12 February 2020
We are at a strange junction of history. We have unprecedented access to technology. The number and capability of single board computers, sensor chips, even things like FPGAs, that are available to the hobbyist is amazing.
At the same time we are seeing a massive erosion of consumers' normal right to access their own technology. Consumer devices are sealed shut with glues, special screws and warning stickers that threaten the user with dire consequences should they have the tenacity to break them. But the main method of sealing goods is to do it with software, with the aid of copyright protections.
The Digital Millennium Copyright Act in the US, and many similar laws, make it a crime to break a software lock that is protecting a copyrighted work, even if the reason is legal. So we have seen an explosion of software in devices, and as software is a copyrightable work, all a manufacturer needs to do is put a lock on that software and they have the law to stop anyone using the device they sold you in ways they don't like.
Apart from this being a horrible business practice, it is pushing our society further into a throwaway consumerist culture. In a time of climate change we should be conserving resources and minimising carbon footprints. Most of a device's carbon footprint comes from its manufacture, not its operation, so extending its useful life makes a large contribution.
There is substantial support for the "Right to Repair" across Europe and the US at the moment. There are a number of right to repair acts at state level in the US, some making progress, some not. In Europe we recently got repair legislation for some appliances, requiring manufacturers to supply parts for 10 years.
The battleground is now mobile phones, though other electronic devices are also in the mix. So go to repair.eu and sign the petition, or in the US go to repair.org and lobby your state senators about the Right to Repair.
12 February 2020
Using a text message (SMS) to deliver an authentication or security token to a user has been useful in the past. It is still used in many systems, but we need to phase this method out.
Messages are transmitted across the global SS7 network, and there is no encryption, authentication or integrity protection on the SS7 network. Access is limited (mainly to telecom operators, but wider access is developing). A few malicious actors have been detected on this network, and this threat is growing.
The more common attack method at the moment is to socially engineer the mobile operator into doing a SIM swap, and mobile operators have a poor security record in protecting customers against number takeover attacks.
Although it is the mobile operator that is attacked here, there is little incentive for them to protect customers against this, as their own business is not affected. This has been the main mechanism of SMS OTP compromise so far.
The responsibility falls to system designers not to rely on SMS to securely deliver these messages.
Email can be used to transport the OTP, or an encrypted messaging service such as WhatsApp, Signal or Telegram, as an alternative to SMS.
A time-based OTP (TOTP) is recommended; it should conform to the RFC 6238 standard. Google Authenticator is a widely assessed and recommended tool for this.
Attacks and exploitations reported
PCI DSS Standards
Use of SMS for Authentication
PCI DSS relies on industry standards—such as NIST, ISO, and ANSI—that cover all industries, not just the payments industry. While NIST currently permits the use of SMS, they have advised that out-of-band authentication using SMS or voice has been deprecated and may be removed from future releases of their publication.