The Dr. Who Conundrum
Dr. Who, the eponymous hero of the BBC’s long-running cult-favorite television series, put high technology to good use but was never naïve about its limitations. In one episode, for example, he used a hairpin to quickly open a high-tech lock placed in his path by the bad guys. “The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious,” Dr. Who commented.
Security managers should take a clue from Dr. Who and recognize that the latest technology is not an automatic panacea. The following is a look at some general issues to be aware of before purchasing high-tech devices as well as a discussion of some specific technologies and their vulnerabilities that have been discovered through research conducted by the Vulnerability Assessment Team at Los Alamos National Laboratory.
Most high-tech devices are vulnerable to simple attacks for several reasons. First, they must be physically coupled to less sophisticated devices, which can often be the source of exploitable vulnerabilities. Second, their design often fails to address the critical vulnerability issues in any given security application. Third, their sophisticated features can prove to be a distraction to the staff trying to operate them.
Vulnerabilities also arise because of specific issues related to users, manufacturers, vendors, and what might be called mission creep. Let's look at each of these vulnerability vectors.
User problems. All security measures, whether high- or low-tech, depend on the loyalty and effectiveness of the users. Malicious insiders or adversaries can usually bypass any measures once they know how they work.
Given that insider—and outsider—risk exists without the technology, one might expect that technology makes an adversary’s job more difficult. But high-tech devices allow users an increased standoff distance from the assets being protected, often resulting in a decrease in personal attention to detail by security personnel. This simplifies an adversary’s task.
Another problem is that users often don’t understand the technological devices or systems they are using. This is not conducive to good security. Moreover, the extensive training needed for security personnel to use these devices properly is often not provided. Even when staff time is devoted to training, the documentation and training programs that are offered by manufacturers and vendors may not be sufficient.
For example, of the companies we’ve seen that make or sell tamper-indicating seals (20 are listed in the 2005 edition of the ASIS Security Buyers Guide alone), only two offer any educational material for purchasers about how to best use the seals, and what types of potential attacks to look for. Other companies “guarantee” that their seals are “tamperproof,” thus undercutting any potential training information they may offer. Similarly, none of the manufacturers or vendors of radiofrequency identification (RFID) tags and contact memory buttons that we’ve seen tell users how to properly use the devices or what kinds of problems or attacks to look for.
Vendor problems. The design and engineering staffs of developers and manufacturers of high-tech security devices may be experts in electronics, software, or encryption, but they typically lack practical, holistic experience with real-world security. Thus, they may not focus enough or at all on how operators will interact with the equipment, how other users will react to it, and how adversaries will be able to defeat it.
RFID tags and contact memory buttons, for example, are often manufactured not by security firms but by semiconductor companies who seem to have little interest or experience in security. The problem seems to be getting worse as companies become increasingly specialized. The ease with which we’ve been able to find simple ways of compromising high-tech devices at the lab demonstrates that many companies are not taking the time to consider and counter even the most basic threats.
Vendors, manufacturers, and even users are also prone to what is known as the “Titanic Effect.” This is overconfidence in, and arrogance about, advanced technology.
Vendors contribute to this problem by avoiding any discussion of product vulnerabilities and countermeasures for fear of harming sales. They exacerbate the problem by describing product capabilities in ways that make comparisons by end users difficult.
Another problem is the lack of common standards regarding performance, vulnerabilities, and device testing. Developing such standards would be a significant challenge given the unique mix of technical and psychological issues involved, especially considering that a fundamental theoretical basis and sufficient research and development for such standards are lacking.
Mission creep. Some products are made with one use, or mission, in mind, but then they are sold as being a solution for another. That can cause problems. Many of the technologies discussed below are problematic for security applications because they are fundamentally inventory, not security, technologies.
Inventory involves locating and counting our “stuff,” and inventory applications will typically detect innocent errors by insiders. However, they are not designed to counter nefarious intent. That is the job of security devices that are specifically designed (or at least should be) from the start to prevent or mitigate the actions of the bad guys.
Let's look at how these vulnerability vectors come into play for some of the specific technologies being widely adopted today. These include RFID, memory buttons, tags, seals, and Global Positioning System-based products.
RFIDs. RFIDs, or radio-frequency identification devices, are transponders that transmit a unique serial number using radio waves. Some have batteries, but most are passive and rely instead on being energized by a high-energy radio signal from a reader. The stored energy from this radio burst is quickly used by the RFID to transmit its identification or serial number over a short distance where it is picked up by a reader.
RFIDs are excellent for inventory purposes. They can help to quickly identify and track products moving through the supply chain in a noncontact manner. Unfortunately, however, RFIDs have been highly touted as security devices that can deter product counterfeiting and detect product tampering. The fact is, they are a silver bullet for neither.
One reason is that RFIDs themselves are relatively easy and cheap to counterfeit (for more on counterfeiting, see box). When we first studied RFIDs at Los Alamos, we were able to counterfeit any design we investigated within two days on average. This was done without the need to involve a single electrical engineer or expert in RFIDs.
What’s more, our counterfeits cost only a few dollars. This means that a clever home-electronics hobbyist could easily and cheaply counterfeit low-end RFIDs, which are the only ones that most security applications can afford. Serious counterfeiters and cargo thieves will not be deterred by these devices.
Readers. It is also fairly easy to defeat an RFID system without counterfeiting the RFID tags themselves. This can be done by tampering with or replacing the reader.
You might be surprised how easy it is to replace a reader. If it is a portable, hand-held device, it typically requires less than three seconds for someone to “palm” the real reader and swap it out for an adversary’s version. This is why it is imperative to maintain a secure, continuous chain of custody for the reader, even when it is not in use.
The adversary may have the fake or modified reader automatically accept all RFIDs as valid or perhaps just special ones that he or she has chosen. An adversary may also attempt to control the reader from a distance using inexpensive radio-frequency electronics, which are now readily available.
To combat these types of attack, organizations must occasionally verify that an invalid RFID number will actually be rejected. These checks should be performed at unpredictable times.
Another type of attack, tampering with a reader’s data, involves changing the RFID number stored in the reader’s database to one of the criminal’s choice. The criminal can then remove the original RFID and substitute a different RFID that the altered database will accept.
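The reader checks and the database tampering just described can be exercised in software. The following is an added example written for this article’s point, not code from the authors or from any RFID vendor: it models an honest reader beside two altered ones, audits each with an unpredictable mix of authorised and invalid IDs, and keeps an auditor-held HMAC over the ID table so that an edited database is noticed. All tag IDs and the key are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample data (not from the article): the authorised-ID table a
# reader would hold in its database.
AUTHORISED_IDS = {"E200-3412-0001", "E200-3412-0002", "E200-3412-0003"}


def honest_reader(tag_id: str) -> bool:
    """The expected reader: accepts exactly the IDs in its table."""
    return tag_id in AUTHORISED_IDS


def accept_all_reader(tag_id: str) -> bool:
    """Models a swapped or modified reader that treats every tag as valid."""
    return True


def make_backdoored_reader(chosen: str) -> Callable[[str], bool]:
    """Models a reader altered to also accept one tag of the adversary's choosing."""
    def reader(tag_id: str) -> bool:
        return tag_id == chosen or tag_id in AUTHORISED_IDS
    return reader


def audit_reader(reader: Callable[[str], bool], valid_ids: Iterable[str],
                 probes: int = 4) -> Dict[str, object]:
    """Present the reader with equal numbers of authorised and known-invalid IDs
    in unpredictable order and record every decision that disagrees with the
    authoritative list. Accepting any invalid ID is a failure."""
    valid_ids = set(valid_ids)
    rng = secrets.SystemRandom()          # not seedable, so probes cannot be predicted
    plan: List[Tuple[str, bool]] = [(rng.choice(sorted(valid_ids)), True)
                                    for _ in range(probes)]
    while len(plan) < 2 * probes:
        candidate = "-".join(f"{rng.randrange(16 ** 4):04X}" for _ in range(4))
        if candidate not in valid_ids:    # random serial that is not authorised
            plan.append((candidate, False))
    rng.shuffle(plan)
    failures = [(tag, expected) for tag, expected in plan if reader(tag) != expected]
    return {"passed": not failures, "failures": failures}


def table_digest(ids: Iterable[str], key: bytes) -> str:
    """HMAC-SHA256 over the sorted ID table. The key stays with the auditor,
    never on the reader, so an edited table cannot simply be re-signed."""
    message = "\n".join(sorted(ids)).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def table_tampered(current_ids: Iterable[str], key: bytes, reference: str) -> bool:
    """True when the table on the reader no longer matches the audited copy."""
    return not hmac.compare_digest(table_digest(current_ids, key), reference)


if __name__ == "__main__":
    for name, rdr in [("honest", honest_reader), ("accept-all", accept_all_reader),
                      ("backdoored", make_backdoored_reader("DEAD-BEEF-0000-0001"))]:
        print(name, audit_reader(rdr, AUTHORISED_IDS))
    key = b"auditor-key-constructed-for-demo"
    reference = table_digest(AUTHORISED_IDS, key)
    edited = (AUTHORISED_IDS - {"E200-3412-0003"}) | {"DEAD-BEEF-0000-0001"}
    print("table tampered:", table_tampered(edited, key, reference))
```

The audit reliably catches the reader that accepts everything but passes the backdoored one, which only accepts the adversary’s single chosen tag; that limit is why the chain of custody for the reader itself still matters.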
Lifting. In addition to being easy to counterfeit, RFID tags are easy to remove (or lift) from one object, container, or seal and place on another without being detected. Nearly anyone moderately skilled with their hands can quickly saw, undercut, grind, etch away, or dissolve with reactive chemicals whatever mechanical, adhesive, or potting method is used to attach the RFID to the object or container of interest.
Reattaching the RFID is also usually simple. The ease with which lifting can be accomplished limits the usefulness of RFIDs for security applications.
RFID radio signals are also very easy to block or jam. This makes certain kinds of denial-of-service attacks on these devices trivial to execute.
Some high-end RFIDs attempt to improve security through the use of cryptography, challenge-response protocols, rotating passwords, and/or tamper detection technology. These devices are typically quite expensive, however, and require a battery.
Moreover, while they may somewhat complicate the job of an adversary, they are still not generally immune to relatively straightforward attacks. More to the point, we haven’t spent much time trying to defeat these devices because they are used infrequently, even by government agencies with critical-security missions, due to their high price.
Contact memory buttons. Contact memory buttons are a lot like RFIDs except that they have no radio frequency emanations. Instead, they communicate electrically through mechanical contact. Typically, these are passive devices that get their power from electrical contact with the reader. The button then sends an electronic signal with its unique serial number.
Contact memory buttons have proven easy to counterfeit. When we first analyzed them at Los Alamos, we had a working counterfeit within two hours. (The first hour was spent reading the manufacturer’s publicly available literature to see how they work.) Some of our counterfeits actually cost less than the original products and produce better quality signals. Typically, readers are also fairly easy to spoof.
When counterfeiting a contact memory button, the entire button may be counterfeited, or else another button can be purchased or stolen, then modified to look—at least on the outside—like the original, but with a counterfeit circuit placed inside.
Manufacturers often etch the serial number on the outer case of the contact memory button. This does not, as some manufacturers claim, increase security. It simply makes it possible for an adversary to tell from a distance what serial number to counterfeit without having to touch or electronically read the memory button. A 3-inch telescope can be used to view the serial number from 60 feet away, while it can be read from five feet away with the naked eye.
Like RFIDs, high-end (and thus expensive) memory buttons are available that use batteries, cryptography, challenge-response protocols, rotating passwords, and/or tamper detection to try to improve security. Unfortunately, none of these measures are particularly effective at stopping a determined adversary who has taken time to understand the devices.
Tags. A tag is a device or intrinsic feature used to uniquely identify an object or container; for example, an RFID or even the license plate on your car would be considered a tag. Inventory tags are strictly for inventory purposes and, as there is no nefarious adversary to worry about, neither lifting nor counterfeiting is a concern.
With security tags, on the other hand, both counterfeiting and lifting are great concerns, as has already been noted. Few, if any, high-tech (or even low-tech) security tags have been successful in solving the lifting problem. Lifting is usually relatively easy to achieve if the adversary has skilled hands—and sometimes, even if he does not.
For anticounterfeiting tags, which are tags affixed to products to show their authenticity, only counterfeiting is an issue. Lifting is not of concern because the product counterfeiter has no economic interest in buying the authentic product so that he can move the security tag to his fake product.
Unfortunately, current generation anticounterfeiting tags are not effective in the marketplace because criminals can make knockoffs that have the same appearance, even if they do not have the same capabilities. Store clerks cannot spot the fakes.
That’s because stores do not typically have on hand an inexpensive reader that can be operated by nontechnical personnel. These tags require an analysis by sophisticated laboratory methods. Thus, while they can certainly be used to reliably detect counterfeiting, the high cost and delay in getting results usually makes them impractical to use.
Most new tags are the result of an inventor or manufacturer trying to force-fit a technology onto tag applications. Few researchers appear to be trying to develop effective tags from basic principles.
Seals. Tamper-indicating seals are used to detect unauthorized access and tampering. There are many applications for seals, including cargo security, records integrity, law enforcement, courier bags, utility meters, nuclear safeguards, securing forensics evidence or election ballots, and protecting pharmaceuticals and consumer products.
Unlike locks, seals do not try to resist or delay unauthorized access; they simply create a record that access took place. Nobody is alerted about an intrusion. The trespassing is detected only after the fact, at the time the seal is inspected.
There is currently a great deal of interest in using high-tech electronic seals for cargo security and counterterrorism. These applications include seals that use RFIDs, contact memory buttons, and/or encryption. Many of the proponents of such high-tech seals seem, again, to be confusing inventory with security.
We have studied hundreds of seals in detail at Los Alamos, and found them all easy to defeat quickly using only low-tech, inexpensive methods available to almost anyone. These include seals that are used for nuclear applications, as well as seals used extensively for cargo security applications.
We find that high-tech seals are often easier to defeat than low-tech seals. For example, some can be picked open without leaving any evidence. This does not, however, necessarily have to be the case. If the high-tech seals were better designed or used in a more educated or sophisticated manner, they could provide better security.
(A note on terminology. To defeat a seal means to remove it and then replace it with a counterfeit or the original seal in a manner that avoids detection. Simply yanking a seal off a container is not defeating it, because the fact that the seal is missing or damaged will be noted at the time of inspection.)
At Los Alamos, we’ve categorized all the methods for defeating seals into 105 general categories. There are many possible variations within each category. As with RFIDs and memory buttons, both lifting and reader attacks are usually viable for seals.
It is clear that much better seal designs (both low-tech and high-tech) are necessary and possible. As far as the authors can determine, however, very little research is underway towards this goal.
While there are efforts being made toward “smart containers” by the Department of Homeland Security (DHS), in our opinion these seem to focus on conventional approaches and existing commercial products that don’t appear to be up to the challenge, though certainly any work on cargo security is better than none.
(In the interest of full disclosure, we should note that our laboratory has come up with different strategies and prototypes for smart-container technology that are simpler and more secure, in our view; thus, we may not be the most objective commentators on DHS smart-container efforts.)
In the meantime, the performance of tamper-indicating seals can be dramatically improved if seal users understand the vulnerabilities and look for the most likely attack scenarios for the specific seals they are using. This requires, first and foremost, recognition that seals can be defeated, followed by hands-on training with the products.
GPS. The Global Positioning System (GPS) is being used for a variety of applications, and security is increasingly among them.
GPS receivers tune into the radio signals from 27 satellites orbiting the earth. Those signals help the GPS receiver determine the current time, and where the receiver is located on the earth’s surface, typically to within about 15 yards.
Security uses include cargo tracking, truck-hijack detection, public-safety services such as police, fire, rescue, and ambulance, and time-synchronization signals for financial transactions and critical utility, computer, and telecommunications networks. The problem with using GPS for security applications is that it was never intended for such uses. Like RFIDs, it is fundamentally a technology designed for inventory uses.
Private industry, foreign nationals, and 90 percent or so of the U.S. federal government must use the civilian GPS signals. Unlike military GPS signals, civilian signals are unencrypted and unauthenticated. This makes it easy to spoof them using widely available, user-friendly GPS satellite simulators.
These simulators can be purchased, rented, or stolen; they are not export controlled. They can easily be operated by people with little understanding of GPS, electronics, or computers.
Manufacturers and vendors of GPS cargo-tracking systems like to emphasize the security of the encryption scheme used by the truck to periodically report its location back to headquarters. The most secure encryption in the world, however, won’t solve the problem that the GPS signals may be fake, and thus the truck will be reporting the wrong coordinates to headquarters.
Hijacking. There are several possible scenarios for hijacking a truck that uses GPS cargo tracking. If the driver is part of the conspiracy—which statistics tell us happens in the majority of cases—he or she can simply hard-wire a GPS satellite simulator to the antenna of the truck’s GPS receiver. (There is no need to send the fake signals through the air.) Headquarters is tricked into thinking the truck is somewhere it is not during the hijacking and cargo unloading, thus defeating the purpose of the system.
If the driver is not part of the conspiracy and the hijackers are worried about him getting off a panic call for help, they can feed his GPS cargo-tracking system fake signals remotely using radio-frequency signals. We have demonstrated how easy this is to do from a “chase” vehicle. These signals will make the truck wrongly report back to headquarters that it is 10 or 20 miles farther along, or farther behind, the planned route than it truly is.
When the hijackers then attack the driver, any panic alarm he gets off will cause the authorities to descend on the wrong location. The truck hijackers can drive the truck off without fear of being apprehended.
Wrong time. There are other GPS spoofing concerns beyond cargo hijacking. The possibility of using spoofing to crash nationwide networks that rely on GPS for time synchronization is very real. Unfortunately, the backup time standard—if there is one—is often the radio signal from the atomic clocks at the National Institute of Standards and Technology (NIST). These signals are also not encrypted or authenticated, and can also be counterfeited.
There are relatively inexpensive countermeasures that can detect the use of a GPS satellite simulator. Such countermeasures, however, are not currently in use, in part because the ease with which spoofing can be accomplished doesn’t seem to be widely understood; one problem is that it may not be evident that spoofing was used in an incident, so victims may never know when it has happened to them and may, therefore, never recognize the risk.
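The encryption point above (a securely reported position is only as good as the GPS fix behind it) and the hijack scenario suggest a check that headquarters can run on the reports it receives. The following is an added example, not the authors’ code and not one of the signal-level countermeasures they refer to: it assumes the tracking unit reports its own local clock alongside each fix, and flags reports whose implied speed or GPS-time drift is physically implausible. All fixes and thresholds are constructed.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_MI = 3958.8


@dataclass
class Fix:
    local_t: float   # seconds on the tracking unit's own clock, independent of GPS
    gps_t: float     # time as decoded from the GPS signal, seconds
    lat: float       # degrees
    lon: float       # degrees


def haversine_mi(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in miles between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_MI * asin(sqrt(a))


def check_track(fixes: List[Fix], max_speed_mph: float = 90.0,
                max_time_skew_s: float = 2.0) -> List[Tuple[float, str]]:
    """Return (local_t, reason) alerts for fixes a real truck could not have
    produced: a position jump implying an impossible speed, or GPS time that
    advances by a different amount than the unit's own clock."""
    alerts: List[Tuple[float, str]] = []
    for prev, cur in zip(fixes, fixes[1:]):
        dt = cur.local_t - prev.local_t
        if dt <= 0:
            alerts.append((cur.local_t, "local clock did not advance"))
            continue
        speed = haversine_mi(prev.lat, prev.lon, cur.lat, cur.lon) / (dt / 3600.0)
        if speed > max_speed_mph:
            alerts.append((cur.local_t, f"implausible speed {speed:.0f} mph"))
        skew = (cur.gps_t - prev.gps_t) - dt
        if abs(skew) > max_time_skew_s:
            alerts.append((cur.local_t, f"GPS time drifted {skew:+.1f} s against local clock"))
    return alerts


# Constructed sample track (not real data): three fixes at 60 s spacing moving
# north at about 60 mph, then a fix that jumps roughly 16 miles ahead while the
# GPS-derived clock leaps two minutes, as a crude simulator feed could produce.
SAMPLE_TRACK = [
    Fix(0.0, 1_700_000_000.0, 35.00000, -106.0),
    Fix(60.0, 1_700_000_060.0, 35.01449, -106.0),
    Fix(120.0, 1_700_000_120.0, 35.02898, -106.0),
    Fix(180.0, 1_700_000_300.0, 35.26000, -106.0),
]

if __name__ == "__main__":
    for when, reason in check_track(SAMPLE_TRACK):
        print(f"t={when:.0f}s: {reason}")
```

A simulator hard-wired to the antenna by a cooperating driver can feed a smooth, plausible track, so this check only catches crude feeds; it complements rather than replaces detection at the signal level.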
Jamming. It is also easy to block or jam civilian GPS signals. The satellite signals from space can be blocked by breaking the antenna on the GPS receiver or simply by covering it with aluminum foil or other metal. Jamming involves making a noisy radio-frequency circuit that broadcasts on the GPS frequency. Complete plans for doing so are easy to find on the Internet.
A jammer capable of blocking civilian GPS satellite signals over hundreds of square miles costs less than $50. Jamming, however, is not surreptitious, so it is a less sophisticated method of attack. Unlike a spoofing attack, both the user and the GPS receiver understand that satellite signals from space are not being received.
Moving ahead. The point is not to discourage the use of high-technology products, which can offer important security improvements while saving time, money, personnel, and resources. However, high-tech devices have to be used with an eye toward their limitations and vulnerabilities.
We must not engage in wishful thinking, or automatically believe every unsubstantiated claim for high technology. As noted cryptologist Bruce Schneier wrote in the preface to his book Secrets and Lies: Digital Security in a Networked World: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Roger G. Johnston, M.S., Ph.D., CPP, is the head of the Vulnerability Assessment Team at Los Alamos National Laboratory (LANL). He serves as a security consultant and was recently awarded the LANL Fellows Prize for Outstanding Research. He is a member of ASIS International.
Jon S. Warner, M.S., Ph.D., is a staff member in the Advanced Diagnostics and Instrumentation Group at Los Alamos National Laboratory.
The views expressed in this article are solely those of the authors.