Alex Plaskett, Principal Offensive Security Researcher
MWC offers the chance to explore vendor stands and attend conference talks as well as a huge opportunity to network with key people within the mobile industry. While the event is slightly different to the traditional technical security conferences F-Secure Consulting normally attends, security was nevertheless high on the agenda of the presentations given, with it being featured heavily in discussions on emerging technologies and by vendors emphasizing the security benefits of their solutions or services.
The first talk I attended was that of the ‘Disruptive Impact of Blockchain’, which was hosted by a panel of four speakers and a moderator. Blockchain innovation features heavily within the industry currently, but due to the complexity of the idea behind it and the many varying implementations of blockchain-based technology, there is often confusion.
This talk began by discussing what the panel thought the blockchain was useful for and what benefits it could give. A debate then began about the differences between permissioned and permissionless blockchains and the pros and cons.
As the talk was primarily about its disruptive properties, a lot of discussion was around the impact of the blockchain on the financial services industry. Even on the panel, there was a very mixed view of what industries blockchain is disruptive to. However, one statement that the whole panel agreed on was that the current banking industry is very much in need of it. The regulation and stability offered to banking by the technology counteracts the current price volatility within the blockchain world (for example, cryptocurrencies) and would enhance existing financial services being offered. There was also a high emphasis put on blockchain technologies enabling payments for individuals outside of the traditional financial industry.
The most interesting comments on the panel for me were the disruption it could cause to other non-financial services industries, such as identity management, smart contracts and biometrics. With the introduction of smart contracts and their rapid integration into blockchain solutions, we are starting to see a number of emerging security risks.
Whilst smart contracts have completely changed the functionality of blockchains, from shared public ledgers used for simple transactions of value to multi-functional autonomous systems, the security of smart contracts is a new area for research. F-Secure Consulting has noted that smart contracts have introduced an easy platform to potentially distribute malware that people will execute. This was, in part, to be expected due to the nature of smart contracts essentially being executed as untrusted code.
The key challenges that smart contracts face are as follows:
F-Secure Consulting is currently developing a tool that will address the first point. A framework has been developed that is able to process an existing blockchain and analyze its contracts using custom rules that have been included in it. This will help derive statistics that can be used to investigate and assess the level of security of smart contract-based systems.
The second keynote talk attended was on the subject of connected vehicles. While the range of topics was quite varied, even on a panel about connected vehicles, security was again high on the agenda.
Eugene Kaspersky kicked things off with a talk about how “smart”, “connected” or “Internet of Things” devices were being hacked in the wild and how the technology used was not being designed with security in mind. Therefore, in future it is going to be more and more necessary to consider and design with security in mind from product inception. He also touched on the cyber skills shortage being one difficulty we as an industry have to overcome in future.
The second panelist up was Anthony Levandowski from Otto. Otto is an example of how far self-driving technology has advanced recently, with pilot deliveries actually occurring in the wild with self-driving trucks! Amazing technology aside, security was also mentioned in Levandowski’s talk, along with how important it is going to be for autonomous vehicles. He mentioned some of the things Otto was doing toward security, such as not exposing the drive-by-wire system and building the security in layers. He showed images of the ‘computer brain’ and Otto’s mapping techniques to avoid collisions.
The next two talks were on electric car racing (Alejandro Agag from Formula E racing) and robot racing (Daniel Simon and Denis Sverdlov) - http://roborace.com/. This talk was extremely impressive and probably my favorite of the event as the engineering, programming and design effort involved in creating autonomous racing cars is unbelievable. The crowd literally stood up, clapped and took pictures as the car was being unveiled.
So from a security perspective, what are the kind of emerging threats we might see in this area? I can see the potential of the hacking of robotic cars becoming more and more of a threat. While we have seen security research into traditional motor vehicles, at this stage little has been published for autonomous vehicles. With race cars in particular, there exists the threat of cheating, and how that could be enabled with hacking. A simple denial of service attack could lead to disruption of a race or potentially fatal scenarios if full car control was gained. Roborace's Robocar in the picture above features Radar, GNSS, LIDAR and likely significantly more connectivity and sensor technology, increasing the attack surface.
Another highlight of the conference for me was a talk on disruption in digital finance. The panelists were from a mix of both financial institutions and tech companies.
The first speaker up, Rocky Scopelliti, discussed his research on millennials and how their behavior was affecting and influencing the financial services industry. His report is available here with plenty of details not easily summarized here and I encourage you to read the full report. However, from a security perspective, two things really stood out to me: that the growth in mobile banking and users using their mobile for financial services was significant, and that mobile devices are now the primary technology used to access financial services rather than traditional financial mechanisms. Whilst financial applications have been around for mobile devices for a long period of time, the great increase of usage shows that security is going to become increasingly paramount for both the applications and devices themselves.
F-Secure Consulting has been performing mobile security research and assurance for a long period of time and it’s reassuring to know that our developments within these areas are going to be increasingly important for the mobile finance industry going forward. An example of some of the work in this area can be found here, showing key tools used for the identification of security vulnerabilities within both Android and iOS applications.
The second panelist (Pere Nebot) discussed the technologies used by Caixa Bank to change how customers interacted with the bank. Together with traditional technologies such as mobile banking, video banking etc., Nebot mentioned Caixa’s usage of cognitive computing to enhance their financial services offering. For those unfamiliar with cognitive computing, it is essentially the simulation of human thought processes in a computerized model. For example, a self-learning system using data mining, natural language processing and pattern recognition to mimic the way a human brain works. Some real world examples include speech recognition, face detection and sentiment analysis.
From a security perspective, we have yet to see much research within this domain with practical systems due to the technology often sitting within the background of user interactions. However, as technologies start becoming more prevalent within critical systems and used for authentication then more attacks will start being envisaged. Simple attacks on implementations of speech recognition have been performed in the past, such as using Siri to bypass lock screen enforcements and gain access to user data.
Nebot also highlighted that regulation such as PSD2 is actually going to allow for the provision of improved financial services if viewed correctly. From a purely technological perspective, this could indeed increase the amount of information available to third parties to use for their technologies. However, with the increased connectivity and open APIs, there will be increasing demand to ensure that these data are shared, stored and communicated securely going forward.
Following Nebot’s comments, Anuj Nayar from PayPal discussed that the mobile payments space is growing significantly and lots of new players are entering the industry. For example, platforms such as Braintree are enabling more and more businesses to accept and process payments.
The fourth panelist was Dror Oren from Kasisto, a company that is developing a conversational artificial intelligence platform. This talk led on well from Nebot’s presentation and discussed how Kasisto’s aim is to create technology that allows human-like interactions. Kasisto also work within the banking and finance space to create conversational AI with deep financial knowledge. One such interaction aims to provide a balance overview and then continue the conversation from there. I previously touched on the security concerns of cognitive computing technologies, but it is important that traditional mobile security technologies are also considered with these systems. Whilst the AI system itself may be robust to attack, if vulnerabilities exist within mobile applications implementing this technology then users may be subject to the traditional mobile application threat model.
Finally, Gulru Atak Gundem of Citi discussed the role of a traditional institution within the digital finance world and some of the differences between retail banking and corporate banking, where there is a much higher level of trust required due to larger payment sizes.
Overall, while MWC was notably unlike the traditional security conference, the fact that security was so prevalent in so many of its key presentations shows that the issue is forcing those outside of the cyber security industry to sit up and take note. The insight gained from emerging technologies in the mobile and telecom space also allows F-Secure Consulting to ensure both services and research are aligned with customer needs. I would not hesitate to recommend the conference to anyone interested in telecoms or mobile security.