a16z Podcast - 16 Minutes on the News #9: All the Recent Phone Hacks
Episode Date: September 23, 2019

This is episode #9 of our news show, 16 Minutes, where we quickly cover recent headlines of the week, the a16z way -- why they're in the news; why they matter from our vantage point in tech -- and share our experts' views on the trends involved.

This week we do a short but deep dive to tease apart the FUD from the facts on all the phone hacks of late (also, arguably, one of the worst years on record for certain device manufacturers) -- given the following news:

Just this week, the FBI's Cyber Division released a notification to private industry on "Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication";

Last week, a telecom security firm reported a vulnerability called "Simjacker" where SMS containing spyware-like code "takes over" a phone's SIM card in order to retrieve and perform sensitive commands, regardless of platform or device;

Over the past month, Google and Apple have been going back and forth over a post the former released, "A very deep dive into iOS Exploit chains found in the wild", where a small collection of hacked websites were using iPhone zero-day vulnerabilities to target China's Uyghur Muslim community (though Google is not the one who revealed the specific websites, Apple did confirm it in their response a week later) -- what do we make of this exchange; of the fact that zero-day hacks are now more expensive on Android than on Apple; and of Apple's ethos when it comes to a third-party ecosystem for security?

Finally, how should we think about phone authentication overall when it comes to security, and what can we do to secure ourselves? Our a16z experts -- general partner Martin Casado and former chief security officer/operating partner for security Joel de la Garza -- share their thoughts on all this and more with host Sonal Chokshi, in this episode of 16 Minutes.

---

The views expressed here are those of the individual AH Capital Management, L.L.C. ("a16z") personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at a16z.com/investments.

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see a16z.com/disclosures for additional important information.
Transcript
Hi everyone. Welcome to the a16z podcast. I'm Sonal and I'm here today with the ninth episode of our short-form news show, 16 Minutes, where we cover recent headlines, the a16z way: why they're in the news from our vantage point in tech. Sometimes we cover multiple items, sometimes we go deep on just one or two topics. So this week we're doing one of our deep dives connected to one huge topic, which is: what the heck is going on with all the recent news around phone fraud happening lately. But first, you can subscribe to 16 Minutes wherever you like to get your podcasts. And also a reminder that after next week or so, we will no longer publish 16 Minutes here along with the regular a16z podcast. So be sure to go and subscribe to it separately if you still want the weekly take on news and tech. As a reminder, none of this is investment advice or intended for investors. Please be sure to see a16z.com/disclosures for important information. Also, the show notes include links to the articles cited or other relevant background. You can find those at a16z.com slash 16 minutes. Thank you. Okay, so let me quickly summarize the news, and then I'll welcome our a16z experts.
One, just this week, the FBI's Cyber Division released a note, headlined "Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication." And this matters in this context because phones are frequently used for second-factor authentication. Two, the next piece of news, is that just last week, a telecom security firm reported on a vulnerability called Simjacker that involves SMS containing spyware-like code being sent to a mobile phone, which then instructs the SIM card within the phone to take over, literally, that phone, in order to retrieve and perform sensitive commands. And the key here is that it's platform agnostic, which means it works across a wide range of mobile devices regardless of the hardware or software.

And then finally, another big piece of news is that Google's Project Zero team, which is focused on finding zero-day vulnerabilities, and just to quickly define that: those are unintended flaws in a system, kind of like a tumor in the human body that hasn't been detected yet, that can be targeted and exploited by cybercriminals, resulting in zero-day exploits or zero-day attacks. And that team released a post titled "A very deep dive into iOS Exploit chains found in the wild," sharing that they had discovered a small collection of hacked websites using iPhone zero-days. And just to make this more concrete, those sites were targeting China's oppressed Muslim community, though Google is not the one who revealed the specific sites. Apple did confirm that, though, in their response a week later, where they also shared that the attack was, I quote, "narrowly focused, not a broad-based exploit of iPhones en masse as described." And they also disputed that the sites were out there in the wild for the estimated two years, and that they were in the process of fixing the exploited bugs. So that's a high-level summary of what's been going on lately. I'd like to now welcome our a16z experts, general partner Martin Casado and Joel de la Garza, our chief security officer, to help us tease apart the FUD from the facts and what to pay attention to. Let's first begin by talking about the scope of the phone hacking problem overall. Can you break it down for us, Martin?

There's two pretty significant topics that are worth taking in. The first one is we've been relying on the phone system, which isn't a secure system, in order to secure ourselves. But the second one is the most predominant device maker for phones is Apple. And this has been the worst year for them, probably on record, when it comes to problems, right? So we all know that there's this FaceTime bug. I could call you on FaceTime. And you didn't even have to pick up. And I could hear what was going on. And that happened in January. And then, of course, there's the Project Zero stuff out of Google. Who knows who else was using it? And so you've got these two pretty significant topics that reduce to the same implication, which is we've trusted our phones for security, and now we're paying the price.

