Secure-CAV is an ambitious collaborative project that aims to improve the safety and security of tomorrow’s connected and autonomous vehicles through a combination of cybersecurity monitoring, hardware solutions, machine learning and functional demonstrators.
About the author
James Tyrrell is a Threat Modelling Analyst at Copper Horse.
Over the past couple of years there has been a lot of awareness raising in the press about the issue of 'SIM swap'. David Rogers explores the problem.
Customer chips: subscriber identity modules (SIMs) for use in mobile devices. Image credit – James Tyrrell
In a SIM swap, an unauthorised individual gets a victim's phone number reassigned to a SIM they control, in order to take over the victim's mobile phone account. In the past this was practised by fraudsters who wanted to run up calls against the victim's account, perhaps in a more organised fashion combined with other types of fraud and criminality.
New incentive
Steadily this began to change. In sub-Saharan Africa, SIM swaps started to occur against users of mobile money services: a new incentive to make money using this method. At the same time there was a rise in compromises of online account passwords, driven by large-scale data breaches and by weak implementations of access control, which fed credential stuffing, the automated replay of breached username/password pairs against other services. This meant there was an increasing need for 'out-of-band' methods of validating users that would be acceptable as a 'second factor' alongside passwords.
The most common and straightforward solution was to use the mobile phone and SMS: it was the thing that most people carried, and there was commonality in the means by which users could receive the message, almost instantaneously. The user could then, with relative ease, get access to their account. The company providing the service, be it a bank or a social media app, could also have reasonable confidence that the user was genuine, raising the bar significantly against attacks on users, their passwords and the individual transactions protected by the second factor.
Targeting two-factor authentication
Nothing in security remains static and it should be no surprise to anyone that criminals looked to target the two-factor authentication (2FA) mechanisms being used to protect accounts. The first serious attempt on SMS-based 2FA was against banks in Europe that used mTANs (one-time codes sent by SMS to authorise banking transactions), in late 2010, as part of the ZeuS banking trojan. The attack was relatively sophisticated and used a combination of social engineering and already compromised desktop machines to manipulate users into installing malware on Android devices, which would intercept the SMS messages and divert them to the criminals. The attackers struggled with some of the security controls on the handsets, such as digital signing of applications, and the attack was not wholly successful; however, it clearly demonstrated their intent.
From the late 2000s, and increasingly following the 2013 Edward Snowden revelations, attackers were beginning to look at the network side. The legacy Signalling System No.7 network (SS7), originally designed in the 1970s, was an integral part of how mobile phones communicate with each other on both 2G and 3G networks. As networks became more open to the internet and knowledge of how SS7 worked became more widely available, fraudsters and other criminals began to take advantage. Simply ripping out legacy networks is not an option in the mobile world, given the huge scale and reliance on mobile telephony services. Mobile network operators worked together with the security research community to build in monitoring and filtering mechanisms, together with signalling firewalls, in order to prevent, detect and deter this vector.
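The monitoring and filtering mentioned above can be illustrated with two simple signalling-firewall rules. The following is an added example, not code from any operator or from the article's author: it drops a MAP operation that a home network should never receive over the interconnect, and it flags an UpdateLocation that implies impossible travel since the subscriber's last accepted location. The set of home-only operations, the speed threshold, the country-centroid table and the sample events are all constructed assumptions for the illustration, not a description of any real network's policy.

```python
"""Two simplified signalling-firewall rules over constructed SS7 MAP events.

Added example; not an operator's code. Operation names, thresholds and the
centroid table are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Assumed: MAP operations a home network never expects from outside itself.
HOME_ONLY_OPS = {"AnyTimeInterrogation"}

# Assumed: rough country centroids keyed by mobile country code (MCC).
COUNTRY_CENTROID: Dict[str, Tuple[float, float]] = {
    "234": (54.0, -2.0),   # United Kingdom
    "262": (51.0, 10.0),   # Germany
    "310": (39.0, -98.0),  # United States
}
MAX_PLAUSIBLE_KMH = 1000.0  # assumed: a genuine roamer does not move faster
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class MapEvent:
    ts: datetime
    imsi: str
    op: str
    from_home_network: bool  # True if it arrived from an internal node
    vlr_mcc: str             # country of the VLR/MSC that sent it


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def evaluate(events: List[MapEvent]) -> List[Tuple[str, str]]:
    """Return a (verdict, reason) pair per event; state is kept per IMSI.

    Only events that are allowed update the subscriber's last known
    location, so a flagged UpdateLocation cannot 'teleport' the baseline.
    """
    last_seen: Dict[str, Tuple[datetime, str]] = {}
    verdicts: List[Tuple[str, str]] = []
    for ev in events:
        if ev.op in HOME_ONLY_OPS and not ev.from_home_network:
            verdicts.append(("drop", f"{ev.op} received over the interconnect"))
            continue
        if ev.op != "UpdateLocation":
            verdicts.append(("allow", "no rule matched"))
            continue
        verdict = ("allow", "first location seen for this IMSI")
        prev = last_seen.get(ev.imsi)
        if prev is not None:
            prev_ts, prev_mcc = prev
            hours = (ev.ts - prev_ts).total_seconds() / 3600.0
            km = haversine_km(COUNTRY_CENTROID[prev_mcc], COUNTRY_CENTROID[ev.vlr_mcc])
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                verdict = ("flag", f"{km:.0f} km in {hours:.1f} h from MCC {prev_mcc}")
            else:
                verdict = ("allow", f"{km:.0f} km in {hours:.1f} h is plausible")
        if verdict[0] == "allow":
            last_seen[ev.imsi] = (ev.ts, ev.vlr_mcc)
        verdicts.append(verdict)
    return verdicts


# Constructed events: a test-range IMSI (MCC 001) seen in the UK, then
# 'seen' in the US an hour later, then legitimately in Germany.
SAMPLE_EVENTS = [
    MapEvent(datetime(2020, 1, 1, 9, 0), "001010000000001", "UpdateLocation", True, "234"),
    MapEvent(datetime(2020, 1, 1, 10, 0), "001010000000001", "UpdateLocation", False, "310"),
    MapEvent(datetime(2020, 1, 1, 11, 0), "001010000000001", "UpdateLocation", False, "262"),
    MapEvent(datetime(2020, 1, 1, 11, 5), "001010000000001", "AnyTimeInterrogation", False, "262"),
    MapEvent(datetime(2020, 1, 1, 11, 10), "001010000000001", "AnyTimeInterrogation", True, "234"),
]


def run_sample() -> List[str]:
    """Verdicts for SAMPLE_EVENTS, in order."""
    return [v for v, _ in evaluate(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for ev, (verdict, reason) in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{ev.ts:%H:%M} {ev.op:<22} {verdict:<5} {reason}")
```

The velocity rule is deliberately conservative: the third event is judged against the last accepted location (the UK at 09:00), not against the flagged US event, so a single spoofed UpdateLocation does not poison later decisions. A real signalling firewall would carry many more operations and per-partner rules than this sketch.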
Engineering account takeovers
Finally, social engineering of call centres has been a problem. This is an issue for all organisations that are required to service users directly, and this form of "account takeover" is seen in many different sectors. With the prevalence of information available on the internet about most people, building up a convincing picture of a user can be done with relative ease, or with some initial social engineering against the user themselves. Whilst network operators need to ensure their call centre staff are trained to detect social engineering attempts, this is a tall order given that the whole aim of the social engineer is to convince the person at the other end of the phone that they are legitimate. Phasing out legacy methods of authentication, such as 'secret' information like a mother's maiden name and user-selected passwords that have to be spoken aloud, is only part of the solution. Some network operators are now providing APIs (technical interfaces) to which services such as banks can connect in order to establish whether a SIM swap has occurred recently on a customer's number, before trusting an SMS sent to it.
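What a bank might do with such an API is shown below. This is an added example, not code from Copper Horse, any bank or any operator. It assumes the operator exposes a lookup shaped like the GSMA Open Gateway / CAMARA "SIM Swap" check (a phone number and a maximum age in hours go in, a boolean "swapped" comes back); the network call is replaced by an in-memory stand-in so the example runs offline, and the value threshold and 72-hour window are illustrative policy choices, not recommendations from the article.

```python
"""Bank-side second-factor selection driven by an operator SIM-swap check.

Added example; the operator lookup is a stand-in and the policy knobs are
assumptions. The point is the decision logic and the fail-closed handling.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Callable, Dict


class Channel(Enum):
    SMS_OTP = "sms-otp"              # follows the SIM, so weak after a swap
    APP_PUSH = "app-push"            # bound to an enrolled device, not the SIM
    MANUAL_REVIEW = "manual-review"  # human call-back before funds move


@dataclass(frozen=True)
class Decision:
    channel: Channel
    reason: str


class SimSwapLookupError(Exception):
    """Operator API unreachable, timed out, or returned an unusable body."""


# Assumed policy knobs.
HIGH_VALUE_GBP = 500.0   # at or above this, a failed lookup fails closed
SWAP_WINDOW_HOURS = 72   # a swap inside this window makes SMS untrustworthy


def parse_sim_swap_response(body: Dict[str, Any]) -> bool:
    """Strictly validate a CAMARA-style body {"swapped": <bool>}.

    Anything other than a real boolean is a lookup failure, not 'not
    swapped', so a broken upstream cannot silently fail open.
    """
    swapped = body.get("swapped")
    if not isinstance(swapped, bool):
        raise SimSwapLookupError(f"malformed response: {body!r}")
    return swapped


# Injected lookup: (msisdn, max_age_hours) -> raw response body.
SimSwapLookup = Callable[[str, int], Dict[str, Any]]


def choose_second_factor(msisdn: str, amount_gbp: float,
                         lookup: SimSwapLookup) -> Decision:
    """Pick the channel used to confirm a transaction of amount_gbp."""
    high_value = amount_gbp >= HIGH_VALUE_GBP
    try:
        swapped = parse_sim_swap_response(lookup(msisdn, SWAP_WINDOW_HOURS))
    except SimSwapLookupError as exc:
        if high_value:
            return Decision(Channel.MANUAL_REVIEW, f"lookup failed ({exc}); high value")
        return Decision(Channel.SMS_OTP, f"lookup failed ({exc}); low value")
    if swapped:
        if high_value:
            return Decision(Channel.MANUAL_REVIEW, "SIM swapped within window; high value")
        return Decision(Channel.APP_PUSH, "SIM swapped within window")
    return Decision(Channel.SMS_OTP, "no SIM swap within window")


# Constructed stand-in for the operator API. UK 07700 900xxx numbers are
# reserved for drama use, so none of these belongs to a real subscriber.
_FAKE_HOURS_SINCE_SWAP = {
    "+447700900001": 6,        # swapped this morning
    "+447700900002": 24 * 30,  # swapped a month ago
    "+447700900003": None,     # operator holds no swap record at all
}


def fake_operator_lookup(msisdn: str, max_age_hours: int) -> Dict[str, Any]:
    """Mimics the shape of the real API, including two failure modes."""
    if msisdn == "+447700900999":
        raise SimSwapLookupError("timeout")  # simulated outage
    if msisdn == "+447700900998":
        return {"status": "ok"}               # simulated malformed body
    hours = _FAKE_HOURS_SINCE_SWAP.get(msisdn)
    return {"swapped": hours is not None and hours <= max_age_hours}


if __name__ == "__main__":
    for number, amount in [("+447700900001", 2000.0), ("+447700900001", 20.0),
                           ("+447700900002", 2000.0), ("+447700900999", 2000.0)]:
        d = choose_second_factor(number, amount, fake_operator_lookup)
        print(f"{number} GBP {amount:>7.2f} -> {d.channel.value:<14} {d.reason}")
```

The two design choices worth copying are the strict response parsing (a missing or non-boolean field is an error, never a silent "not swapped") and the asymmetric failure handling: when the operator API is down, low-value actions still get an SMS so the service keeps working, but high-value ones go to review rather than to a channel the bank can no longer vouch for.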
This is the real heart of the issue for SIM swap: the target is now not really the network operator's services, it is something else entirely. It is any service that relies on SMS for 2FA, for which the most direct route to compromise is to arrange for the SIM to be swapped. And there are lots of them: banks, messaging applications, social media apps, email accounts, bitcoin wallets; the list is ever-increasing. An increasing number of people are seeing 'whole life takeovers'. Starting with a SIM swap, the user's email account is compromised via password-reset codes that now arrive on the attacker's handset, followed by a succession of accounts for everything they interact with, from airlines to ride-sharing to shops, leaving the user without money or even the ability to communicate. This is often a method of punishing someone or 'taking them out', a risk for people in the public domain such as journalists.
Rising rewards
The value of success is increasing too. In some cases millions of dollars' worth of bitcoin has been swiped from wallets because the SIM was swapped. The motivation is high and the cost of attack is relatively low, but the gains are potentially life-changing for attackers. Recent attacks have seen technical attempts combined with social engineering, for example to install remote desktop access on operator systems so that criminals can initiate the SIM swaps themselves. Mobile network operators around the world need to ensure they are on top of all aspects of the problem, implementing best practice and doing as much as they can to raise the bar of defence against such attacks. There is no boundary between human, telecoms and cyber security: it is all one big attack surface now.
“If you’re looking to deploy IoT, you need to do it right from the start and you need to think about what happens with that product throughout its lifetime, until you sunset it,” David Rogers MBE – founder of Copper Horse and author of the UK’s Code of Practice for Consumer IoT Security – told listeners at yesterday’s launch webinar (available to watch on-demand). “That means working with suppliers and partners who you can trust will take the right approach to security and platforms.”
Arm commissioned Copper Horse to offer an impartial guide to IoT security by design, and the 19-page white paper guides readers on how to manage solutions appropriately and securely at scale.
“If you’re deploying IoT in any kind of environment – for example, consumer, automotive, agricultural, industrial or medical, you need to consider security from the beginning,” David reiterates. “Regulation is coming so it can’t be ignored.”
Topics covered in the briefing include: the threat landscape; future regulation; software updates and device management; public key infrastructure (PKI); end-of-life and decommissioning; and a reminder on identifying and eliminating bad practices.