From Radio frequency identification to Software, E&T continues its rundown of counterfeit and fake technologies
R is for RFID
Radio frequency identification (RFID) technology offers a tremendously convenient method of tracking assets across a range of applications, from automated stock control to electronic pet tagging. However, in its purest form it is innately insecure.
This insecurity takes the form of the illicit tracking or ‘skimming’ of RFID data via unauthorised scanning devices, a practice more generically known as RFID cloning. Such clones become, in effect, fake RFID tags. Whilst they may then exist only as data collected onto a data thief’s computer, they can be used to create new doctored devices.
‘Active RFID’ tags transmit data constantly, in search of a scanner, which will determine what the tag is attached to. Tag data captured by an unauthorised scanner could be used for felonious purposes. For years, although this was a background concern, it was generally reckoned that the potential rewards from cloning industrial-strength RFID tags were not equal to the effort involved in hacking them. But as more RFID sensors have found their way into a greater number of objects - from car keys to gambling chips, price tags to passports - they have become subject to greater unlawful attention.
Concern among retailers has been stoked by the amount of information appearing on the Web, posted by so-called ethical hackers and self-confessed mischief-makers alike, on how easy it is to hack RFID data and what you can do with it once this has been achieved.
RFID cloning has regularly been demonstrated by White Hat hackers at developer conferences and other events; even YouTube features several videos demonstrating how easy some cloning methodologies are to perform. In 2009, for instance, online tech journal The Register reported that, using $250-worth of off-the-shelf components, security expert Chris Paget built a mobile platform that could, it claimed, clone large numbers of the RFID tags used in US passport cards and advanced drivers licenses. It was reported that during a 20-minute drive through downtown San Francisco, Paget’s skimmer successfully copied data from the RFID tags of two passport cards without the knowledge of their owners.
One variant of cloning, spoofing, is a form of hack that does not physically replicate an RFID tag, but ‘impersonates’ a valid RFID tag to gain its privileges. This impersonation needs full access to the same communication channels as the original tag, including knowledge of the protocols and secure data used in any authentication that is to take place. If an RFID chip has rewritable memory, this theoretically exposes it to data tampering, which means that tags attached to goods in transit can be redirected into the hands of hijackers.
But RFID chips are not completely vulnerable. They can be protected with encryption, and the most advanced varieties can deploy a technology called challenge-response authentication. The problem is that this adds significantly to the cost of implementation, both for the encryption process itself and for the additional power it needs. Moreover, RFID critics say, even sophisticated encryption is still by no means 100 per cent secure.
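The difference between a tag that simply announces its identifier and one that uses challenge-response can be shown in a short simulation. This is an added example, not from the original article: the class and function names are hypothetical, the tag ID is a constructed sample value, and HMAC-SHA256 stands in for whatever lightweight cipher a real tag would use.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Tag that answers every scan with the same identifier."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the reader's challenge is ignored

class ChallengeResponseTag:
    """Tag holding a secret key; each answer depends on the reader's nonce."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self._key = tag_id, key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.tag_id + challenge, hashlib.sha256).digest()

class ReplayedCapture:
    """Stand-in for a copy built only from one recorded transmission."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded
    def respond(self, challenge: bytes) -> bytes:
        return self.recorded

def reader_accepts_static(tag, expected_id: bytes) -> bool:
    return hmac.compare_digest(tag.respond(b""), expected_id)

def reader_accepts_cr(tag, tag_id: bytes, key: bytes) -> bool:
    challenge = secrets.token_bytes(16)  # fresh nonce for every scan
    expected = hmac.new(key, tag_id + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag.respond(challenge), expected)

def demo() -> dict:
    tag_id, key = b"PALLET-0001", secrets.token_bytes(32)  # constructed values
    static, cr = StaticTag(tag_id), ChallengeResponseTag(tag_id, key)
    static_copy = ReplayedCapture(static.respond(b""))
    # The recorded answer was computed for an earlier, different nonce.
    cr_copy = ReplayedCapture(cr.respond(secrets.token_bytes(16)))
    return {
        "static_genuine": reader_accepts_static(static, tag_id),
        "static_replay": reader_accepts_static(static_copy, tag_id),
        "cr_genuine": reader_accepts_cr(cr, tag_id, key),
        "cr_replay": reader_accepts_cr(cr_copy, tag_id, key),
    }
```

The recorded static identifier is accepted as if it were the genuine tag, while the recorded challenge-response answer is rejected because the reader issues a new nonce on every scan.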
This was demonstrated five years ago when soccer superstar David Beckham famously had his showroom-fresh BMW X5 sports car stolen. Thieves managed to decode the vehicle’s RFID-enabled door locks using a portable scanner attached to a laptop, which took only a few minutes to detect weakness in the encryption sequence of the car’s security systems.
RFID’s critics - and there are many - have argued that RFID proliferation should be halted until its security flaws are fixed. They point out that unlike, say, vulnerabilities in PC software, RFID devices cannot be ‘patched’ in one fell swoop with Internet downloads. Other observers expect the question of RFID security to come increasingly under the scrutiny of legislators anxious to impose parity and continuity on national data protection laws.
S is for software
Software that isn’t what it appears to be, in both appearance and functionality, emerged almost as soon as personal computer programs became commoditised in the 1980s. This was a time when the ability of software companies to protect their products from unlicensed copying was minimal: application code could be copied from its original host media to new floppy disks, and repackaged, and (in pre-Internet days) sold mail-order or even out of a car boot.
Later manifestations of ‘fake’ software were imitations of market-leading products based on code that aped the originals while also maybe adding or removing features here and there. An immature user-base was often satisfied with imitative word processors or spreadsheets, even when they were buggy, because they didn’t cost much.
As software prices bottomed out, users became savvy to the fact that cheap substitutes caused more problems than they were worth; but knock-off copies of legitimate software continued to proliferate in developing markets where there was a ready demand - and a supply of less-than-scrupulous software handlers who knew how to repackage and distribute.
Despite the knock-offs, software vendors like Microsoft and Lotus started to spend more of their growing revenues on building copy protection into their products, and in defending them against piracy through the courts.
The rise of the PC marketplace created opportunities for software spivs to cheat users with the next generation of fake software: poorly-featured programs written by wannabe coders that promised more than they delivered, yet sold at just-below premium prices. Examples included word-processors that lacked standard features like spellcheckers, spreadsheets that offered fewer functions than a cheap pocket calculator, and games that crashed if high scores were exceeded.
Purveyors of such wares were sometimes bold enough to advertise in specialist publications, which were bound by the advertising codes and consumer rights, and who therefore found themselves among the first to enforce clampdowns on the dodgy dealers. This led to strict codes of conduct for software distribution that helped clean up the market.
Yet pirated business software proved profitable throughout the 1990s, despite public awareness campaigns by industry bodies such as FAST (Federation Against Software Theft) to educate end-users away from purchasing illegitimate products. Even today, despite the ubiquity of quality free and open-source solutions, direct-sales software piracy continues.
Last June (2011) in the US, for instance, Wayne Chih-Wei Shu was sentenced to three years in prison, and $687,633 in restitution for charges arising from a scheme to flog counterfeit Microsoft software. Shu had sold products found to be counterfeit, tampered with, or infringed on copyrights. Shu reportedly engaged in a practice known as ‘kitting’ - selling software products that contained some genuine components with other components that were counterfeit or tampered with. This made it more difficult for users to determine that the software was counterfeit. Shu also used counterfeit licences and certificates of authenticity to convince buyers who thought they were purchasing licensed Microsoft products.
The advent of the Internet, and the climate of online security threats it has brought, caused the notion of fake software to be redefined as ‘rogue software’ (rogueware): the principal agent in acts of Internet-based fraud, using malware that misleads users into paying for fake or simulated removal of malware, or that installs, as a matter of course, other malware that can be used to harvest additional information. Self-installed rogueware can create even more problems (installing pop-up links to adult content websites, say) that will prove so aggravating or embarrassing that users are willing to pay for more remedial ‘help’. Rogueware is not altogether a technological threat: it also relies on social engineering to circumvent security built into contemporary operating systems and browsers. A website may, for example, display a phoney warning stating that a PC is infected with a virus, then urge its user to install or purchase rogueware under the impression that they are purchasing genuine anti-virus software.
Fake security software scams constitute criminal activity, and over the last two years have been targeted by law-enforcement agencies as one of the more addressable kinds of cybercrime. One of the most proactive has been the US Federal Bureau of Investigation (FBI), which has brought a number of prosecutions. In June 2011 the FBI indicted two individuals from Latvia, and seized more than 40 computers, servers and bank accounts as part of an enforcement action targeting international cyber-crime called Operation Trident Tribunal (OTT). Evidence uncovered in such operations reveals the full scale of fake software-led cyber-crime, both in terms of extent and financial returns. OTT targeted international cybercrime rings that caused some $74m in total losses to more than one million computer users through the sale of fake security software.
Penalties for fake software scams are tough. If convicted, the defendants face penalties of up to 20 years in prison and fines of up to $250,000 on the wire fraud and conspiracy charges, the FBI says, and up to 10 years in prison and fines of $250,000 on the computer fraud charge.