Karsten Nohl: corporations versus people, USB threats and biometrics flaws
Atlas Obscura published an interview with Karsten Nohl, a German specialist in encryption and data protection. He is engaged in a variety of projects in the field of information security, from developing a “USB condom” to helping organize a secure connection of a billion new Internet users in India. We bring to your attention the main thoughts from the conversation with Karsten.
Companies create risks, and people suffer from them
Risks are everywhere. Credit cards can be cloned, a car can get into an accident, even without the participation of hackers. There is always a risk, but you need to understand when the risk is acceptable and when this risk has the right owner. We criticize large companies, for example, telecommunications giants like AT&T, or large banks, when they create risks and then make ordinary people, their customers, suffer from them.
Every time a user’s personal information reaches a company, there is a risk; sometimes even the transfer itself is risky. Even now, during this interview, we are talking on Skype - so we are trusting Microsoft with our private information, and they may or may not protect it. If our conversation “leaks” somewhere and negative consequences arise, the journalist and I will suffer from it - and Microsoft, by and large, does not give a damn about the privacy of our conversation.
Large organizations rarely ask to have their systems checked.
Usually we are in the position of bloodhounds - that is what happens most often. Initially, we did this without thinking about making money. As you might guess, when you talk about the problems of large companies, you can get onto the front pages of the media, but not make money.
Sometimes after our research, but only after it - never as a first step - we help some companies to study their systems more deeply and find problems in them. But not every organization is interested in this. If this were not so, then there would be no problems.
But in any industry there are always a few people who want to stand out from the gray mass and really care about their customers, or, rather, want a marketing advantage that will help the business and show that they can be trusted.
About choosing a security researcher profession
In general, as a child, I wanted to be an inventor. You know, children romanticize this profession. But then, once you start doing engineering, you realize that the main functionality is created by software. There is no special magic in the simple combination of electrical and mechanical parts - the magic is in the software that runs on all of it. So I began to do real science.
Security threats in developing countries
India is now on the verge of becoming an internet-connected country. There are many network users, but a huge part of a very large population is not yet connected.
There are 950 million phones in the country - almost a billion, of which only 5% can work with the Internet. So we have almost a billion people ready to become users as soon as you give them a smartphone and some money to pay for an Internet connection. These people will be the next big part of the internet.
But they will also encounter problems that we in the West did not encounter when we first connected to the network. For example, my first passwords in the nineties were simply sloppy, but the fact is that nobody tried to crack them back then!
I didn’t have to worry about phishing; I opened every email, because back then I received only a few. There was almost no spam, and certainly no phishing. I grew up with an Internet that gradually became more and more dangerous. As a result, I can now behave in a way that more or less keeps me secure.
But someone who gets onto the Internet for the first time these days will not have that luxury, especially someone who does not understand technology and still has difficulty using a tablet or computer.
A few years ago, again in India, the government launched a citizen registration system - the first of its kind. Until that moment, the authorities did not have much information about who lives in the country at all. Thanks to this government database, they were able to collect data on about half of the population, and the numbers are growing. The database, among other things, stores the fingerprints of all ten fingers, as well as a retina image; in short, a complete biometric database.
The government is developing the database, and telecommunications companies (which I help) are supposed to collect the data - now in India you cannot buy a phone without having your fingerprints and your retina scanned. Then your data is transmitted through possibly secure channels and stored, possibly in a safe manner.
Such a database can make life easier for citizens in the future - for example, if infrastructure for paying for purchases with fingerprints is implemented. No passwords - besides, in India nobody was used to them anyway. It's like Facebook - now we type our social-network password into a bunch of sites to make them more convenient to use. In India, everything is a little different: there is the government instead of Facebook, and fingerprints instead of passwords.
But it is likely that someone will be able to steal biometric information from nearly 600 million people. And fingerprints cannot be changed like a password - you need to remember this when creating such systems from scratch and at such a fast pace.
Why USB is dangerous
The risk is this: anything you plug into a USB port can be disguised as any number of devices. In the good old days, you plugged a printer into a parallel port and installed drivers - as a user, you were involved in the process.
But the USB standard removed all this extra work. Now a person connects something via a USB port, whether it is an external drive, keyboard or printer, and everything works right away “out of the box”. This is great, but to some extent control over what is connected to the computer is lost. The user sees only the physical form of the connected device and concludes, "aha, I am connecting an external drive or printer."
But things may not be so simple - that's why we developed the SyncStop device (the “USB condom”), which allows you to safely connect USB devices.
Our studies have shown that it is possible to create viruses that will "live" in the hardware of connected devices. In this case, even reinstalling the system will not help - you have reinstalled it, and the virus still sits, for example, in a webcam.
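The point above is that the host only sees what a device's descriptors claim, and a device may claim to be several things at once: the classic disguise is a "thumb drive" that also enumerates a keyboard interface. The following is an added defensive example, not code from the interview or from the SyncStop project: a small audit script that parses a constructed USB inventory (the text format, vendor/product IDs and product strings are all invented for the example) and flags devices whose advertised interface classes do not match what a user would expect from their appearance. On a real Linux host the same information comes from sysfs (`/sys/bus/usb/devices/*/bInterfaceClass`) or `lsusb -v`; the class codes used are the standard USB-IF ones.

```python
import re

# Standard USB-IF interface class codes used by the audit
USB_CLASS_CDC = 0x02           # communications / network adapters
USB_CLASS_HID = 0x03           # keyboards, mice: can inject keystrokes
USB_CLASS_MASS_STORAGE = 0x08  # thumb drives, external disks
USB_CLASS_WIRELESS = 0xE0

USB_CLASS_NAMES = {
    USB_CLASS_CDC: "communications",
    USB_CLASS_HID: "hid",
    USB_CLASS_MASS_STORAGE: "mass-storage",
    USB_CLASS_WIRELESS: "wireless",
}

# Constructed inventory format (hypothetical, for this example only):
#   device <vid>:<pid> "<product string>"
#     interface <n> class <hex class code>
DEVICE_RE = re.compile(r'^\s*device\s+([0-9a-f]{4}):([0-9a-f]{4})\s+"([^"]*)"\s*$', re.I)
IFACE_RE = re.compile(r'^\s*interface\s+(\d+)\s+class\s+([0-9a-f]{2})\s*$', re.I)

# Constructed sample: IDs and names are made up; the third device is the
# suspicious "flash disk that is also a keyboard" pattern.
SAMPLE_INVENTORY = """
device 0781:5567 "SanDisk Cruzer Blade"
  interface 0 class 08
device 046d:c31c "Logitech Keyboard"
  interface 0 class 03
  interface 1 class 03
device 1234:0001 "Generic Flash Disk"
  interface 0 class 08
  interface 1 class 03
device 0b95:1790 "USB Ethernet Adapter"
  interface 0 class 02
"""

STORAGE_WORDS = re.compile(r"disk|drive|flash|storage|cruzer", re.I)


def parse_inventory(text):
    """Parse the constructed inventory text into a list of device dicts."""
    devices, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DEVICE_RE.match(line)
        if m:
            current = {"vid": int(m.group(1), 16), "pid": int(m.group(2), 16),
                       "product": m.group(3), "classes": []}
            devices.append(current)
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["classes"].append(int(m.group(2), 16))
            continue
        raise ValueError(f"unparseable inventory line: {line!r}")
    return devices


def assess(device):
    """Return a list of human-readable reasons this device deserves attention."""
    classes = set(device["classes"])
    reasons = []
    others = classes - {USB_CLASS_HID}
    if USB_CLASS_HID in classes and others:
        # A composite device that can both type and act as storage/network is
        # exactly what a disguised device needs; legitimate ones are rare.
        names = ", ".join(sorted(USB_CLASS_NAMES.get(c, f"0x{c:02x}") for c in others))
        reasons.append(f"HID (keystroke-capable) interface alongside {names}")
    if USB_CLASS_HID in classes and STORAGE_WORDS.search(device["product"]):
        reasons.append("product string suggests storage, but the device can type keystrokes")
    return reasons


def audit(text):
    """Map product string -> reasons for every device in the inventory."""
    return {d["product"]: assess(d) for d in parse_inventory(text)}


if __name__ == "__main__":
    for product, reasons in audit(SAMPLE_INVENTORY).items():
        status = "SUSPECT" if reasons else "ok"
        print(f"{status:8} {product}")
        for r in reasons:
            print(f"         - {r}")
```

The check is deliberately about mismatch, not about any single class: a keyboard that is only a keyboard and a drive that is only a drive pass, while the "flash disk" that also enumerates a HID interface is reported. A device firewall such as USBGuard enforces the same idea at plug-in time by allowing only known interface combinations; the script above only illustrates the descriptor check itself.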
So far, cases of such attacks are quite rare, but the leaked NSA documents contained evidence that they used a USB hack.
By the way, not so long ago the press discussed a case in which one government agency destroyed all of its computers and related hardware. They did not reinstall the OS; they literally destroyed everything. Many criticized them for the thoughtless waste of taxpayer money on new equipment.
But in general, the idea that backdoors can exist directly in hardware worries many people. Hardware is everywhere, right? It’s like a situation where a man sick with Ebola runs along a busy street or through an airport. Who knows what will happen next? Thousands of people may die, or maybe nothing will happen. Nobody knows. But the possibility itself is already scary.
Karsten Nohl spoke at the PHDays IV forum, which took place in 2014 in Moscow. At the event, the researcher talked about attacks on mobile networks and ways to circumvent the traditional protection measures taken by telecom operators. Below is a recording of the presentation (the presentation slides can be viewed here):