Perimeter
2/14/2012
08:47 AM
Don Bailey
Commentary

Been Caught Stealin'

Emergence of machine-to-machine (M2M) devices makes life easier for thieves and hackers -- and more dangerous for victims

Everyone remembers that moment when, as a small child, they learned an extremely important social or ethical lesson. For me, it was theft: I must have been all of 8 years old and on a field trip at a museum in Flint, Mich., to see a modern art exhibit. I still remember the glow of one particular installation. It was made of thick pieces of what must have been plastic made to look like shattered glass. Each piece was about the size of a penny, and sat in a medium-sized black cauldron. All I can remember was how pretty I thought the glass looked and how I wanted to take a piece of that artwork home for myself. So after waiting until the rest of my school group passed by the exhibit, I snatched a small shard of plastic and shoved it into my pocket. My heart raced. The palms of my hands started to sweat. I walked right through the door.

I had possibly -- and unintentionally -- become the world’s youngest art thief.

Unfortunately for my young self, and fortunately for my adult self, the thrill of success was short-lived. Like every criminal, I took time to bask in the glory of my own misdeeds. I foolishly took out the plastic shard on the way back to school, thinking no one was looking and, of course, someone noticed and word quickly got around that I had something that I wasn't supposed to have.

My mother was a wise woman. I didn't get grounded. I didn't get spanked. But I did get my butt thrown back into the car to head back to the Sloan Museum. Facing my mother was horror enough, but then facing the learned and established museum curators was an entirely different story. However, I learned an important lesson: Theft is a dangerous game. Not only can you rise to the Olympian heights of the youngest art thief in northern America, but you also can plummet to the depths of suffering travel through Flint during the mid 1980s.

Sadly, others do not learn so quickly. Last May, a woman in Tasmania was sentenced to 18 months in jail for using a stolen SIM card. Why? Her abuse ran up a bill of more than $193,000, which she was ordered to pay back. What was little-known about the issue is that the woman, or a mysterious Internet accomplice, had apparently stolen a SIM card out of a smart meter somewhere in the country. As is often the case with machine-to-machine (M2M) systems, the SIM card can simply be moved to another system and used to immediately gain telephony and data access. The issue was reportedly fixed, but this highlights a common issue with mobile systems: identifying abuse.

In 2011, thieves performed a similar attack against traffic lights in South Africa. Traffic lights were augmented with cellular modules, enabling these systems to be controlled and monitored remotely. Thieves broke open these traffic control units, stole the SIM cards, and began making phone calls deemed "untraceable" by South African press.
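
One way an operator or device owner could spot the kind of SIM abuse described in the two incidents above, as an added example that is not part of the original article: compare each usage record against the hardware and service profile the SIM was provisioned with. The record layout, the inventory fields and every IMSI/IMEI value below are constructed assumptions.

```python
from collections import defaultdict

# Constructed usage records (not real data): (imsi, imei, service, units).
# service is "data" (units = KB) or "voice" (units = seconds).
RECORDS = [
    ("001010000000001", "350000000000011", "data", 12),
    ("001010000000001", "350000000000011", "data", 15),
    ("001010000000002", "350000000000022", "data", 10),
    # Same SIM now reporting from different hardware and placing a call.
    ("001010000000002", "359999999999999", "voice", 1800),
    ("001010000000002", "359999999999999", "data", 250000),
    ("001010000000003", "350000000000033", "data", 9),
]

# Assumed provisioning inventory: the device (IMEI) each SIM shipped in,
# the services a meter or controller needs, and a per-record data ceiling.
INVENTORY = {
    "001010000000001": {"imei": "350000000000011", "services": {"data"}, "max_kb": 100},
    "001010000000002": {"imei": "350000000000022", "services": {"data"}, "max_kb": 100},
    "001010000000003": {"imei": "350000000000033", "services": {"data"}, "max_kb": 100},
}


def find_sim_abuse(records, inventory):
    """Return {imsi: sorted reasons} for SIMs that do not match their profile."""
    findings = defaultdict(set)
    for imsi, imei, service, units in records:
        profile = inventory.get(imsi)
        if profile is None:
            # A SIM on the account that was never provisioned.
            findings[imsi].add("unknown-sim")
            continue
        if imei != profile["imei"]:
            # The SIM has been moved to hardware other than the deployed unit.
            findings[imsi].add("imei-mismatch")
        if service not in profile["services"]:
            # For example, voice calls from a data-only telemetry SIM.
            findings[imsi].add("unexpected-service:" + service)
        elif service == "data" and units > profile["max_kb"]:
            findings[imsi].add("data-over-baseline")
    return {imsi: sorted(reasons) for imsi, reasons in findings.items()}


if __name__ == "__main__":
    for imsi, reasons in find_sim_abuse(RECORDS, INVENTORY).items():
        print(imsi, ", ".join(reasons))
```
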

This is likely to occur in the U.S. as well, if it hasn't already. To date, AT&T's M2M network has 1,194 approved unique devices. If each device has at least 1,000 users, that's potentially a little more than 1 million unique devices carrying a SIM card in North America. What does this mean for the security engineer at Joe Co.? It means a lot.

Emerging devices, also known as M2M, are everywhere. Point-of-sale systems are already using M2M. Building security systems, including motion detectors, gate entry, and cameras, are all using M2M. Even the smart meters and environmental monitoring systems in office buildings are enabled with M2M technology, and sometimes even capillary M2M technologies such as Bluetooth and Zigbee. Bluetooth is the most interesting capillary technology because it's so ubiquitous in modern offices. If an attacker can compromise a building environmental sensor over a cellular network, then can he abuse the Bluetooth chip on the same sensor to attack laptops, phones, or other mobile devices in the surrounding offices?

Sometimes the thieves aren't just poised to enter your network. Sometimes, like smart meter SIM thieves, they're simply after your technology. Thankfully, smartphone security is quickly improving. There are many options for maintaining access restrictions, secure containers, and backup management on modern phones. The first product I turn to for control over a smartphone is Lookout. While there are quite a few stellar solutions for mobile protection, Lookout has certainly emerged as a leader not only for the individual, but also for the enterprise.

Lookout's mobile security technology can safely back up your phone's data remotely. It can also scan your Android smartphone for malware, spyware, and other icky executables. Lookout often can even detect whether a URL presented to the user is malicious, preventing possible phishing or malware attacks. Last, but certainly not least, is my favorite feature: the location service. This security software can remotely locate your device's physical location, easily guiding you to the lost item. This is exceptional if you're like me and you keep losing your phone around a messy apartment.

It's even more important if you're like Anthony Lineberry, a friend of mine and software engineer at Lookout. Anthony's phone was stolen at gunpoint last July. During a difficult time, he was able to remotely locate his stolen phone using his own company's software. Once the location was identified, police raided the house where the device was pinpointed. While police didn't recover all of Anthony's belongings, they did retrieve his phone. Score one for technology.

The teenager who stole the smartphone made the same mistake I made. He paraded his ill-gotten goods around like a trophy, not realizing that Big Brother is always watching. As our mobile market grows exponentially in these coming years, we have to imagine the potential haul for miscreants and hackers. Is it an NFC bug that will net the first multimillion-dollar mobile heist? A device like a SIM card that can be easily ripped out of unmanned hardware? What about mobile wallet technology, like Google Wallet? The threat surface is vast, and the potential is high.

And, besides, some people enjoy stealin'. It's just as simple as that.

Don Bailey is director of research at iSEC Partners. Don A. Bailey is a pioneer in security for mobile technology, the Internet of Things, and embedded systems. He has a long history of ground-breaking research, protecting mobile users from worldwide tracking systems, securing automobiles from remote attack, and mitigating ...
