Everything starts well. I feel more secure when I speak after people who are more junior than I am. Today, I am speaking just after Jacques Stern. Too bad for my confidence.
Still, I do believe in my topic, so I will take the opportunity in this entry to discuss a bit what my message is. Basically, the message is that it is very interesting and important to design new attacks on existing things, but it is just as interesting and important to think about the impact of the environmental changes, and more generally to think about the target of the attacks in a more global way.
I have tried here to distinguish between the exogenous threats, which come from the outside, and the endogenous threats, which come from the inside. The idea here is that every application has intrinsic weaknesses and other issues, which are the basis of endogenous threats.
Put differently, exogenous threats define the individual attacks, whereas endogenous threats define the attack paths, i.e., the way in which the individual attacks can be combined in order to attack a specific implementation of a product.
Even more practically, the issue I want to raise is that security people have access to a hammer, and as such have a tendency to see every application as a nail, without taking into consideration the specificity of the application. An extreme example of this is last year’s big fuss about the guy who cloned an e-passport. This created headlines, with quite a few supposedly respectable guys explaining why this is very bad. In fact, it turns out that cloning is not considered a security issue, because the passport is based on biometrics.
Another example is about mobile payment, i.e., smart card payment using a mobile phone. People can argue that, if it is the same application as usual, there are no new risks. This is mostly true, but there still remains a difference: the application runs on a mobile phone, and is therefore accessible (directly or indirectly) from a network. This is typical of a small evolution that may have a security impact. I don’t mean here that this new threat can be completely exploited, but it may still open new doors, for instance by making some transaction delegation attacks feasible.
Of course, it is very tempting for a vendor to take the shortcut, and to say that a threat does not exist if we don’t know today of a way to exploit it. However, I strongly believe that this is a wrong shortcut, as we may succeed in convincing ourselves that the problem is negligible, while the bad guys remain active in finding actual exploits.
We are living in exciting times, as we are starting to deploy very interesting solutions. We all need to work together in analyzing the risks associated with these new solutions, rather than attempting to deny them. And then, we also need to find innovative ways to build the required trust and to define certification schemes that meet the requirements of all major actors (from banks to telcos and application developers).
If you don’t know about an attack today, it is natural not to take it into account. What is your proposal to protect against unknown attacks? Is it not enough to react to the first successful attack? Otherwise we might as well get paranoid.
My post may be misleading, but I don’t believe in magic, and I am not saying that we should protect against unknown attacks. The only thing that I am saying is that, once we have uncovered a partial attack path, we should act upon it, or at least, think about it.
If I consider again the delegation issue, I have not identified any “industrial” attack based on it. Does it mean that we should not worry about allowing applications to know the origin of the command? An application that only expects some commands to come from the NFC antenna (and not from the mobile phone) should be able to perform that check, and reject commands that come from the mobile phone. If the cost is very small (as it is in that case), I really believe that this is not paranoia.
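The command-origin check described in the reply above, as an added illustration that is not part of the post or of any real payment applet: a small model of a secure element that dispatches payment commands either with or without checking which interface they arrived on. The command names, the policy table and the "delegated" sequence are constructed for the example; the status words are the usual ISO 7816 values.

```python
from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    CONTACTLESS = "nfc"   # command came in over the NFC antenna (the terminal)
    HOST = "host"         # command came from the phone's own processor


# Constructed policy: which origins are allowed to issue each command.
# Transaction-authorising commands are expected from the terminal only.
POLICY = {
    "SELECT":      {Origin.CONTACTLESS, Origin.HOST},
    "GET_DATA":    {Origin.CONTACTLESS, Origin.HOST},
    "VERIFY":      {Origin.CONTACTLESS},
    "GENERATE_AC": {Origin.CONTACTLESS},
}

SW_OK = "9000"                 # ISO 7816: success
SW_NOT_SATISFIED = "6985"      # ISO 7816: conditions of use not satisfied


@dataclass(frozen=True)
class Command:
    name: str
    origin: Origin


def dispatch_unchecked(cmd: Command, audit: list) -> str:
    """'Before': the applet never looks at the origin, so a host app can
    drive a full transaction exactly as a terminal would (delegation)."""
    return SW_OK


def dispatch_checked(cmd: Command, audit: list) -> str:
    """'After': reject commands arriving from an origin the policy does not
    allow, and record the rejection so unexpected host traffic is visible."""
    allowed = POLICY.get(cmd.name, set())
    if cmd.origin not in allowed:
        audit.append(f"REJECT {cmd.name} from {cmd.origin.value}")
        return SW_NOT_SATISFIED
    return SW_OK


def run_sequence(cmds, dispatcher):
    """Feed a command sequence to a dispatcher; return the status words."""
    audit: list = []
    return [dispatcher(c, audit) for c in cmds], audit


# Constructed delegation scenario: an app on the phone replays the terminal's
# command sequence from the host side instead of over the NFC antenna.
DELEGATED = [Command(n, Origin.HOST) for n in ("SELECT", "GET_DATA", "GENERATE_AC")]
```

With `dispatch_unchecked` every delegated command succeeds; with `dispatch_checked` only `SELECT` and `GET_DATA` do, and `GENERATE_AC` is refused and logged.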