Digital pick-pocketing risk highlighted at Kiwicon
- 09 December, 2012 22:00
An emphasis on vulnerabilities in mobile devices featured in this year’s Kiwicon hackers’ conference, says Kyle Gibson, director of Wellington security consultancy Confide; “there was a lot of discussion of email hacks on iPhone and Android,” he says.
A presentation on genetic engineering – described as DNA hacking - also featured.
However, one of the topics that most disquiets Gibson is the attention paid to near field communications.
“As a security guy I have to say it’s not a technology I like,” he says. “I don’t think it’s a good idea.”
The idea of just “bumping” phones together or passing them over a point-of-sale scanner to transfer funds without even the protection of a PIN is worrying, he says.
Programmable NFC stickers, such as the Samsung TecTiles are now available cheaply. They are designed to perform simple tasks on a mobile phone such as changing settings automatically from home to car use by putting the sticker under the phone bracket on the dashboard.
However, Kiwicon speakers showed how easy it would be to put an unobtrusive sticker on a bar, programmed to execute a malicious piece of code in any phone placed over it.
There is a rolling three-digit code on NFC-equipped phones, which has to be matched by the phone and this provides a little protection, Gibson says, but once a transaction is executed on the phone without the owner’s knowledge, the code changes.
So not only have you lost money; your phone is also locked out of the payment system. “That could ruin your evening,” he says.
It is too easy to communicate with someone else’s NFC-equipped phone just by bumping your phone against it in a crowded venue, Gibson says.
This is the digital equivalent of picking your pocket – either of money or, in the right kind of venue, confidential information. Some upmarket restaurants would be fertile ground for NFC-assisted industrial espionage, he says.
An increasing number of digital attacks in general are aimed at small and medium businesses, now that large corporations are better protected, Gibson says. But recent leaks of data from ACC and Ministry of Social Development show even large government-agency systems can have significant holes.
Well-tried exploits such as SQL injection and cross-site-scripting still catch out enough individuals and organisations to feature in the “top ten exploits” monitored by the Open Web Application Security Project (OWASP).
This year’s was the sixth Kiwicon and the fourth Gibson has attended. In the early years, he says, reputable companies were unwilling to send representatives to a hacker conference, but it’s now recognised that they give valuable intelligence to vendors and users alike and many representatives of both those groups now attend, alongside the hacking experts.
“Microsoft was there this year, talking about their patching process,” Gibson observes.
Any exploits are notified to the providers or users companies in whose systems they are found before being exposed at the conference, Gibson says.
He has never heard an exploit discussed at Kiwicon which he’s subsequently found “in the wild”.