the TextSecure platform (now called Signal, see below) from Open Whisper Systems, which improves security by using true end-to-end encryption with perfect forward secrecy (PFS). This means the keys used to scramble communications cannot be captured from a server, and no single key gives access to past messages. It was presumably this sort of innovation that so upset British Prime Minister David Cameron when, in early 2015, he started making thinly veiled references to the difficulty security services were having getting round the message encryption used by intelligence targets.
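The "no single key gives access to past messages" property comes from a ratchet: each message key is derived from a chain key that is then advanced through a one-way function and discarded. The Python below is an added example written for this page; it is not code from Signal, WhatsApp or Open Whisper Systems, and it implements only the symmetric hash-ratchet half of the design, leaving out the Curve25519 Diffie-Hellman ratchet that the real protocol layers on top. The cipher is an HMAC-SHA256 keystream used for illustration rather than the AES-256 Signal uses, and the shared secret is a constructed constant standing in for a key agreement. The demo sends three messages, then copies the receiver's state as a compromised device would and shows that the copy can decrypt neither message already read, while (without the DH ratchet) it still yields every later key, which is the reason the real protocol keeps mixing in fresh DH output.

```python
"""One-way key ratchet: why a seized key does not unlock earlier messages.

Added example for this page; it is not code from Signal, WhatsApp or Open
Whisper Systems. It implements only the symmetric hash-ratchet idea: every
message gets its own key derived from a chain key, the chain key is then
pushed through a one-way HMAC-SHA256 step and the old value is discarded, so
whoever holds the current state (a compromised device, or a server handed a
copy) cannot derive keys for messages already read. Omitted: the Curve25519
Diffie-Hellman ratchet that also protects messages sent after a compromise.
The cipher is an HMAC-derived keystream for illustration only, not AES.
Assumption: the shared secret is constructed; in practice it comes from a key agreement.
"""
import copy
import hashlib
import hmac
from typing import Dict, List, Tuple

TAG_LEN = 16


def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


class Chain:
    """A sending or receiving chain: holds only the current chain key and its index."""

    def __init__(self, shared_secret: bytes) -> None:
        self.chain_key = kdf(shared_secret, b"chain-init")
        self.index = 0

    def next_message_key(self) -> Tuple[int, bytes]:
        idx = self.index
        msg_key = kdf(self.chain_key, b"\x01")         # key for message idx
        self.chain_key = kdf(self.chain_key, b"\x02")  # one-way step; the old key is gone
        self.index += 1
        return idx, msg_key


def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += kdf(key, b"ks" + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]


def decrypt(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


class Receiver:
    def __init__(self, shared_secret: bytes) -> None:
        self.chain = Chain(shared_secret)
        self.skipped: Dict[int, bytes] = {}  # keys for messages that overtook earlier ones

    def key_for(self, idx: int) -> bytes:
        if idx in self.skipped:
            return self.skipped.pop(idx)
        if idx < self.chain.index:
            raise KeyError(f"key for message {idx} has been erased")
        while self.chain.index < idx:            # message arrived early: park the gap keys
            i, k = self.chain.next_message_key()
            self.skipped[i] = k
        return self.chain.next_message_key()[1]

    def receive(self, idx: int, blob: bytes) -> bytes:
        return decrypt(self.key_for(idx), blob)


def demo() -> Dict[str, object]:
    secret = b"constructed shared secret for the example"
    sender, receiver = Chain(secret), Receiver(secret)
    plaintexts: List[bytes] = [b"first", b"second", b"third"]
    wire = []
    for p in plaintexts:
        idx, key = sender.next_message_key()
        wire.append((idx, encrypt(key, p)))
    delivered = [receiver.receive(i, blob) for i, blob in wire]

    # Compromise after message 3: the attacker copies the receiver's whole state.
    attacker = copy.deepcopy(receiver)
    try:
        attacker.receive(*wire[1])
        past_recovered = True
    except KeyError:
        past_recovered = False                # no stored or derivable key for an earlier message

    # Without a DH ratchet the same state still yields every later key.
    idx, key = sender.next_message_key()
    future_recovered = attacker.receive(idx, encrypt(key, b"fourth")) == b"fourth"
    return {"delivered": delivered, "past_recovered": past_recovered,
            "future_recovered": future_recovered}


if __name__ == "__main__":
    print(demo())
```

Two details matter for reading the result. The receiver keeps keys for messages that have not yet arrived (the skipped dictionary), which is what lets it handle out-of-order delivery; those parked keys are exactly what a compromise would expose, so a real client bounds how many it stores. And the forward-secrecy claim rests on the one-wayness of the HMAC step, not on the KeyError: the exception is just the receiver refusing to pretend it still has a key it deliberately threw away.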

In April 2016, the Signal protocol was rolled out as a mandatory upgrade to all WhatsApp users across all mobile platforms, an important moment for a technology that has spent years on the fringes. At a stroke it also made Open Whisper Systems the most widely used encryption platform on earth, albeit one largely used transparently without the user realising it.

It's fair to say that police and intelligence services are now worried about the improved security on offer from these apps, which risks making them favoured software for terrorists and criminals. That said, they are not impregnable. Using competent encryption secures the communication channel but does not necessarily secure the device itself. There are other ways to sniff communications than breaking encryption.

 

Most recent apps will, in addition to messaging, usually offer any combination of video, voice, IM and file exchange, and sometimes (though with a lot more difficulty, because mobile networks work differently) SMS and MMS messaging. An interesting theme is the way that apps in this feature often share underlying open source technologies, although this doesn't mean the apps are identical to one another. The user interface and additional security features still vary.

For further background, the Electronic Frontier Foundation (EFF) published a comparison in 2014 of the sometimes confusing levels of security on offer from the growing population of apps on the market. All mobile messaging apps claim to use good security, but this is a useful reminder that definitions of what 'secure' actually means are starting to change.

The future? There are two trends to watch out for. First, business-class secure messaging systems have started to appear, including ones that operate as services or under centralised enterprise control. A second and intriguing direction is the morphing of static messaging apps into complete broadcasting systems that can distribute different types of content and then erase all traces of this activity once it has been read. This latter capability is likely to prove another contentious development for governments and the police.

Best secure mobile messaging apps - Signal 

Signal (formerly TextSecure Private Messenger) is arguably the pioneering secure mobile messaging platform that kickstarted the whole sector. It was originally created by Whisper Systems, co-founded by Moxie Marlinspike; the firm was sold to Twitter in 2011, at which point things looked uncertain. In 2013, however, TextSecure re-emerged as an open source project under the auspices of a new organisation, Open Whisper Systems, since when it has gained endorsements from figures such as Bruce Schneier and Edward Snowden.

We call it a platform because Signal is more than an app, which is simply the piece that sits on the Android or iOS device and which holds encryption keys. The App itself can be used to send and receive secure instant messages and attachments, set up voice calls, and has a convenient group messaging function. It is also possible to use Signal as the default SMS app but this no longer uses encryption for a host of practical and security reasons.

Signal was designed as an independent end-to-end platform that transports messages across its own data infrastructure rather than, as in the past, Google’s Google Cloud Messaging (GCM) network. The Axolotl protocol underlying the platform’s security is also used by G Data (see below) as well as Facebook’s WhatsApp, which isn’t to say that Facebook’s implementation won’t have other vulnerabilities – as ever use with care.

Using the app is pretty straightforward. Installation begins with phone number verification, after which the software will function standalone or as the default SMS messaging app after offering to import existing texts. The most secure way to use it is probably as the default messaging app, so that an insecure message doesn't get sent by accident; bear in mind, though, that as noted above SMS sent through Signal is no longer encrypted.

Interestingly, Signal just launched encrypted video calls, stepping up its current level of encryption. The app previously supported voice call end-to-end encryption but this update will ensure video capabilities hold the same level of security as its chat functionality.

Additional security features include an app password and a blocker that stops screen scraping. It is also possible to control what types of data are exchanged over Wi-Fi and mobile data. Obviously both sender and receiver need to have the app installed; reaching another registered user works simply by entering their phone number.

Security: protocol derived from the OTR design; uses AES-256, Curve25519 and HMAC-SHA256; voice security (formerly the RedPhone app) based on ZRTP

Pro: Android and iOS, handles voice as well as messaging, Edward Snowden said to use this app

Con: None although service reportedly not always the fastest


Best secure mobile messaging apps - G Data Secure Chat

Built on Open Whisper Systems' open source Axolotl protocol (see above), the recently launched Secure Chat is a well-designed free app with the drawback of being Android-only for the time being. Despite its open source underpinnings, the app will not operate securely with anything other than another Secure Chat app at the other end.

The app sets out to replace your existing messaging and texting apps, offering to import and encrypt existing messaging data for safe keeping. As with Signal, enrolling users (including in groups) happens by firing up the app and performing number verification for each account. One feature we liked about the app was the simple way users could switch between secure chat (free messaging across secure infrastructure), secure SMS (across carrier infrastructure at the user’s cost) and insecure SMS. Conventional phone calls can also be launched from inside the app – this really does aim to replace the communication functions in one go although it can also be used more occasionally for the odd message if that is preferable.

So that receivers can be sure that a message comes from the genuine contact, the app provides a QR 'verify identity' code which the other contact can scan (they scan yours, you scan theirs). What happens if the users are far apart from one another? We're not sure.

The app blocks screen scraping by external apps and can be secured behind a password. One interesting feature is self-destructing messages activated by clicking a small icon on the composition screen, which open on the receiver’s phone with a countdown timer of up to 6- seconds after which each is deleted. The user can also have hidden contacts that are accessed with a password.

Security: Not disclosed but will be similar to Signal, Germany-based servers

 

 

Pro: incredibly easy to set up and use – very similar to Signal but lacks the voice support that has now been added to that product

Con: none really although this is oriented towards messaging only


Best secure mobile messaging apps - Telegram

Launched in 2013 by two brothers then based in Germany, Telegram's distinctiveness is its multi-platform support, covering not only Android and iPhone but Windows Phone, as well as Windows, OS X and even Linux on the desktop. With the ability to handle a wide range of attachments, it looks more like a cloud messaging system replacing email, as well as secure messaging for groups of up to 200 users with unlimited broadcasting.

There are some important differences between Telegram and the other apps covered here, starting with the fact that users are discoverable by user name and not only by number. This means that contacts never have to know a phone number when using Telegram, a mode of communication closer to a social network. The platform is also open to abuse, if that's the correct term, including reportedly being used by jihadists for propaganda purposes that exploit its broadcasting capability. This is not the fault of the developer but does bring home how such apps can be misused in ways that are difficult to control.

The sign up asks for an optional user name in addition to the account mobile number, and requires the user verify the number by receiving and entering an SMS code. The app is polite enough to ask for access to the user’s phone book and other data, which can be refused, and handily notices which contacts within that list already have signed up for the app.

 

Security: uses the MTProto protocol with 256-bit AES, 2048-bit RSA and Diffie-Hellman key exchange. Note that only Telegram's opt-in 'secret chats' are end-to-end encrypted; ordinary cloud chats are encrypted only between the client and Telegram's servers, which hold the keys.

Pro: multi-platform support including desktop computers, access files from anywhere

Con: More a cloud platform than an app, also reportedly been abused by violent jihadists which could spell an image problem for the app


Best secure mobile messaging apps - Ceerus

Ceerus is a new secure Android voice, video and messaging app from UK startup SQR Systems, one of a small group of mostly early-stage firms that participated in the Cyber London accelerator, separately covered by Techworld. That makes the app sound immature, but its roots go back to 2010 and a University of Bristol research project funded by the UK Ministry of Defence.

Designed to secure voice and video as well as messaging, Ceerus is a step up from some of the free apps looked at here in that it can scale to departmental, enterprise and government use, and can cite a British defence giant as a trial customer. It costs £10 ($15) per month after a free one-month trial, which implies a different level of development and support.

We encountered a hiccup getting it running on one of our test smartphones, a Nexus 5 running Android 6.0, so will have to report back when we’ve done full end-to-end testing.

Features: enrolment is more involved than for a free app because the user is setting up a full account; a name and password (not easy to reset for the time being, so don't forget it) is required for each SIM/number. Key exchange uses the CESG-approved MIKEY-SAKKE scheme, with compression applied to banish the latency issues that have plagued encrypted real-time communications from mobile devices. Note that MIKEY-SAKKE is an identity-based scheme in which a key management server issues each user's private key, so whoever operates that server can in principle derive those keys; that is a property of the scheme itself, not something specific to Ceerus. An API is also available to allow integration of the underlying technology with third-party applications.

 

Security: undisclosed but includes end-to-end encryption with perfect forward secrecy

Pro: designed for business users, adds compression, handles video and voice as well as messaging

Con: aimed at businesses rather than individuals, no iOS version yet which could be an issue in mixed environments, not yet compatible with Android 6.0


Best secure mobile messaging apps - Pryvate

Launched in November 2015, Cryptique's Pryvate is intended for use by businesses as competition for high-end mobile security such as the Blackphone/Silent Circle, which embeds software inside a secured version of Android. As with that service, Pryvate is another do-it-all voice, video, messaging, IM, secure file transfer and secure storage app (integrating with Dropbox, OneDrive and Box), and will integrate with third-party email clients for added convenience.

On the subject of Silent Circle, the underlying voice and IM protocol used by Pryvate is Phil Zimmermann's ZRTP, which provides perfect forward secrecy. Another feature is IP shielding, whereby users can bypass VoIP and IM blocking without giving away their real IP address: the app tunnels across the Internet using Pryvate's own Jersey-based servers.

The mobile service costs £4.68 (about $7) per month as a subscription, but can be used after the one-month trial in the form of PryvateLite, which allows full secure IM and picture sharing with unlimited phone calls of up to one minute each. We're not sure how practical that would be to use, but it's an option. A version including desktop capability is available for £9.99 (about $14) per month.

We weren’t able to organise a subscription in time for this article but will test this app more thoroughly in future and update this feature.

Security: 4096-bit encryption, with AES 256-bit key management. Complex mini-PKI design with perfect forward secrecy.

Source: http://www.techworld.com/security/best-secure-mobile-messaging-apps-3629914/6/


Watch out for weak in-house code, data in the cloud and the Internet of things 

Forward looking IT security pros need to better address known risks, monitor closely the value of shadow IT devices and solve the inherent weaknesses introduced by the internet of things, Gartner says.

The consulting firm has taken a look at five key areas of security concern that businesses face this year and issued predictions on and recommendations about protecting networks and data from threats that will likely arise in each.

The areas are threat and vulnerability management, application and data security, network and mobile security, identity and access management, and Internet of Things security. Gartner’s findings were revealed at its recent Security and Risk Management Summit by analyst Earl Perkins.

One overriding recommendation is that businesses must be aware that delaying security measures in an effort to avoid disrupting business can be a false economy.

He recommends that security pros should make decisions about protecting networks and resources based on the range of risks that known weaknesses represent to the business and its goals. Rather than thinking about their role purely as protecting, they should look at it as facilitating successful business outcomes. 

Here are the predictions and recommendations:

Threat and vulnerability management

Prediction: “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”

With attackers looking for vulnerabilities in applications as well as exploitable configurations, it’s important for businesses to patch vulnerabilities in a timely fashion. If they don’t, they stand to lose money through damage to systems and theft of data.

 

Prediction: “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.”

An area of growing concern is the introduction of new technologies by business units without vetting by the security team, Perkins says. Skipping that review, combined with the fact that many of these technologies are new and still contain vulnerabilities, makes them susceptible to attack.

Application and data security

Prediction: “By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.”

Data security governance will be promoted by insurance companies that will set cyber premiums based on whether businesses have these programs in place. 

Prediction: “By 2020, 40% of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.”

Here Perkins looks to maturing technology called runtime application self-protection (RASP) as a way to avoid vulnerabilities in applications that might result from problems overlooked due to the rapid pace at which DevOps teams work. RASP does its work rapidly and accurately to provide protection against vulnerabilities that might be exploited, he says.

 

Network and Mobile Security

Prediction: “By 2020, 80% of new deals for cloud-based cloud-access security brokers (CASB) will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.”

Vendors of traditional network security products such as firewalls, SWGs and WAFs want a share of the business of protecting their customers' SaaS applications, which is effectively accomplished via CASBs, he says. Businesses should evaluate whether CASB services are warranted based on their plans for application deployment, and should consider offers from their current vendors of these traditional technologies, he says.

Identity and Access Management

Prediction: “By 2019, 40% of identity as a service (IDaaS) implementations will replace on-premises IAM implementations, up from 10% today.”

This increase in use of IDaaS will in part stem from the difficulty and expense of running on-premises IAM infrastructure, and the growing use of other something-as-a-service offerings will make the decision more comfortable. The ongoing introduction of more and more Web and mobile applications will create a natural opportunity for the transition from in-house IAM to IDaaS, he says. 

Prediction: “By 2019, use of passwords and tokens in medium-risk use cases will drop 55%, due to the introduction of recognition technologies.”

With biometrics now affordable and accurate enough, they become a good option for continuous authentication. In combination with user and entity behavior analytics, this technology can make a difference when applied to cases that call for a medium level of trust, Perkins says.

Security for the internet of things (IoT)

Prediction: “Through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices.”

IoT devices are still being made without much consideration being given to security, and yet some are located in networks so that, if exploited, they could expose networks to harm and data to breaches, Perkins says. Businesses need a framework for determining the risks each IoT device type represents and the appropriate controls for dealing with them.

Prediction: “By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.”

 

Since security pros won’t be able to determine the importance that IoT devices represent to the organization, the business unit that uses them should determine what risk they represent. Security pros should set aside 5% to 10% of IT security spending for monitoring and protecting these devices as needed, he says.

Source  : http://www.networkworld.com/article/3088084/security/gartner-s-top-10-security-predictions.html

