Vulnerabilities and Theoretical Attacks

Identifying vulnerabilities is a difficult process because you are looking for what might occur and trying to anticipate how an attacker could attempt to exploit the system. The process is a dual-mode analysis in which you are examining potentially vulnerable areas while anticipating theoretical attacks. Based on the success or failure of these theoretical attacks, the particular component or resource is identified as vulnerable. Recall that you are not making any determination at this point about the practicality of an attack or the development trade-offs necessary to protect or mitigate the vulnerability.

To begin the examination of vulnerabilities, you start at the top of the targets list and place yourself in the malicious roles identified earlier. You then create theoretical attacks to which these targets would be vulnerable. Experience and knowledge of the system's inner workings are crucial if you are to have any expectation of identifying all its potential vulnerabilities. If you are examining an existing system, this requirement may lead you to utilize the developers to conduct the vulnerability analysis. This is acceptable as long as the team is evenly weighted with people who were not involved in the development. The reason is that developers know what they were trying to accomplish, and they may make assumptions about how the system functions or responds under certain circumstances. Further, developers know how the system was intended to function, but most attacks attempt to cause the system to function in a manner in which it was not intended.

Vulnerabilities of the Wireless Device

Similar to identifying targets, you begin at the highest levels and work your way down to the lower functional levels of the system. In general, the lower functional levels require more detailed knowledge, both for you to analyze them and for an attacker to exploit them. However, as with any generalization, there are always exceptions, particularly with exploits. Once an exploit has been identified by someone with that knowledge, even the lower functional levels can be successfully exploited by others with less technical expertise. We discuss this in greater detail throughout the remainder of the chapter, looking at specific examples. Suffice it to say that for this analysis, you must try to be as thorough as possible to ensure that the system is fully protected. You begin by looking at the targets identified.

The Wireless Device Itself

The vulnerability of this particular target to loss or theft is not new to wireless. Loss or theft of personal items has been a concern since our ancient ancestors first grasped the concept of personal property as they huddled around fires in caves. The vulnerability of wireless devices is that they can be misplaced by users or taken by malicious users.

User Interface

The user interface should be examined in its two parts: the physical interface and access to the user interface. These two have different issues that should be acknowledged for completeness of your risk assessment.

The Physical Interface

The physical interface is vulnerable to environmental factors such as water, shock, and abrasion: for example, dropping the device in a puddle or spilling coffee on it, dropping it off a table, having it slip out of the user's hands, having it slide across a rough surface, and having someone sit on or drive over it.

Access to the User Interface

The user interface is vulnerable to environmental factors that cause inadvertent input: for example, a cellular phone in someone's purse being bumped and activated when an object inside the purse depresses the Send key.

Offline Functions
Personal Data on the PDA

Here is where things become more interesting. You examine each of the malicious roles separately to ensure that you cover all the possible vulnerabilities. Again, this is not guaranteed. To ensure a system's security, you must review the vulnerabilities in light of new known attacks, updated information on the system, or new theoretical attacks.

Malicious Device Support Personnel

Personal data stored on the device is vulnerable to malicious device support personnel when the device is taken in for upgrades, maintenance, or repair. These support personnel may have access to manufacturer bypass and diagnostic codes, equipment, or utilities that give them access to personal data stored on the device.

Poor or inexperienced device support personnel may inadvertently leave the device in a security bypass or diagnostic mode that leaves personal data vulnerable.

Malicious App Developer

Malicious application developers can create virus or Trojan Horse utilities or programs (a Trojan Horse is a program that, in addition to providing an overt useful function, performs a covert activity, usually malicious) that allow access to personal data on the PDA.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, such as not clearing buffers or overwriting data elements, leaving personal data vulnerable during transit.

Malicious App Support Personnel

Malicious application support personnel may dupe the user via social engineering to provide access, or information necessary for access, to personal data under the auspices of assisting with an application issue. Alternatively, malicious app support personnel may enable debug or other diagnostic switches within the software, disabling security mechanisms present in the device or software.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled following a support activity, rendering the personal data vulnerable.
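The chapter names the same failure mode for nearly every component: a debug, diagnostic, or bypass switch enabled during a support activity and left enabled afterwards, whether maliciously or by inattention. The following is an added example, not code from the book, of a release check that captures the settings before a support session, compares the post-session state with a hardened baseline, and holds the unit until every switch is back in policy; the setting names, values, and scenario are constructed for illustration.

```python
"""Post-support verification of debug, diagnostic and bypass switches.

Added example, not from the book. Snapshot the settings before a support
session, compare the post-session state with a hardened baseline, and hold
the device or application while any bypass or diagnostic switch is out of
policy. Setting names and values are constructed; a real device or
application exposes its own.
"""
from dataclasses import dataclass
from typing import Dict, List

Settings = Dict[str, object]

# Hardened baseline: the only acceptable value for each security-relevant
# switch. Hypothetical names, chosen to mirror the chapter's vocabulary.
BASELINE: Settings = {
    "debug_mode": False,
    "diagnostic_port_enabled": False,
    "security_bypass_code_active": False,
    "log_plaintext_traffic": False,
    "require_pin_on_wake": True,
    "encrypt_personal_data": True,
}

# Switches that put the unit into a bypass or diagnostic mode. Any one of them
# out of policy blocks release; the rest only weaken a protection and warn.
BYPASS_SWITCHES = {"debug_mode", "diagnostic_port_enabled",
                   "security_bypass_code_active"}

MISSING = "<missing>"


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: object
    actual: object
    severity: str             # "block" or "warn"
    changed_in_session: bool  # False: the unit arrived already out of policy


def audit_settings(pre: Settings, post: Settings,
                   baseline: Settings = BASELINE) -> List[Finding]:
    """Compare the post-session settings against the baseline.

    A switch absent from the snapshot is reported, not skipped: a diagnostic
    build may drop the setting altogether, which is exactly the state this
    check exists to catch.
    """
    findings: List[Finding] = []
    for name, expected in baseline.items():
        actual = post.get(name, MISSING)
        if actual == expected:
            continue
        findings.append(Finding(
            setting=name, expected=expected, actual=actual,
            severity="block" if name in BYPASS_SWITCHES else "warn",
            changed_in_session=pre.get(name, MISSING) != actual,
        ))
    return findings


def release_decision(findings: List[Finding]) -> str:
    """HOLD while any bypass or diagnostic switch is out of policy."""
    return "HOLD" if any(f.severity == "block" for f in findings) else "RELEASE"


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines for the support ticket."""
    lines = []
    for f in findings:
        origin = ("changed during session" if f.changed_in_session
                  else "present on arrival")
        lines.append(f"[{f.severity.upper()}] {f.setting}: expected "
                     f"{f.expected!r}, found {f.actual!r} ({origin})")
    return lines


# Constructed scenario: the technician enabled the diagnostic port and
# plaintext logging to reproduce a fault and restored neither.
PRE_SESSION: Settings = dict(BASELINE)
POST_SESSION: Settings = {**BASELINE,
                          "diagnostic_port_enabled": True,
                          "log_plaintext_traffic": True}

if __name__ == "__main__":
    found = audit_settings(PRE_SESSION, POST_SESSION)
    print("\n".join(report(found)))
    print("Decision:", release_decision(found))
```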

Malicious User

Personal data is vulnerable to a malicious user who has gained access to the device. Recall that malicious user is a catchall term encompassing a variety of activities. Although this simple statement is adequate for describing the vulnerability, the complexity of the role becomes important and should not be forgotten when generating mitigations and protections or performing the security-functionality trade-offs. For example, a malicious user may pose as a member of one of the legitimate functional roles and become the functional equivalent of one of the malicious roles just discussed.

Corporate or Third-Party Information

From a vulnerability perspective, no distinction exists between corporate and third-party information and personal data. There may be some distinction when it comes to the security-functionality trade-offs. For example, a device manufacturer may be willing to limit some functionality to ensure the protection of the user's personal data but may decide that the same trade-off for corporate data is unnecessary because its obligation ends with the user.

Online Functions
Personal Data Being Sent

This target is personal data as it is in transit. You will notice that all the previous roles are present, with the addition of a few others because of the data's increased exposure during transport.

Malicious Wireless Service Provider (WSP)

Your first thought may be, "How could a WSP be malicious?" In general, WSPs are not. They are in the business of providing wireless services, so performing any untoward activity would be counterproductive. However, consider the following example, based on the office complex scenario introduced in Chapter 1, "Wireless Technologies."

Suppose that AdEx Inc., as a courtesy to its clients, offers wireless access through its network. NitroSoft is visiting AdEx for a presentation of a proposed new marketing campaign. During breaks in the presentation, the NitroSoft representative sends and receives e-mail via his wireless PDA. This information is related to the campaign, including price limits and current bids from other representatives attending similar presentations around the country. The connectivity is much appreciated by the NitroSoft representative because he can discreetly communicate the current status to his NitroSoft co-workers to ensure that NitroSoft receives the best marketing campaign for the money.

What the NitroSoft representative doesn't know is that someone from the AdEx IT staff is monitoring the NitroSoft representative's communications and relaying any pertinent information to AdEx's marketing staff so that they will be well informed of his feelings about the presentation, any misgivings he may have, what NitroSoft's bottom line will be, and possibly what the bids are from other marketing firms.

In this example, is AdEx just doing smart business? After all, AdEx owns the wireless connectivity hardware, and by extension, everything it transports. Or is AdEx a malicious WSP? Unless AdEx had the NitroSoft representative sign an agreement to access its wireless network and this agreement contained a waiver granting AdEx access to anything transmitted over the network, we would vote for the latter. Therefore, personal data transmitted by the device may be vulnerable to a malicious WSP.

Malicious Device Support Personnel

Personal data transmitted by the device can be made vulnerable by malicious device support personnel when the device is taken in for upgrades, maintenance, or repair. These support personnel may have access to manufacturer bypass and diagnostic codes, equipment, or utilities that allow them to bypass security features, leaving personal data transmitted by the device vulnerable.

Poor or inexperienced device support personnel may inadvertently leave the device in a security bypass or diagnostic mode that renders personal data vulnerable during transit.

Malicious WSP OMS Personnel

Personal data transmitted by the device is vulnerable to malicious WSP OMS personnel who have access to the WSP transceiver and wireless network equipment.

Malicious App Developer

Malicious application developers may create virus or Trojan Horse utilities or programs that cause the transmitted data to be vulnerable. An example would be an encryption utility containing nonunique or known keys. To the user, the data appears encrypted, but it is readily accessible to unauthorized individuals who know the key. Alternatively, an e-mail utility may send a blind copy of every message sent or received by the device to a predefined address.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, rendering personal data vulnerable during transit.

Malicious App Support Personnel

Malicious application support personnel may coerce the user via social engineering to provide access, or information necessary for access, to personal data under the auspices of assisting with an application issue. Alternatively, malicious app support personnel may enable debug or other diagnostic switches within the software, disabling security mechanisms present in the device or software.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, rendering the personal data vulnerable during transit.

Malicious User

Personal data is vulnerable to a malicious user who has access to, or has built a receiver that can monitor, the transmission of the PDA and can reconstruct the data transmitted and received. Again, a malicious user can assume any of the preceding malicious roles to gain access necessary to exploit a vulnerability.

Corporate or Third-Party Information Being Sent

As with offline functions, from a vulnerability perspective there is no distinction between corporate or third-party information and personal data in transit.

User Online Activities, Usage Patterns, Location and Movement

This category can be considered a subset or equivalent to user personal data as far as vulnerabilities are concerned. The difference lies in how this type of information can be protected, which we discuss in Chapter 12, "Define and Design."

Access to Network and Online Services

As used here, access to network and online services means the use of the device or information on the device to gain access to network and online services. This distinction separates it from similar activities occurring against the service provider, which we will discuss shortly.

Malicious Device Support Personnel

User network and online services access credentials are vulnerable to device support personnel who have access to the device for upgrade, maintenance, or repair purposes. Device support personnel may have access to manufacturer bypass and diagnostic codes, equipment, or utilities that give them access to network and online services access credentials on the device.

Malicious WSP OMS Personnel

User network and online services access credentials are vulnerable to WSP OMS personnel when this information is received and processed by the WSP equipment. The user may also be coerced into providing network or online access credentials to WSP OMS personnel.

Malicious App Developer

User network and online services access credentials are vulnerable to applications that can copy and store, or forward, these credentials to the developer.

Malicious User

Access to network and online services is vulnerable to a malicious user. A malicious user may gain access to the device and retrieve network and online services credentials, to be used on another device or at a later time. A malicious user may also monitor transmissions, as discussed under "Malicious User" for personal data being sent, to obtain network and online services credentials. Again, a malicious user can assume any of the preceding malicious roles to gain the access necessary to exploit a vulnerability.

Transceiver
The Transceiver Itself
Malicious Device OMS Personnel

The transceiver is vulnerable to manipulation or modification by malicious device OMS personnel.

Malicious User

The transceiver is vulnerable to manipulation or modification by a malicious user. For example, this may be done to assist a man-in-the-middle attack.

Vulnerabilities of the Service Provider

The Transceiver Itself

When we use the term transceiver in regard to the service provider, we are considering a transceiver system consisting of the antenna array, tower, coax, transceiver, and switching equipment.

Malicious Device OMS Personnel

The transceiver is vulnerable to manipulation or modification by malicious device OMS personnel.

Malicious User

The transceiver is vulnerable to manipulation or modification by a malicious user. For example, this may be done to deny service to areas or individuals at crucial times.

The Transceiver Services
Malicious Device OMS Personnel

The transceiver services are vulnerable to manipulation or modification by malicious device OMS personnel: for example, granting network access to unauthorized users by providing maintenance or diagnostic access credentials to these unauthorized users.

Malicious User

The transceiver services are vulnerable to manipulation or modification by a malicious user. For example, a malicious user may obtain access credentials to utilize the service without paying for the privilege.

Access to Its Subscribers
Malicious WSP OMS Personnel

The service provider is vulnerable to WSP OMS personnel who can grant access to the network, and thereby its subscribers, for spam or other unsolicited purposes.

Malicious Corporate/Private Servers

The service provider is vulnerable to malicious corporate or private servers that access the service provider to deliver advertising, marketing, or other spam to the service provider's subscribers.

Malicious Corporate/Private Server OMS Personnel

The service provider is vulnerable to malicious corporate or private server OMS personnel who utilize authorized servers to perform unauthorized access to subscribers. For example, service provider subscribers receive stock quotes as part of their service plan. OMS personnel with access to the quote server that provides this service could alter the server to deliver anything in addition to, or in place of, the stock quotes.

Malicious Content Providers

The service provider is vulnerable to malicious content providers who use the service provider resources to spam or otherwise deliver their payload to the subscribers.

Malicious App Developer

The service provider is vulnerable to malicious app developers who include back doors or Trojan Horses in utilities or programs that the service provider uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to the subscribers.

Malicious App Support Personnel

Service provider subscribers are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software, disabling security mechanisms that protect access to the subscribers.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, rendering corporate proprietary data and resources vulnerable on the network server.

Malicious User

The service provider is vulnerable to malicious users gaining network access to allow them access to the service provider's subscribers, either by these malicious users' acting in one of the preceding roles or by exploiting a vulnerability in the overall service provider's system.

Transceiver

Recall that there were no targets for the transceiver beyond those identified for the higher-level functional block.

Administrative Server

By administrative server, we are referring to the billing, maintenance, and support systems associated with keeping the wireless infrastructure functional.

User-Specific Data

User-specific data is information such as credit card numbers, addresses, finances, and call and access log information that resides on the administrative server.

Malicious WSP OMS Personnel

User-specific data resident on the administrative server is vulnerable to malicious WSP OMS personnel who exploit their system access to gain access to user-specific data.

Malicious App Developer

User-specific data resident on the administrative server is vulnerable to malicious app developers who include back doors or Trojan Horses in utilities or programs that the service provider uses. These app developers then use the privileged access available to their legitimate applications to obtain illegitimate access to user-specific data.

Malicious App Support Personnel

User-specific data is vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the administrative server software that disable security mechanisms.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving the user-specific data vulnerable on the administrative server.

Malicious User

User-specific data resident on the administrative server is vulnerable to malicious users' gaining access to the service provider's network and thereby accessing user-specific data. The service provider's network access may be obtained by these malicious users' acting in one of the preceding roles or exploiting a vulnerability in the overall service provider's system.

Corporate Proprietary Data and Resources

Corporate proprietary data and resources refer to information resident on the administrative server that provides network details, fraud detection scheme information, and the like.

Malicious WSP OMS Personnel

Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious WSP OMS personnel who exploit their system access to gain access to corporate proprietary data and resources.

Malicious App Developer

Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious app developers who include back doors or Trojan Horses in utilities or programs that the service provider uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to corporate proprietary data and resources.

Malicious App Support Personnel

Corporate proprietary data and resources are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software that disable security mechanisms present in the network server.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving corporate proprietary data and resources vulnerable on the network server.

Malicious User

Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious users gaining access to the service provider's network, and thereby access to corporate proprietary data and resources. The service provider's network access may be obtained by these malicious users' acting in one of the preceding roles or exploiting a vulnerability in the overall service provider's system.

Network Server
User-Specific Data

User-specific data is information such as credit card numbers, addresses, and data such as e-mail and Web traffic that transits the network server.

Malicious WSP OMS Personnel

User-specific data transiting the network server is vulnerable to malicious WSP OMS personnel who have access to the network server.

Malicious App Developer

Malicious application developers can create virus or Trojan Horse utilities or programs that cause the transit data to be vulnerable. An example would be a network routing utility containing code that routes a copy of the transit data to the app developer.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, rendering user data vulnerable during transit.

Malicious App Support Personnel

User-specific data is vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software that disable security mechanisms present in the network server.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving the user data vulnerable during transit through the network server.

Malicious User

User-specific data is vulnerable to a malicious user who has access to, or has assumed one of the preceding roles to get access to, the network server.

Corporate Proprietary Data and Resources

Much the same as for the administrative server, corporate proprietary data and resources refer to information resident on the network server. We are referring to the system that connects the service provider's transceivers to the remainder of the wired world.

Malicious WSP OMS Personnel

Corporate proprietary data and resources resident on the network server are vulnerable to malicious WSP OMS personnel who exploit their system access to gain access to corporate proprietary data and resources.

Malicious App Developer

Corporate proprietary data and resources resident on the network server are vulnerable to malicious app developers who include back doors or Trojan Horses in utilities or programs that the service provider uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to corporate proprietary data and resources.

Malicious App Support Personnel

Corporate proprietary data and resources are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software that disable security mechanisms present in the network server.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving corporate proprietary data and resources vulnerable on the network server.

Malicious User

Corporate proprietary data and resources resident on the network server are vulnerable to malicious users gaining access to the service provider's network, and thereby access to corporate proprietary data and resources. The service provider's network access can be obtained by these malicious users' acting in one of the preceding roles or exploiting a vulnerability in the overall service provider's system.

Vulnerabilities of the Gateway

The gateway is functionally not much more than a server that performs processing to convert Web traffic to a form compatible with the wireless device. You will notice that the vulnerabilities listed mirror those for the administrative and network servers. The Web server and backend server also have similar vulnerabilities. Therefore, we will not cover the vulnerabilities for the Web server and backend server. Further, no additional vulnerability is associated with having those servers linked to a wireless system (with the exception of no longer needing physical access) than to a totally wired system.

The Physical Gateway
Malicious OMS Personnel

The gateway is vulnerable to manipulation or modification by malicious OMS personnel.

Malicious App Developer

The gateway is vulnerable to malicious app developers who include back doors or Trojan Horses in utilities or programs that the gateway uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to gateway services.

Malicious App Support Personnel

The gateway is vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software that disable security mechanisms present in the gateway.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving the gateway vulnerable.

Malicious User

The gateway is vulnerable to manipulation or modification by a malicious user who has assumed one of the preceding roles or has otherwise gained access to the gateway.

User-Specific Data
Malicious OMS Personnel

User-specific data transiting or resident on the gateway is vulnerable to malicious OMS personnel who have access to the gateway.

Malicious App Developer

Malicious application developers can create virus or Trojan Horse utilities or programs that cause the user-specific data to be vulnerable.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, rendering user-specific data vulnerable during transit or storage on the gateway.

Malicious App Support Personnel

User-specific data is vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the gateway software that disable security mechanisms.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, rendering the user-specific data vulnerable during transit or storage on the gateway.

Malicious User

User-specific data is vulnerable to a malicious user who has access to, or has assumed one of the preceding roles to get access to, the gateway.

User Data
Malicious OMS Personnel

User data transiting the gateway is vulnerable to malicious OMS personnel who have access to the gateway.

Malicious App Developer

Malicious application developers can create virus or Trojan Horse utilities or programs that cause the user data to be vulnerable.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, rendering user data vulnerable during transit through the gateway.

Malicious App Support Personnel

User data is vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the gateway software that disable security mechanisms.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, rendering the user data vulnerable during transit through the gateway.

Malicious User

User data is vulnerable to a malicious user who has access to, or has assumed one of the preceding roles to get access to, the gateway.

Corporate Proprietary Data and Resources
Malicious OMS Personnel

Corporate proprietary data and resources on the gateway are vulnerable to malicious OMS personnel who have access to the gateway.

Malicious App Developer

Malicious application developers can create virus or Trojan Horse utilities or programs that cause the corporate proprietary data and resources to be vulnerable.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, leaving corporate proprietary data and resources vulnerable on the gateway.

Malicious App Support Personnel

Corporate proprietary data and resources are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the gateway software that disable security mechanisms.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, rendering the corporate proprietary data and resources accessible from the gateway vulnerable.

Malicious User

Corporate proprietary data and resources are vulnerable to a malicious user who has access to, or has assumed one of the preceding roles to get access to, the gateway.

Third-Party Data Transiting the Gateway
Malicious OMS Personnel

Third-party data transiting or resident on the gateway is vulnerable to malicious OMS personnel who have access to the gateway.

Malicious App Developer

Malicious application developers can create virus or Trojan Horse utilities or programs that cause third-party data to be vulnerable.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, rendering third-party data vulnerable during transit or storage on the gateway.

Malicious App Support Personnel

Third-party data is vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the gateway software that disable security mechanisms.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, rendering third-party data vulnerable during transit or storage on the gateway.

Malicious User

Third-party data is vulnerable to a malicious user who has access to, or has assumed one of the preceding roles to get access to, the gateway.

Vulnerabilities of the Web Server and the Backend Server

The Web server and backend server have nearly identical vulnerabilities as those identified for the gateway. Because we are concentrating on the wireless aspects of security, we will not explicitly go through the exercise of listing the vulnerabilities of these two functional blocks. Keep in mind that although the vulnerabilities may be identical, the protections or mitigations chosen can differ considerably because of the analysis of likelihood and the functionality trade-offs considered.

It should be clear that when you have identified the targets and roles, stating the vulnerabilities becomes simple. It should also be obvious how these vulnerability statements can be easily modified to become requirement statements.
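The method the chapter has just walked through (targets crossed with malicious roles, a vulnerability statement for each credible pair, the catch-all malicious user inheriting every other role's access to a target, and each statement rewritten as a requirement) can be captured in a small model. The following is an added example, not code from the book; the sample entries paraphrase a few of the chapter's wireless-device vulnerabilities, and the sentence templates, role names, and coverage check are this example's own.

```python
"""Targets-by-roles vulnerability matrix, following the chapter's method.

Added example, not from the book. Targets (what is attacked) and malicious
roles (who attacks) are crossed; for each pair with a credible attack a
vulnerability is recorded; the catch-all "malicious user" inherits every
other role's attacks on the same target, because a malicious user may pose
as any legitimate role; each vulnerability statement is then rewritten as a
requirement statement. Entries below are a constructed subset of the
chapter's; the templates are this example's.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Roles are stored without the "malicious" prefix; the templates add it.
USER = "user"
ROLES = ["device support personnel", "app developer", "app support personnel",
         "wireless service provider", USER]

# (target, role, exposure)
ENTRIES: List[Tuple[str, str, str]] = [
    ("personal data on the PDA", "device support personnel",
     "manufacturer bypass and diagnostic codes expose stored data"),
    ("personal data on the PDA", "app developer",
     "a Trojan Horse utility exposes stored data"),
    ("personal data on the PDA", "app support personnel",
     "debug or diagnostic switches disable security mechanisms"),
    ("personal data being sent", "wireless service provider",
     "traffic is readable by the provider that transports it"),
    ("personal data being sent", "app developer",
     "an encryption utility uses nonunique or known keys"),
    ("personal data being sent", USER,
     "a receiver can monitor and reconstruct the transmission"),
]

Matrix = Dict[str, Dict[str, Set[str]]]


def build_matrix(entries: List[Tuple[str, str, str]]) -> Matrix:
    """Group entries as target -> role -> set of exposures."""
    matrix: Matrix = defaultdict(lambda: defaultdict(set))
    for target, role, exposure in entries:
        matrix[target][role].add(exposure)
    return matrix


def close_under_malicious_user(matrix: Matrix) -> Matrix:
    """Give the malicious user every other role's exposures of each target,
    tagged with the role impersonated, so the catch-all role is never
    analysed as narrower than the roles it can assume."""
    for by_role in matrix.values():
        inherited = {f"{e} (posing as {role})"
                     for role, exposures in by_role.items() if role != USER
                     for e in exposures}
        by_role[USER] |= inherited
    return matrix


def vulnerability_statements(matrix: Matrix) -> List[str]:
    """One sentence per (target, role, exposure), in a stable order."""
    return sorted(f"{target} is vulnerable to malicious {role}: {exposure}."
                  for target, by_role in matrix.items()
                  for role, exposures in by_role.items()
                  for exposure in exposures)


def requirement_statements(matrix: Matrix) -> List[str]:
    """Each vulnerability statement restated as an obligation on the system;
    the facts are the same, only the framing changes."""
    reqs = sorted(f"{target} shall be protected against malicious {role}, "
                  f"specifically where {exposure}."
                  for target, by_role in matrix.items()
                  for role, exposures in by_role.items()
                  for exposure in exposures)
    return [f"REQ-{i:03d}: {r}" for i, r in enumerate(reqs, start=1)]


def uncovered_pairs(matrix: Matrix, roles: List[str]) -> List[Tuple[str, str]]:
    """Target/role pairs with no recorded vulnerability: the pairs an analyst
    must consciously mark as not applicable rather than leave unexamined."""
    return sorted((target, role) for target in matrix for role in roles
                  if not matrix[target].get(role))


if __name__ == "__main__":
    m = close_under_malicious_user(build_matrix(ENTRIES))
    print("\n".join(vulnerability_statements(m)))
    print()
    print("\n".join(requirement_statements(m)))
    print("\nUnexamined pairs:", uncovered_pairs(m, ROLES))
```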

 



Wireless Security and Privacy: Best Practices and Design Techniques
ISBN: 0201760347
Year: 2002