Daily Archives: September 13, 2016

Federal Judge: Hacking Someone’s Computer Is Definitely a ‘Search’

Courts across the country can’t seem to agree on whether the FBI’s recent hacking activities ran afoul of the law—and the confusion has led to some fairly alarming theories about law enforcement’s ability to remotely compromise computers.

In numerous cases spawned from the FBI takeover of a darkweb site that hosted child abuse images, courts have been split on the legality of an FBI campaign that used a single warrant to hack thousands of computers accessing the site from unknown locations, using malware called a Network Investigative Technique, or NIT. Some have gone even further, arguing that hacking a computer doesn’t constitute a “search,” and therefore doesn’t require a warrant at all.

But a federal judge in Texas ruled this week that actually, yes, sending malware to someone’s computer to secretly retrieve information from it—as the FBI did with the NIT—is a “search” under the Fourth Amendment.

“[T]he NIT placed code on Mr. Torres’ computer without his permission, causing it to transmit his IP address and other identifying data to the government,” Judge David Alan Ezra wrote Friday, in a ruling for one of the NIT cases, in San Antonio, Texas. “That Mr. Torres did not have a reasonable expectation of privacy in his IP address is of no import. This was unquestionably a ‘search’ for Fourth Amendment purposes.”

As obvious as that sounds, not everyone agrees. Previously, another judge in Virginia stunningly ruled that a warrant for hacking isn’t required at all, because a defendant infected with government malware “has no reasonable expectation of privacy in his computer.”

That judgment was a leap from several other rulings, in which judges claimed that users of the Tor anonymity network, where the illegal site was hidden, have no expectation of privacy in their IP address—even though hiding your IP is the entire point of using Tor. The argument—which the Department of Justice apparently agrees with—states this is because Tor users technically “reveal” their true IP address to another computer when they first enter the Tor network, through an entry point called a “guard node.” (That computer cannot determine what sites the user visits, however.)

But while the FBI’s use of malware was definitely a search, Judge Ezra of Texas nevertheless denied the defendant’s motion to suppress evidence obtained by the NIT.

That’s because it can’t be proven that the FBI “willfully” violated Rule 41(b), a procedural rule that’s meant to stop judges from authorizing searches outside of their districts. The FBI is now controversially seeking to expand that rule, which would grant them the power to hack computers anywhere—not just within the jurisdictions where the hacking was authorized.

Instead, Judge Ezra wrote that the NIT warrant “has brought to light the need for Congressional clarification regarding a magistrate’s authority to issue a warrant in the internet age, where the location of criminal activity is obscured through the use of sophisticated systems of servers designed to mask a user’s identity.”

How Hackers Can Disrupt ‘911’ Emergency System and Put Your Life at Risk


What would it take for hackers to significantly disrupt the US’ 911 emergency call system?

It only takes 6,000 smartphones.

Yes, you heard it right!

According to new research published last week, a malicious attacker can leverage a botnet of infected smartphone devices located throughout the country to knock the 911 service offline in an entire state, and possibly the whole United States, for days.

The attacker would only need 6,000 infected smartphones to launch automated Distributed Denial of Service (DDoS) attacks against 911 service in an entire state by placing simultaneous calls from the botnet devices to the emergency numbers.

And as few as 200,000 infected mobile phones could knock the 911 emergency call system offline across the entire US.

Where Does the Problem Lie?

Researchers from Ben-Gurion University of the Negev’s Cyber-Security Research Center say the problem lies in the fact that current US Federal Communications Commission (FCC) regulations demand that all calls to 911 be routed to emergency services immediately, regardless of the caller’s identifiers.

In other words, mobile carriers route all 911 emergency calls to a local Public Safety Answering Point (PSAP) without verifying the caller’s identity or whether the caller is a subscriber to the mobile network.

These identifiers could be a phone’s International Mobile Subscriber Identity (IMSI) and International Mobile Station Equipment Identity (IMEI) codes, which tell the carrier whether the caller is a subscriber to its service and the identity of the mobile equipment, respectively.

How can Attackers Carry Out such Attacks?

All an attacker needs is a mobile botnet to launch TDoS (Telephony Denial of Service) attacks. The attack can be carried out in two ways:

  • By infecting smartphones with malware, or
  • By buying the smartphones needed to launch the TDoS attack.

The researchers Mordechai Guri, Yisroel Mirsky, and Yuval Elovici note in a paper [PDF] that an attacker could exploit cellular network protocols by placing a rootkit or persistent, low-level malware within the baseband firmware of a mobile phone.

The rootkit can then mask and randomize all cellular identifiers, causing the cell phone to have no genuine identification within the cellular networks.

“Such anonymised phones [bots] can issue repeated [911] emergency calls that can not be blocked by the network or the emergency call centers, technically or legally,” the team notes in the paper.

Secondly, an attacker could simply buy 6,000 or 200,000 smartphones, which could cost $100,000 or $3.4 million – a small sum for state-sponsored attackers – to jam the 911 emergency system in an entire state or across the whole country, respectively.

This TDoS attack should not come as a surprise: during the 9/11 terror attack on the Twin Towers in New York City, thousands of legitimate callers collectively dialing 911 caused DDoS conditions on both the telephony network and the emergency reporting system.

Of course, the team did not perform this attack in an actual, nationwide system. It created a small simulated cellular network based on North Carolina’s 911 network and attacked it instead.

The team bot-infected Samsung Galaxy S3, S4 and S5 smartphones running Android 4.4 and 5.x to test their work.

How can we prevent such DDoS campaigns against our Emergency Services?

Such attacks are currently difficult to block, as PSAPs have no way to blacklist fake calls. Blocking at the network level is also not possible, beyond selectively turning off cellular service in bot-infested areas.

However, the researchers suggest some countermeasures that can mitigate such attacks, including:

  • Storing IMEIs and other unique identifiers in a phone’s trusted memory region (such as ARM’s TrustZone), where malware cannot alter them.
  • Implementing a mandatory “Call Firewall” on mobile devices to block DDoS activities like frequent 911 calls.
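To make the second countermeasure concrete, here is an added illustration (not the researchers’ code) of what an on-device “Call Firewall” could look like: a sliding-window limit on outgoing emergency calls that still lets a person redial 911 a few times but cuts off a bot dialing it every couple of seconds. The thresholds, the cooldown period and the sample call sequences are assumptions constructed for the example.

```python
from collections import deque

# Numbers the firewall treats as emergency numbers (constructed set; the
# article is about 911, 112 is added only to show the check generalizes).
EMERGENCY_NUMBERS = {"911", "112"}


class CallFirewall:
    """Hypothetical on-device limit on outgoing emergency calls.

    Allows at most `max_calls` emergency calls per `window_s` seconds; once a
    device exceeds that, further emergency dialing is refused for `cooldown_s`.
    Thresholds are illustrative assumptions, not values from the paper.
    """

    def __init__(self, max_calls=5, window_s=60.0, cooldown_s=300.0):
        self.max_calls = max_calls
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self._recent = deque()      # timestamps of allowed emergency calls
        self._blocked_until = 0.0   # end of the current cooldown, if any

    def check(self, number, now):
        """Return (allowed, reason) for a call attempt to `number` at time `now`."""
        if number not in EMERGENCY_NUMBERS:
            return True, "non-emergency number, not rate limited"
        if now < self._blocked_until:
            return False, "device in cooldown after excessive emergency dialing"
        # Forget allowed calls that have aged out of the sliding window.
        while self._recent and now - self._recent[0] > self.window_s:
            self._recent.popleft()
        if len(self._recent) >= self.max_calls:
            self._blocked_until = now + self.cooldown_s
            return False, "emergency call rate exceeded"
        self._recent.append(now)
        return True, "allowed"


def simulate(firewall, attempts):
    """Feed (time_s, number) attempts through `firewall`; return how many were allowed."""
    return sum(1 for t, number in attempts if firewall.check(number, t)[0])


# Constructed scenarios: a person redialing 911 three times within a minute,
# and a bot dialing 911 every two seconds for a minute (30 attempts).
HUMAN_REDIALS = [(0.0, "911"), (20.0, "911"), (45.0, "911")]
BOT_STORM = [(2.0 * i, "911") for i in range(30)]
```

Run against the two constructed sequences, the human’s three redials all go through, while the bot gets only its first five calls out before the device enters cooldown.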

Since these changes would require cooperation between the government, security professionals, cellular service providers, emergency services and others, such significant changes are hard to expect anytime soon.