
Karsten Nohl: corporations against people, USB threats and biometric flaws



Atlas Obscura published an interview with the German cryptography and data-protection specialist Karsten Nohl. He works on a wide range of information-security projects, from the development of a "USB condom" to helping securely connect a billion new Internet users in India. Below are the main points from the conversation with Karsten.

Companies create risks, and people suffer from them


Risks are everywhere. Credit cards can be cloned, a car can get into an accident, even without any hackers involved. There is always risk, but you need to understand when the risk is acceptable and whether it has the right owner. We criticize large companies, such as telecommunications giants like AT&T or large banks, when they create risks and then make ordinary people, their customers, suffer from them.

Every time a user's personal information reaches a company there is a risk; sometimes even the transfer itself can be risky. Right now, during this interview, we are talking on Skype, so we are trusting Microsoft with our personal information, and they may or may not protect it. If our conversation "leaks" somewhere and negative consequences follow, the journalist and I will suffer from it, while Microsoft, by and large, doesn't care about the confidentiality of our conversation.

Large organizations rarely ask for their systems to be checked


Usually we are in the position of snoops; that is how it happens most often. Initially we did this without thinking about earning money. It is easy to guess that when you talk about the problems of large companies you can get onto the front pages of the media, but you do not make money.

Sometimes after our research, but only after it, never as a first step, we help some companies explore their systems more deeply and find problems in them. But not every organization is interested in this. If they were, there would be no problems.

But in any industry there are always a few people who want to stand out from the gray mass and really care about their customers, or rather want to gain a marketing advantage that helps the business and shows that they can be trusted.

On choosing the profession of security researcher


As a child I wanted to be an inventor. You know, children romanticize that profession. But once you start doing engineering, you understand that the main functionality is created by the software. There is no special magic in the simple combination of electrical and mechanical parts; the magic lies in the software that runs on top of it all. So I took up this discipline.

Security threats in developing countries


India is now on the verge of becoming a country connected to the Internet. There are many network users, but a huge part of a very large population is not yet connected.

There are 950 million phones in the country, almost a billion, of which only 5% can work with the Internet. So we have almost a billion people ready to become users as soon as you give them a smartphone and some money to pay for an Internet connection. These people will be the next major part of the Internet.



But they will also face problems that we in the West never encountered when we first connected to the network. For example, my first passwords in the nineties were simply lame, but the fact is that nobody tried to crack them back then!

I didn't have to worry about phishing; I opened every email, because back then I received very few. There was almost no spam and, of course, no phishing. I grew up with an Internet that gradually became more and more dangerous. As a result, I now know how to behave more or less securely.

But someone who gets onto the Internet for the first time today will not have that luxury, especially someone who doesn't understand technology and has so far hardly used a tablet or computer.

Biometrics problems


A few years ago, again in India, the government launched a citizen registration system, the first of its kind. Until then the authorities had no particular information about who lives in the country at all. Thanks to this government database they have managed to collect data on about half of the population, and the numbers are growing. The database contains, among other things, fingerprints of all ten fingers as well as an image of the retina; in short, a complete biometric database.

The government is developing the database, and the telecommunications companies (whom I help) must collect the data: now in India you can't buy a phone without giving your fingerprints and a retina scan. Then your data is transmitted over possibly secure channels and stored in a possibly secure manner.

Such a database may in the future make life easier for citizens, for example if an infrastructure for paying for purchases with fingerprints is built. No passwords, which nobody in India has gotten used to anyway. It's like Facebook: we now log in to a bunch of sites with our social-network password to use them more conveniently. In India everything is a little different: there is the government instead of Facebook, and fingerprints instead of passwords.



But it is likely that someone will be able to steal the biometric information of nearly 600 million people. And fingerprints cannot be changed like a password; you need to keep this in mind when building such systems from scratch and at such a fast pace.

Why USB is dangerous


The risk is this: anything you plug into a USB port can be disguised as any number of devices. In the good old days you plugged a printer into a parallel port and installed drivers; as a user, you were involved in the process.

But the USB standard has removed all this extra work. Now a person connects something to a USB port, be it an external drive, a keyboard or a printer, and everything works right out of the box. This is great, but to some extent control over what is connected to the computer is lost. The user sees only the physical form of the connected device and concludes, "Yes, I'm connecting an external drive or a printer."

But things may not be so simple, which is why we developed the SyncStop device (the "USB condom"), which allows you to connect USB devices safely.

Our research has shown that it is possible to create viruses that "live" in the hardware of the connected devices. In that case even reinstalling the system will not help: you have reinstalled it, and the virus still sits, for example, in a webcam.
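The point above is that the host learns what a USB device is only from the descriptors the device itself presents, so a "thumb drive" can just as well enumerate a keyboard interface. The following Python is an added example, not code from the article, from Karsten Nohl or from the SyncStop project: it walks a USB configuration descriptor, lists the interface classes the device claims, and flags any class that does not fit the physical form the user believes they are plugging in. The two descriptor blobs are constructed here for illustration; the class codes are the standard USB-IF interface class codes. In practice this kind of interface-class allowlist is what host-side tools such as USBGuard enforce, and what a hardware "USB condom" sidesteps entirely by passing only the power lines.

```python
"""Audit the interfaces a USB device advertises against the role the user expects."""
from dataclasses import dataclass

# Standard USB-IF interface class codes (subset).
USB_CLASS_NAMES = {
    0x01: "audio", 0x02: "cdc-control", 0x03: "hid", 0x06: "image",
    0x07: "printer", 0x08: "mass-storage", 0x0A: "cdc-data",
    0x0E: "video", 0xE0: "wireless", 0xFF: "vendor-specific",
}

# Interface classes that are plausible for the physical form the user sees.
# The mapping is an assumption of this example: tune it to your own policy.
EXPECTED_CLASSES = {
    "thumb-drive": {0x08},
    "keyboard": {0x03},
    "printer": {0x07},
    "webcam": {0x0E, 0x01},
}

DESC_TYPE_CONFIGURATION = 0x02
DESC_TYPE_INTERFACE = 0x04
DESC_TYPE_ENDPOINT = 0x05
DESC_TYPE_HID = 0x21


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


def parse_interfaces(config_blob: bytes) -> list[Interface]:
    """Walk a configuration descriptor and return every interface descriptor.

    Every USB descriptor starts with bLength and bDescriptorType, so unknown
    descriptors (endpoint, HID, vendor-specific) are skipped by their length.
    """
    interfaces = []
    offset = 0
    while offset + 2 <= len(config_blob):
        length, dtype = config_blob[offset], config_blob[offset + 1]
        if length < 2 or offset + length > len(config_blob):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DESC_TYPE_INTERFACE and length >= 9:
            interfaces.append(Interface(
                number=config_blob[offset + 2],
                cls=config_blob[offset + 5],
                subclass=config_blob[offset + 6],
                protocol=config_blob[offset + 7],
            ))
        offset += length
    return interfaces


def audit_device(expected_form: str, config_blob: bytes) -> list[str]:
    """Return the advertised interfaces that do not match what the user sees."""
    allowed = EXPECTED_CLASSES[expected_form]
    unexpected = []
    for iface in parse_interfaces(config_blob):
        if iface.cls not in allowed:
            name = USB_CLASS_NAMES.get(iface.cls, f"0x{iface.cls:02x}")
            unexpected.append(f"interface {iface.number}: {name}")
    return unexpected


# --- Constructed sample descriptors (not captured from real hardware) ---
def _config_header(total_len: int, num_ifaces: int) -> bytes:
    return bytes([9, DESC_TYPE_CONFIGURATION, total_len & 0xFF, total_len >> 8,
                  num_ifaces, 1, 0, 0x80, 50])

def _iface(num: int, cls: int, sub: int, proto: int, n_ep: int) -> bytes:
    return bytes([9, DESC_TYPE_INTERFACE, num, 0, n_ep, cls, sub, proto, 0])

def _endpoint(addr: int, attrs: int) -> bytes:
    return bytes([7, DESC_TYPE_ENDPOINT, addr, attrs, 64, 0, 0])

# A plain mass-storage stick: one SCSI bulk-only interface, two bulk endpoints.
_STORAGE = _iface(0, 0x08, 0x06, 0x50, 2) + _endpoint(0x81, 2) + _endpoint(0x02, 2)
HONEST_DRIVE = _config_header(9 + len(_STORAGE), 1) + _STORAGE

# The same stick that additionally enumerates a boot-protocol keyboard (HID).
_KEYBOARD = (_iface(1, 0x03, 0x01, 0x01, 1)
             + bytes([9, DESC_TYPE_HID, 0x11, 0x01, 0, 1, 0x22, 63, 0])
             + _endpoint(0x83, 3))
DISGUISED_DRIVE = _config_header(9 + len(_STORAGE) + len(_KEYBOARD), 2) + _STORAGE + _KEYBOARD


if __name__ == "__main__":
    for label, blob in (("honest drive", HONEST_DRIVE), ("disguised drive", DISGUISED_DRIVE)):
        print(label, "->", audit_device("thumb-drive", blob) or "matches expected form")
```

The check deliberately reasons about interface classes rather than vendor and product IDs, because those are just more bytes the device reports about itself; a device that lies about being a keyboard will lie about its vendor ID too. What the host cannot verify is whether the firmware behind an honest-looking descriptor has been tampered with, which is exactly the residual risk the paragraph above describes.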

Cases of such attacks are still quite rare, but the leaked NSA documents contained evidence that the agency used USB hacking.



By the way, not long ago the press discussed a case in which a government company destroyed all of its computers and related hardware. They did not reinstall the OS; they simply destroyed everything. Many criticized them for mindlessly spending taxpayer money on new equipment.

But in general, the idea that there may be backdoors sitting directly in the hardware worries many people. Hardware is everywhere, right? It's like a person sick with Ebola running along a busy street or through an airport. Who knows what happens next? Maybe thousands of people die, maybe nothing happens. Nobody knows. But the very possibility is already frightening.


Karsten Nohl spoke at the PHDays IV forum, held in Moscow in 2014, about attacks on mobile networks and ways to circumvent the traditional protective measures taken by telecom operators. A recording of the talk follows (the presentation slides can be viewed here):

Source: https://habr.com/ru/post/266135/
