Perimeter
2/14/2012
08:47 AM
Don Bailey
Commentary

Been Caught Stealin'

Emergence of machine-to-machine (M2M) devices makes life easier for thieves and hackers -- and more dangerous for victims

Everyone remembers that moment when, as a small child, they learned an extremely important social or ethical lesson. For me, it was theft: I must have been all of 8 years old and on a field trip at a museum in Flint, Mich., to see a modern art exhibit. I still remember the glow of one particular installation. It was made of thick pieces of what must have been plastic made to look like shattered glass. Each piece was about the size of a penny, and sat in a medium-sized black cauldron. All I can remember was how pretty I thought the glass looked and how I wanted to take a piece of that artwork home for myself. So after waiting until the rest of my school group passed by the exhibit, I snatched a small shard of plastic and shoved it into my pocket. My heart raced. The palms of my hands started to sweat. I walked right through the door.

I had possibly -- and unintentionally -- become the world’s youngest art thief.

Unfortunately for my young self, and fortunately for my adult self, the thrill of success was short-lived. Like every criminal, I took time to bask in the glory of my own misdeeds. I foolishly took out the plastic shard on the way back to school, thinking no one was looking and, of course, someone noticed and word quickly got around that I had something that I wasn't supposed to have.

My mother was a wise woman. I didn't get grounded. I didn't get spanked. But I did get my butt thrown back into the car to head back to the Sloan Museum. Facing my mother was horror enough, but then facing the learned and established museum curators was an entirely different story. However, I learned an important lesson: Theft is a dangerous game. Not only can you rise to the Olympian heights of the youngest art thief in northern America, but you also can plummet to the depths of suffering a trip through Flint during the mid-1980s.

Sadly, others do not learn so quickly. Last May, a woman in Tasmania was sentenced to 18 months in jail for using a stolen SIM card. Why? Her abuse ran up a bill of more than $193,000, which she was ordered to pay back. What was little-known about the case is that the woman, or a mysterious Internet accomplice, had apparently stolen the SIM card out of a smart meter somewhere in the country. As is often the case with machine-to-machine (M2M) systems, the SIM card can simply be moved to another device and used to immediately gain telephony and data access. The issue was reportedly fixed, but it highlights a common problem with mobile systems: identifying abuse.

In 2011, thieves performed a similar attack against traffic lights in South Africa. The traffic lights had been augmented with cellular modules, enabling the systems to be controlled and monitored remotely. Thieves broke open the traffic control units, stole the SIM cards, and began making phone calls deemed "untraceable" by the South African press.

This is likely to occur in the U.S. as well, if it hasn't already. To date, AT&T's M2M network has 1,194 approved unique devices. If each device has at least 1,000 users, that's potentially a little more than 1 million unique devices carrying a SIM card in North America. What does this mean for the security engineer at Joe Co.? It means a lot.
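The pattern in the two cases above (a SIM provisioned for an unattended data-only device that suddenly appears in a different handset, placing calls and pulling data) is visible in ordinary carrier usage records if someone bothers to compare them against the fleet inventory. The following audit is an added example, not code from the column or from any carrier or vendor it mentions; the inventory, the CSV record layout, the ICCIDs, IMEIs and the daily data budget are all constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed fleet inventory (hypothetical values): the IMEI of the meter each
# M2M SIM was provisioned into, the APN it should use, what its service profile
# allows, and a daily data budget derived from normal meter reporting.
FLEET = {
    "8901000000000000001": {"imei": "351234567890001", "apn": "meters.example",
                            "profile": "data_only", "daily_kb_limit": 512},
    "8901000000000000002": {"imei": "351234567890002", "apn": "meters.example",
                            "profile": "data_only", "daily_kb_limit": 512},
}

# Constructed usage export in a simplified CDR-like CSV shape. SIM ...001 behaves
# like a meter; SIM ...002 reappears behind a different IMEI, places a voice call
# and pulls far more data than a meter ever would.
SAMPLE_CDR = """iccid,imei,record_type,target,volume_kb,day
8901000000000000001,351234567890001,data,meters.example,40,2012-02-01
8901000000000000001,351234567890001,data,meters.example,38,2012-02-02
8901000000000000002,351234567890002,data,meters.example,41,2012-02-01
8901000000000000002,359999999999999,voice,+61400000000,0,2012-02-02
8901000000000000002,359999999999999,data,internet,20480,2012-02-02
"""


def parse_cdr(text):
    """Parse the CSV export into a list of dicts, with volume_kb as an int."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["volume_kb"] = int(row["volume_kb"])
        rows.append(row)
    return rows


def audit(fleet, records):
    """Return an ordered, deduplicated list of (iccid, day, reason) findings."""
    findings = []
    seen = set()

    def flag(iccid, day, reason):
        key = (iccid, day, reason)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    daily_kb = defaultdict(int)
    for r in records:
        entry = fleet.get(r["iccid"])
        if entry is None:
            flag(r["iccid"], r["day"], "SIM not in fleet inventory")
            continue
        # A SIM seen behind a different IMEI has left the device it was
        # provisioned for: the smart-meter theft pattern.
        if r["imei"] != entry["imei"]:
            flag(r["iccid"], r["day"],
                 f"IMEI mismatch: expected {entry['imei']}, saw {r['imei']}")
        # Meters do not make phone calls or send texts.
        if entry["profile"] == "data_only" and r["record_type"] in ("voice", "sms"):
            flag(r["iccid"], r["day"], f"{r['record_type']} usage on data-only profile")
        if r["record_type"] == "data":
            if r["target"] != entry["apn"]:
                flag(r["iccid"], r["day"], f"unexpected APN {r['target']}")
            daily_kb[(r["iccid"], r["day"])] += r["volume_kb"]

    # Volume is checked after aggregation so many small sessions still add up.
    for (iccid, day), kb in sorted(daily_kb.items()):
        limit = fleet[iccid]["daily_kb_limit"]
        if kb > limit:
            flag(iccid, day, f"data volume {kb} KB exceeds daily limit {limit} KB")
    return findings


def sims_to_suspend(findings):
    """ICCIDs with at least one finding: candidates for suspension at the carrier."""
    return {iccid for iccid, _, _ in findings}


if __name__ == "__main__":
    for iccid, day, reason in audit(FLEET, parse_cdr(SAMPLE_CDR)):
        print(day, iccid, reason)
```

The IMEI check alone catches a SIM that has been physically moved; the profile and APN checks catch the abuse even when a carrier's export omits the IMEI, and the daily volume check keeps many small sessions from slipping under a per-record threshold. In practice the output feeds a suspension request to the carrier, which is the control the Tasmanian and South African cases were missing.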

Emerging devices, collectively known as M2M, are everywhere. Point-of-sale systems are already using M2M. Building security systems, including motion detectors, gate entry, and cameras, are all using M2M. Even the smart meters and environmental monitoring systems in office buildings are enabled with M2M technology, and sometimes even capillary M2M technologies such as Bluetooth and Zigbee. Bluetooth is the most interesting capillary technology because it's so ubiquitous in modern offices. If an attacker can compromise a building environmental sensor over a cellular network, can he then abuse the Bluetooth chip on the same sensor to attack laptops, phones, or other mobile devices in the surrounding offices?

Sometimes the thieves aren't just poised to enter your network. Sometimes, like smart meter SIM thieves, they're simply after your technology. Thankfully, smartphone security is quickly improving. There are many options for maintaining access restrictions, secure containers, and backup management on modern phones. The first product I turn to for control over a smartphone is Lookout. While there are quite a few stellar solutions for mobile protection, Lookout has certainly emerged as a leader not only for the individual, but also for the enterprise.

Lookout's mobile security technology can safely back up your phone's data remotely. It can also scan your Android smartphone for malware, spyware, and other icky executables. Lookout often can even detect whether a URL presented to the user is malicious, preventing possible phishing or malware attacks. Last, but certainly not least, is my favorite feature: the location service. This security software can remotely determine your device's physical location, easily guiding you to the lost item. This is exceptional if you're like me and you keep losing your phone around a messy apartment.

It's even more important if you're like Anthony Lineberry, a friend of mine and software engineer at Lookout. Anthony's phone was stolen at gunpoint last July. During a difficult time, he was able to remotely locate his stolen phone using his own company's software. Once the location was identified, police raided the house where the device was pinpointed. While police didn't recover all of Anthony's belongings, they did retrieve his phone. Score one for technology.

The teenager who stole the smartphone made the same mistake I made. He paraded his ill-gotten goods around like a trophy, not realizing that Big Brother is always watching. As our mobile market grows exponentially in these coming years, we have to imagine the potential haul for miscreants and hackers. Is it an NFC bug that will net the first multimillion-dollar mobile heist? A device like a SIM card that can be easily ripped out of unmanned hardware? What about mobile wallet technology, like Google Wallet? The threat surface is vast, and the potential is high.

And, besides, some people enjoy stealin'. It's just as simple as that.

Don Bailey is director of research at iSEC Partners.
