Jefferson's Wheel

I’m organizing a workshop next week on the “Science of Security”, co-sponsored by the National Science Foundation, IARPA, and the National Security Agency.

The goal of the workshop is to gather a group of about 40 leading scientists and researchers in a diverse range of areas to identify scientific questions regarding computer security, and to stimulate new work toward defining and answering those questions.

For more information, see the workshop website: http://sos.cs.virginia.edu.

The full details of the Crypto-1 cipher (initially exposed back in December) have now been released.

They are published in Appendix A of Henryk Plötz’s thesis report: Mifare Classic – Eine Analyse der Implementierung. The thesis is in German, but the algorithm is published as a C program (by Karsten Nohl, Henryk Plötz and Sean O’Neil), so should be understandable to non-German code readers.

Also yesterday, the paper, Dismantling MIFARE Classic, by Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, and Bart Jacobs of Radboud University Nijmegen, The Netherlands, appeared at ESORICS 2008. This is the paper that was the subject of NXP’s failed lawsuit.

The publication of these details remove any remaining doubts about the insecurity of the Mifare Classic.

News articles:

D-Day for RFID-based transit card systems, c|net News, 6 October 2008.

“Combining these two pieces of information, attacks can now be implemented by anyone,” RFID researcher Karsten Nohl told CNET News. “All it takes is a $100 (card) reader and a little software.”
…
Security systems like the Mifare Classic that are not peer reviewed are not as trustworthy as systems that can be openly analyzed by researchers looking for flaws, Johanson and Nohl said.

“Developing your own proprietary security mechanisms and not getting public scrutiny on it does not work,” Nohl said.

Boffins (finally) publish hack for world’s most popular smartcard, The Register, 6 October 2008.

Two research papers published Monday have finally made it official: The world’s most widely deployed radio frequency identification (RFID) smartcard – used to control access to transportation systems, military installations, and other restricted areas – can be cracked in a matter of minutes using inexpensive tools.

The two documents combined mean that virtually anyone with the time and determination can carry out the attacks, said Karsten Nohl, a PhD candidate at the University of Virginia and one of the cryptographers who first warned of the weakness in December.

“Now the weakness that we and others have been talking about for months can be verified independently by really anybody,” he said. “The flip side is that everybody can now attack Mifare-based security systems.”

Over the past six months, many organizations that rely on the Mifare Classic have upgraded their systems, but Nohl said he is personally aware of a “handful” of systems used by government agencies or large multinational companies that have been unable to make the necessary changes because of the logistical challenges of issuing new badges to employees.

“One hopes that just based on the announcement, most operators of critical security systems have adopted other technologies besides Mifare,” Nohl said.

Update: (10 Oct) Another article from the CBC: Security flaw in smart cards poses risk for transit, building access, CBC News, 10 October, 2008.

The Call for Papers for the 30^th IEEE Symposium on Security and Privacy, May 17-20 2009 is now available: http://oakland09.cs.virginia.edu/cfp.html (PDF for printing: http://oakland09.cs.virginia.edu/cfp.pdf.

Submissions of research papers, workshop proposals, and tutorial proposals are due Monday, 10 November 2008. Please consider submitting a paper and attending the conference!

Kim Hart has written an article covering Adrienne Felt’s study of privacy issues with Facebook applications: A Flashy Facebook Page, at a Cost to Privacy: Add-Ons to Online Social Profiles Expose Personal Data to Strangers, The Washington Post, 12 June 2008.

Ben Ling, director of Facebook’s platform, said that developers are not allowed to share data with advertisers but that they can use it to tailor features to users. Facebook now removes applications that abuse user data by, for example, forcing members to invite all of their friends before they can use it.

“When we find out people have violated that policy, there is swift enforcement,” he said.

But it is often difficult to tell when developers are breaking the rules by, for example, storing members’ data for more than 24 hours, said Adrienne Felt, who recently studied Facebook security at the University of Virginia.

She examined 150 of the most popular Facebook applications to find out how much data could be gathered. Her research, which was presented at a privacy conference last month, found that about 90 percent of the applications have unnecessary access to private data.

“Once the information is on a third-party server, Facebook can’t do anything about it,” she said. Developers can use it to provide targeted ads based on a member’s gender, age or relationship status.

The article also appeared in MSNBC, the Kansas City Star, the Los Angeles Times (Facebook widgets pose privacy risks:Users often give away their personal data and that of friends without knowing when they install the popular social network programs), the Austin American-Statesman (Social networking applications could become a privacy headache), and the Washington Post’s Express edition (FreeRide Lunchtime Reading: Who’s Getting in Your Facebook?).

Electronic Design has an interview with me: Electronic Design Interviews U. of Virginia Computer Prof, Electronic Design, 21 May 2008. The interview focuses on the history of Splint, and the current state and future of program analysis tools.

Our upcoming USENIX Security Symposium paper is now available: Reverse-Engineering a Cryptographic RFID Tag by Karsten Nohl, David Evans, Starbug, and Henryk Plötz.

The paper describes the methods used to reverse engineering the encryption on the Mifare Classic RFID tag and some of the things we learned by doing it. Karsten Nohl will present the paper at the USENIX Security Symposium in San Jose on July 31.

