Security Snake Oil


LAUR-04-8180

Don’t Swallow the Snake Oil! -- Understanding the Limitations and Vulnerabilities of High-Technology

Or…

What the Heck, It’s Just High-Tech!

Roger G. Johnston, Ph.D., CPP
and
Jon S. Warner, Ph.D.

Vulnerability Assessment Team
Los Alamos National Laboratory
MS J565, Los Alamos, NM 87545
(505)-667-7414, [email protected]
http://pearl1.lanl.gov/seals/default.htm

Introduction

The long-running BBC television series, Doctor Who, was a cult favorite, adored
by adult science fiction fans and children alike. The show concerned the
adventures of a mysterious, eccentric time traveler who used his creativity and
intellect to outwit evil doers throughout time and space.

Even though he put high-technology to good use, Doctor Who was never naive
about its limitations. In a 1978 episode (“The Pirate Planet”), for example, he
quickly opened a high-tech lock placed in his path by the bad guys, commenting
matter-of-factly that, “The more sophisticated the technology, the more
vulnerable it is to primitive attack. People often overlook the obvious.” Security
managers should take a clue from Doctor Who and recognize that high-
technology is not an automatic panacea.

High-technology is an essential part of many security applications. Its
presence will only increase in the future. High-tech devices and systems can be
very helpful for many security functions, including monitoring, access control, and
cargo security. This article, however, warns about the dangers of being seduced
by, or having blind faith in technology. These warnings are the result of the
research and consulting performed by the Vulnerability Assessment Team at Los
Alamos National Laboratory.

Why High-Tech Does Not Guarantee High Security

As Doctor Who recognized, high-tech devices and systems are often vulnerable
to simple attacks. We believe there are 8 major reasons for this:

1. High-tech devices must still work in, and be physically coupled to, the real
world. This is often a source of exploitable vulnerabilities.

2. High-tech security measures still depend on the loyalty and effectiveness of
the user’s personnel. But high-technology sometimes has a way of making
security managers forget about critical human factors.

3. High-tech often permits an increased standoff distance from the assets being
protected. This tends to decrease personal attention to detail. In the end,
security (whether high-tech or low-tech) fundamentally requires staying alert and
paying attention to details.

4. With high-technology, there are usually many more legs for an adversary to
attack.

5. High-tech features often fail to address the critical vulnerability issues in any
given security application, and can even become a distraction.

6. With high-technology, users often don’t understand the device or system.
This is not conducive to good security. High-technology often requires extensive
training of security personnel. But since high-technology is typically employed in
the first place to save money by reducing labor costs, security managers often
scrimp on the training. Moreover, the training programs of many high-tech
manufacturers and vendors (if they even have them) are often poor, or they
avoid discussing product vulnerabilities and countermeasures for fear of harming
sales.

7. Developers and manufacturers of high-tech security devices and systems
often have the wrong expertise, or focus on the wrong issues. They may be
experts in electronics, software, encryption, communications, etc., but may lack
practical, holistic experience with real-world security.

8. The “Titanic Effect” is often a problem. This is overconfidence in, and
arrogance about, high-technology.

Inventory vs. Security

It is common to confuse the inventory function with the security function. This
usually leads to poor security, especially when high-technology is involved. 3 of
the 7 technologies discussed below are very problematic for security applications
because they are fundamentally inventory technologies.

Inventory involves locating and counting our “stuff”. It will detect innocent
errors by insiders, but it is not designed to counter nefarious adversaries. That is
the job for security.

Security is specifically designed (or at least should be) from the very start to
prevent or mitigate the actions of the bad guys. In an ideal world, there wouldn’t
be any bad guys, and we wouldn’t need security. But even in an ideal world,
we’d still need to perform the inventory function. (Of course, in an ideal world,
there’d be no need for security professionals, so maybe an ideal world wouldn’t
be so ideal after all!)

It is not uncommon for inventory systems to undergo “mission creep”. What
started out as an inventory system can often become viewed over time as a
security system, even when little or no security was ever designed in.

Counterfeit Counterfeits

Counterfeiting can be a very viable attack on security devices, systems, or
programs. Adversaries may try to counterfeit the assets being protected (so they
can be swapped out with the fakes). They might instead want to counterfeit
badges, IDs, parking permits, work orders, tags, seals, electronic signals,
computer data, or paper records. Even people can be counterfeited—through
impersonation, identity theft, or the counterfeiting of biological characteristics
(biometrics).

In the case of high-tech security devices or materials, it is common for
inventors, manufacturers, and vendors to claim they have a unique
manufacturing process that nobody else can duplicate. In our experience, this is
usually exaggerated, or even blatantly untrue. More to the point, it is usually
irrelevant.

The essential fact about counterfeiting that is often overlooked is the following:
It is usually sufficient for an adversary to counterfeit the superficial appearance of
a device or object, and perhaps its apparent performance. An adversary rarely
needs to replicate the actual device or object, or even counterfeit its real
performance. (This is because few security applications have the time or money
for detailed forensic postmortem examinations in a laboratory to reliably verify
authenticity.) Consequently, counterfeiting is usually much easier than it might
first appear. Relatively low-tech methods usually suffice, even when
counterfeiting very sophisticated, high-tech security devices or materials.

RFIDs

“RFIDs”, or radio frequency (rf) identification devices are transponders that
transmit a unique serial number using radio waves. Some have batteries, but
most are passive and rely instead on being energized by a high-energy radio
signal. The stored energy from this radio burst is quickly used by the RFID to
transmit its identification or serial number over a short distance where it is read
by a reader.

RFIDs are an excellent technology for inventory purposes. They can help to
quickly identify and track products moving through the supply chain in a non-
contact manner. Unfortunately, however, RFIDs have been highly touted as
security devices—and as the answer to both product counterfeiting and reliable
tamper detection. The fact is, they are silver bullets for neither.

RFIDs are relatively easy and cheap to counterfeit. When we first studied
RFIDs at Los Alamos, we quickly demonstrated a number of different counterfeit
designs—a new one every 2 days on average. This was done without the need to
involve a single electrical engineer or rf expert. Our counterfeits cost only a few
dollars in retail quantities. A clever home electronics hobbyist can counterfeit low
end RFIDs—which are the only ones that most security applications can afford.
Serious counterfeiters and cargo thieves will not be deterred by these devices.

It is also fairly easy to spoof an RFID reader even without counterfeiting the RFID
devices. There are 5 different ways an adversary can do this:

1. Replace the real reader with a modified design,

2. Replace parts of the real reader with modified electronics or hardware,

3. Otherwise tamper with the real reader, or

4. Tamper with data stored in (or transmitted by) the real reader.

If the reader is a portable, handheld device, attack #1 typically requires less
than 3 seconds for someone to “palm” the real reader and swap it out for an
adversary’s version. This is why it is imperative to maintain a secure, continuous
chain of custody for the reader—even when it is not in use. Attacks 2 and 3 can
take as little as 15 seconds if the adversary is well practiced.

For attacks 1-3, the adversary may have the fake or modified reader
automatically accept all RFIDs as valid, or perhaps just special ones chosen by
the adversary. (Users of any reader must occasionally verify at random,
unpredictable times that an invalid RFID number will actually be rejected.)
Alternately, the adversary may want to control the reader from a distance using
inexpensive radio frequency (rf) electronics, which are now readily available,
inexpensive, and miniature.

Attack #4 typically involves changing the RFID number stored in the reader’s
database. This allows the adversary to remove the original RFID and replace it
with one of his choice without being detected.
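The two defender-side checks this passage calls for, namely the random spot-check that an invalid RFID number is really rejected, and a way to notice that the reader’s stored database of accepted numbers has been altered (attack #4), as an added example in Python. This is not code from the paper or from the Vulnerability Assessment Team. The reader classes, the 12-digit hex ID format, the audit key, and the HMAC-over-the-list integrity scheme are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import random

# Constructed sample data: an authorized-ID list and an audit key. The key is
# assumed to be held by the security office, NOT stored on the reader, so that
# someone who tampers with the reader cannot also recompute the integrity tag.
AUDIT_KEY = b"constructed-audit-key-not-for-production"
AUTHORIZED_IDS = ["E20034120130", "E20034120131", "E20034120132"]


def database_tag(ids, key=AUDIT_KEY):
    """HMAC-SHA256 over the canonical (sorted, newline-joined) authorized-ID list."""
    canonical = "\n".join(sorted(ids)).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def database_intact(ids, expected_tag, key=AUDIT_KEY):
    """True when the reader's current list still matches the tag recorded at provisioning."""
    return hmac.compare_digest(database_tag(ids, key), expected_tag)


class Reader:
    """Simulated, well-behaved reader (hypothetical): accepts only IDs in its database."""

    def __init__(self, ids):
        self.ids = set(ids)

    def accept(self, rfid):
        return rfid in self.ids


class AcceptAllReader(Reader):
    """Simulated reader behaving as described for attacks 1-3: it accepts every ID.
    Used here only so the spot-check has something to catch."""

    def accept(self, rfid):
        return True


def random_invalid_id(ids, rng):
    """Generate a probe ID that is guaranteed NOT to be in the authorized list."""
    while True:
        candidate = "".join(rng.choice("0123456789ABCDEF") for _ in range(12))
        if candidate not in ids:
            return candidate


def spot_check(reader, ids, probes=5, rng=None):
    """Present known-invalid IDs (and one known-valid one) to the reader.

    Run at random, unpredictable times, as the text recommends. Returns a list
    of findings; an empty list means the reader behaved as expected.
    """
    rng = rng or random.SystemRandom()
    findings = []
    for _ in range(probes):
        bogus = random_invalid_id(ids, rng)
        if reader.accept(bogus):
            findings.append(f"reader accepted invalid ID {bogus}")
    valid = rng.choice(sorted(ids))
    if not reader.accept(valid):
        findings.append(f"reader rejected valid ID {valid}")
    return findings


def audit(reader, ids, expected_tag, rng=None):
    """Full check: database integrity first, then the behavioural spot-check."""
    findings = []
    if not database_intact(ids, expected_tag):
        findings.append("authorized-ID database does not match its integrity tag")
    findings.extend(spot_check(reader, ids, rng=rng))
    return findings


if __name__ == "__main__":
    tag = database_tag(AUTHORIZED_IDS)
    print("honest reader:", audit(Reader(AUTHORIZED_IDS), AUTHORIZED_IDS, tag))
    print("tampered reader:", audit(AcceptAllReader(AUTHORIZED_IDS), AUTHORIZED_IDS, tag))
```

The spot-check only tells you the reader is currently rejecting bogus numbers; it says nothing about a reader programmed to accept one specific counterfeit chosen by the adversary, which is why the text pairs it with a continuous chain of custody for the reader itself. The integrity tag covers the stored list, not the reader’s firmware, so a swapped reader still has to be caught by custody and inspection.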

In addition to being easy to counterfeit, RFIDs are usually trivial to “lift”, that
is, to remove from one object or container and place on another without being
detected. Nearly anyone moderately skilled with their hands can quickly saw,
undercut, grind, etch away, or dissolve with reactive chemicals whatever
mechanical, adhesive, or potting method is used to attach the RFID to the object
or container of interest. Reattaching the RFID is usually also simple. The ease
with which lifting can be accomplished limits the usefulness of RFIDs for security
applications.

RFID radio signals are also easy to block or jam. This makes certain kinds of
denial of service attacks trivial to execute.

Some high-end RFIDs attempt to improve security through the use of
cryptography (see below), challenge-response protocols, rotating passwords,
and/or tamper detection. These devices are typically quite expensive and require
a battery. While such high-end RFIDs may somewhat complicate the job of an
adversary, they are not generally immune from relatively straightforward attacks.

Contact Memory Buttons

Contact memory buttons are a lot like RFIDs except that they have no rf
emanations. Instead, they communicate electrically through mechanical contact.
Typically, these are passive devices that get their power from electrical contact
with the reader. The button then sends an electronic signal with its unique serial
number.

Contact memory buttons are usually easy to counterfeit. When we first
analyzed them at Los Alamos, we had a working counterfeit within 2 hours. (The
first hour was spent reading the manufacturer’s publicly available literature to
see how they work.) Some of our counterfeits actually cost less than the original
products and work better! Typically, readers are also fairly easy to spoof.

When counterfeiting a contact memory button, the entire button (or “can”)
may be counterfeited, or else another button can be purchased or stolen, then
modified to look—at least on the outside—like the original, but with a counterfeit
circuit inside.

Manufacturers often etch the serial number on the outer case of the contact
memory button. This does not, as some manufacturers claim, “increase
security”. It simply makes it possible for an adversary to tell from a distance
what serial number to counterfeit without having to touch or electronically read
the memory button. A 3” telescope can be used to view the serial number from
60 feet away, while it can be read from 5 feet away with the naked eye.

Like RFIDs, high-end (and thus expensive) memory buttons are available that
use batteries, cryptography, challenge-response protocols, rotating passwords,
and/or tamper detection to try to improve security. None of these are particularly
effective at stopping a determined adversary who has taken time to understand
the devices.

Tags

A tag is a device or intrinsic feature used to uniquely identify an object or
container. (An example is an RFID or even a license plate on your car.)

There are really 4 distinct kinds of tags, though people are often unclear about
which kind they have in mind. Inventory tags are strictly for inventory
purposes; there is no nefarious adversary to worry about, so neither lifting nor
counterfeiting is of concern.

With security tags, on the other hand, both lifting and counterfeiting are a
concern. This is in contrast to anti-counterfeiting tags where only
counterfeiting is an issue. These are used, for example, to try to prevent
counterfeiting of commercial products. Lifting is not of concern because the
product counterfeiter has no economic interest in buying the authentic product so
that he can move the security tag to his fake product.

Counterfeiting is also the only issue for buddy tags (sometimes called
tokens). They differ from anti-counterfeiting tags in that they usually are not
physically attached to the object or container of interest.

Few, if any, high-tech (or even low-tech) security tags have solved the lifting
problem. Lifting is usually relatively easy to achieve if the adversary has skilled
hands—and sometimes, even if he doesn’t.

Furthermore, current high-tech anti-counterfeiting tags are typically much
easier to counterfeit than their inventors expect (under the more practical
definition of counterfeiting given above). Most suffer from not having an
inexpensive, easy-to-use reader that can be operated by non-technical personnel
such as shop clerks. High-tech, anti-counterfeiting tags that require an analysis
by sophisticated laboratory methods can certainly be used to reliably detect
counterfeiting, but the high cost and delay in getting results usually makes them
utterly impractical for all but the most expensive and exotic assets.

Most new tags are the result of an inventor or manufacturer trying to force fit a
given technology onto tag applications. Unfortunately, few researchers appear to
be trying to develop effective tags from basic principles.

Tamper-Indicating Seals

Tamper-indicating seals are used to detect unauthorized access and
tampering. There are many applications including cargo security, records
integrity, law enforcement, courier bags, utility meters, nuclear safeguards,
securing forensics evidence and election ballots, and protecting drugs and
consumer products.

Unlike locks, seals do not try to resist or delay unauthorized access, just record
that it took place. Unlike intrusion detectors, the trespassing is detected only
after the fact, at the time the seal is inspected.

There is currently a great deal of interest in using high-tech electronic seals for
cargo security and counter-terrorism. This includes seals that use RFIDs, contact
memory buttons, and/or encryption. Many of the proponents of such high-tech
seals seem to be confusing inventory with security, as discussed above.

We have studied hundreds of seals in detail at Los Alamos, and found them all
easy to defeat quickly using only low-tech, inexpensive methods available to
almost anyone. These include seals used for nuclear applications, as well as
seals used extensively for cargo security applications. We find that high-tech
seals are often easier to defeat than low-tech seals for the reasons discussed
above. This does not, however, necessarily have to be the case if the high-tech
seals were better designed and/or used in a more sophisticated manner.

(To “defeat” a seal means to remove it, then replace it with a counterfeit or the
original seal in a manner that avoids detection. Simply yanking a seal off a
container is not defeating it because the fact that the seal is missing or damaged
will be noted at the time of inspection.)

We’ve categorized all the methods for defeating seals into 105 general
categories. There are many possible variations within each category. As with
RFIDs, both lifting and reader attacks are usually viable for seals.

It is clear that much better seal designs (low-tech and high-tech) are both
necessary and possible. Very little research, however, is underway towards this
goal. In the meantime, the performance of tamper-indicating seals can be
dramatically improved if seal users understand the vulnerabilities and look for the
most likely attack scenarios for the specific seals they are using. This requires,
first and foremost, a recognition that seals can be defeated, followed by hands-on
training.

Cryptography & Authentication

Cryptography—the use of ciphers—is a powerful technique for communicating
between two locations (or across time) in a private manner. With a secure cipher,
an adversary can listen in on the communications and still not understand the
meaning. Authentication is a closely related technique that allows the person at
the receiving end to be sure the message she received is authentic.

Many things can go wrong to compromise the security of an encrypted or
authenticated message, often involving mistakes or betrayals by human beings.
One particularly serious vulnerability has to do with the physical security of the
sending and receiving locations. If an adversary can gain undetected physical
access to one of the locations, he can view (and tamper with) the data prior to its
encryption or after its decryption. The cipher (or authentication) then adds little
security.

Developers and manufacturers like to talk about the high security of the
encryption or authentication algorithms used in their security devices or systems.
The fact that it is usually easy to gain undetected access to the interior of the
hardware (before or after installation) means that cryptography frequently adds
little to the security of tags, seals, monitoring systems, or access control devices.

GPS

The Global Positioning System (GPS) is being used increasingly for a wide
variety of applications. GPS receivers are now embedded in watches and cell
phones, for example.

GPS receivers tune into the radio signals from 24 satellites orbiting the earth.
Those signals help the GPS receiver determine the current time, and where it is
located on the earth’s surface, typically to within about ±15 yards.

GPS is increasingly being used for security applications. These include cargo
tracking; public safety services such as police, fire, rescue and ambulance; and
time synchronization signals for financial transactions and critical utility,
computer, and telecommunications networks.

The problem with using GPS for security applications is that it was never
intended for such uses—it is fundamentally an inventory technology. Private
industry, foreigners, and 90% or so of the federal government must use the
civilian GPS signals. Unlike the military signals, these are unencrypted and
unauthenticated. This makes it easy to spoof them using widely available, user-
friendly GPS satellite simulators. These simulators can be purchased, rented, or
stolen; they are not export controlled. They can be easily operated by people
with little understanding of GPS, electronics, or computers.

Manufacturers and vendors of GPS cargo tracking systems like to emphasize
the security of the encryption scheme used by the truck or transportainer to
periodically report its location back to headquarters. The most secure encryption
in the world, however, won’t solve the problem that the GPS signals reaching the
GPS receiver may be fake, and thus the truck or transportainer will be reporting
the wrong coordinates.

There are several possible scenarios for hijacking a truck that uses GPS cargo
tracking. If the driver is part of the conspiracy (which statistics tell us happens in
the majority of cases), he can simply hard-wire a GPS satellite simulator to the
antenna of his truck’s GPS receiver. (There is thus no need to send the fake
signals through the air.) This lets him trick headquarters into thinking the truck is
somewhere it is not during the hijacking and cargo unloading, thus creating
deniable culpability for the driver and misdirection for the hijackers.

If the driver is instead honest, hijackers must decide whether to disable him
before or after spoofing, based on whether or not he might be able to get off a
panic call for help. If no panic alarm is likely, the cargo thieves can take out the
driver first, and again hard-wire the GPS satellite simulator to the GPS receiver’s
antenna. They will then make headquarters think the truck is happily traveling
along its intended route on schedule, while in actuality it is being driven
elsewhere by the crooks to be unloaded.

Alternately, if the hijackers are worried about the driver getting off a panic call
for help, they may instead want to feed his GPS cargo tracking system fake
signals remotely using radio frequency (rf) signals. (We’ve demonstrated how
easy this is to do from a "chase" vehicle.) They will make the truck wrongly
report back to headquarters that it is 10 or 20 miles farther along, or farther
behind, the planned route than it truly is. When the hijackers then attack the
driver, any panic alarm he gets off will cause the authorities to descend on the
wrong location. The truck hijackers can drive the truck off without fear of being
apprehended.

There are other GPS spoofing concerns beyond cargo hijacking. The possibility
of using spoofing to crash (or steal from) nationwide computer,
telecommunications, financial, and utility networks that rely on GPS for time
synchronization is very real. Unfortunately, the backup time standard often used
(when there is one) is the radio signal from the atomic clocks at the National
Institute of Standards and Technology (NIST). These signals are also not
encrypted or authenticated, and can also be counterfeited.

There are relatively inexpensive countermeasures that can detect the use of a
GPS satellite simulator. Such countermeasures, however, are not currently in
use. Even with such countermeasures, sophisticated adversaries will always be
able to spoof civilian GPS signals unless they are eventually encrypted or
authenticated. At this point, it would just be useful if the general public couldn’t
easily spoof civilian GPS receivers.
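The paper says inexpensive countermeasures can detect a GPS satellite simulator but does not describe them. One cheap, purely defensive consistency check that a tracking back end can run on the reports it already receives, as an added example in Python (this is not the authors’ countermeasure and not code from the paper): compare each fix with the previous one and flag an implied speed no truck can reach, or GPS-derived time that stops advancing in step with the receiving side’s own clock. The constructed track, the 90 mph ceiling, the 5-second clock tolerance, and the report format are all assumptions made for the illustration.

```python
import math

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def check_track(reports, max_mph=90.0, max_clock_skew_s=5.0):
    """Flag consecutive position reports that are physically or temporally implausible.

    reports: list of dicts with
        'local_s'  seconds on the back end's own clock when the report arrived
                   (assumed NOT to be disciplined by GPS, or it proves nothing),
        'gps_s'    time the receiver took from the satellite signal,
        'lat', 'lon' reported position in decimal degrees.
    Returns a list of (report_index, reason) tuples; empty means nothing suspicious.
    """
    anomalies = []
    for i in range(1, len(reports)):
        prev, cur = reports[i - 1], reports[i]
        dt_local = cur["local_s"] - prev["local_s"]
        if dt_local <= 0:
            anomalies.append((i, "report arrived out of order on the local clock"))
            continue
        # A simulator whose clock is not aligned with real time shows up as
        # GPS time drifting away from wall-clock time between reports.
        dt_gps = cur["gps_s"] - prev["gps_s"]
        if abs(dt_gps - dt_local) > max_clock_skew_s:
            anomalies.append((i, f"GPS time advanced {dt_gps:.0f}s while the local clock advanced {dt_local:.0f}s"))
        # An abrupt 10-20 mile offset between two reports implies an impossible speed.
        miles = haversine_miles(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        mph = miles / (dt_local / 3600.0)
        if mph > max_mph:
            anomalies.append((i, f"implied speed {mph:.0f} mph ({miles:.1f} miles in {dt_local:.0f}s)"))
    return anomalies


# Constructed track: a truck heading due north at about 60 mph, reporting every
# 5 minutes (0.0724 degrees of latitude is roughly 5 miles). Report 3 is the
# constructed anomaly: the fix jumps about 25 miles ahead and the GPS time is
# no longer in step with the local clock.
CONSTRUCTED_TRACK = [
    {"local_s": 0,   "gps_s": 1000, "lat": 35.0000, "lon": -106.0},
    {"local_s": 300, "gps_s": 1300, "lat": 35.0724, "lon": -106.0},
    {"local_s": 600, "gps_s": 1600, "lat": 35.1448, "lon": -106.0},
    {"local_s": 900, "gps_s": 5000, "lat": 35.5000, "lon": -106.0},
]

if __name__ == "__main__":
    for index, reason in check_track(CONSTRUCTED_TRACK):
        print(f"report {index}: {reason}")
```

This catches the crude cases: an offset introduced abruptly, or a simulator whose clock was never synchronized. A simulator that smoothly continues the planned route on schedule, as in the hard-wired scenarios above, produces a track this check cannot distinguish from the real one, which is exactly the authors’ point that civilian GPS cannot be trusted for security until the signals are authenticated.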

It is also easy to block or jam civilian GPS signals. The satellite signals from
space can be blocked by breaking the antenna on the GPS receiver, or by
covering it with aluminum foil or other metal. Jamming involves making a noisy rf
circuit that broadcasts on the GPS frequency. Complete plans are available on
the Internet. A jammer capable of blocking civilian GPS satellite signals over
hundreds of square miles costs less than $50. Fortunately, however, blocking
and jamming (unlike spoofing) are not surreptitious. The GPS receiver (and its
user) knows full well that it is not receiving signals.

Biometrics

Biometrics involves identifying people, or verifying their identity, based on
biological feature(s). Examples include height, weight, eye color, fingerprints,
face recognition, voice recognition, retinal patterns, iris patterns, and DNA
analysis.

While biometrics clearly have a bright future, the fact remains that most
biometric access control systems are currently easy to spoof. This can be done
by replicating or counterfeiting the actual biometric—which is often surprisingly
easy to do. Alternately, an adversary can tamper with the access control device
itself. The tamper detection on most biometric devices is either nonexistent or
remarkably unsophisticated.

Conclusion

The point of this article is not to discourage the use of high-technology. It has
a very important role to play in security, now and in the future. High-technology
can offer important security improvements, while saving time, money, personnel,
and resources.

Like any tool, however, high-technology has to be used thoughtfully. Security
managers need to think critically about high-tech devices and systems, and the
claims made for them. It is essential to fully understand their limitations and
vulnerabilities. We must not engage in wishful thinking, or automatically believe
every unsubstantiated claim for high-technology. To quote Bruce Schneier: “If
you think technology can solve your security problems, then you don’t
understand the problems and you don’t understand the technology.”

Acknowledgments and Disclaimer

We benefited greatly from the contributions of Anthony Garcia, Leon Lopez,
Ron Martinez, Adam Pacheco, and Sonia Trujillo. The views expressed in this
article are those of the authors and should not necessarily be ascribed to Los
Alamos National Laboratory, the United States Department of Energy, or the BBC.

About the Authors

Roger G. Johnston, Ph.D., CPP has been head of the Vulnerability Assessment
Team at Los Alamos National Laboratory (LANL) since 1992. He received a B.A.
degree from Carleton College (1977), and M.S. and Ph.D. degrees in physics from
the University of Colorado (1983). Johnston is the author of over 80 technical
publications, holds 10 U.S. patents, and serves as a security consultant. He was
recently awarded the LANL Fellows Prize for Outstanding Research.

Jon S. Warner, Ph.D. is a staff member in the Advanced Diagnostics and
Instrumentation Group at Los Alamos National Laboratory. He received B.S.
degrees in physics and in business management from Southern Oregon
University (1994), and M.S. and Ph.D. degrees in physics from Portland State
University (1998 & 2002). His research interests include security devices,
electronics, and microprocessor applications.
