Been Caught Stealin'

Emergence of machine to machine (M2M) devices makes life easier for thieves and hackers -- and more dangerous for victims

Don Bailey, Founder & CEO, Lab Mouse Security

February 14, 2012

5 Min Read

Everyone remembers that moment when, as a small child, they learned an extremely important social or ethical lesson. For me, it was theft: I must have been all of 8 years old and on a field trip at a museum in Flint, Mich., to see a modern art exhibit. I still remember the glow of one particular installation. It was made of thick pieces of what must have been plastic made to look like shattered glass. Each piece was about the size of a penny, and sat in a medium-sized black cauldron. All I can remember was how pretty I thought the glass looked and how I wanted to take a piece of that artwork home for myself. So after waiting until the rest of my school group passed by the exhibit, I snatched a small shard of plastic and shoved it into my pocket. My heart raced. The palms of my hands started to sweat. I walked right through the door.

I had possibly -- and unintentionally -- become the world’s youngest art thief.

Unfortunately for my young self, and fortunately for my adult self, the thrill of success was short-lived. Like every criminal, I took time to bask in the glory of my own misdeeds. I foolishly took out the plastic shard on the way back to school, thinking no one was looking and, of course, someone noticed and word quickly got around that I had something that I wasn't supposed to have.

My mother was a wise woman. I didn't get grounded. I didn't get spanked. But I did get my butt thrown back into the car to head back to the Sloan Museum. Facing my mother was horror enough, but then facing the learned and established museum curators was an entirely different story. However, I learned an important lesson: Theft is a dangerous game. Not only can you rise to the Olympian heights of the youngest art thief in northern America, but you also can plummet to the depths of suffering travel through Flint during the mid 1980s.

Sadly, others do not learn so quickly. Last May, a woman in Tasmania was sentenced to 18 months in jail for using a stolen SIM card. Why? Her abuse ran up a bill of more than $193,000, which she was ordered to pay back. What was little-known about the issue is that the woman, or a mysterious Internet accomplice, had apparently stolen a SIM card out of a smart meter somewhere in the country. As is often the case with machine 2 machine (M2M) systems, the SIM card can simply be moved to another system and used to immediately gain telephony and data access. The issue was reportedly fixed, but this highlights a common issue with mobile systems: identifying abuse.

In 2011, thieves performed a similar attack against traffic lights in South Africa. Traffic lights were augmented with cellular modules, enabling these systems to be controlled and monitored remotely. Thieves broke open these traffic control units, stole the SIM cards, and began making phone calls deemed "untraceable" by South African press.

This is likely to occur in the U.S. as well, if it hasn't already. To date, AT&T's M2M network has 1,194 approved unique devices. If each device has at least 1,000 users, that's potentially a little more than 1 million unique devices carrying a SIM card in North America. What does this mean for the security engineer at Joe Co.? It means a lot.

Emerging devices, also known as M2M, are everywhere. Point-of-sale systems are already using M2M. Building security systems, including motion detectors, gate entry, and cameras, are all using M2M. Even the smart meters and environmental monitoring systems in office buildings are enabled with M2M technology, and sometimes even capillary M2M technologies such as Bluetooth and Zigbee. Bluetooth is the most interesting capillary technology because it's so ubiquitous in modern offices. If an attacker can compromise a building environmental sensor over a cellular network, then can he abuse the Bluetooth chip on the same sensor to attack laptops, phones, or other mobile devices in the surrounding offices?

Sometimes the thieves aren't just poised to enter your network. Sometimes, like smart meter SIM thieves, they're simply after your technology. Thankfully, smartphone security is quickly improving. There are many options for maintaining access restrictions, secure containers, and backup management on modern phones. The first product I turn to for control over a smartphone is Lookout. While there are quite a few stellar solutions for mobile protection, Lookout has certainly emerged as a leader not only for the individual, but also for the enterprise.

Lookout's mobile security technology can safely back up your phone's data remotely. It can also scan your Android smartphone for malware, spyware, and other icky executables. Lookout often can even detect whether a URL presented to the user is malicious, preventing possible phishing or malware attacks. Last, but certainly not least, is my favorite feature: the location service. This security software can remotely locate your device's physical location, easily guiding you to the lost item. This is exceptional if you're like me and you keep losing your phone around a messy apartment.

It's even more important if you're like Anthony Lineberry, a friend of mine and software engineer at Lookout. Anthony's phone was stolen at gunpoint last July. During a difficult time, he was able to remotely locate his stolen phone using his own company's software. Once the location was identified, police raided the house where the device was pinpointed. While police didn't recover all of Anthony's belongings, they did retrieve his phone. Score one for technology.

The teenager who stole the smartphone made the same mistake I made. He paraded his ill-gotten goods around like a trophy, not realizing that Big Brother is always watching. As our mobile market grows exponentially in these coming years, we have to imagine the potential haul for miscreants and hackers. Is it an NFC bug that will net the first multimillion-dollar mobile heist? A device like a SIM card that can be easily ripped out of unmanned hardware? What about mobile wallet technology, like Google Wallet? The threat surface is vast, and the potential is high.

And, besides, some people enjoy stealin'. It's just as simple as that.

Don Bailey is director of research at iSEC Partners.

About the Author(s)

Don Bailey

Founder & CEO, Lab Mouse Security

Don A. Bailey is a pioneer in security for mobile technology, the Internet of Things, and embedded systems. He has a long history of ground-breaking research, protecting mobile users from worldwide tracking systems, securing automobiles from remote attack, and mitigating crippling IoT risks. He has given almost a dozen talks at various Black Hat events, demonstrating new risks and weaknesses in next-generation technology, along with their solutions. His expertise has been used by energy companies, mobile engineering firms, and other corporations worldwide to build safer prototypes, and to strengthen existing products. Mr. Bailey's goal is to build systems and methodologies for securing the next generation of Internet technologies, such as mobile and IoT systems that bridge the physical and digital worlds together. 

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights