Threat modelling connected and autonomous vehicle cybersecurity: an overview of available tools

Copper Horse’s automotive cybersecurity posts, including Threat modelling connected and autonomous vehicle cybersecurity: an overview of available tools, can now be found on the Secure-CAV microsite.

Secure-CAV is an ambitious collaborative project that aims to improve the safety and security of tomorrow’s connected and autonomous vehicles through a combination of cybersecurity monitoring, hardware solutions, machine learning and functional demonstrators.

About the author

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

What is SIM swap?

Over the past couple of years, there has been a lot of awareness raising in the press about the issue of ‘SIM swap’. David Rogers explores the problem.

Customer chips: subscriber identity modules (SIMs) for use in mobile devices. Image credit – James Tyrrell

An unauthorised individual gets a victim’s SIM reassigned to them in order to gain access to the victim’s mobile phone account. In the past this would have been practiced by fraudsters who might want to run up calls against the victim’s account, perhaps in a more organised fashion combined with other types of fraud and criminality.

New incentive

Steadily this began to change. In sub-Saharan Africa, SIM swaps started to occur against users of mobile money services: a new incentive to make money using this method. There was also a rise in password compromises of online accounts, led by large-scale data breaches, which in turn led to credential stuffing (the automated injection of breached username/password pairs into other services’ login forms) based on the leaked information, as well as by weak implementations of access control. This meant there was an increasing need for ‘out-of-band’ methods of validating users that would be acceptable as a ‘second factor’ to passwords, increasing security. The most common, and most straightforward to implement, solution was to use the mobile phone and SMS: it was the thing most people carry, and there was a common means by which users could receive the message almost instantaneously. The user could then, with relative ease, get access to their account. The company providing the service, be it a bank or a social media app, could also have reasonable confidence that the user was genuine, raising the bar significantly against attacks on users, their passwords and the individual transactions protected by the second factor.

Targeting two-factor authentication

Nothing in security remains static, and it should be no surprise to anyone that criminals looked to target the two-factor authentication (2FA) mechanisms being used to protect accounts. The first serious attempt on SMS-based 2FA was against banks in Europe that used mTANs (codes for banking transactions) in late 2010, as part of the ZeuS banking trojan. The attack was relatively sophisticated and used a combination of social engineering and already compromised desktop machines to manipulate users into installing malware on Android devices, which would intercept the SMSs and divert them to criminals. The attackers struggled with some of the security controls on the handsets, such as digital signing, and the attack was not wholly successful; however, it clearly demonstrated their intent.

By the late 2000s and following the Edward Snowden revelations, attackers were beginning to look at the network side. The legacy Signalling System No.7 network (SS7), originally designed in the 1970s, was an integral part of how mobile phones communicate with each other on both 2G and 3G networks. As networks became more open to the internet and knowledge of how SS7 worked became more widely known, fraudsters and other criminals began to take advantage. Simply ripping out legacy networks is not an option in the mobile world, given the huge scale of and reliance on mobile telephony services. Mobile network operators worked together with the security research community to build in monitoring and filtering mechanisms, together with signalling firewalls, in order to prevent, detect and deter this vector.

Engineering account takeovers

Finally, social engineering of call centres has been a problem. This is an issue for all organisations that are required to service users directly. Indeed this form of “account takeover” is seen in many different sectors. With the prevalence of information available on the internet for most people, building up a legitimate picture of a user can be done with relative ease or with some initial social engineering against the user themselves. Whilst network operators need to ensure their call centre staff are trained to detect social engineering attempts, this is a tall order given that the whole aim of the social engineer is to convince the person at the other end of the phone that they’re legitimate. Phasing out legacy methods of authentication such as usage of secret information like mother’s maiden name and usage of user-selected passwords that need to be spoken is just part of the solution. Some network operators are now providing APIs (technical interfaces) for services such as banks to be able to connect to in order to establish whether a SIM swap has occurred recently.

This is the real heart of the issue for SIM swap – the target is now not really the network operator’s services, it is something else entirely. It’s a service that uses 2FA SMSs, for which the only mechanism to compromise is to arrange for the SIM to be swapped. And there are lots of them – banks, messaging applications, social media apps, email accounts, bitcoin wallets – the list is ever-increasing. An increasing number of people are seeing ‘whole life takeovers’ – starting with a SIM swap, the user’s email account is compromised, followed by a succession of accounts for everything they interact with, from airlines to ride-sharing to shops, leaving the user without money or even the ability to communicate. This is often a method of punishing someone or ‘taking them out’, a risk for people in the public domain such as journalists.
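As an added example (not code from the original post), this is the kind of step-up logic a relying service such as a bank could place in front of an SMS code once an operator exposes a SIM-swap check like the APIs mentioned above. The operator interface (`sample_operator_lookup`), the seven-day quarantine window and the phone numbers are all constructed assumptions; real operator APIs have their own request and response shapes.

```python
"""Decide whether an SMS one-time code can be trusted for a given phone number.

Added example for illustration; it is not code from the original post. The
operator SIM-swap interface is a constructed stand-in: real operator APIs
expose this information in their own formats and with their own semantics.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Fixed "current time" so the example is deterministic.
NOW = datetime(2019, 10, 1, 12, 0, tzinfo=timezone.utc)

# Constructed SIM-change records (assumption: the operator reports the
# timestamp of the last SIM change, or None if no change is on record).
# The numbers are placeholders from the UK drama-use range, not real subscribers.
_SAMPLE_OPERATOR_RECORDS = {
    "+447700900001": NOW - timedelta(days=200),  # SIM unchanged for months
    "+447700900002": NOW - timedelta(hours=3),   # SIM changed three hours ago
    "+447700900003": None,                       # never changed
}


def sample_operator_lookup(msisdn: str) -> Optional[datetime]:
    """Hypothetical operator SIM-swap check backed by the sample records above."""
    if msisdn not in _SAMPLE_OPERATOR_RECORDS:
        raise LookupError(f"no record for {msisdn}")
    return _SAMPLE_OPERATOR_RECORDS[msisdn]


@dataclass(frozen=True)
class Decision:
    action: str                 # "send_sms", "step_up" or "hold"
    reason: str
    sim_age_hours: Optional[float]


def decide_sms_otp(
    msisdn: str,
    lookup: Callable[[str], Optional[datetime]],
    *,
    high_value: bool = False,
    now: datetime = NOW,
    quarantine: timedelta = timedelta(days=7),  # assumed window; tune to risk appetite
) -> Decision:
    """Return what the relying service should do before sending a code by SMS.

    - SIM stable (or never changed): the SMS code is an acceptable second factor.
    - SIM changed inside the quarantine window: do not rely on SMS; use another
      factor ("step_up"), or for high-value actions hold for manual review.
    - Check unavailable: fail closed and step up, since silence is not assurance.
    """
    try:
        last_change = lookup(msisdn)
    except Exception as exc:  # unknown number, operator timeout, etc.
        return Decision("step_up", f"sim swap check unavailable: {exc}", None)

    if last_change is None:
        return Decision("send_sms", "no SIM change on record", None)

    age_hours = (now - last_change).total_seconds() / 3600.0
    if now - last_change < quarantine:
        if high_value:
            return Decision("hold", "recent SIM change on a high-value action", age_hours)
        return Decision("step_up", "SIM changed within quarantine window", age_hours)
    return Decision("send_sms", "SIM stable", age_hours)


if __name__ == "__main__":
    for number in ("+447700900001", "+447700900002", "+447700900003", "+447700900999"):
        d = decide_sms_otp(number, sample_operator_lookup)
        print(f"{number}: {d.action:9} {d.reason} (sim age hours: {d.sim_age_hours})")
```

The design choice worth noting is that an unanswered check is treated the same as a recent swap: the code fails closed and asks for another factor rather than falling back to SMS, because a lookup failure tells the service nothing about whether the SIM is still in the customer’s hands.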

Rising rewards

The value of success is increasing too. In some cases millions of dollars of bitcoins have been swiped from wallets because the SIM was swapped. The motivation is high and the cost of attack is relatively low, but the gains are potentially life-changing for attackers. Recent attacks have seen technical attempts combined with social engineering to install remote desktop access so that criminals can initiate the SIM swaps themselves. Mobile network operators around the world need to ensure they’re on top of all aspects of the problem, implementing best practice and doing as much as they can to raise the bar of defence against such attacks. There is no boundary between human, telecoms and cyber security – it is all one big attack surface now.

About the author

David Rogers is the founder and CEO of Copper Horse.

Computers on wheels and networks in the fast lane

Copper Horse’s automotive cybersecurity posts, including Computers on wheels and networks in the fast lane, can now be found on the Secure-CAV microsite.

Copper Horse and Arm launch white paper on IoT security by design

“If you’re looking to deploy IoT, you need to do it right from the start and you need to think about what happens with that product throughout its lifetime, until you sunset it,” David Rogers MBE – founder of Copper Horse and author of the UK’s Code of Practice for Consumer IoT Security – told listeners at yesterday’s launch webinar (available to watch on-demand). “That means working with suppliers and partners who you can trust will take the right approach to security and platforms.”

Arm commissioned Copper Horse to offer an impartial guide to IoT security by design, and the 19-page white paper guides readers on how to appropriately and securely manage solutions at scale.

“If you’re deploying IoT in any kind of environment – for example, consumer, automotive, agricultural, industrial or medical, you need to consider security from the beginning,” David reiterates. “Regulation is coming so it can’t be ignored.”

Topics covered in the briefing include: the threat landscape; future regulation; software updates and device management; public key infrastructure (PKI); end-of-life and decommissioning; and a reminder on identifying and eliminating bad practices.

Full details can be found at – https://learn.arm.com/securingiotbydesign.html.

Copper Horse CEO David Rogers Receives MBE from the Queen at Windsor Castle

Mr. David Rogers is made an MBE (Member of the Order of the British Empire) by Queen Elizabeth II at Windsor Castle. Picture date: Friday October 25, 2019. Photo credit: Jonathan Brady/PA Wire.

David Rogers, Copper Horse’s CEO was made a Member of the Order of the British Empire (MBE) for services to Cyber Security by Her Majesty the Queen on Friday the 25th of October 2019. The investiture took place at Windsor Castle.

After the ceremony, David said “It was a delight and honour to meet Her Majesty the Queen. I have accepted this award on behalf of everyone involved with securing connected products in the ‘Internet of Things’ and working to protect people from online harms. This includes the security research and hacking community, government departments and academia. There is some truly great work going on and there are some fantastic, passionate individuals working on this all across the world.”

More details on David’s work can be found here. Copper Horse provides IoT security consultancy and engineering expertise worldwide from its home in Windsor, UK.

Mapping New IoT Security Recommendations

In late 2018, to coincide with the launch of the UK’s Code of Practice for Consumer IoT Security we launched a website: iotsecuritymapping.uk which mapped IoT recommendations and standards from around the world. Our previous blog explains more of the detail. Earlier this year, we updated the site to include the European Telecommunications Standards Institute (ETSI) Technical Specification, TS 103 645 (pdf) which originated from the Code of Practice.

Today we have launched an updated version of the mapping site which stretches the landscape further with a number of new recommendations from around the world. These have either been sent to us as a result of people hearing about the original mapping work or work that we’ve seen launched since then.

The Windsor landscape towards the Copper Horse

The following additional recommendations are added, from all over the globe including Japan, South Korea and the USA:

Some of the recommendations we looked at had been updated, but the changes were either minor editorial ones or not relevant to mapping against the Code of Practice; in these cases the mapping was not updated.

Updating the External References

One useful thing we created last time was a mapping of the external references from the recommendations – it is quite useful for understanding where things are happening and which bodies are judged to be the most relevant. We’ve further updated this, and it is no surprise that organisations like the IETF, with massive contribution from industry, are the most referenced and essentially the most used, while other organisations like the ITU, who try to lay claim to IoT, are hardly referenced. We believe this work is the first time that any organisation has attempted to lay out these relationships, to break open the marketing hyperbole with real, factual data.

What are we observing and what does it mean?

There is a broad consensus on what needs to be done in IoT security, which is quite nice to see. Pretty much everyone who is looking at the problem is saying the same thing in different ways. The consumer space seems to be a common starting point because that is where the problem is most visible, but clearly the majority of this work provides a common foundation which is applicable across all IoT ‘verticals’ from industrial IoT, to connected cars.

There are differences in the level of abstraction in recommendations – some are very detailed, others at a high level. This is not a massive problem, it is just that more detailed and specific recommendations can be a real barrier to adoption. It can also affect innovation because detailed specifications tend to deal with the status quo of what exists now. They fail to consider or accommodate the possibility that someone could create something securely without doing exactly what has been put into a bit-level recommendation or standard. It can also affect organisations implementing security in the first place because detailed specifications look daunting. A high level recommendation is easier to access and implement (within the spirit of what is being asked), however it suffers from the fact that people could pay lip service to it or that more detail may be necessary to stop people doing something insecure. We need to find a happy medium between the two approaches for real security success in such a varied market as IoT.

The gaps between the specifications are going to get interesting – where is there divergence and why is that? This looks to be a key piece of work for the future and we may explore that in the coming year.

Keeping the site updated

We’ll keep updating the mapping site until there is a natural end. There is work ongoing which will rationalise these efforts at an international standards level. Once that has happened and there is consensus, we’ll have hopefully achieved what we set out to do – unification and defragmentation of IoT security; at least for the fundamental foundations. We hope you find the latest update useful and do please keep sending your feedback to us.

David Rogers awarded MBE in the Queen’s Birthday Honours list 2019 for services to cyber security

London – Saturday 8th June 2019: Copper Horse, a mobile and IoT security company, today announced that its CEO, David Rogers, has been awarded an MBE in recognition of his services to cyber security in The Queen’s Birthday Honours List 2019.

David is the author of the UK’s Code of Practice for Consumer IoT Security. Published in October 2018, it provides invaluable guidance for all parties involved in the development, manufacturing and retail of consumer Internet of Things (IoT) products. The Code was developed as part of the Secure by Design initiative, which was created in response to the increasing importance of cyber security in the home, brought about by the exponential growth of IoT technologies.

David has worked closely with UK Government departments including the Department for Digital, Culture, Media & Sport (DCMS) and the National Cyber Security Centre (NCSC), as well as leading manufacturers, industry associations and the security research community to create the Code.

In addition to his work on the Code of Practice for Consumer IoT Security, David chairs the mobile industry’s GSMA Fraud and Security Group and sits on the Executive Board of the IoT Security Foundation. He teaches part-time at two universities, lecturing on Mobile System Security at the University of Oxford and as a Visiting Professor in Cyber Security and Digital Forensics at York St John University.

Over the course of his career David has been central to the development and execution of industry-level efforts to reduce handset theft, pioneered hardware security recommendations for mobile devices and software update security, as well as introducing vulnerability disclosure to the mobile and IoT industries.

David Rogers, CEO at Copper Horse explained: “There are many talented and passionate individuals involved in cyber security around the globe. From the security researcher community – the hackers of the world – to those in government departments, academia and my own company, Copper Horse. Much of this work goes unsung, yet it doesn’t go unnoticed. All these people are collectively working to highlight insecurity and trying to improve technology around IoT. By helping to secure future products and services, they are protecting the wider public, allowing consumers to reap all the benefits the Internet of Things can bring to their daily lives.

“My role in securing technology is only a tiny part of that overall effort. I am delighted and honoured to be awarded this MBE for services to cyber security.”

For further information, please contact Simpatico PR:

Niki Hutchinson, Director B2B Technology

Tel: +44 (0)7790 776128

Email: niki.hutchinson@simpaticopr.co.uk

About Copper Horse

Copper Horse is based in Windsor, UK and was established in 2011 by mobile security expert David Rogers. The company primarily focuses on mobile and IoT security topics. With a range of world-renowned experts on hand, Copper Horse works on interesting and challenging security and software projects. The company provides consultancy, development and training for subjects ranging from mobile devices and networks, to the connected home. More information can be found at: https://www.copperhorse.co.uk

ETSI publishes European Standard on Consumer IoT Security

David Rogers writes about the launch of the specification: ‘Cyber Security for Consumer Internet of Things’ from ETSI’s TC Cyber group.

Today the European Telecommunications Standards Institute (ETSI) announced the publication of their ETSI Technical Specification, TS 103 645 (pdf).

This work builds on the UK Code of Practice for IoT Security and has had input from experts around the world. It is great that this work has been elevated up to European level and published as a standard. This means a much wider technical audience and crucially, official endorsement at European level by companies and governments.

The discussions during the specification development were very rational, and some of the supporting text was promoted into provisions within the specification, making the overall work stronger. For example, wording that could be considered ambiguous from a technical standpoint has been clarified and considered at length by me and others. This means that, whilst we still see this as a high level specification, we’ve also tried to further pin down what we’re trying to say, all whilst trying to ensure that we avoid unintended consequences and loopholes that companies could use to deliberately avoid putting security into their products.

These efforts will continue. During the specification process, there were some really good proposals brought forward on some deep technical aspects about IoT security and privacy that we see as being potential spin-off work items in ETSI – I’m keeping track of what those topics were. There are also things that some of us would like to bring into the Code of Practice for future revisions, such as consideration by manufacturers of issues such as coercive or controlling behaviour which can be compounded by IoT in the home. All these things are for the future, but the great thing is the enthusiasm is there from some brilliant minds both in government and industry, so watch this space!

The IoT Security Mapping site has also been updated to reflect how the ETSI specification maps to the UK Code of Practice in order to help implementers understand how it all fits together, including against other recommendations and specifications from around the world.

Investigating the State of Vulnerability Disclosure in Consumer IoT Products

In August 2018, we were asked by the IoT Security Foundation to look at companies across the world producing consumer focused Internet of Things products and see what the situation is for security researchers when they try to contact these businesses.

Security researchers often have problems when it comes to speaking to companies about their findings, but we wanted to gather some real data about the current market situation because no-one had done this before. In this process, we also tried to record what types of mechanism were in place – i.e. did the company follow best practice for vulnerability disclosure by having a webpage that researchers could report through? Was there an email address to contact the company, and was there a public key available to use to encrypt submitted reports? Did the company operate any kind of ‘bug bounty’ scheme?

IoT devices in the IoT Security Village at DEF CON#26

The IoT Security Foundation published our findings (pdf) today, including a full list of the companies we looked at. The data is also available on request from the Foundation in a machine-readable format (with some additional fields we didn’t include in the report).

Some high-level findings from the report include the following:

  • Over 90% of the 331 consumer IoT product companies researched have no easy way for a security researcher to contact them to report a vulnerability.
  • Of those companies which had a disclosure policy:
    • 41.9% gave no indication of the expected disclosure timeline.
    • 0.9% of the companies operated with a hard deadline of 90 days for fixes to reported issues.
    • 46.9% also had a bug bounty programme. Two of these programmes were, however, by invitation only, so were not open for general contribution.
    • 78.1% supplied researchers with a public key for encryption to protect their communications and report details.
    • 18.8% utilised a proxy disclosure service (1.8% of total companies examined).
  • 7.6% of all companies publicised a public PGP key for researchers to use to encrypt, protecting their communications and disclosure report details.
  • 0.9% of companies had forms for reporting vulnerabilities or contact points, but no published vulnerability disclosure policy.
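As an added example (not part of the post or of the IoTSF report), the script below checks the same three things the survey looked for, a contact route, a public key and a published policy, by reading a vendor’s `security.txt` file in the RFC 9116 format. That convention is a later, machine-readable way of publishing exactly these details; the 2018 survey did not use it. The vendor names, file contents and survey date are constructed, and the `Expires` parser only accepts the plain `YYYY-MM-DDTHH:MM:SSZ` form.

```python
"""Assess a vendor's vulnerability-disclosure contact points from security.txt.

Added example, not part of the original post or the IoTSF report. It scores
the kinds of mechanism the report looked for (contact route, public key,
published policy) using an RFC 9116 security.txt, which the survey did not use.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed date on which the sample survey is taken.
SURVEY_DATE = datetime(2019, 10, 1, tzinfo=timezone.utc)

# Constructed sample files standing in for three vendors' /.well-known/security.txt.
SAMPLES: Dict[str, str] = {
    "vendor-a": """\
# constructed sample: every mechanism present and current
Contact: mailto:security@vendor-a.example
Contact: https://vendor-a.example/report
Encryption: https://vendor-a.example/pgp-key.txt
Policy: https://vendor-a.example/disclosure-policy
Expires: 2030-01-01T00:00:00Z
""",
    "vendor-b": """\
# constructed sample: a generic support address in a file that has lapsed
Contact: mailto:support@vendor-b.example
Expires: 2018-01-01T00:00:00Z
""",
    "vendor-c": "",  # constructed sample: no security.txt published at all
}


@dataclass(frozen=True)
class DisclosureProfile:
    has_contact: bool          # at least one Contact field
    has_encryption_key: bool   # an Encryption field pointing at a public key
    has_policy: bool           # a Policy field pointing at a disclosure policy
    expired: bool              # Expires is in the past or unparseable


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Collect field values by lower-cased field name; comments and junk lines are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def assess(text: str, now: datetime) -> DisclosureProfile:
    """Turn one security.txt body into the yes/no answers the survey recorded."""
    fields = parse_security_txt(text)
    expired = False
    for exp in fields.get("expires", []):
        try:
            ts = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            expired = True  # unparseable expiry: treat the file as stale
            continue
        if ts < now:
            expired = True
    return DisclosureProfile(
        has_contact=bool(fields.get("contact")),
        has_encryption_key=bool(fields.get("encryption")),
        has_policy=bool(fields.get("policy")),
        expired=expired,
    )


def summarise(samples: Dict[str, str], now: datetime) -> Dict[str, float]:
    """Percentages across all vendors, in the style of the report's headline figures."""
    profiles = [assess(text, now) for text in samples.values()]

    def pct(pred: Callable[[DisclosureProfile], bool]) -> float:
        return round(100.0 * sum(1 for p in profiles if pred(p)) / len(profiles), 1)

    return {
        # A lapsed file gives a researcher no assurance the route is still read.
        "contact_route": pct(lambda p: p.has_contact and not p.expired),
        "public_key": pct(lambda p: p.has_encryption_key),
        "policy": pct(lambda p: p.has_policy),
    }


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, assess(text, SURVEY_DATE))
    print(summarise(SAMPLES, SURVEY_DATE))
```

Two of the three constructed vendors fail the contact-route check: one publishes nothing, and the other has let its file expire, which the scoring treats as no better than no file, since a researcher cannot tell whether anyone still reads the address.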

Our CEO, David Rogers said: “The data doesn’t lie – connected product companies are woefully bad, when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things. There is no need for this, there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”

John Moor, Managing Director of the IoT Security Foundation, said: “We conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice. It’s part of our mission to raise awareness and help improve the situation and we hope that by highlighting this subject area, and identifying companies in the report, we can make positive progress in the future. For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.”

It is clear that things need to change and fast. Guidance on how to implement Coordinated Vulnerability Disclosure is available from the IoT Security Foundation (pdf).

Mapping IoT Security and Privacy Recommendations and Guidance

The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS) has been continuing since the publication of its work on Secure by Design and the Code of Practice for Consumer IoT Security went out for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice and we’re now launching https://iotsecuritymapping.uk to support the initiative, including hosting open data files with all the various mappings contained within.

We believe this is going to be really helpful for so many companies and organisations involved in IoT. It will help to defragment the standards space and it will help companies to understand how to improve security by telling them which recommendations facilitate implementation of the UK’s Code of Practice.

You can read our CEO’s blog on this topic here.