Category Archives: Security

The Insecurity of Modern Cars

The Center for Automotive Embedded Systems Security (CAESS), a collaboration between the University of California San Diego and the University of Washington, has exposed a weakness in modern automobile engineering.

Their analysis was done by connecting to the OBD-II port (a federally mandated On-Board Diagnostics connector found in almost every car) that gives access to a vehicle’s controller area network (CAN), also known as the CAN bus. It turns out that anyone who simply plugs into the OBD-II port is granted open control of every other device in the car: CAN frames carry no sender address and no authentication, so a message sent from the diagnostic port is indistinguishable from one sent by the engine or brake controller. Very simple tests revealed the lack of security.

While the automotive industry has always considered safety a critical engineering concern (indeed, much of this new software has been introduced specifically to increase safety, e.g., Anti-lock Brake Systems) it is not clear whether vehicle manufacturers have anticipated in their designs the possibility of an adversary.

One worst-case scenario suggested by the research team is that malformed traffic on an automobile’s CAN-bus can cause a life-threatening malfunction. Random packets sent to a brake, for example, caused a wheel to lock. This type of failure could be related to another system failing on the CAN-bus and not necessarily a targeted attack.
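The two paragraphs above rest on one property of the bus: a CAN frame is just an arbitration ID plus up to eight data bytes, with no source address and no authenticator, so a frame injected at the diagnostic port can be byte-for-byte identical to the legitimate ECU’s. The following is an added example, not code from the CAESS study or from any vehicle manufacturer. It packs frames in the Linux SocketCAN layout and then shows one of the few checks an in-vehicle monitor has available, a per-ID timing baseline, run over a constructed capture. The message IDs (0x1A0, 0x2C0), their periods and payloads are hypothetical.

```python
"""Why content inspection alone cannot catch an injected CAN frame, and how a
timing baseline can.  All bus data below is constructed for illustration."""
import statistics
import struct
from collections import defaultdict

# Linux SocketCAN 'struct can_frame': u32 can_id, u8 len, 3 pad bytes, u8 data[8]
CAN_FRAME = struct.Struct("<IB3x8s")


def encode_frame(can_id: int, data: bytes) -> bytes:
    """Pack a classic (11-bit identifier) CAN frame as SocketCAN expects it.
    Note what is absent: there is no field for who sent the frame."""
    if not 0 <= can_id <= 0x7FF:
        raise ValueError("11-bit identifier required")
    if len(data) > 8:
        raise ValueError("classic CAN payload is at most 8 bytes")
    return CAN_FRAME.pack(can_id, len(data), data.ljust(8, b"\x00"))


def decode_frame(raw: bytes):
    """Inverse of encode_frame: returns (can_id, data) with padding stripped."""
    can_id, length, data = CAN_FRAME.unpack(raw)
    return can_id, data[:length]


def sample_traffic():
    """Constructed capture (not real vehicle data): two periodic ECU messages plus
    two frames injected through the OBD-II port.  The injected frames reuse the
    legitimate ID *and* the legitimate payload, so nothing in their bytes gives
    them away; only their arrival time does."""
    frames = []
    for i in range(10):  # hypothetical 10 ms periodic message, e.g. wheel speed
        frames.append((round(i * 0.010, 4), 0x1A0, b"\x00\x5a\x00\x5a"))
    for i in range(5):   # hypothetical 20 ms periodic message
        frames.append((round(i * 0.020, 4), 0x2C0, b"\x01"))
    frames.append((0.0452, 0x1A0, b"\x00\x5a\x00\x5a"))  # injected
    frames.append((0.0527, 0x1A0, b"\x00\x5a\x00\x5a"))  # injected
    frames.sort(key=lambda f: f[0])  # bus order
    return frames


def detect_injection(frames, min_samples=4, ratio=0.7):
    """frames: iterable of (timestamp_s, can_id, data) in bus order.

    Learn each ID's typical inter-arrival gap from the frames already accepted,
    then flag any frame that arrives in less than `ratio` of that gap.  A flagged
    frame is neither learned from nor used as the reference for the next gap, so
    a burst of injected frames cannot drag the baseline down.
    Returns a list of (timestamp, can_id) for the flagged frames."""
    last_accepted = {}
    gaps = defaultdict(list)
    flagged = []
    for ts, can_id, _data in frames:
        if can_id in last_accepted:
            gap = ts - last_accepted[can_id]
            history = gaps[can_id]
            if len(history) >= min_samples and gap < ratio * statistics.median(history):
                flagged.append((ts, can_id))
                continue  # do not update the baseline from a suspect frame
            history.append(gap)
        last_accepted[can_id] = ts
    return flagged


if __name__ == "__main__":
    raw = encode_frame(0x1A0, b"\x00\x5a\x00\x5a")
    print("frame on the wire:", raw.hex())
    for ts, can_id in detect_injection(sample_traffic()):
        print(f"suspect frame: id=0x{can_id:03X} at t={ts:.4f}s")
```

The detector is deliberately simple: it knows nothing about what 0x1A0 means, only how often it normally appears. That is the point the study makes from the other direction. Because the bus authenticates nothing, an ECU receiving the injected frame acts on it exactly as it would on the real one, and a monitor has to infer misbehaviour from context rather than from the frame itself. A real deployment would also have to handle event-triggered (non-periodic) messages, bus load jitter, and an attacker who first silences the legitimate sender, none of which this baseline covers.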

Another consideration is that the new user-upgradable audio and communications systems interface with the CAN bus and emphasize wireless connectivity. It is easy to imagine one of these devices, or a “tuner” upgrade, malfunctioning, as they tend to do already, and having far more widespread impact because it is integrated into the telematics platform of the automobile.

The study intentionally avoids discussing the threats themselves. It only mentions physical and wireless access as areas for future research.

Clearly this is an area ripe for discussion, as very few people (outside the engineers who build the systems and hope threats do not emerge) understand the extent to which a new car can be remotely monitored and controlled via the Internet. It calls out the notion that developers, often trusted to do the right thing and build a secure system, may instead rely on a thin veneer of obscurity and hope no one is looking.

Anyone who believes the automobile companies will rise to the security challenge and fix issues without independent assessments and regulation has not read the latest update on the Ford Explorer roll-over crisis. Ford actually lowered the strength ratio to a minimum federal requirement (1.5 times the weight) while the standard was being raised (3.0 times the weight), all the while claiming that the car design was good but the tires were entirely at fault. They are just now being forced to admit the Explorer design was also to blame.

Steve Forrest conducted several drop tests showing the performance of the production and reinforced UN150 Ford Explorer. He was able to establish through that testing that the strength of the Explorer roof could have been tripled for a cost of approximately $40. His testing showed that a reinforced roof in Ms. Parker’s wreck would have crushed approximately two inches instead of ten inches.

We also proved that the seat belt system in the 1999 Explorer was defective and failed to retain Ms. Parker in the vehicle during the rollover sequence. The evidence presented showed that slack could be introduced into the belt system when the B pillar was crushed inward. Plaintiff’s expert, Steve Meyer, testified that due to the poor roof design, the seat belt system should have included a cinching latch plate or been integrated into the seat back instead of being mounted to the B pillar. Mr. Meyer also testified that performance of the seat belt could be improved if the roof was strengthened.

Ford fought this for many years. Only in Argentina did they admit dangerous weaknesses in the Explorer design, but they characterized it as a response to the different “driving style” in that country.

This is like a car company claiming that the threat of wireless attack is only a risk in Argentina, or that a rogue device on the CAN-bus will only happen in Argentina. Does that sound like reasonable threat modeling?

Allowing a company to dismiss or weigh risk decisions entirely on vulnerability tests, without realistic threat modeling, is not an acceptable gamble. Ford is one of the companies pushing hard for cars to adopt a new telematics platform, which could even allow third-party applications to be installed. A system such as this must address security properly in terms of threats as well as vulnerabilities. The CAESS is thus doing a great service with the report, helping the automobile industry see better how to protect its most valuable assets on and off the road.

AZ Immigration Law and the Logic of Security

One of the best articles I have seen on the Arizona immigration law just appeared in the AP news feed:

“Before the signing of this bill, citizens would wave at me,” said David Salgado, a 19-year Phoenix police officer who sued the city and the governor asking that the law be blocked. “Now they don’t even want to make eye contact.”

Police officers are debating whether the bill actually helps solve real crimes. Losing the support of communities is a huge risk for a bill that is supposed to help law enforcement.

On Monday, police bosses from Maryland and Nevada condemned the law, saying that it could suck up vital resources and destroy delicate relationships with immigrant communities if implemented in their own states. There are at least nine other states considering similar legislation.

Police Chief Thomas Manger of Montgomery County, Md., in suburban Washington said he doesn’t have the resources or the desire to enforce federal immigration violations by people who aren’t disrupting the community.

“If they’re not committing a crime here, frankly, I’m not sure how it enhances public safety to target those people for removal,” he said.

That sounds right to me. It does not enhance safety to generate false leads or to alienate and disconnect sources of information. An intrusion detection system is worthless without reliable agents and monitors. The AZ law is arguably going to weaken the very system that police rely upon to fight crime.

Targeting based on suspicion also should not rest on physical characteristics alone, such as race, creed or color; those are identifiers, not indicators. The question, then, is whether officers will be more able to find violators. It is not sufficient to ask only whether they gain more ability to stop someone on sight. That was not the problem, as far as I can tell.

If officers are empowered to decide when it’s appropriate to arrest or even to kill someone, they should be trusted not to profile based on race, said Pinal County Sheriff Paul Babeu, a supporter whose jurisdiction includes busy human and drug smuggling routes into Phoenix.

This argument for the bill is an example of the problems with it. It seems to say that if we trust someone with the authority to decide when to kill, *then* we should trust that person not to profile by race. Perhaps it has been too long since I studied logic, but that reads entirely backwards to me. *If* we trust they will not profile by race, then we should trust them with the authority to decide when to kill. Totally different if/then statements.

SA 3812 and the Open Letter to Senator Harkin

Senator Harkin has proposed a $0.50 cap on ATM fees. This of course has upset banking industry insiders such as Gary Faulkner, an executive who has worked for Cardtronics and Diebold.

Mr. Faulkner wrote an open letter to Senator Harkin that claims a cap on ATM fees would be unfair to his industry.

I will skip an analysis of Cardtronics and Diebold ATM security for this post, although it is a tempting and juicy topic. One could argue that fees for a secure system would be justified. Never mind that; Mr. Faulkner sadly does not once mention security and safety for consumers in his letter. Instead he compares fees for ATM transactions to the beer industry, and argues that fees are “the American way”:

But what if the Congress passed a law forcing Carl to sell his beer for just 50 cents more than he paid for it? Carl, along with many others, would get out of the beer joint business. Soon there wouldn’t be any beer joints. The beer cooler industry would evaporate. The refrigeration man would sign up for food stamps. The college kid would have to drop out of school. That result would be an economic disaster. Nobody wants that – certainly not you and the citizens of Iowa. Senator, you might even like going to Carl’s from time to time.

Sounds like a Chicken Little story to me.

Here is the first problem with this letter. There are services that cost money and then there are services that save money. Some may remember the original justification for ATMs was the latter:

When banks first introduced ATM service, there were no ATM fees. The ATM bank was pioneered as a cheaper alternative to a bank teller. In fact, instead of ATM fees, some banks charged “human teller fees” to encourage customers to use the new ATM service.

Thus banks eliminated tellers (jobs) and saved money by introducing automation. It is fair to say the ATM systems cost more than expected, and that the jobs were shifted from low-tech to high-tech. Both of these would be true. Neither supports the false analogy drawn by Mr. Faulkner: ATMs were meant to give the same service for less, not cost more. The whole idea of the ATM was to reduce the cost, and risk, of hiring and training a teller. This is completely different from selling a glass of beer.

The ATM industry expanded, however, past its original money-saving teller-replacement model. It allowed sharing ATMs across different banks and into foreign exchanges. This brings me to the second problem with the story by Faulkner. He makes a case for beer consumption (pun not intended) as an analogue to pulling your own money out of a bank. Philosophically, these two do not wash.

With money, you own it and you put it in a bank. When you want to get your money back, the bank may have to cover fees, and it makes sense for a bank to pass those fees forward. This is more like paying a moving service than purchasing a beer. Another example would be the postal service, where you pay a rate to move your belongings and expect the amount to be relative to the distance or load.

In the case of interchange rates, ATM operators and banks tend to overcharge their users by a significant margin. The average markup for an ATM, for example, is 25%! Here is a typical scenario for an ATM operator:

That is a 304% return on your $1,200 / yr. (after expenses). Even if you put $3,000 in the ATM to assure that the machine does not run low, it is 121% return. Again, this is an example of a location that does 10 transactions a day.

A three hundred percent return based on fees alone. That is for just 10 transactions a day, which is below average. Everyone knows that whether they try to withdraw $20 or $200 the ATM is going to charge them a flat fee. A $3 fee on $20?

Mr. Faulkner tries to argue that this level of profit is essential:

Sen. Harkin, like you I’m in favor of protecting our citizens from the ruthless deceit of a cadre of bad actors that would squander the collective wealth of America for their personal gain. I just don’t believe that eliminating the livelihoods of thousands of guileless individuals working in the ATM industry is a path to that result.

The US Treasury Department Office of Thrift Supervision says the average ATM transaction costs 27 cents. This exposes the weakness in Faulkner’s argument about the need to cover costs. The fees also act as a regressive charge that falls hardest on those who have the least money. That is hardly defensible with an “American way” stance. The reality is that fees are charged by ATM operators based on perceived demand:

ATM fees are also higher in locations such as sports arenas, airports and hotels, locations where you may need to access money quickly and can’t afford to waste time looking for your own bank’s ATM service.

I suppose Mr. Faulkner would say this is true of beer also. Imagine paying a 100% markup on mail delivered on holidays or at special events. This is why he should simply admit his industry has had a good run charging high fees and enjoying large profit margins due to consumer demand. They charge high fees because they can, not because they need to. His argument that the fees for moving money are essential to the economy or the market rings entirely hollow.

Personally, I expect that either through regulation or competition (direct, by mobile ATMs, or indirect, by other mobile payment options) ATM fees will have to decline to less dramatic levels. I also know that ATMs need increasingly sophisticated security measures, which I expect will reduce costs again (less fraud), but I’ll leave that for another post.

In conclusion, Mr. Faulkner has made an analogy to beer in order to explain the fairness of uncapped ATM fees to cover the cost of delivering money to its owner. However, ATMs were created by banks as a cost-savings and job-cutting mechanism. Also ATM fees are far greater than any real interchange or operational cost often delivering profit margins far greater than 100%. The bottom line becomes a question of why fees are a necessity, rather than whether people are willing to pay them, for access to money. With that in mind I do not see any argument posed by Mr. Faulkner that holds any water…or should I say beer?

Mobile Device Economics and Security

I often wonder about the changes brought about by mobile technology in so-called rural and under-developed areas. The cost of wired infrastructure can be prohibitive compared to the deployment of wireless technologies. My first introduction to this was when Brazil announced cell phones were being sold within 24 hours at a time when a phone line there could take as long as a year to install. That was over ten years ago. Brazil went from extremely low telephony penetration (sorry, I don’t remember exact stats) to over 50% by 2006. Ukraine in 2010 reported 115% penetration for 54 million users. A single mobile provider in India (Bharti Airtel, for example) can report over 2 million new subscribers in a single month! Imagine trying that with this system:

Now I see companies racing to deploy ATMs with the same mobile technology. A point of sale (POS) device and/or a cash dispenser can be placed anywhere you have power. It became clear that the switch from land lines to wireless could significantly reduce the cost of creating and expanding capital for a market. This trend towards micro-capital on a giant scale is why I was excited when asked to help draft a security standard for ANSI that will ensure wireless ATM and POS implementations can be done securely.

A friend in Asia just pointed out a recent paper that is extremely helpful to me for this project. It is a detailed study of the economic impact of information technology in India that confirms the theory above. Wireless technology significantly assists the growth of markets in under-developed areas at a fraction of the overhead and cost of traditional IT. This paper from 2007 called “The Digital Provide: Information (Technology), Market Performance, and Welfare in the South Indian Fisheries Sector” provides the following synopsis:

Between 1997 and 2001, mobile phone service was introduced throughout Kerala, a state in India with a large fishing industry. Using microlevel survey data, we show that the adoption of mobile phones by fishermen and wholesalers was associated with a dramatic reduction in price dispersion, the complete elimination of waste, and near-perfect adherence to the Law of One Price. Both consumer and producer welfare increased.

This raises the question of information resilience in terms of confidentiality, integrity and availability. It is truly exciting to think of the benefits described in the paper, but as a security professional my job is usually to focus on the risks. That is why I have dedicated a chapter in the new ANSI draft to the problem of security in mobile technology for finance. We need to plan and create more dynamic controls for distributed commerce, that is, decentralized or federated markets. This is only possible once business managers can see how and why the risks of wireless really are different from wired, especially in terms of new business models.