SCHWERPUNKT
Hans-Joachim Hof
Practical Limitations of Technical Privacy Protection

On the Current State of IT Security Mechanisms Used for Privacy Protection in the Field

Information provided by whistleblower Edward Snowden imposingly demonstrated the advanced capabilities of intelligence agencies, especially the National Security Agency (NSA), to monitor Internet usage on a large scale. Huge amounts of data are collected day by day, violating the privacy of millions of people. Public media suggest that IT security methods like encryption are the magic bullet to protect one's privacy. This paper reflects on the feasibility and practical limitations of technical privacy protection. Current vulnerabilities of widely used IT security mechanisms impressively demonstrate the limitations of these mechanisms.

Prof. Dr.-Ing. Hans-Joachim Hof is Professor of Secure Software Systems at Hochschule München (Munich University of Applied Sciences), head of the research group MuSe - Munich IT Security Research Group, Vice Chair of the German Chapter of the ACM, and head of the additional training programme "Betrieblicher Datenschutz" (corporate data protection) at Hochschule München. E-Mail: [email protected]

DuD • Datenschutz und Datensicherheit 9 | 2014

1 Introduction

Following the publications of Edward Snowden, privacy protection gained increasing attention in public media. Privacy protection can be realized by technical and non-technical means. Examples of non-technical privacy protection means are data avoidance and data minimization. On the one hand, data avoidance and data minimization can be enforced by regulation. However, several big players of the Internet (e.g., Google and Facebook) base their business model on data collected about users. Hence, it is very likely that they use their influence to lobby for lax regulation. On the other hand, users could adapt their online behavior to improve their privacy. However, users still do not adapt their behavior. A recent study [16] shows that although the need for privacy grew from 2009 to 2013, users still published more information about themselves on social networks in 2013 than in 2009.

Usually, non-technical privacy protection means are accompanied by technical privacy protection means. An example of a technical privacy protection means is the encryption of data. Often, technical privacy protection means the use of well-known methods from the IT security domain. Public media often advertise technical privacy protection means like encryption as the silver bullet of privacy protection. Of course, any technical privacy protection can only be as good as the IT security mechanisms used to implement it. This paper shows the practical limitations of technical privacy protection resulting from the use of IT security mechanisms in the field.

The remainder of this paper is structured as follows: Section 2 presents attacks on platform security. Section 3 summarizes typical problems of application security. Section 4 shows challenges in network security. Section 5 reflects on the complexity of security processes. Section 6 reviews security in open source products. Section 7 concludes on the current state of IT security mechanisms in the field.
2 Platform Security

A platform in a technical sense is the underlying system every application runs on, including any privacy protection realized in an application. The platform consists of hardware and the operating system (OS) running on this hardware. Current platforms usually provide security services for applications, e.g., separation of code, sandboxes, disk encryption, certificate stores, and the like. Ensuring the integrity of the platform is of crucial importance for the overall security of a system, hence for the effectiveness of any technical privacy protection running on this platform. If an attacker can infiltrate a platform, or if a platform has a backdoor that can be used by an attacker, any technical privacy protection mechanism fails. This section shows limitations of technical privacy protection on different levels of the platform. It should be noted that any single vulnerability in a platform might lead to the infiltration of all technical privacy means running on this platform.

Nowadays, hardware does not only consist of electronic components but also of all kinds of embedded code. As with all kinds of code, vulnerabilities as well as backdoors can exist in this code. According to van Kooten and Verberne [3], the countries with the highest number of hardware companies in 2010 were (in descending order, number of companies in brackets): USA (40), Japan (21), Taiwan (18), China (7), South Korea (3). The top 10 companies based on annual hardware revenues in 2010 were (in descending order, country of origin in brackets): Samsung (South Korea), Hewlett-Packard (USA), Foxconn (Taiwan), LG Electronics (South Korea), Nokia (Finland), Toshiba (Japan), Dell (USA), Intel (USA), Apple (USA), and Cisco (USA). It is obvious from this list that Germany does not play any significant role in the hardware manufacturing industry. This is a potential security risk, as hardware manufacturers in a country could be forced to include backdoors or known weaknesses of cryptographic algorithms in hardware. Attractive targets for such kind of manipulation are:

- the random number generator
- the Trusted Platform Module

A random number generator is used, as the name indicates, to generate random numbers. As it is not possible to use a deterministic machine to create "real" randomness, pseudo-random generators combine all kinds of volatile system information at hand to generate "good" random numbers. Random numbers are crucial for the overall security of a system, because they are needed to create keys for encryption. If an attacker knows about a vulnerability in a random number generator, e.g., that every fourth bit is a 0 with a probability of 75%, it is easier for him to determine the key used for encryption. Any knowledge about a weakness of the random number generator used to generate keys allows attacks even on encryption algorithms that are otherwise secure. According to Reuters [4] and the New York Times [5], the National Security Agency (NSA) introduced a backdoor into the Dual EC DRBG standard, a standard for a cryptographically secure pseudo-random generator, and paid a well-known US security company to include the weakened random generator in their security products. According to The Guardian [6], "the NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs." While these real-world attacks were executed on standards, not on actual hardware, Becker et al. [7] show a concept for weakening random number generators by directly manipulating the hardware during manufacturing. Such a direct attack would be very hard to notice, even for experts.

A Trusted Platform Module (TPM) offers core security functionality in an encapsulated part of the system. Usually, the Trusted Platform Module has special protection to avoid any manipulation of this module. A TPM can be used to verify any code that is executed on the system. If only signed code can be executed, the execution of malicious code can be avoided. However, the greatest danger lies in the fact that a system user must blindly trust the TPM manufacturer not to have included any backdoor in the TPM. As by design all actions in a system must be approved by the TPM, a backdoor in a TPM may allow an attacker not only to execute custom commands but also to disable all kinds of other security software, e.g., virus scanners or personal firewalls.
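The weakened-generator scenario above (every fourth bit is 0 with probability 75%) can be made concrete with a bias check and an estimate of how many key bits such a defect actually leaves. The following Python example is added here for illustration; it is not code from the paper or from any of the cited products. The biased generator, the stride of 4, the 128-bit key length and the 2% tolerance are constructed assumptions; the unbiased comparison uses the operating system's os.urandom.

```python
import math
import os
import random

KEY_BITS = 128          # key length we reason about (constructed assumption)
BIAS_TOLERANCE = 0.02   # accept |P(0) - 0.5| up to this value (constructed threshold)


def biased_generator(n_bytes: int, seed: int = 1) -> bytes:
    """Constructed stand-in for a weakened RNG: every fourth bit of the
    output stream (positions 0, 4, 8, ...) is 0 with probability 0.75
    instead of 0.5.  Seeded so that the demonstration is reproducible."""
    rng = random.Random(seed)
    out = bytearray()
    bit_index = 0
    for _ in range(n_bytes):
        byte = 0
        for _ in range(8):
            if bit_index % 4 == 0:
                bit = 0 if rng.random() < 0.75 else 1
            else:
                bit = rng.getrandbits(1)
            byte = (byte << 1) | bit   # most significant bit first
            bit_index += 1
        out.append(byte)
    return bytes(out)


def bit_stream(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def zero_fraction_by_position(data: bytes, stride: int) -> list:
    """Fraction of zero bits at each residue class (bit index mod stride)."""
    counts = [0] * stride
    zeros = [0] * stride
    for i, bit in enumerate(bit_stream(data)):
        counts[i % stride] += 1
        zeros[i % stride] += (bit == 0)
    return [z / c for z, c in zip(zeros, counts)]


def min_entropy_per_bit(p_zero: float) -> float:
    """Min-entropy of a single bit with P(0) = p_zero; 1.0 for a fair bit."""
    return -math.log2(max(p_zero, 1.0 - p_zero))


def effective_key_bits(fractions: list, key_bits: int = KEY_BITS) -> float:
    """Assuming the measured bias pattern repeats with the same stride through
    a key of key_bits bits, sum the per-bit min-entropy (a lower bound on the
    work an attacker who knows the bias would need)."""
    stride = len(fractions)
    return sum(min_entropy_per_bit(fractions[i % stride]) for i in range(key_bits))


def passes_bias_check(data: bytes, stride: int = 4,
                      tolerance: float = BIAS_TOLERANCE) -> bool:
    """True if no bit position (mod stride) deviates from P(0)=0.5 by more
    than tolerance.  This only catches crude statistical defects."""
    return all(abs(p - 0.5) <= tolerance
               for p in zero_fraction_by_position(data, stride))


def compare(n_bytes: int = 50_000) -> dict:
    """Run the check over a weakened generator and over os.urandom."""
    weak = biased_generator(n_bytes)
    good = os.urandom(n_bytes)
    return {
        "weak_fractions": zero_fraction_by_position(weak, 4),
        "weak_key_bits": effective_key_bits(zero_fraction_by_position(weak, 4)),
        "weak_passes": passes_bias_check(weak),
        "good_key_bits": effective_key_bits(zero_fraction_by_position(good, 4)),
        "good_passes": passes_bias_check(good),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

For the constructed defect the estimate shows that roughly one fifth of the 128 key bits are lost, and the check flags the generator. The important caveat is the other direction: a statistical test like this cannot reveal a back door of the Dual EC DRBG kind, whose output is indistinguishable from random without the secret behind it, nor the dopant-level manipulation described by Becker et al., so passing such a test is a necessary but not a sufficient condition for trusting a generator.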
Besides these neuralgic points in hardware, it is possible to add additional components to an existing hardware platform. The Telegraph [8] reports an attack on credit card terminals. This attack was executed during manufacturing or shortly after, so that it was not possible to distinguish hacked terminals from valid terminals. The attacker injected a SIM card into the credit card terminal and manipulated the code of the terminal in such a way that information about credit cards used in this terminal was collected and sent via the mobile phone network to the attacker. Detecting manipulated credit card terminals was only possible because the SIM card slightly added to the total weight of the credit card terminal.

Another very important aspect of platform security is the Operating System (OS) used. Unfortunately, only a very limited number of OS are available. For desktop operating systems, there are the Windows product family (Microsoft), the Mac OS product family (Apple), and Linux (open source). For mobile phones, there are Android (Google), iOS (Apple), and Blackberry (Research in Motion). As with hardware, it is obvious that Germany is not an important player in operating systems. For a discussion of open source software see Section 6. Regarding the mobile platforms, the availability of jailbreaks, hacks that allow circumventing the security mechanisms of mobile phones, e.g., to install pirated copies of apps, shows that the security of these operating systems has serious vulnerabilities, see e.g. [15].
3 Application Security

Mechanisms of application security often overwhelm users; especially the privacy settings of applications are often unnecessarily complicated and well hidden. Some bad examples are presented in [12-13]. Especially exchanging a secret key in private or authenticating an exchanged public key are non-trivial tasks that seem to prevent the widespread use of end-to-end encryption, e.g., email encryption.

Another problem in application security is the use of certificates. A Certificate Authority issues certificates for a subject. Such a certificate attests the binding between an identity and a public key and includes metadata about identity and public key. Server certificates used for secure Internet communication, for example, include the host name and the public key of the server as well as the starting and ending date and time of the validity of the certificate. Whenever a secure connection is to be established, certificates are used to ensure that communication takes place with the intended party. However, to check certificates for validity, hence to be really sure that the corresponding party is really the intended party, it is necessary either to have the certificate of the Certificate Authority or to have the certificate of the intended party installed in another (secure) way. Modern software like web browsers knows several Certificate Authorities; often the certificates of these Certificate Authorities come prebuilt into applications.

Yet another problem is that software often does not come in the most secure configuration. User action is required to harden the application. Often, the developers use a less secure default configuration of an application because they want the application to behave in an easy way when the user uses it for the first time. One key issue of IT security, for example, is the exchange of keys. For symmetric encryption, a confidential exchange of the used secret key is needed. For public key cryptography, an authentic transfer of the public keys of communication partners is necessary. One example of this problem: Threema is a secure messenger, meant as a replacement for WhatsApp. Threema includes an exchange of the public keys of a user. By default, Threema checks for each telephone number in the phone book of the user whether this telephone number is included in a database on the Threema server. If this is the case, the server sends the public key to the user. The key is marked as "yellow", meaning that a server was used for the key exchange and the key has not yet been authenticated. An attack on this key exchange is that an attacker impersonates a telephone number and inserts his own public key for this telephone number into the Threema database. Now, other users communicate with him, thinking that he is the impersonated user. To avoid this kind of attack, Threema offers a key authentication method that requires a meeting in person, where the two communication partners authenticate their keys by taking a photo of a QR code displayed by Threema that encodes the fingerprint of the own public key. After this key exchange, the status of the key changes to green. This kind of key exchange is quite user-friendly. However, the problem lies in the fact that authentication is not enforced and, according to the observation of the author, most people just use unauthenticated keys (yellow status). This is a problem for privacy, because an attacker can use a man-in-the-middle attack to read all messages.

Another problem of application security lies in the widespread use of passwords for authentication or encryption of sensitive information. Password-based security can offer a suitable level of security if good passwords are used. Good passwords are long, do not include words or patterns, are not a variation of words or patterns, and use a large number of different signs. However, users are usually not capable of selecting good passwords. They even use the same password for different systems [17]. Password safes are one way to deal with password usage. A password safe stores the passwords of a user and usually automatically generates good passwords for the user. However, a password safe is a single point of failure and a single attack target. If the content of a password safe gets lost, the user has to restore many passwords. Also, a password safe stores all passwords of a user, hence is a very attractive attack target. Finally, access to the database of the password safe is usually itself protected by a password.
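The Threema discussion above turns on one design decision: a key obtained from a directory server stays "yellow" until its fingerprint has been compared out of band, and nothing forces that comparison. The following Python model is added here to make the two trust states and the substitution risk tangible; it is not Threema's code or the paper's, and the directory, the fingerprint format (truncated SHA-256) and all keys and phone numbers are constructed assumptions. It additionally shows what changes when a client refuses to send to unverified keys, which the text notes Threema does not enforce.

```python
import hashlib
from dataclasses import dataclass

YELLOW = "yellow"   # key obtained from the directory server, not yet authenticated
GREEN = "green"     # fingerprint compared in person, key authenticated


def fingerprint(public_key: bytes) -> str:
    """What the QR code would carry: a short hash of the public key.
    Constructed format; real messengers define their own encoding."""
    return hashlib.sha256(public_key).hexdigest()[:32]


class KeyDirectory:
    """Models the server-side phone-number -> public-key database."""

    def __init__(self):
        self._keys = {}

    def register(self, phone: str, public_key: bytes) -> None:
        self._keys[phone] = public_key

    def lookup(self, phone: str):
        return self._keys.get(phone)


@dataclass
class Contact:
    phone: str
    public_key: bytes
    status: str = YELLOW


class Client:
    """require_green=True models a client that refuses unauthenticated keys."""

    def __init__(self, directory: KeyDirectory, require_green: bool = False):
        self.directory = directory
        self.require_green = require_green
        self.contacts = {}

    def add_from_phone_book(self, phone: str):
        key = self.directory.lookup(phone)
        if key is None:
            return None
        contact = Contact(phone, key)          # always starts yellow
        self.contacts[phone] = contact
        return contact

    def verify_in_person(self, phone: str, scanned_fingerprint: str) -> Contact:
        """Compare the directory key against the fingerprint scanned from the
        contact's own device; a mismatch means the directory entry is not theirs."""
        contact = self.contacts[phone]
        if fingerprint(contact.public_key) != scanned_fingerprint:
            raise ValueError(f"fingerprint mismatch for {phone}: directory key is not the contact's key")
        contact.status = GREEN
        return contact

    def may_send(self, phone: str) -> bool:
        return self.contacts[phone].status == GREEN or not self.require_green


def demo() -> dict:
    """Constructed scenario: Alice registered honestly; for Carol's number an
    attacker managed to register his own key in the directory."""
    alice_key = b"constructed-public-key-of-alice"
    carol_key = b"constructed-public-key-of-carol"
    attacker_key = b"constructed-public-key-of-attacker"
    directory = KeyDirectory()
    directory.register("+49-170-0000001", alice_key)
    directory.register("+49-170-0000002", attacker_key)

    strict = Client(directory, require_green=True)
    lax = Client(directory)                       # today's default behaviour
    result = {}

    alice = strict.add_from_phone_book("+49-170-0000001")
    result["alice_initial"] = alice.status
    strict.verify_in_person("+49-170-0000001", fingerprint(alice_key))
    result["alice_verified"] = alice.status
    result["strict_may_send_alice"] = strict.may_send("+49-170-0000001")

    strict.add_from_phone_book("+49-170-0000002")
    result["strict_may_send_carol_unverified"] = strict.may_send("+49-170-0000002")
    try:
        strict.verify_in_person("+49-170-0000002", fingerprint(carol_key))
        result["substitution_detected"] = False
    except ValueError:
        result["substitution_detected"] = True

    lax.add_from_phone_book("+49-170-0000002")
    result["lax_sends_to_attacker_key"] = lax.may_send("+49-170-0000002")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The in-person check catches the substituted key, but only when it is performed; the lax client, which mirrors the yellow-status usage the author observed, happily encrypts to the attacker's key.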
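The four properties of a good password named above (length, no dictionary words, no variation of words or patterns, many different signs) can be turned into a checker that a password safe or sign-up form could apply. The Python example below is added here as an illustration and is not code from the paper; the tiny word list, the leetspeak substitution table and the thresholds (12 characters, 8 distinct signs) are constructed assumptions, and the naive entropy figure assumes uniformly chosen characters, which human-chosen passwords never are.

```python
import math
import re

# Constructed miniature word list; a real check would use a large dictionary.
WORDLIST = {"password", "secret", "welcome", "munich", "summer", "qwerty", "letmein"}
# Common "variation" substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 12        # constructed threshold
MIN_DISTINCT = 8       # constructed threshold


def normalize(pw: str) -> str:
    """Lower-case and undo leetspeak so 'P@ssw0rd' is compared as 'password'."""
    return pw.lower().translate(LEET)


def contains_word(pw: str) -> bool:
    n = normalize(pw)
    letters_only = re.sub(r"[^a-z]", "", n)
    return any(w in n or w in letters_only for w in WORDLIST if len(w) >= 4)


def has_pattern(pw: str) -> bool:
    """Runs of the same character or ascending/descending sequences (abc, 321)."""
    if re.search(r"(.)\1{2,}", pw):
        return True
    s = pw.lower()
    for i in range(len(s) - 2):
        a, b, c = (ord(ch) for ch in s[i:i + 3])
        if (b == a + 1 and c == b + 1) or (b == a - 1 and c == b - 1):
            return True
    return False


def alphabet_size(pw: str) -> int:
    """Size of the smallest character set that contains all signs used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33   # printable ASCII punctuation
    return size


def naive_entropy_bits(pw: str) -> float:
    """Upper bound: bits if every sign were chosen uniformly from the alphabet."""
    return len(pw) * math.log2(alphabet_size(pw)) if pw else 0.0


def evaluate(pw: str) -> dict:
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if contains_word(pw):
        problems.append("contains a dictionary word (possibly leet-disguised)")
    if has_pattern(pw):
        problems.append("contains a repeated or sequential pattern")
    if len(set(pw)) < MIN_DISTINCT:
        problems.append("uses too few distinct characters")
    return {"ok": not problems, "problems": problems,
            "naive_entropy_bits": round(naive_entropy_bits(pw), 1)}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2014", "abcabcabc123", "Tq7#vLm2!xRz9e"]:
        print(candidate, evaluate(candidate))
```

"P@ssw0rd2014" satisfies the length and character-set rules and would score about 79 bits naively, yet it is rejected because it is only a variation of a dictionary word; this is exactly the gap between a nominal rule set and what users actually choose.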
4 Network Security

The privacy of users is not only endangered on their local systems but of course also by communication in networks, e.g., the Internet. Network security became even more important because nowadays Cloud Computing is heavily used on private devices for convenience reasons. This means that data is not kept on the local system, but stored on some distant computer, often moving from one system to another. These data streams are of great interest because they do not only hold the content of the communication but also the usage pattern of device usage. Current trends like connected cars, Cyber-Physical Systems (CPS) etc. indicate that data streams will even increase in the future. Usually, encryption is one means to protect communication in networks. Section 5 discusses in great detail the problem of current network encryption methods (e.g., OpenSSL).

Another problem is the security of the underlying network infrastructure. If an attacker can infiltrate core components of networks, e.g., routers or gateways, he can launch a large number of attacks, e.g., man-in-the-middle attacks. Also, collecting data in networks is much more efficient than collecting data on single computers. One example of a network infrastructure component in private homes is the AVM Fritz!Box home router. A Fritz!Box is the component that connects a home network to the public Internet. The Fritz!Box acts as a gateway between the home network and the public Internet, and it has a firewall that protects the home network from attacks from the public Internet. From remote, only the public interface of the Fritz!Box is visible to an attacker (named 178.26.113.16 in Figure 1). Having said that, it should be clear that a Fritz!Box is a very critical component for home networks, and it should get a lot of attention to keep its security up to date. At the beginning of February 2014, AVM issued an update for Fritz!Boxes that closes a critical vulnerability that allowed attackers to gain root access from remote. Two and a half months after the update was released, [2] found that still 34% of Fritz!Boxes were not updated. This is only a slight decrease from 35% of vulnerable Fritz!Boxes one and a half months after the attack. These figures show that the security of critical network components is not understood in a home network context.

Figure 1 | Use of an AVM Fritz!Box in a home network
5 Security in Operation

To maintain the security level of a platform, an application, or a network infrastructure component, it is crucial to react to the publication of vulnerabilities. Measures to keep the security level of a system high are attack mitigation and security updates. Security updates are usually used to close vulnerabilities of a system or component. When a company issues a security update for one of its products, the vulnerability fixed by the update becomes widely known. Hence, it is of utmost importance to apply security patches as soon as possible. However, lately software providers are not so much interested in providing security updates as soon as possible. Microsoft, for example, has a distinguished "patch day" once a month [9]. A regular periodic date for the publication of security bulletins has the advantage that there is enough time to test security updates and that security processes can be better planned, both on Microsoft's side and on the client's side. However, a period of 30 days means that in the worst case an attack window may be open for up to 29 days. Other platforms, e.g., Android on non-Google devices, have an even longer schedule for updates, often in the range of 6 months or more (see [10] for a discussion of the time till update for Android devices). Whenever there is a known vulnerability in a system, it can be exploited by an attacker to violate the privacy of a user.

Another problem is the time an operating system is supported by a software provider. Windows XP, for example, is no longer supported by Microsoft unless a special contract is used. Without support, there are no more updates for these systems, so vulnerabilities cannot be patched. Other OS providers like Apple only offer support for two to three generations of their OS. With an average development cycle this means that no more security updates are available after three years. On mobile platforms like Android, this time is even shorter: carriers usually only provide 18 months of security support for mobile phones after the day the phone was presented. Even worse, an update of the OS of a mobile phone is usually not intended by the carriers.

Security updates also put a burden on users and system administrators. Keeping up to date with security updates not only for the operating system but also for all installed libraries as well as all installed applications is nearly impossible today. A current serious vulnerability shows the problem with security updates: the Heartbleed attack exploits a vulnerability in the widespread OpenSSL library. This library is used in server systems to establish secure communication with clients. Hence, it is of great importance for the protection of the user's privacy. OpenSSL is widely used to protect communication on the web, e.g., for online banking. The Heartbleed attack allows an attacker to extract the private key of the server used to protect all communication. If servers are not configured to offer Perfect Forward Secrecy, all communication from the past can be decrypted with this key. Also, the Heartbleed attack allows an attacker to extract user passwords. It is obvious that immediate action should be taken to mitigate this serious vulnerability. A short time after the attack became known, Errata Security scanned the Internet for vulnerable hosts and found 600,000 vulnerable hosts. One month later, the number of vulnerable hosts was 300,000. Even worse, another month later, the number of vulnerable hosts was still around 300,000 [1]. These figures show that roughly half of the server operators have a quite fast update mechanism, whereas the other half is not able to react within two months to very serious security vulnerabilities. Netcraft [11] reports the three steps to eliminate the Heartbleed vulnerability:

1. Apply the security update for the OpenSSL library.
2. Replace the server certificate used before the security update. This replacement is necessary because the server's private key has possibly been infiltrated. Hence, a new private key is necessary. The generation of a new private key means that a new public key is used, and the public key is stated in the certificate.
3. Revoke the old server certificate. This step is necessary to prevent an attacker who got to know the old private key of the server from mounting a man-in-the-middle attack as shown in Figure 2.
Figure 2 | Man in the middle attack

In total, Netcraft found that 43% of administrators took action to eliminate the OpenSSL vulnerability. However, the analysis shows that only 14% of the administrators of all affected servers followed all three necessary steps, hence achieved effective protection. 7% of administrators did not change the private key used before the security update. 2% of administrators did not revoke the old certificate.

This section showed the problems of keeping the security level of a platform, application, or infrastructure high. Technical privacy protection means can only be successful if continuous monitoring of the security level takes place. The example of the elimination of a serious OpenSSL vulnerability shows that even if administrators take immediate action to close security vulnerabilities, only a very small number of administrators succeed in the field in achieving effective security.
6 Is Open Source the Solution?

The last sections showed some serious vulnerabilities and manipulations of systems, applications, and infrastructure components. The Open Source community nowadays supports a large amount of software, including the Linux operating system, and important add-ons like the OpenSSL library. It was long assumed by the security community that access to source code is a security benefit, because thorough security source code reviews are possible. "No error will go unnoticed for long" was one of the main ideas of open source security software. However, this belief was shaken by the Heartbleed attack. A critical vulnerability in the OpenSSL library, which is widely used to establish secure communication on the Internet, went undiscovered in open source for more than a year. The vulnerability was a trivial programming error that occurred because the length of a field was not correctly checked, hence even average security experts should have been able to find the bug leading to the vulnerability. Obviously, for a long time nobody had a look at the source code. Even worse, arstechnica [14] claims that signs of hacking attempts using the Heartbleed attack were found in logs dating back five months before the attack became known. The vulnerability leading to the Heartbleed attack went unnoticed by the project maintainer who integrated the code into the productive code. This shows that the quality management of critical security open source components should be significantly improved.
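The "length of a field was not correctly checked" error class is easy to state but worth seeing side by side with its fix, since the check is a single comparison that code review should catch. The Python simulation below is added here for illustration and is not OpenSSL's code or the paper's; it models process memory as one byte string in which the request record is followed by unrelated sensitive data (constructed), because Python slicing cannot read past a buffer the way C can. The record layout (1-byte type, 2-byte big-endian payload length, payload) is a constructed simplification.

```python
import struct
from typing import Optional, Tuple

RECORD_TYPE_REQUEST = 1
HEADER_LEN = 3   # 1 byte type + 2 bytes length (constructed layout)


def build_record(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a request record.  claimed_length lets a test record lie about
    how much payload it carries, which is the malformed input that matters."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", RECORD_TYPE_REQUEST, length) + payload


def echo_unchecked(memory: bytes, offset: int) -> bytes:
    """Vulnerable pattern: trust the length field inside the record and copy
    that many bytes back.  If the field exceeds the real payload, the copy
    runs past the record into whatever lies next to it in memory."""
    _rtype, length = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER_LEN
    return memory[start:start + length]


def echo_checked(memory: bytes, offset: int, record_len: int) -> Optional[bytes]:
    """Hardened pattern: compare the claimed payload length with the number of
    bytes actually received for this record (known from the transport layer)
    and silently discard malformed records."""
    if record_len < HEADER_LEN:
        return None
    _rtype, length = struct.unpack_from("!BH", memory, offset)
    if HEADER_LEN + length > record_len:
        return None           # claimed payload is longer than the record: drop it
    start = offset + HEADER_LEN
    return memory[start:start + length]


def simulate() -> Tuple[bytes, Optional[bytes]]:
    """Constructed scenario: a 2-byte payload whose header claims 40 bytes,
    lying in memory directly before unrelated private data."""
    adjacent_secret = b"SECRET-PRIVATE-KEY-MATERIAL"     # constructed
    record = build_record(b"hi", claimed_length=40)
    memory = record + adjacent_secret
    leaked = echo_unchecked(memory, 0)                  # echoes the secret back
    safe = echo_checked(memory, 0, len(record))         # rejects the record
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = simulate()
    print("unchecked echo returned:", leaked)
    print("checked echo returned:", safe)
```

The only difference between the two functions is the comparison against record_len, the length the transport layer actually delivered; the length field inside the message is attacker-controlled and must never be the sole basis for a copy. A review of the hardened version should also confirm that record_len itself comes from trusted bookkeeping and not from the same message.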
7 Conclusion

This paper presented limitations of technical privacy protection. Several serious security incidents were presented to show the limitations of IT security mechanisms in the field. Keeping the security level of any system high requires significant effort, which may be too much for private persons. This leads to the conclusion that it becomes increasingly hard to achieve effective privacy using IT security mechanisms. Data minimization and data avoidance are more important than ever. However, new applications in computer science like Cyber-Physical Systems and Google Glass are made for collecting tons of data. Controlling such systems and forcing data minimization and data avoidance is harder than ever.
Literature

[1] Robert Graham: "300k vulnerable to Heartbleed two months later", in: Errata Security - Advanced persistent cybersecurity, http://blog.erratasec.com/2014/06/300k-vulnerable-to-heartbleed-two.html, accessed 01.07.2014, published June 2014
[2] heise: "Das Router-Desaster: Fritzbox-Update gerät ins Stocken", heise online, http://www.heise.de/newsticker/meldung/Das-Router-Desaster-Fritzbox-Update-geraet-ins-Stocken-2173043.html, accessed 01.07.2014, published April 2014
[3] Michel van Kooten and Balder Verberne: "The world's top hardware companies in 2010", http://www.hardwaretop100.org/the-worlds-largest-hardware-companies-2010.php, accessed 01.07.2014, published October 2010
[4] Joseph Menn: "Exclusive: Secret contract tied NSA and security industry pioneer", Reuters, http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220, accessed 01.07.2014, published December 2013
[5] Nicole Perlroth: "Government Announces Steps to Restore Confidence on Encryption Standards", New York Times, http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/?_php=true&_type=blogs&_r=0, accessed 01.07.2014, published September 2013
[6] James Ball, Julian Borger and Glenn Greenwald: "Revealed: how US and UK spy agencies defeat internet privacy and security", Guardian Weekly, Friday 6 September 2013
[7] Georg T. Becker, Francesco Regazzoni, Christof Paar, and Wayne P. Burleson: "Stealthy Dopant-Level Hardware Trojans", in: Cryptographic Hardware and Embedded Systems - CHES 2013, Lecture Notes in Computer Science Volume 8086, pp. 197-214, 2013
[8] Henry Samuel: "Chip and pin scam 'has netted millions from British shoppers'", The Telegraph, http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html, accessed 01.07.2014, published October 2008
[9] Microsoft: "Security TechCenter", http://technet.microsoft.com/de-de/security/bb291012, accessed 01.07.2014
[10] Andrew Cunningham: "What happened to the Android Update Alliance?", arstechnica, http://arstechnica.com/gadgets/2012/06/what-happened-to-the-android-update-alliance/, accessed 01.07.2014, published June 2012
[11] Netcraft: "Keys left unchanged in many Heartbleed replacement certificates!", http://news.netcraft.com/archives/2014/05/09/keys-left-unchanged-in-many-heartbleed-replacement-certificates.html, accessed 01.07.2014, published May 2014
[12] Hans-Joachim Hof: "Towards Enhanced Usability of IT Security Mechanisms - How to Design Usable IT Security Mechanisms Using the Example of Email Encryption", International Journal On Advances in Security, volume 6, number 1&2, 2013
[13] Hans-Joachim Hof: "User-Centric IT Security - How to Design Usable Security Mechanisms", The Fifth International Conference on Advances in Human-oriented and Personalized Mechanisms, Technologies, and Services (CENTRIC 2012), 2012
[14] Sean Gallagher: "Heartbleed vulnerability may have been exploited months before patch [Updated]", arstechnica, http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/, accessed 01.07.2014, published April 2014
[15] Bundesamt für Sicherheit in der Informationstechnik: "Überblickspapier Apple iOS", https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Download/Ueberblickspapier_Apple_iOS_pdf, July 2013
[16] Sabine Trepte, Tobias Dienlin, Leonhard Reinecke: "Privacy, Self-Disclosure, Social Support, and Social Network Site Use", Research Report, University of Hohenheim, http://opus.uni-hohenheim.de/volltexte/2013/889/, November 2013
[17] Eiji Hayashi and Jason I. Hong: "A Diary Study of Password Usage in Daily Life", Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2627-2630, ISBN 978-1-4503-0228-9, 2011