Abstract

The security of embedded devices often relies on the secrecy of proprietary cryptographic algorithms. These algorithms and their weaknesses are frequently disclosed through reverse-engineering software, but it is commonly thought to be too expensive to reconstruct designs from a hardware implementation alone. This paper challenges that belief by presenting an approach to reverse-engineering a cipher from a silicon implementation. Using this mostly automated approach, we reveal a cipher from an RFID tag that is not known to have a software or micro-code implementation. We reconstruct the cipher from the widely used Mifare Classic RFID tag by using a combination of image analysis of circuits and protocol analysis. Our analysis reveals that the security of the tag is even below the level that its 48-bit key length suggests due to a number of design flaws. Weak random numbers and a weakness in the authentication protocol allow for pre-computed rainbow tables to be used to find any key in a matter of seconds. Our approach of deducing functionality from circuit images is mostly automated, hence it is also feasible for large chips. The assumption that algorithms can be kept secret should therefore to be avoided for any type of silicon chip.

Full paper (9 pages): [PDF] [HTML]

Nathanael Paul’s PhD dissertation has been approved! He will graduate this Sunday.

The dissertation is available here: Disk-Level Malware Detection [Abstract] [Full text: PDF, 155 pages].

Congratulations, Nate! (That is, “Dr. Paul”.) Nate is currently a post-doctoral fellow at Vrije Universiteit, Amsterdam working with Andrew Tanenbaum.

Our paper, Privacy Protection for Social Networking Platforms by Adrienne Felt and David Evans is now available [PDF]. Adrienne Felt will present the paper at the Web 2.0 Security and Privacy 2008 (in conjunction with 2008 IEEE Symposium on Security and Privacy) in Oakland, CA on May 22, 2008.

Abstract

Social networking platforms integrate third-party content into social networking sites and give third-party developers access to user data. These open interfaces enable popular site enhancements but pose serious privacy risks by exposing user data to third-party developers. We address the privacy risks associated with social networking APIs by presenting a privacy-by-proxy design for a privacy-preserving API. Our design is motivated by an analysis of the data needs and uses of Facebook applications. We studied 150 popular Facebook applications and found that nearly all applications could maintain their functionality using a limited interface that only provides access to an anonymized social graph and placeholders for user data. Since the platform host can control the third party applications’ output, privacy-by-proxy can be accomplished by using new tags and data transformations without major changes to either the platform architecture or applications.

Full paper (8 pages): [PDF]
Project Website

[Added 25 May]: Talk slides (by Adrienne Felt): [PDF]

Our paper, Hiding in Groups: On the Expressiveness of Privacy Distributions by Karsten Nohl and David Evans, is now available: PDF (15 pages). Karsten Nohl will present the paper at the 23^rd International Information Security Conference (SEC 2008, Co-located with IFIP World Computer Congress 2008) in Milan, Italy, 8-10 September 2008.

Abstract

Many applications inherently disclose information because perfect privacy protection is prohibitively expensive. RFID tags, for example, cannot be equipped with the cryptographic primitives needed to completely shield their information from unauthorized reads. All known privacy protocols that scale to the anticipated sizes of RFID systems achieve at most modest levels of protection. Previous analyses found the protocols to have weak privacy, but relied on simplifying attacker models and did not provide insights into how to improve privacy. We introduce a new general way to model privacy through probability distributions, that capture how much information is leaked by different users of a system. We use this metric to examine information leakage for an RFID tag from the a scalable privacy protocol and from a timing side channel that is observable through the tag’s random number generator. To increase the privacy of the protocol, we combine our results with a new model for rational attackers to derive the overall value of an attack. This attacker model is also based on distributions and integrates seamlessly into our framework for information leakage. Our analysis points to a new parameterization for the privacy protocol that significantly improves privacy by decreasing the expected attack value while maintaining reasonable scalability at acceptable cost.

Full paper (15 pages): [PDF]

Extended Technical Report (18 pages): [PDF]

The Associated Press has an article by Martha Irvine, Social networking applications can pose security risks, that is based on Adrienne Felt’s analysis of Facebook platform privacy.

Still, it’s an honor system, says Adrienne Felt, a computer science major at the University of Virginia. A Facebook user herself, she decided to research the site’s applications and even created her own so she could see how it worked.

Most of the developers Felt polled said they either didn’t need or use the information available to them and, if they did, accessed it only for advertising purposes.

But, in the end, Felt says there’s really nothing stopping them from matching profile information with public records. It also could be sold or stolen. And all of that could lead to serious matters such as identity theft.

“People seem to have this idea that, when you put something on the Internet, there should be some privacy model out there — that there’s somebody out there that’s enforcing good manners. But that’s not true,” Felt says.

(Note: there wasn’t actually any “polling” of developers, just examining what applications do to determine how they appeared to use information.)

The story has been picked up by some other places including BusinessWeek, CNNMoney (From games to virtual gifts, social networking applications popular — but at what risk?), Forbes, International Herald Tribune, National Public Radio, San Jose Mercury News, Philadelphia Inquirer, Las Vegas Sun, Fort Worth Star-Telegram, Houston Chronicle, San Francisco Chronicle, Seattle Post-Intelligencer, MyFOX, and The Sydney Morning Herald.

The Colorado Daily wins the best title award for MySpace is your space (and yours, and yours…) (but its the same story).

Pantagraph (Central Illinois) has it currently as their top article and includes a picture their front page.

[Added 13 May] Pew Internet and American Life Project has a post on this: Securing Private Data from Network ‘Zombies’ by Mary Madden.