By Rachel Chalmers

From Microsoft, AOL and Yahoo to Motorola, more and more IT giants are pinning their hopes on the proliferation of wireless, embedded devices as the growth market of the future. As Warren Adams, director of product development for Amazon.com Inc, said of the wireless e-commerce enabled by the Palm VII: ‘If customers are in the car and they hear a song they like, they can look it up and purchase it. In our mind, this is a cash register in every pocket.’ With dollar signs in their eyes, the IT giants may be forgiven for overlooking a few of the elementary problems with wireless e-commerce – namely that the problems of security and authentication, which are more or less solved for static, wired networks, are anything but solved for devices with low power, high latency and variable location.

To address this deficiency, Frank Stajano and Ross Anderson, researchers at the University of Cambridge Computer Laboratory, have proposed a new security policy model. ‘Everyone – including potential users – knows that wireless networking is more prone to passive eavesdropping attacks,’ the researchers admit, ‘but it would be highly misleading to take this as the only, or even the main, security concern.’ For example, a malicious user could interact with a network node in some perfectly legitimate way, for no other purpose than to drain the battery. ‘Battery life is a critical parameter for many portable devices,’ Stajano and Anderson point out. They call this technique the sleep deprivation torture attack, and it’s safe to assume it’s only one of many new cracking techniques enabled by the shift to wireless.

How might administrators protect nodes from these kinds of attack? Any publicly accessible server must trade off between making itself useful to unknown visitors and making itself vulnerable to vandals, but clearly network nodes that depend on limited-life batteries present special problems. The researchers suggest that functions can be identified as primary and secondary – provision of information to the owners of a server, for example, could be given a higher priority than provision of information to casual inquirers. ‘The highest priority use of all may be battery management,’ they write; ‘if one can estimate fairly accurately the amount of usable energy remaining, then the service can be monitored and managed.’

Some of the most interesting questions about securing wireless nodes come from the ways such devices are typically used. A universal remote control, for example, should respond only to its owners’ commands, and not to those of a burglar. If such a remote is stolen or lost, the owner should have the power to disable it and replace it with another device. Her TV and VCR should then obey the new device rather than the old one, and so forth. To address these issues, Stajano and Anderson propose a model they call the ‘resurrecting duckling’ security policy. They build on Konrad Lorenz’s observation that a newly hatched duckling will be imprinted by the first moving thing that it sees, and will thereafter treat that thing as its mother. Think of the duckling as a wireless networked device, and imprinting as the exchange of a cryptographic key which uniquely identifies the mother.

‘We can view the hardware of the device as the body, and the software (particularly the state) as the soul,’ the researchers explain. As long as the soul stays in the body, the duckling remains alive and bound to the same mother to which it was imprinted. The clever part is that the bond is dissolved by death. Thereupon, the soul dissolves and the body returns to its pre-birth state, with the resurrecting duckling ready for another imprinting that will start a new life with another soul. Devices can die when they are no longer being used, as with a medical thermometer that is returned to a disinfectant bath. They can die of old age, which makes them easy to lease or rent. Or they can be instructed to die by their mothers, as with a stolen universal remote control. Stajano and Anderson even propose escrowed seppuku, in which a trusted third party can order a duckling to commit suicide if the mother has lost the secret key.
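
The life cycle described above (imprinting, death ordered by the mother, resurrection, escrowed seppuku) can be read as a small state machine. The Python below is an added example, not code from this article or from Stajano and Anderson. Its assumptions: the names Duckling, tag and life_cycle, HMAC-SHA256 as the authenticator, a pre-installed escrow key, and a per-life counter in the escrow order; freshness for ordinary commands is left out.

```python
import hashlib
import hmac
import os

def tag(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 is this example's choice of MAC, not one named in the article.
    return hmac.new(key, msg, hashlib.sha256).digest()

class Duckling:
    """Device body; its 'soul' is the key shared with the current mother."""
    def __init__(self, escrow_key: bytes):
        self._escrow_key = escrow_key  # trusted third party's key (assumed pre-installed)
        self._soul = None              # None = pre-birth state, ready for imprinting
        self.lives = 0                 # bumped at each death; ties escrow orders to one life

    def imprint(self, mother_key: bytes) -> bool:
        """Bind to the first key offered; refuse any other while alive."""
        if self._soul is not None:
            return False
        self._soul = mother_key
        return True

    def _die(self) -> None:
        self._soul, self.lives = None, self.lives + 1

    def obey(self, command: bytes, mac: bytes) -> bool:
        """Act only on commands MACed by the mother; b'die' dissolves the bond."""
        if self._soul is None or not hmac.compare_digest(mac, tag(self._soul, command)):
            return False
        if command == b"die":
            self._die()
        return True

    def escrowed_seppuku(self, mac: bytes) -> bool:
        """Death ordered by the escrow agent when the mother has lost her key."""
        order = b"die:%d" % self.lives  # per-life order, so an old one cannot be replayed
        if self._soul is None or not hmac.compare_digest(mac, tag(self._escrow_key, order)):
            return False
        self._die()
        return True

def life_cycle() -> list:
    escrow, alice, bob = (os.urandom(32) for _ in range(3))  # constructed sample keys
    d, old_order = Duckling(escrow), tag(escrow, b"die:0")
    return [d.imprint(alice), d.imprint(bob),    # True, False: first key wins
            d.obey(b"on", tag(bob, b"on")),      # False: bob is not the mother
            d.obey(b"die", tag(alice, b"die")),  # True: mother ends life 0
            d.imprint(bob), d.obey(b"on", tag(alice, b"on")),  # True, False
            d.escrowed_seppuku(old_order),       # False: order was for life 0
            d.escrowed_seppuku(tag(escrow, b"die:1"))]  # True: escrow ends life 1
```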

The resurrecting duckling policy offers an urgently needed new way of thinking about security in wireless devices, constrained as they are by the comparative lack of power, CPU cycles and bandwidth. ‘This combination makes much of the conventional wisdom about authentication, naming and service denial irrelevant,’ the researchers write. There are interesting new attacks, such as the sleep deprivation torture, and limitations on the acceptable primitives for cryptographic protocols. However, there are also new opportunities opened up by the model of secure transient association. In the brave new world of wireless, existing security policies may be worse than useless. Those contesting for e-commerce dominance in this market must confront and somehow overcome that unpalatable fact.