1. Justice Department charges Russian spies and criminal hackers in Yahoo intrusion
2. FBI arrests alleged attacker who tweeted seizure-inducing strobe at Kurt Eichenwald
3. How wiretaps actually work and what's really going on here
4. Digital Privacy at the U.S. Border: A New How-To Guide from EFF
5. Facebook says police can't use its data for surveillance
6. That CIA exploit list in full: The good, the bad, and the very ugly
7. What the CIA WikiLeaks dump tells us: Encryption works
8. MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking
9. Google's reCAPTCHA turns invisible, will separate bots from people without challenges
10. Ransomware for Dummies: Anyone Can Do It
11. A U.S. ally fired a $3 million Patriot missile at a $200 drone.
1. Justice Department charges Russian spies and criminal hackers in Yahoo intrusion
The Justice Department announced Wednesday the indictments of two Russian spies and two
criminal hackers in connection with the heist of 500 million Yahoo user accounts in 2014,
marking the first U.S. criminal cyber charges ever against Russian government officials.
The indictments target two members of the Russian intelligence agency FSB, and two hackers
hired by the Russians.
The charges include hacking, wire fraud, trade secret theft and economic espionage, according
to officials. The indictments are part of the largest hacking case brought by the United States.
The charges are unrelated to the hacking of the Democratic National Committee and the FBI's
investigation of Russian interference in the 2016 presidential campaign. But the move reflects
the U.S. government's increasing desire to hold foreign governments accountable for malicious
acts in cyberspace.
The United States does not have an extradition treaty with Russia, but officials have said that
taking steps such as charges and imposing sanctions can be a deterrent. People also
sometimes slip up and travel to a country that is able and willing to transfer them to the United
States for prosecution.
Yahoo reported the 2014 hack last fall in what was then considered the largest data breach
in history. The company later disclosed another intrusion affecting more than 1 billion user
accounts in 2013, far surpassing the 2014 event. Officials have not determined whether there is
a link between the two.
The twin hacks clouded the prospects for the sale of Yahoo's core business to
telecommunications giant Verizon. The deal is proceeding after Verizon negotiated the price
down in the wake of the breaches.
The compromised accounts may have affected more than just email. Breaking into a Yahoo
account would give the hackers access to users' activity on Flickr, Tumblr, fantasy sports and
other Yahoo applications.
In the 2014 hack, the FSB (Russia's Federal Security Service, and a successor to the KGB)
allegedly sought the information for intelligence purposes, targeting journalists, dissidents and
U.S. government officials, but allowed the criminal hackers to use the email cache for the
officials' and the hackers' financial gain, through spamming and other operations.
"The charges illustrate the murky world of Russian intel services using criminal hackers in a
wide variety of ways," said Milan Patel, a former FBI Cyber Division supervisory special agent
who is now a managing director at K2 Intelligence, a cyber firm.
Although FBI agents have long suspected that the Russians have used cyber mercenaries to do
their work, this case is among the first in which evidence is offered to show that.
The indicted FSB officers are Dmitry Dokuchaev and Igor Sushchin, his superior. Particularly
galling to U.S. officials is that the men worked for the cyber investigative arm of the FSB, a
rough equivalent of the FBI's Cyber Division. "That the agency that is supposed to investigate
computer intrusions in Russia is itself engaged in hacking is pretty sad," one official said.
Dokuchaev, whose hacker alias was Forb, was arrested in December in Moscow, according to
the news agency Interfax, on charges of state treason for passing information to the CIA. He
had reportedly agreed to work for the FSB to avoid prosecution for bank card fraud.
Another man indicted in the case is Alexsey Belan, who is on the list of most-wanted cyber
criminals and has been charged twice before, in connection with intrusions into three major tech
firms in Nevada and California in 2012 and 2013. He was in custody in Greece for a time but
made his way back to Russia, where he is being protected by authorities, officials said.
The other hacker-for-hire is Karim Baratov, who was born in Kazakhstan but has Canadian
citizenship. He was arrested in Canada on Tuesday.
The indictments grew out of a nearly two-year investigation by the FBI's San Francisco office
with the aid of international law enforcement, officials said. Sanctions and criminal charges are
two tools that the Obama administration began using to punish and deter nation-state hackers.
"They have the effect of galvanizing other countries that are watching what's happening," said
Luke Dembosky, a former deputy assistant attorney general for national security. "They show
that we have the resources and capabilities to identify the people at the keyboard, even in the
most sophisticated cases."
Three years ago, the United States charged five Chinese military hackers with economic
espionage, marking the first time cyber-related charges were levied against foreign government
officials.
After the Chinese military hackers were indicted, officials said their activity seemed to dwindle.
And the indictments, Dembosky said, helped wrest a pledge in 2015 from the Chinese to stop
economic cyberespionage against U.S. firms.
In early 2015, the Obama administration imposed economic sanctions on North Korea for its
cyberattack on Sony Pictures systems.
And in late December, the Obama administration levied economic sanctions on Moscow for its
election-year meddling. At the same time, the government sanctioned two Russian criminal
hackers with no apparent connection to the Kremlin's interference campaign. They included
Belan, who is one of the four indicted in the Yahoo case.
2. FBI arrests alleged attacker who tweeted seizure-inducing strobe at Kurt Eichenwald
The suspect, John Rayne Rivello, 29, of Salisbury, Maryland, allegedly sent a message to
Eichenwald saying, "You deserve a seizure for your post." That message included the strobe.
After pursuing a search warrant, police say they found Twitter direct messages in which Rivello
discussed Eichenwald and said he hoped his message would send him into a seizure and that
he was waiting to see if the writer dies. He additionally had a screenshot of a Wikipedia page for
Eichenwald in which he altered it to say that the victim died on December 16, 2016 (the day
after he sent the strobe).
It isn't clear whether these different charges relate to similar online harassment incidents or
something else entirely. We've reached out to Eichenwald's lawyer for comment and will update
when we hear back. The
This wasnt the first time Eichenwald was allegedly targeted with a strobe. He claims to have
been attacked two other times last year. Eichenwald says that in October, a Trump supporter
attempted to induce a seizure by sending him an epileptogenic cartoon. In that case, he says he
dropped his iPad before a seizure was triggered.
The most recent attack on Eichenwald followed a spat between his employer, Vanity Fair, and
President Trump. After the magazine eviscerated Trump Grill in a review, the president tweeted
that the magazine was dead.
Eichenwald extensively covered Trump both during the election season and prior to his political
rise.
5. Facebook says police can't use its data for surveillance
But the social networks have come under fire for working with third parties who market the data
to law enforcement. Last year, Facebook, Instagram and Twitter cut off access to Geofeedia, a
start-up that shared data with law enforcement, in response to an investigation by the American
Civil Liberties Union. The ACLU published documents that made references to tracking activists
at protests in Baltimore in 2015 after the death of a black man, Freddie Gray, while in police
custody and also to protests in Ferguson, Mo., in 2014 after the police shooting of Michael
Brown, an unarmed black 18-year-old.
On Monday, Facebook updated its instructions for developers to say that they cannot use "data
obtained from us to provide tools that are used for surveillance."
The company also said, in an accompanying blog post, that it had kicked other developers off
the platform since it had cut ties with Geofeedia.
Until now, Facebook hasn't been explicit about who can use information that users post publicly.
This can include a person's friend list, location, birthday, profile picture, education history,
relationship status and political affiliation if they make their profile or certain posts public.
Some departments have praised the tools, which they say help them fight crime, for
example, if gang leaders publicly post references to their crimes.
In a statement about the changes, which were the results of several months of conversations
with activists, the ACLU and other groups lauded Facebooks move as a first step.
"We depend on social networks to connect and communicate about the most important issues in
our lives and the core political and social issues in our country," Nicole Ozer, technology and
civil liberties director at the ACLU of California, said in the statement. "Now more than ever, we
expect companies to slam shut any surveillance side doors and make sure nobody can use their
platforms to target people of color and activists."
Some said Facebook hadn't gone far enough. "When technology companies allow their
platforms and devices to be used to conduct mass surveillance of activists and other targeted
communities, it chills democratic dissent and gives authoritarianism a license to thrive," Malkia
Cyril, executive director and founder of the Center for Media Justice, said in the statement. "It's
clear there is more work to be done to protect communities of color from social media spying,
censorship and harassment."
The new policy language does not kick law enforcement off the platform. For one, the company
cooperates with law enforcement on a case-by-case basis for help in solving crimes.
Police and federal agencies may still siphon people's feeds in cases of national disasters and
emergencies, Facebook officials said. It was unclear how Facebook would decide which
emergencies and public events would warrant monitoring citizens' data and which would
constitute unreasonable surveillance. "Surveillance" was also not defined in the blog post, a
potential gray area that outsiders can exploit. Facebook said it would continue to audit third
parties for policy violations and require that developers disclose what they plan to do with data
they are requesting access to.
Local police departments across the United States have spent roughly $5 million on social
media monitoring over the past several years, according to the Brennan Center for Justice. The
relatively small amount shows how it is inexpensive to track and monitor the behavior of large
numbers of people.
6. That CIA exploit list in full: The good, the bad, and the very ugly
We're still going through the 8,761 CIA documents published on Tuesday by WikiLeaks for
political mischief, but here are some of the highlights so far.
First, though, a few general points: one, there's very little here that should shock you. The CIA is
a spying organization, after all, and, yes, it spies on people.
Two, unlike the NSA, the CIA isn't mad keen on blanket surveillance: it targets particular people,
and the hacking tools revealed by WikiLeaks are designed to monitor specific persons of
interest. For example, you may have seen headlines about the CIA hacking Samsung TVs. As
we previously mentioned, that involves breaking into someone's house and physically
reprogramming the telly with a USB stick. If the CIA wants to bug you, it will bug you one way or
another, smart telly or no smart telly. You'll probably be tricked into opening a dodgy attachment
or download.
That's actually a silver lining to all this: end-to-end encrypted apps, such as Signal and
WhatsApp, are so strong, the CIA has to compromise your handset, TV or computer to read
your messages and snoop on your webcam and microphones, if you're unlucky enough to be a
target. Hacking devices this way is fraught with risk and cost, so only highly valuable targets will
be attacked. The vast, vast majority of us are not walking around with CIA malware lurking in
our pockets, laptop bags, and living rooms.
Thirdly, if you've been following US politics and WikiLeaks' mischievous role in the rise of
Donald Trump, you may have clocked that Tuesday's dump was engineered to help the
President pin the hacking of his political opponents' email server on the CIA. The leaked
documents suggest the agency can disguise its operations as the work of a foreign government.
Thus, it wasn't the Russians who broke into the Democrats' computers and, by leaking the
emails, helped swing Donald the election; it was the CIA all along, Trump can now claim.
That'll shut the intelligence community up. The President's pet news outlet Breitbart is already
running that line.
Back to the leaked files. One amusing page gives details of discussions within the CIA on how
to avoid having its secrets leak in the wake of the theft of the NSA Equation Group's hacking
tools. Along with a detailed report [PDF] on the Equation Group hack, there are suggestions on
how to protect resources.
The CIA and the White House have yet to comment on the veracity of the leaked material and
are unlikely to do so. But at least one former intelligence worker with knowledge of such matters
seems convinced they are real.
So here's a rundown of the highlights so far. With so much material to go through, some
important things will have been missed. Feel free to add your own insights in the comments
section. We note that a good number of these cyber-weapons were obtained from the NSA,
GCHQ or private computer security researchers, and hoarded without warning vendors in case
the vulnerabilities got patched; we've covered this subject over and over.
Windows: The CIA's UMBRAGE team has a modest collection of attack tools for
systems powered by Microsoft's widely used operating system, all listed here. These
tools include keystroke loggers, sandbox escape ropes, and antivirus avoidance
mechanisms. The CIA analysts found flaws in Control Panel, and the ability to add data
streams to NTFS without detection to smuggle data onto storage drives. Windows library
files are useful stepping stones to malicious code execution, as are Windows Theme
files.
DLL files [PDF] are a popular attack vector for the CIA. They are also handy for
concealing malware in applications, and the documents show that common apps have
been used for spying by exploiting DLL weaknesses.
One DLL attack technique shows that someone at the agency is a bit of a Will Ferrell
fan. The RickyBobby program, named after the character in the film Talladega Nights,
uses several .NET DLLs and a Windows PowerShell script to implant a "listening post"
on a target Windows PC.
A version has been used in the field on USB drives, according to this document. The
software, with attack tools dubbed Fight Club, was put onto six thumb drives and
"inserted into the supply chain of a target network/group."
If you're using Windows Exchange 2010, the CIA has a tool for that, dubbed
ShoulderSurfer. This performs a code injection attack against the Exchange Datastore
manager process that would allow an agent to collect emails and contacts at will and
without the need for an individual's credentials.
Exchange 2007 is even easier to crack, according to the CIA. For a detailed rundown on
Exchange and all its flaws, this document [PDF] should be helpful to Microsoft engineers
looking to fix the problems.
OS X: Users of Apple's OS X shouldn't look too smug, however. The CIA has tools for
you too, pages of them.
A lot of hacking tools cover OS X El Capitan, but presumably these have been updated
to subvert new versions of the operating system. That said, it does seem through
reading these files that Apple poses a significantly more difficult challenge for the CIA
than Redmond's code.
Analysts note that the operating system can be resilient to applications that try to slip
malware onto a Mac. But it's still possible to whitelist spying software; subvert NetInstall
images, creating zombie programs; and surreptitiously get at the kernel.
One interesting project the files touch on is dubbed QuarkMatter. This is a technique for
hiding spying software persistently on an OS X system by using an EFI driver stored on
the EFI system partition. Another, dubbed SnowyOwl, uses a pthread in an OpenSSH
client to potentially pull off remote monitoring of a target system.
The documents also show a project called HarpyEagle that analyzed Apple's Airport
Extreme firmware for private keys, and also Time Capsule systems.
iOS: The CIA files show an extensive list of iOS exploits. Some of these were developed
in-house, some obtained from the NSA or Britain's GCHQ, and others were purchased
from private vendors. It looks as though at least some of the security bugs were fixed by
Apple in recent iOS updates (versions 8 and later) or are otherwise no longer
exploitable. For instance, the Redux sandbox workaround and Xiphos kernel exploit
were both used to hack "iPhone 4S and later, iPod touch (5th generation) and later, iPad
2 and later," but both flaws were fixed after being publicized by the Chinese jailbreaker
Pangu.
While it's likely the exploit list is an old one, a lot of them may still work. iOS 8 appears to
have killed off a few, but most of the exploits don't have death dates listed.
The Dyonedo exploit, developed by GCHQ, allows unsigned code to run on iOS devices,
while the CIA's homegrown Persistence tool allows "a symbolic link [to] be created (on
iOS 7.x) or an existing file can be overwritten (iOS 8.x) that will run our bootstrapper,
giving [users] initial execution on every boot."
While full root is a goal, the documents also detail an attack known as Captive Portal.
This sets up the browser to route all web use through a server run by the CIA.
Android: There's a much longer list for Android exploits than that for its Cupertino
cousin's operating system.
There are exploits such as Chronos and Creatine that attack specific flaws in Qualcomm
Adreno GPU drivers, and others like Starmie and Snubble only work against specific
Samsung handsets. There are also a lot of Chrome-based attacks for Android that will
only work on older versions of the browser. There's a full list of version histories here.
There are also three implants listed: Bowtie, SuckerPunch, and RoidRage. The release
notes for RoidRage show it can monitor all radio functions and allows SMS stealing.
While the bulk of the exploits listed allow for escalation of privileges, allowing malicious
apps to gain more or total control of the infected device, there are some like
BaronSamedi, Dugtrio, and Salazar that allow for remote access. Many of these have
been shut down on phones running Android version 4.4 and higher, but bear in mind this
list is three years old and the revised grab bag of exploits currently in use could be more
effective against more modern Android builds.
Antivirus: The CIA stash contains rundowns on most of the popular antivirus systems
and how to defeat them. Much of the information has been redacted but there are a few
snippets left.
The documents note that evading F-Secure's detection mechanisms is possible, but that
the software has a pretty good heuristics engine that can pick up Trojan software. The
agency has devised two ways around this: using RAR file string tables, or cloning a RAR
file manifest file.
Avira has similarly good heuristics, the files note, but two similar attacks appear to work.
Avira is a high-value target, since the documentation notes that it is popular among
counter-terrorism targets.
Bitdefender's heuristic engine has also caused the CIA some problems when it comes to
detecting the agency's malware. However, one file notes: "cleartext resources or simple
RXOR-ed resources don't seem to cause Bitdefender to trip."
Comodo's code is described as a "giant PITA" for its malware detection capabilities.
However, it has a weak spot and doesn't scan the contents of the Recycle Bin. The
notes say malware can be stored safely here, but may be detected if run.
Ever since version six of Comodo's code, things have become a lot easier and the CIA
has an exploit dubbed the Gaping Hole of DOOM. That version ignores malware that it
thinks is part of the Windows core operating system.
"Anything running as SYSTEM is automatically legit under 6.X. ANYTHING," the
document states. "Let that sink in. Got a kernel-level exploit? Good, because you can
drop the kitchen sink and the contents of your garage and as long as you continue to run
as SYSTEM you are golden. Yeah."
Details on AVG are sketchy, but the CIA trove indicates at least two ways to defeat the
security software. These include a fake installer and malware that can be dropped onto a
system and activated by a specific web link.
Antivirus code and other programs can also be targeted by a series of tools developed
under the moniker WreckingCrew. The vast majority of these were under development,
but two were finished and could be used to shut down security software and to "troll
people."
Signal/WhatsApp: In some good news for privacy advocates, it appears that the CIA has
had no luck in cracking the popular encrypted chat protocol created by Whisper
Systems, which is used in Signal and WhatsApp.
CD/DVD attacks: There are still plenty of people in the world using CDs and DVDs, so
the CIA has developed code called HammerDrill to exploit the storage medium.
Version two of the software allows an infected computer to log what CDs and DVDs are
being read by the user, for how long, and the data they contain. The CIA also added a
function in the second build that allows it to install a hidden Trojan in new discs being
burned, if the target is using the popular Nero burning software.
The developer notes state that a 279-byte shellcode can be burned onto the storage
medium that will run on 32-bit Windows systems. The documents note that Kaspersky
antivirus (a top choice in Russia and elsewhere) can be bypassed in this way.
Smart TVs: The CIA and the British spies at MI5 have developed an attack known as
Weeping Angel. This can put smart TVs (Samsung's is mentioned) into a "Fake-Off
mode," which makes the device look like it's powered down with its LEDs off. However,
it's still on and can now be used as a bugging device. The Wi-Fi keys the TV uses are
also slurpable.
The exploit was developed, and the documents show areas of interest that CIA hackers
wanted to research, notably leaving Wi-Fi on and enabling video capture, getting into
caches of stored audio recordings, and setting up a man-in-the-middle attack against the
television's browser.
The TV is compromised via a USB stick inserted into the device, but the documents
show that if the user has updated their operating system to firmware version 1118 and
above then the hack won't work. The documents also note that only 700MB of 1.6GB of
onboard storage is available for spying uses.
IoT devices: It's clear the CIA is looking actively at subverting Internet of Things devices
with its Embedded Development Branch.
The documents here are somewhat scant, but from meeting notes in 2014 it's clear that
the analysts are looking at self-driving cars, customized consumer hardware,
Linux-based embedded systems, and whatever else they can get their hands on.
Those Amazon Echo or Google Home devices are looking less and less attractive every
day.
Other interesting snippets are that some of the documents contain the licence keys of software
the CIA uses. These include keys for OmniGraffle graphic design software and the Sublime text
editor, but in the latter case the 10-user licence key was listed as belonging to Affinity Computer
Technology, a small computer repair shop in Sterling, Virginia.
We spoke to Affinity's manager, Bill Collins, who checked out the page and pronounced himself
baffled. They're a small computer repair shop, he said, with no links to the CIA.
There are also some amusing touches. One analyst has included his favorite ASCII characters
for conversing online with Japanese people, along with games he likes to play and some music
suggestions. He or she also appears to be a Monty Python fan.
There is no way to read the entire archive in a day. If you are a developer or a technology
vendor, it's worth going through the archive. We suspect a lot of companies have been doing
little else all day.
7. What the CIA WikiLeaks dump tells us: Encryption works
If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that
data-scrambling encryption works, and the industry should use more of it.
Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents
must go to great lengths to circumvent encryption they can't break. In many cases, physical
presence is required to carry off these targeted attacks.
"We are in a world where if the U.S. government wants to get your data, they can't hope to
break the encryption," said Nicholas Weaver, who teaches networking and security at the
University of California, Berkeley. "They have to resort to targeted attacks, and that is costly,
risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do
stuff like this should reassure civil libertarians that the situation is better now than it was four
years ago."
MORE ENCRYPTION
Four years ago is when former NSA contractor Edward Snowden revealed details of huge and
secret U.S. eavesdropping programs. To help thwart spies and snoops, the tech industry began
to protectively encrypt email and messaging apps, a process that turns their contents into
indecipherable gibberish without the coded "keys" that can unscramble them.
The NSA revelations shattered earlier assumptions that internet data was nearly impossible to
intercept for meaningful surveillance, said Joseph Lorenzo Hall, chief technologist at the
Washington-based civil-liberties group Center for Democracy & Technology. That was because
any given internet message gets split into a multitude of tiny "packets," each of which traces its
own unpredictable route across the network to its destination.
The realization that spy agencies had figured out that problem spurred efforts to better shield
data as it transits the internet. A few services such as Facebook's WhatsApp followed the earlier
example of Apple's iMessage and took the extra step of encrypting data in ways even the
companies couldn't unscramble, a method called end-to-end encryption.
CHALLENGES FOR AUTHORITIES
In the past, spy agencies like the CIA could have hacked servers at WhatsApp or similar
services to see what people were saying. End-to-end encryption, though, makes that
prohibitively difficult. So the CIA has to resort to tapping individual phones and intercepting data
before it is encrypted or after it's decoded.
It's much like the old days when "they would have broken into a house to plant a microphone,"
said Steven Bellovin, a Columbia University professor who has long studied cybersecurity
issues.
Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online
privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a
driftnet."
Encryption has grown so strong that even the FBI had to seek Apple's help last year in cracking
the locked iPhone used by one of the San Bernardino attackers. Apple resisted what it
considered an intrusive request, and the FBI ultimately broke into the phone by turning to an
unidentified party for a hacking tool, presumably one similar to those the CIA allegedly had at
its disposal.
On Wednesday, FBI Director James Comey acknowledged the challenges posed by encryption.
He said there should be a balance between privacy and the FBI's ability to lawfully access
information. He also said the FBI needs to recruit talented computer personnel who might
otherwise go to work for Apple or Google.
Government officials have long wanted to force tech companies to build "back doors" into
encrypted devices, so that the companies can help law enforcement descramble messages with
a warrant. But security experts warn that doing so would undermine security and privacy for
everyone. As Apple CEO Tim Cook pointed out last year, a back door for good guys can also
be a back door for bad guys. So far, efforts to pass such a mandate have stalled.
STILL A PATCHWORK
At the moment, though, end-to-end encrypted services such as iMessage and WhatsApp are
still the exception. While encryption is far more widely used than it was in 2013, many
messaging companies encode user data in ways that let them read or scan it. Authorities can
force these companies to divulge message contents with warrants or other legal orders. With
end-to-end encryption, the companies wouldn't even have the keys to do so.
Further expanding the use of end-to-end encryption presents some challenges. That's partly
because encryption will make it more difficult to perform popular tasks such as searching years
of emails for mentions of a specific keyword. Google announced in mid-2014 that it was working
on end-to-end encryption for email, but the tools have yet to materialize beyond research
environments.
Instead, Google's Gmail encrypts messages in transit. But even that isn't possible unless it's
adopted by the recipient's mail system as well.
And encryption isn't a panacea, as the WikiLeaks disclosures suggest.
According to the purported CIA documents, spies have found ways to exploit holes in phone
and computer software to grab messages when they haven't been encrypted yet. Although
Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the
CIA documents, it's not known how many holes remain open.
"There are different levels where attacks take place," said Daniel Castro, vice president with the
Information Technology and Innovation Foundation. "We may have secured one level (with
encryption), but there are other weaknesses out there we should be focused on as well."
Cohn said people should still use encryption, even with these bypass techniques.
"It's better than nothing," she said. "The answer to the fact that your front door might be cracked
open isn't to open all your windows and walk around naked, too."
___
Liedtke reported from San Francisco.
8. MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking
Analysis: To protect mobile devices from being tracked as they move through Wi-Fi-rich
environments, there's a technique known as MAC address randomization. This replaces the
number that uniquely identifies a device's wireless hardware with randomly generated values.
In theory, this prevents scumbags from tracking devices from network to network, and by
extension the individuals using them, because the devices in question call out to these nearby
networks using different hardware identifiers.
It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC
addresses, so that shoppers are recognized by their handheld when they next walk in, or walk
into an affiliate shop with the same creepy system present. This could be used to alert assistants,
or to follow people from department to department, store to store, and then sell that data to
marketers and ad companies.
Public wireless hotspots can do the same. Transport for London in the UK, for instance, used
these techniques to study Tube passengers.
Regularly changing a device's MAC address is supposed to defeat this tracking.
But it turns out to be completely worthless, due to a combination of implementation flaws and
vulnerabilities, together with the fact that MAC address randomization is not enabled on the majority
of Android phones.
In a paper published on Wednesday, US Naval Academy researchers report that they were able
to "track 100 per cent of devices using randomization, regardless of manufacturer, by exploiting
a previously unknown flaw in the way existing wireless chipsets handle low-level control
frames."
Beyond this one vulnerability, an active RTS (Request to Send) attack, the researchers also
identify several alternative deanonymization techniques that work against certain types of
devices.
Cellular radio hardware has its own set of security and privacy issues; these are not considered
in the Naval Academy study, which focuses on Android and iOS devices.
Each 802.11 network interface in a mobile phone has a 48-bit MAC address layer-2 hardware
identifier, one that's supposed to be persistent and globally unique.
Hardware makers can register with the Institute of Electrical and Electronics Engineers (IEEE) to
buy a block of MAC addresses for their networking products: the manufacturer is assigned a
three-byte Organizationally Unique Identifier, or OUI, which is combined with an additional
three-byte identifier that can be set to any value. Put those six bytes together, and you've got a
48-bit MAC address that should be globally unique for each device.
The IEEE's registration system makes it easy to identify the maker of a particular piece of
network hardware. The IEEE also provides the ability to purchase a private OUI that's not
associated with a company name, but according to the researchers "this additional privacy
feature is not currently used by any major manufacturers that we are aware of."
Alternatively, the IEEE offers a Company Identifier, or CID, which is another three-byte prefix
that can be combined with three additional bytes to form 48-bit MAC addresses. CID addresses
can be used in situations where global uniqueness is not required. These CID numbers tend to
be used for MAC address randomization and are usually transmitted when a device
unassociated with a specific access point broadcasts 802.11 probe requests, the paper
explains.
The researchers focused on devices unassociated with a network access point, as might
happen when walking down the street through various Wi-Fi networks, rather than those
associated and authenticated with a specific access point, where the privacy concerns differ and
unique global MAC addresses come into play.
Unmasking
Previous security research has shown that flaws in the Wi-Fi Protected Setup (WPS) protocol
can be used to reverse engineer a device's globally unique MAC address through a technique
called Universally Unique IDentifier-Enrollee (UUID-E) reversal. The US Naval Academy study
builds upon that work by focusing on randomized MAC address implementations.
The researchers found that "the overwhelming majority of Android devices are not implementing
the available randomization capabilities built into the Android OS," which makes such Android
devices trivial to track. It's not clear why this is the case, but the researchers speculate that
802.11 chipset and firmware incompatibilities might be part of it.
Samsung v Apple
Surprisingly, Samsung devices, which accounted for 23 per cent of the researchers' Android
data set, show no evidence of implementing MAC address randomization.
Apple, meanwhile, introduced MAC address randomization in iOS 8, only to break it in iOS 10.
While the researchers were evaluating devices last year, Apple launched iOS 10 and changed
its network probe broadcasts to include a distinct Information Element (IE), data added to Wi-Fi
management frames to extend the Wi-Fi protocol.
"Inexplicably the addition of an Apple vendor-specific IE was added to all transmitted probe
requests," the paper explains. "This made identification of iOS 10 Apple devices trivial
regardless of the use of MAC address randomization."
This shortcoming aside, Apple handles randomization correctly, in the sense that it properly
randomizes the full 48 bits available for MAC addresses (with the exception of the
Universal/Local bit, which is set to distinguish between global MAC addresses and the local ones used
for randomization, and the Unicast/Multicast bit).
The researchers find this interesting because the IEEE charges a fee for using the first three
bytes of that space for CID prefixes, "meaning that Apple is freely making use of address space
that other companies have paid for."
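To make the address layout the paper relies on concrete, here is a small Python example added for this digest; it is not code from the Naval Academy paper or from The Register. The bit positions follow the IEEE 802 definition: bit 0 of the first octet is the Individual/Group (unicast/multicast) flag and bit 1 is the Universal/Local flag. The function names, the randomization routine modelled on the iOS behaviour described above, and the sample probe-request source addresses are all this example's own constructions. The report function goes a little beyond the text by tallying a whole list of addresses, which is how a defender would measure how many devices on a site are actually exposing a persistent hardware identifier.

```python
"""Classify 802.11 MAC addresses using the two flag bits in the first octet.

IEEE 802 defines, in octet 0 of a 48-bit MAC address:
  bit 0 (mask 0x01): Individual/Group  - 0 = unicast, 1 = multicast
  bit 1 (mask 0x02): Universal/Local   - 0 = globally unique (IEEE OUI/CID prefix),
                                         1 = locally administered (randomized addresses)
Function and sample names below are this example's own, not the paper's.
"""
import re
import secrets
from collections import Counter

_OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; raise ValueError otherwise."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(_OCTET.match(p) for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def classify_mac(mac: str) -> dict:
    """Return the three-byte prefix and the two flag bits of a MAC address."""
    b = parse_mac(mac)
    return {
        # The prefix is a registered OUI or CID only when the U/L bit is 0.
        "prefix": "%02X:%02X:%02X" % (b[0], b[1], b[2]),
        "multicast": bool(b[0] & 0x01),
        "locally_administered": bool(b[0] & 0x02),
    }


def random_local_mac(rng=secrets.token_bytes) -> str:
    """Build a randomized address the way the article says iOS does: all 48 bits
    random, then U/L forced to 1 (local) and I/G forced to 0 (unicast)."""
    raw = bytearray(rng(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join("%02x" % x for x in raw)


def randomization_report(sources) -> dict:
    """Tally probe-request source addresses as globally unique (a persistent,
    trackable hardware identifier), locally administered (consistent with
    randomization), multicast (never valid as a source) or malformed."""
    tally = Counter()
    for mac in sources:
        try:
            c = classify_mac(mac)
        except ValueError:
            tally["malformed"] += 1
            continue
        if c["multicast"]:
            tally["multicast"] += 1
        elif c["locally_administered"]:
            tally["local_unicast"] += 1
        else:
            tally["global_unicast"] += 1
    return dict(tally)


# Constructed sample of probe-request source addresses (not captured data).
SAMPLE_PROBE_SOURCES = [
    "00:1a:2b:3c:4d:5e",  # U/L bit 0: a persistent, globally unique address
    "00:1a:2b:00:00:01",  # same prefix, another device
    "da:a1:19:00:11:22",  # 0xDA has U/L set and I/G clear: randomized-looking
    "7e:00:c4:5d:ab:cd",  # 0x7E is likewise a locally administered unicast address
    "not-a-mac",          # log corruption: counted separately, never crashes the report
]

if __name__ == "__main__":
    print(classify_mac("00:1a:2b:3c:4d:5e"))
    print(random_local_mac())
    print(randomization_report(SAMPLE_PROBE_SOURCES))
```

A locally administered address is only evidence that a device is randomizing, not proof that it cannot be tracked: the paper's point is that probe-request contents such as the Apple vendor-specific IE, and the RTS control-frame flaw, identify devices regardless of which address they use.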
In a phone interview with The Register, Travis Mayberry, assistant professor at the US Naval
Academy and one of the paper's co-authors, expressed surprise that something like 70 per cent
of Android phones tested did not implement MAC address randomization.
"It's strange that Android was so vulnerable," he said. "It's just really bad at doing what it was
supposed to do."
When launched, the PAC-3 missile flies to an intercept point specified prior to launch by its
ground-based fire solution computer. Target trajectory data can be updated during flyout by
means of a radio frequency uplink/downlink. Shortly before arrival at the intercept point, the
missile's on-board Ka-band seeker acquires the target, selects the optimal aim point and
initiates terminal guidance. The attitude control motors, located in the missile forebody, fire
explosively to refine the PAC-3 missile's course to assure direct body-to-body impact.
While there's something laughably absurd about a retail quadcopter taking on a surface-to-air
missile designed for full-scale war, the threat of weaponized drones is no joke. In recent
months, Islamic State fighters have used consumer-grade drones loaded with explosives to
attack Iraqi security forces and Western troops in Iraq.
One of the first strikes came in October, when a drone carrying munitions detonated at a
Kurdish and French position in northern Iraq, killing two soldiers and injuring two others. Dozens
of similar attacks have been carried out since the beginning of the year when the Islamic State
announced a new Unmanned Aircraft of the Mujahideen unit, as The Washington Post's Joby
Warrick has reported.
Still, the incident related by Perkins seemed to invite a degree of mockery.
"It is clearly enormous overkill," Justin Bronk, a researcher at the British defense think tank
Royal United Services Institute, told the BBC. "But," he added, "it certainly exposes in very stark
terms the challenge which militaries face in attempting to deal with the adaptation of cheap and
readily available civilian technology with extremely expensive, high-end hardware designed for
state-on-state warfare."
Andrew Liptak of the Verge explained the drone-versus-Patriot problem by way of analogy.
"While a fly buzzing around is a nuisance," he wrote, "a fly swatter is a better solution than a
shotgun."