Page 406

Cell Phone Kill Switches Mandatory in California

California passed a kill-switch law, meaning that all cell phones sold in California must have the capability to be remotely turned off. It was sold as an antitheft measure. If the phone company could remotely render a cell phone inoperative, there would be less incentive to steal one.

I worry more about the side effects: once the feature is in place, it can be used by all sorts of people for all sorts of reasons.

The law raises concerns about how the switch might be used or abused, because it also provides law enforcement with the authority to use the feature to kill phones. And any feature accessible to consumers and law enforcement could be accessible to hackers, who might use it to randomly kill phones for kicks or revenge, or to perpetrators of crimes who might—depending on how the kill switch is implemented—be able to use it to prevent someone from calling for help.

“It’s great for the consumer, but it invites a lot of mischief,” says Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, which opposes the law. “You can imagine a domestic violence situation or a stalking context where someone kills [a victim’s] phone and prevents them from calling the police or reporting abuse. It will not be a surprise when you see it being used this way.”

I wrote about this in 2008, more generally:

The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That’s a difficult security problem even in its simplest form. Distributing that system among a variety of different devices—computers, phones, PDAs, cameras, recorders—with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards.

Once we go down this path—giving one device authority over other devices—the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?

The law only affects California, but phone manufacturers won’t sell two different phones. So this means that all cell phones will eventually have this capability. And, of course, the procedural controls and limitations written into the California law don’t apply elsewhere

EDITED TO ADD (9/12): Users can opt out, at least for now: “The bill would authorize an authorized user to affirmatively elect to
disable or opt-out of the technological solution at any time.”

How the bill can be used to disrupt protests.

Tags: , , , ,

Posted on August 29, 2014 at 12:31 PMView Comments

ISIS Threatens US with Terrorism

They’re openly mocking our profiling.

But in several telephone conversations with a Reuters reporter over the past few months, Islamic State fighters had indicated that their leader, Iraqi Abu Bakr al-Baghdadi, had several surprises in store for the West.

They hinted that attacks on American interests or even U.S. soil were possible through sleeper cells in Europe and the United States.

“The West are idiots and fools. They think we are waiting for them to give us visas to go and attack them or that we will attack with our beards or even Islamic outfits,” said one.

“They think they can distinguish us these days ­ they are fools and more than that they don’t know we can play their game in intelligence. They infiltrated us with those who pretend to be Muslims and we have also penetrated them with those who look like them.”

I am reminded of my debate on airport profiling with Sam Harris, particularly my initial response to his writings.

Tags: , , , ,

Posted on August 29, 2014 at 6:08 AMView Comments

Hacking Traffic Lights

New paper: “Green Lights Forever: Analyzing the Security of Traffic Infrastructure,” Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman.

Abstract: The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. We leverage these flaws to create attacks which gain control of the system, and we successfully demonstrate them on the deployment in coordination with authorities. Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage. We make recommendations on how to improve existing systems and discuss the lessons learned for embedded systems security in general.

News article.

Tags: , , ,

Posted on August 28, 2014 at 6:14 AMView Comments

People Are Not Very Good at Matching Photographs to People

We have an error rate of about 15%:

Professor Mike Burton, Sixth Century Chair in Psychology at the University of Aberdeen said: “Psychologists identified around a decade ago that in general people are not very good at matching a person to an image on a security document.

“Familiar faces trigger special processes in our brain—we would recognise a member of our family, a friend or a famous face within a crowd, in a multitude of guises, venues, angles or lighting conditions. But when it comes to identifying a stranger it’s another story.

“The question we asked was does this fundamental brain process that occurs have any real importance for situations such as controlling passport issuing ­ and we found that it does.”

The ability of Australian passport officers, for whom accurate face matching is central to their job and vital to border security, was tested in the latest study, which involved researchers from the Universities of Aberdeen, York and New South Wales Australia.

In one test, passport officers had to decide whether or not a photograph of an individual presented on their computer screen matched the face of a person standing in front of their desk.

It was found that on 15% of trials the officers decided that the photograph on their screen matched the face of the person standing in front of them, when in fact, the photograph showed an entirely different person.

Tags: , ,

Posted on August 25, 2014 at 7:08 AMView Comments

Friday Squid Blogging: Squid Boats Illuminate Bangkok from Space

Really:

To attract the phytoplankton, fishermen suspend green lights from their boats to illuminate the sea. When the squid chase after their dinner, they’re drawn closer to the surface, making it easier for fishermen to net them. Squid boats often carry up to 100 of these green lamps, which generate hundreds of kilowatts of electricity—making them visible, it appears, even from space.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags:

Posted on August 22, 2014 at 4:49 PMView Comments

← Earlier EntriesLater Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.