Interesting finds

November 13, 2009

A single smartphone can DoS federal wiretaps

Filed under: Cell Phones, Crime Tech, Government, Society, Technology — thewere42 @ 8:31 pm

The official protocol for providing US law enforcement with the ability to monitor and record calls in the digital era was a product of compromise and, according to new research, it shows: an enterprising hacker could have a wealth of tools to interfere with the monitoring.

By John Timmer

As the telecommunications world went wireless and digital, the tried-and-true method law enforcement agencies used for wiretaps—splicing into the local loop—was in danger of becoming an anachronism. In 1994, Congress passed the Communications Assistance for Law Enforcement Act, which required telecommunications switches to incorporate a capacity for government monitoring of phone calls and other communications. That requirement ultimately produced an ANSI standard, J-STD-025, that dictated the capabilities of the hardware interface used by law enforcement agencies. A team of academic researchers has now put that standard to the test, and found that it’s vulnerable to various forms of denial and obfuscation attacks.

As the authors note, the monitoring of domestic communications has been a source of controversy in recent years; others have questioned whether having a standard capacity built into every piece of communication hardware leaves the US communications infrastructure at risk of external attack. They avoid these issues, however, and focus on a simpler question: how well does the J-standard actually work?

The answer, it appears, is that it’s trivial to defeat it and interfere with wiretaps. The big caveat to this work is that the authors didn’t have access to any of the actual hardware used by law enforcement agencies; they simply tested whether hardware that follows the J-standard could hold up to a variety of attacks. It’s possible that hardware makers have exceeded the standards with more recent equipment, and obviated some of the problems.

Still, there are two reasons to think that at least some wiretaps would be vulnerable. The first is that the hardware that’s actually deployed is probably from a variety of generations and manufacturers, making it likely that some of it does the bare minimum needed to comply. The second is that the authors demonstrate multiple vulnerabilities, making it unlikely that even the best equipment handles all of them.

Part of the problem is that there are two classes of phone monitoring available to law enforcement: simple call logging, which is relatively easy to obtain, and full call recording, which is typically more challenging. The two are handled separately within the protocol, and the capacity granted for the logging was based on typical usage patterns at the time: a single, 64kbps ISDN line. The authors go on to show that it’s relatively simple to exceed this bandwidth with a single computer or smartphone, creating a denial of service situation.

Part of the problem is that there’s an asymmetry between the basic information that needs to be sent down a phone line—there’s a connection waiting—and all the information that law enforcement needs, such as the source, a datestamp, a case identifier, etc. This asymmetry ensures that even a simple unconnected call produces significant data that has to be stuffed down the 64kbps pipe.

The other part of the problem is that modern telephony creates a variety of methods of sending a lot of traffic to an individual phone line with minimal effort. So, for example, the authors use an ISDN phone to send commands to voicemail boxes at a rate of 94 calls a second. Forty-two text messages a second would also work, as would repeated call/hangups using IP telephony. A rate of 20 hangups a second would do the trick, and the researchers were easily able to exceed that from a residential broadband connection.

Since the J protocol doesn’t allow for queueing or buffering, once the bandwidth is exceeded, any information that can’t be stuffed down the pipes is lost. So, once these levels are exceeded, law enforcement call logging becomes unreliable. The protocol is less clear about the capacity allocated to content monitoring, but the authors’ analysis suggests that this would be even easier to saturate.

More sophisticated attacks are also possible. For example, the J protocol calls for a termination of call recording once a tone is registered. However, communications hardware will only register the tone if it originates from specific hardware. As a result, a person being monitored could send the tone over their phone; the monitoring equipment should hang up, while the call would continue.

The authors were also able to craft a variety of IP packets that would interfere with monitoring. These include false datestamp information—which would inject irrelevant packets into the middle of a conversation—and eliminating the directionality information used by packets in some CDMA cellular systems. They also built packets that would be routed part of the way to the end user, but never reach them; these would be seen by the tap, but not interfere with the phone conversation.

All told, the authors come up with six attack scenarios that they consider practical, in that they could be carried out with readily available equipment. In fact, they tested a number of them using a laptop tethered to a CDMA phone (in one case, causing Sprint to throttle back their bandwidth).

They also suggest a number of stopgap measures that could be used to help avert some of their own scenarios, such as providing law enforcement with greater bandwidth. Still, it’s clear that they think the J standard is due for a complete rewrite, as they suggest it was the product of compromise among law enforcement, hardware makers, and telcos, and a product of simpler telecommunications times.
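The loss behaviour described above, and the stopgap of giving the channel more bandwidth, can be explored with a small capacity model. This is an added example, not code from the article or the researchers; the one-second slot model, the 400-byte record size (what 20 events a second would need to fill 64 kbps) and the load trace are assumptions made for illustration.

```python
"""Slot model of a call-data channel with and without buffering.

Added example. The slot model, record size and load trace are assumptions
made here; they are not taken from J-STD-025 or from the researchers' paper.
"""
from dataclasses import dataclass

LINK_BPS = 64_000  # one 64 kbps ISDN channel, the figure quoted in the article


def implied_record_bytes(events_per_s, link_bps=LINK_BPS):
    """Record size if `events_per_s` exactly fills the link (assumption)."""
    return link_bps / 8 / events_per_s


@dataclass
class Result:
    offered: int = 0
    delivered: int = 0
    dropped: int = 0
    peak_backlog: int = 0  # records waiting at the worst moment

    @property
    def loss(self):
        return self.dropped / self.offered if self.offered else 0.0


def simulate(trace, record_bytes, link_bps=LINK_BPS, buffer_bytes=0):
    """Replay `trace` (events in each one-second slot) through the link.

    buffer_bytes=0 models the bufferless case; None means an unbounded buffer.
    """
    per_slot = (link_bps // 8) // record_bytes  # whole records sent per second
    limit = None if buffer_bytes is None else buffer_bytes // record_bytes
    res, backlog = Result(), 0
    for arrivals in trace:
        res.offered += arrivals
        pending = backlog + arrivals
        sent = min(pending, per_slot)
        waiting = pending - sent
        # Records that neither fit on the wire nor in the buffer are lost.
        backlog = waiting if limit is None else min(waiting, limit)
        res.dropped += waiting - backlog
        res.delivered += sent
        res.peak_backlog = max(res.peak_backlog, backlog)
    res.delivered += backlog  # whatever is still queued drains after the trace
    return res


def sizing(trace, record_bytes):
    """Link rate or buffer size that would have carried `trace` with no loss."""
    unbounded = simulate(trace, record_bytes, buffer_bytes=None)
    return {
        "link_bps_without_buffer": max(trace) * record_bytes * 8,
        "buffer_bytes_at_64k": unbounded.peak_backlog * record_bytes,
    }


# Constructed load: 2 events/s background with a 10 s spike of 30 events/s.
TRACE = [2] * 10 + [30] * 10 + [2] * 40
RECORD_BYTES = int(implied_record_bytes(20))  # 400 bytes per record

if __name__ == "__main__":
    for label, buf in (("bufferless", 0), ("20 kB buffer", 20_000),
                       ("40 kB buffer", 40_000)):
        r = simulate(TRACE, RECORD_BYTES, buffer_bytes=buf)
        print(f"{label:>13}: offered={r.offered} dropped={r.dropped} "
              f"loss={r.loss:.1%}")
    print(sizing(TRACE, RECORD_BYTES))
```

On this trace the bufferless link loses a quarter of all records, while either a faster link or a modest buffer removes the loss entirely.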

http://arstechnica.com/security/news/2009/11/a-single-smartphone-can-dos-federal-wiretaps.ars

November 12, 2009

Fujitsu F-04B modular cellphone with pico-projector

Filed under: Cell Phones — thewere42 @ 9:25 pm

By Chris Davies

If you thought you’d seen it all in Nokia’s Vision of 2015 video, book a flight to Tokyo and stop by Fujitsu’s offices there.  They don’t seem to have got the memo that modular, wirelessly-connected mobile phones with integrated pico-projectors are meant to be the stuff of futurology, not fact, and as such have produced a working version of their F-04B cellphone.  Akihabara have been for a play, and claim it’s a brilliant multifunctional device.

The core F-04B splits into two sections, a touchscreen part and a QWERTY keyboard, with the two linked via Bluetooth and functional either as a combined slider device or separately.  That makes everything pretty bulky – and Fujitsu’s touchscreen doesn’t get the highest marks – but there’s still space for a 12.2-megapixel camera and 1-Seg digital TV.

As for the 854 x 480 pico-projector, that clicks on in place of the keyboard section, which then doubles as a remote-control.  We’re not sure when our Japanese friends will be able to pick one up, but it seems like Fujitsu really do intend to launch the F-04B to the market.

http://www.slashgear.com/fujitsu-f-04b-modular-cellphone-with-pico-projector-gets-played-with-1263375/

Contact lenses to get built-in virtual graphics

Filed under: Cell Phones, Computer Tech, Future, Gadget Tech — thewere42 @ 9:25 pm

By Vijaysree Venkatraman

A contact lens that harvests radio waves to power an LED is paving the way for a new kind of display. The lens is a prototype of a device that could display information beamed from a mobile device.

Realising that display size is increasingly a constraint in mobile devices, Babak Parviz at the University of Washington, in Seattle, hit on the idea of projecting images into the eye from a contact lens.

One of the limitations of current head-up displays is their limited field of view. A contact lens display can have a much wider field of view. “Our hope is to create images that effectively float in front of the user perhaps 50 cm to 1 m away,” says Parviz.

His research involves embedding nanoscale and microscale electronic devices in substrates like paper or plastic. He also wears contact lenses. “It was a matter of putting the two together,” he says.

Fitting a contact lens with circuitry is challenging. The polymer cannot withstand the temperatures or chemicals used in large-scale microfabrication, Parviz explains. So, some components – the power-harvesting circuitry and the micro light-emitting diode – had to be made separately, encased in a biocompatible material and then placed into crevices carved into the lens.

One obvious problem is powering such a device. The circuitry requires 330 microwatts but doesn’t need a battery. Instead, a loop antenna picks up power beamed from a nearby radio source. The team has tested the lens by fitting it to a rabbit.

Parviz says that future versions will be able to harvest power from a user’s cell phone, perhaps as it beams information to the lens. They will also have more pixels and an array of microlenses to focus the image so that it appears suspended in front of the wearer’s eyes.

Despite the limited space available, each component can be integrated into the lens without obscuring the wearer’s view, the researchers claim. As to what kinds of images can be viewed on this screen, the possibilities seem endless. Examples include subtitles when conversing with a foreign-language speaker, directions in unfamiliar territory and captioned photographs. The lens could also serve as a head-up display for pilots or gamers.

Mark Billinghurst, director of the Human Interface Technology Laboratory, in Christchurch, New Zealand, is impressed with the work. “A contact lens that allows virtual graphics to be seamlessly overlaid on the real world could provide a compelling augmented reality experience,” he says. This prototype is an important first step in that direction, though it may be years before the lens becomes commercially available, he adds.

The University of Washington team will present their prototype at the Biomedical Circuits and Systems (BioCas 2009) conference at Beijing later this month.

http://www.newscientist.com/article/dn18146-contact-lenses-to-get-builtin-virtual-graphics.html

One Day, This Will Be Remembered as the First Real Tricorder

Filed under: Cell Phones, Gadget Tech — thewere42 @ 9:25 pm

Leave it to a NASA scientist to create the first Star Trek Tricorder using a stamp-sized sensor chip, an iPhone, and some spiffy programming. What does it do? It can detect killer gasses in the air.

Chemical Sensor

While the concept is not new, this prototype is fully working and operational. Created by Jing Li and a team of researchers at NASA’s Ames Research Center, Moffett Field, California, the sensor is a multiple-channel silicon-based sensing chip integrated in a micro-board with 64 nanosensors.

The low-cost, low-power system can detect minimal concentrations of ammonia, chlorine gas, and methane, showing the values in an iPhone application. It can automatically communicate the results with other cellphones or the Enterprise’s computer using Wi-Fi or 3G, and order massive teleportation evacuations if needed. OK, not true. No teleportation yet, but we are getting there. [NASA]


Send an email to Jesus Diaz, the author of this post, at jesus@gizmodo.com.

http://gizmodo.com/5403126/one-day-this-will-be-remembered-as-the-first-real-tricorder

November 10, 2009

Remote repair for infected phones in development

Filed under: Cell Phones, Security — thewere42 @ 11:24 pm

In response to the growing threat of mobile malware, researchers at Georgia Tech are planning to study mobile device security and ultimately hope to devise a way to remotely repair infected devices.

“Today, there haven’t been widespread attacks, but we are seeing attackers starting to pay attention to mobile devices and we expect that that’s only going to be increasing,” Jonathon Giffin, an assistant computer science professor, told SCMagazineUS.com on Tuesday.

Giffin and fellow assistant professor Patrick Traynor will lead a research study into cyberattacks within cellular networks, to be funded by a three-year, $450,000 grant from the National Science Foundation.

The researchers and a team of graduate students plan to build a cellular network test bed on campus to simulate how cellular devices communicate, Giffin said. Subsequently, they plan to study how attacks against mobile devices operate inside the test bed.

“We do hope that this is a test bed that will be useful to others who would like to do research into cellular security as well,” Giffin said.

The researchers also plan to investigate whether service providers, such as AT&T and Verizon Wireless, are capable of detecting infected devices in their networks, he said. Infected devices often send a high volume of traffic to a known malicious server or generate a high volume of text messages. So, service providers should be able to locate an infected device by monitoring network traffic patterns for anomalies.
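The two signals named above, applied to a usage summary, as an added example that is not the Georgia Tech team's code. The record format, the blocklisted host name, the byte floor and the outlier cutoff are all assumptions, and the sample data is constructed.

```python
"""Flag subscribers using the two signals named in the article (added example)."""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed one-hour usage summary; the format and every value are made up.
RECORDS = """subscriber,kind,destination,count,bytes
sub-001,sms,various,4,0
sub-001,data,cdn.example.net,0,1200000
sub-002,sms,various,7,0
sub-003,sms,various,2,0
sub-003,data,c2.bad.example,0,48000000
sub-004,sms,various,5,0
sub-005,sms,various,310,0
sub-006,sms,various,3,0
sub-006,data,c2.bad.example,0,900
"""
BLOCKLIST = {"c2.bad.example"}   # hypothetical known-malicious host
MIN_BLOCKLIST_BYTES = 1_000_000  # assumed floor for "a high volume of traffic"
MAD_CUTOFF = 3.5                 # usual cutoff for the modified z-score


def load(text=RECORDS):
    """Return (SMS count per subscriber, bytes sent to blocklisted hosts)."""
    sms = defaultdict(int)
    bad_bytes = defaultdict(int)
    for row in csv.DictReader(io.StringIO(text)):
        sub = row["subscriber"]
        sms[sub] += 0  # subscribers with no SMS rows still count as zero
        if row["kind"] == "sms":
            sms[sub] += int(row["count"])
        elif row["destination"] in BLOCKLIST:
            bad_bytes[sub] += int(row["bytes"])
    return dict(sms), dict(bad_bytes)


def sms_outliers(sms, cutoff=MAD_CUTOFF):
    """Subscribers whose SMS count is far above the population median.

    Median and MAD are used instead of mean and standard deviation so that
    one very noisy device cannot raise the baseline and hide itself.
    """
    counts = list(sms.values())
    med = median(counts)
    mad = median([abs(c - med) for c in counts])
    mad = max(mad, 1.0)  # floor of one message when everyone looks identical
    return {s for s, c in sms.items()
            if c > med and 0.6745 * (c - med) / mad > cutoff}


def flag(text=RECORDS):
    """Map each suspicious subscriber to the reasons it was flagged."""
    sms, bad_bytes = load(text)
    reasons = defaultdict(list)
    for sub in sms_outliers(sms):
        reasons[sub].append("sms-volume")
    for sub, total in bad_bytes.items():
        if total >= MIN_BLOCKLIST_BYTES:
            reasons[sub].append("blocklisted-traffic")
    return {sub: sorted(why) for sub, why in sorted(reasons.items())}


if __name__ == "__main__":
    for sub, why in flag().items():
        print(sub, ", ".join(why))
```

The 900-byte contact from sub-006 stays below the volume floor, which shows why a blocklist hit alone and a volume threshold give different answers.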

“One of the hallmarks of our design is to use the network itself to identify attacks,” Giffin said.

Ultimately, the researchers want to develop a remote repair method that would enable service providers to clean malicious code off an infected device without the device having to be brought into a service center, Giffin said. The remote repair solution might be similar to remote wipe technologies that are used today to clear all the data off a mobile device that has gone missing.

Traynor has contacted a number of major carriers about the project and there is “a sense of excitement all around,” he said. “We need to develop solutions today so we are ready when these widespread attacks occur.”

When contacted by SCMagazineUS.com on Tuesday, a Verizon Wireless spokeswoman said the company will await the outcome of the research before commenting. A spokesperson at AT&T could not be reached.

The hacker community clearly is ramping up efforts to study mobile devices.

This week, it was reported that a prank worm is circulating over jailbroken iPhones in Australia. In addition, late last month, a proof-of-concept (PoC) application was released that enables an attacker to remotely activate a BlackBerry microphone and listen in on surrounding sounds and conversations.

http://www.scmagazineus.com/Remote-repair-for-infected-phones-in-development/article/157504/

November 9, 2009

First-known iPhone worm ‘Rickrolls’ jailbroken Apple handsets

Filed under: Cell Phones, Security — thewere42 @ 4:33 pm

By Sam Oliver

The iPhone’s first worm — a playful, wallpaper-changing prank that only affects jailbroken phones — could be a sign of more dangerous things to come.

A hacker who identifies himself as “ikex” created the worm, which changes the user’s wallpaper to a picture of 1980s pop star Rick Astley, who sang the 1987 hit “Never Gonna Give You Up.” The software includes the message: “ikee is never gonna give you up.”

The term jailbreaking refers to a hack that allows users to run software not approved by Apple on the iPhone. It can grant users the ability to install custom wallpapers and themes, enable tethering, or unlock the handset for use on a non-approved carrier.

The ikex worm is simply a prank known as “Rickrolling,” an Internet bait-and-switch meme in which users expect to see a video on a certain topic, only to find themselves watching Astley’s cheesy 1987 music video. According to Forbes, the worm does nothing malicious.

“The world’s first iPhone worm is also hardly a true criminal exploit,” the report said. “Instead, it seems to be half warning, half prank. Ikee’s author, who identifies himself or herself as ‘ikex’ in the worm’s source code, also wrote in the code that “People are stupid, and this is to prove it so,” adding that users should read their phones’ manuals.”

For now, the worm is said to be spreading among jailbroken iPhones in Australia. It affects only users who did not change their default SSH password, which allows file transfers between phones.

“It’s not that hard, guys,” ikex wrote in the source code. “But hey who cares its only your bank details at stake.”

Mikko Hyppönen, researcher with F-Secure, discussed the worm on his company’s Web site. It lets users know how to change their root password, and also warns that the software could become more dangerous.

“The creator of the worm has released full source code of the four existing variants of this worm,” he said. “This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed.”

This summer, Apple quickly fixed a text messaging exploit that could have affected all iPhones. The exploit took advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone.

The exploit, discovered by security researcher Charlie Miller, exposed the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari.

Miller also, back in 2007, discovered the iPhone’s first security flaw. It allowed malicious Web sites to take advantage of flaws within the Safari Web browser.

http://www.appleinsider.com/articles/09/11/09/first_known_iphone_worm_rickrolls_jailbroken_apple_handsets.html

October 27, 2009

Toshiba Corporation launches highly sensitive CMOS image sensor with BSI

Filed under: CameraTech, Cell Phones, Photography — thewere42 @ 5:38 pm

Applies world’s first 300mm wafer lines for BSI technology

TOKYO— Toshiba Corporation (TOKYO: 6502) today announced the launch of a new CMOS image sensor that will bring 14.6 million pixels (as in 14.6 megapixel) to digital still cameras and to mobile phones supporting video imaging. The sensor, the latest addition to Toshiba’s “Dynastron™” line-up, is also the company’s first to integrate the enhanced sensitivity offered by back-side illumination technology (BSI). Sampling of the new sensor will begin in December and mass production will follow from the third quarter of 2010 (July—September).

BSI brings new levels of responsiveness to CMOS imaging. Lenses are deployed on the rear of the sensor on the silicon substrate, not on the front, where wiring limits light absorption. This positioning boosts light sensitivity and absorption by 40% compared to existing Toshiba products, and allows formation of finer image pixels.

Toshiba has made full use of the advantages of BSI to realize image pixels with a pitch of 1.4 microns, and to pack 14.6 million of them into a 1/2.3-inch sensor that meets the high level imaging and processing requirement, and that will also bring a new level of image quality to mobile phones. Toshiba will use the new sensor to promote its full-scale entry to the digital camera market, and will continue to develop BSI products as a mainstream technology.

The new sensor will be mass produced at Toshiba’s Oita Operations, on industry leading 300mm wafer lines deploying 65nm process technology. Initial production will be at a volume of 500,000 sensors a month.

CMOS image sensors are a focus product of Toshiba’s System LSI business. Until now, their main application has been in mobile phones, where Toshiba could leverage its high density integration and low power consumption technologies. With the introduction of BSI CMOS sensors, Toshiba will reinforce the sensor business by expanding application to include digital cameras.

http://www.dpreview.com/news/0910/09102701toshibabackilluminatedsensor.asp

Eavesdropping on Smartphone Secrets

Filed under: Cell Phones, Security — thewere42 @ 5:38 pm
Researchers say that smartphones are vulnerable to an attack used to steal information from smartcards.
By Erica Naone

As phones become increasingly like pocket computers, many people have called for closer scrutiny of their security. When explaining this, these people usually point out that today’s phones are a lot like the desktop PCs of the mid-1990s. Attackers can apply a huge body of experience from attacking desktop machines when looking for a way into mobile devices.

However, some experts argue that mobile phones are actually simple enough to be vulnerable to attacks originally designed for embedded systems.

“The phone is a very stripped down environment,” says Benjamin Jun, vice president of technology at Cryptography Research, a security research company based in San Francisco, CA. “Which means that someone who’s trying to attack the device generally has an easier time, because it’s not as complicated as a desktop system.”

To demonstrate this, Cryptography Research adapted a smartcard attack for use against today’s smartphones.

About a decade ago, the company found that a technique called differential power analysis would allow an attacker to extract the cryptographic keys from a smartcard by analyzing its patterns of power consumption. As it turns out, Jun says, the same type of analysis will reveal the cryptographic keys that a phone uses to access a carrier’s network, or to secure data stored on the device. In contrast, such an attack would be hard to pull off on a more complicated device, simply because a laptop, for example, would run more programs at the same time and produce a lot more noise.

The smartcard attack called for the attacker to be in possession of the object, but, in adapting it for smartphones, the researchers found a way to do the same types of calculations based on leaked electromagnetic signals picked up with an antenna.

Jun believes attacks on mobile devices are particularly serious because these devices are being used to access high-value corporate data.

But the bad news has a positive flip side. Jun notes that, just as attackers have experience exploiting vulnerabilities on embedded systems, manufacturers have experience developing countermeasures. Because embedded systems have even more limited memory and processing power than today’s mobile devices, he thinks these countermeasures would be relatively easy to translate to smartphones.

“The main question is whether protections can be done entirely in software or not,” Jun says. Entirely software-based solutions would be cheapest to roll out, he notes. Hardware countermeasures, however, are readily available, and have already been shipped in millions of smartcards.

October 26, 2009

Cameraphone Photographer of the Year

Filed under: CameraTech, Cell Phones, Photography — thewere42 @ 3:22 pm

World View cameraphone photo competition

(Joanne Frances Hanna)

The Times Picture Editor has chosen A very British afternoon as his overall winner


The Times are the Sony Ericsson World View 2008 competition media partner, so enter here to avoid missing out on your shot of a lifetime

http://technology.timesonline.co.uk/tol/news/tech_and_web/specials/cameraphone_photographer/

October 24, 2009

5 Tips for Taking Better Photos with Your Camera Phone

Filed under: CameraTech, Cell Phones, Photography — thewere42 @ 2:55 pm

By Dave Johnson

Cameras are so ubiquitous that they’re built into everything these days, including pocket calculators and toaster ovens. Unfortunately, the image quality from camera phones can be somewhat lackluster. Fight back by reading Chase Jarvis’s tips to improve your iPhone photos.

Sure, his post is iPhone centric, but much of his advice applies to any camera phone. Here are the highlights:

  • Hold the camera still. Camera phone photos are notoriously blurry, in part due to sluggish shutters that take their sweet time getting started, and in part slow exposures that can make a snail appear to have motion blur.
  • Keep your finger on the shutter release. The iPhone (like many phones) takes the picture when you lift your finger, not when you press down. Take that into account.
  • Avoid fast-moving subjects. Remember my comment about the snail? Camera phones crave light and work best when shooting absolutely static images under the blaze of a twin-sun system going supernova. Photos in dark rooms or of moving objects are likely to fail.

After you master your camera phone’s idiosyncrasies, be sure to read Rick’s clever tips on ways to unexpectedly use a camera to make your life easier.

http://blogs.bnet.com/businesstips/?p=2658&tag=content;col1

Five Killer Cell-Phone Camera Tricks

By Rick Broida

Smile! You’re about to learn five fantastic ways to get the most from your cameraphone. Yes, we’re talking about that crummy, low-resolution point-and-shoot that’s built into your cell. It’s a lot more useful than you think, provided you point it at the right things:

  • Where you parked Now where’d you leave the car? G7? F4? If only you’d taken a photo of the nearest signpost, and maybe a few landmarks to boot. Take it from us: Losing your car in a crowded airport lot — especially when it’s 10 degrees out — is not fun.
  • Your passport and/or driver’s license If one of these documents goes missing while you’re traveling, you’re potentially screwed. Before you embark, take a snapshot of your license and/or passport, making sure the numbers are legible. If nothing else, you’ll have an easier time proving your identity and getting your documents replaced.
  • Your hotel room number Sounds nuts, I know, but remember: Hotels no longer put room numbers on room keys. If you’re the forgetful type, this beats stopping at the front desk to ask for your own room number.
  • The label on the wine bottle A client raves about the bottle of wine you shared over dinner. Snap a photo of the label (when he/she’s not looking, of course) so you can match it later, then send along a bottle (or even a case, if it’s a big client) to help seal the deal.
  • Evernote, Qipit, ScanR Snap a photo of a business card, cocktail napkin, whiteboard, or whatever, then send it to one of these free information-management services. From there you can organize, share, publish, or even fax your “digital copy.”

What’s your favorite cameraphone trick? Hit the Comments and share your snapshot secrets. Photo by Thomas Rockstar.

http://blogs.bnet.com/businesstips/?p=2217&tag=col1;post-2658
