Entries Tagged "spoofing"
Page 3 of 6
EDITED TO ADD (7/9): It wasn’t a DHS drone. It was a drone owned by the university.
Great movie-plot threat:
Financial institutions depend on timing that is accurate to the microsecond on a global scale so that stock exchanges in, say, London and New York are perfectly synchronised. One of the main ways of doing this is through GPS, and major financial institutions will have a GPS antenna on their main buildings. “They are always visible because they need a clear view of the sky,” Humphreys told Wired.co.uk.
He explains that someone who directed a spoofer towards the antenna could cause two different problems which could have a major impact on the largely automated high-frequency trading systems. The first is simply causing confusion by manipulating the times — a process called “time sabotage” — on one of the global stock exchanges. This sort of confusion can be very damaging.
There’s a report that Iran hacked the drones’ GPS systems:
“The GPS navigation is the weakest point,” the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran’s “electronic ambush” of the highly classified US drone. “By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain.”
The “spoofing” technique that the Iranians used — which took into account precise landing altitudes, as well as latitudinal and longitudinal data — made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center, says the engineer.
The Aviationist has consistently had the best analysis of this, and here it talks about the Tehran Times report that Iran has four Israeli and three U.S. drones.
There’s a security story from biology I’ve used a few times: plants that use chemicals to call in airstrikes by wasps on the herbivores attacking them. This is a new variation: a species of orchid that emits the same signals as a trick, to get pollinated.
I’ve been asked this question by countless reporters in the past couple of weeks. Here’s a good explanation. Shorter answer: it’s easy to spoof source destination, and it’s easy to hijack unsuspecting middlemen and use them as proxies.
No, mandating attribution won’t solve the problem. Any Internet design will necessarily include anonymity.
Still minor, but this kind of thing is only going to get worse:
The new research shows that other systems in the vehicle are similarly insecure. The tire pressure monitors are notable because they’re wireless, allowing attacks to be made from adjacent vehicles. The researchers used equipment costing $1,500, including radio sensors and special software, to eavesdrop on, and interfere with, two different tire pressure monitoring systems.
The pressure sensors contain unique IDs, so merely eavesdropping enabled the researchers to identify and track vehicles remotely. Beyond this, they could alter and forge the readings to cause warning lights on the dashboard to turn on, or even crash the ECU completely.
Now, Ishtiaq Rouf at the USC and other researchers have found a vulnerability in the data transfer mechanisms between CANbus controllers and wireless tyre pressure monitoring sensors which allows misleading data to be injected into a vehicle’s system and allows remote recording of the movement profiles of a specific vehicle. The sensors, which are compulsory for new cars in the US (and probably soon in the EU), each communicate individually with the vehicle’s on-board electronics. Although a loss of pressure can also be detected via differences in the rotational speed of fully inflated and partially inflated tyres on the same axle, such indirect methods are now prohibited in the US.
EDITED TO ADD (8/25): This is a better article.
Location-based encryption — a system by which only a recipient in a specific location can decrypt the message — fails because location can be spoofed. Now a group of researchers has solved the problem in a quantum cryptography setting:
The research group has recently shown that if one sends quantum bits — the quantum equivalent of a bit — instead of only classical bits, a secure protocol can be obtained such that the location of a device cannot be spoofed. This, in turn, leads to a key-exchange protocol based solely on location.
The core idea behind the protocol is the “no-cloning” principle of quantum mechanics. By making a device give the responses of random challenges to several verifiers, the protocol ensures that multiple colluding devices cannot falsely prove any location. This is because an adversarial device can either store the quantum state of the challenge or send it to a colluding adversary, but not both.
Don’t expect this in a product anytime soon. Quantum cryptography is mostly theoretical and almost entirely laboratory-only. But as research, it’s great stuff. Paper here.
Sidebar photo of Bruce Schneier by Joe MacInnis.