Let's address the first one, and then we can go deep on the second one. So you've actually said, in fact, on a previous episode of 16 Minutes, we should absolutely have two-factor, just don't use your phone as a second factor. And so can you talk a bit more about this trend of the phone being used in authentication?

So unfortunately, this is actually a fairly complicated topic. What does two-factor mean? Two-factor means that you don't just use a password, because somebody can steal your password or phish your password, but you use some other factor, whether it's, I use an authenticator on my phone or...

So it's not just something you know, the password, it's something you have, that you uniquely have.

Yeah, yeah, yeah. Now, there are many options for a second factor. One of the most popular has been texting. That text will go to whoever has the phone number on record. And that phone number, who receives it is dictated by the phone companies. And phone companies have lots of employees. And so anybody that can trick any employee in the entirety of T-Mobile or Sprint or AT&T, anybody at all, to move that phone number to their phone will get that message.

Let me just quickly pause on that because I, until now, had understood the vulnerability of it being me losing my phone and someone getting that text. But you're actually saying the entire surface area of attack is all those employees to transport that phone information to you, the attacker. That's huge. Can you actually break down the details of SIM porting specifically? And then we can talk about the other variations of this.
Yeah. So SIMs, it comes by many names: SIM swapping, SIM porting. The way to think about it is someone's able to get your phone number on their phone, normally by social engineering someone in the phone company. You don't need the SIM card. You don't need the phone. You don't need anything. This happens every day, all the time. And the way you think about it is this, like, there's some rural T-Mobile store where they have the ability to change the phone number because people get new phones. Somebody walks in there, convinces a store representative who doesn't know better, maybe using like fake credentials or a fake ID, to get the phone number ported. They reset your passwords. They have access to your accounts, financial accounts, this is crypto accounts. And then they have access to whatever you have.

And they don't even have to go into the store, right? You can use the data that you buy on the black market that's been taken from the credit rating agencies. So I can call your cell phone provider. I can say, I'm you. Here's my address. And they're going to say, well, we need to authenticate you. What's the first car you bought? Right? I look at your credit report. Or they ask for the last four of your social and I've got your whole number for you. And I can authenticate myself.

Which is the Capital One breach.

Absolutely.

We talked about that, how they actually had, like, what, like 100,000 social security numbers in there.

Absolutely. I mean, we should just assume that all American social security numbers are out there being sold. And there's clearly evidence, based on the FBI alert that came out today, that criminals are using social engineering techniques as well as technical methods to steal phone numbers and put them on new handsets. There are large criminal organizations that are doing this at scale.

And by the way, just to be clear, this is really about having convenience, because the only reason these people would give up that information is because you could legitimately lose your phone and want that number back, because you can't live without your phone. So it's not like they're trying to aid abusers. They're actually trying to be helpful.

There's a phenomenal Medium post from someone that lost, I think, $100,000 in cryptocurrency due to SIM porting. He does a very good job of detailing and breaking down the attack. And I think it's important that everyone listening to this realizes how common this is. But you don't actually have to SIM port to pull this off. So there's a whole other type of attack called active phishing, where you social engineer somebody with a phone number to tell you what the passcode is.

Can you give me an example of how that actually works?

Sure. I want to get into Joel's account. And so I'm like, oh, I need to know whatever passcode that it has sent, because I got his password somehow, I phished it. So what I do is I text Joel and I'm like, hey, listen, I used to have your phone number. It's been a while. It's the number that's registered with my account. I'm trying to reset my account. Can you tell me the passcode that came in?

I feel like that's kind of dumb that people would fall for that.

Right. However, it turns out this is a very effective attack for people that aren't educated on cyber security. You could try and educate everybody. But the reality is that because you're all connected and anybody can reach anybody, every sociopath on the planet is somehow your next-door neighbor.
So PIN porting, is that the same thing as this or is that something different?

So a number of the carriers, in response to some of these activities, have set the ability for you to establish a PIN on your SIM card. And so this means that if I want to change my phone number to a new handset, I have to provide this PIN. What we've actually found is that these cell phone carriers aren't honoring those PINs. They'll actually just ask you for the last four of your social in place of that PIN and then switch the number over.

Because as a best practice, they're just looking for a way to know that it's you, or they think it's you. And in fact, they really need to be asking for this additional layer of the actual PIN.

Well, even then, because consumers legitimately forget their PIN.

Yeah, I need to all the time.

But even, yeah, and just remember, like, even if you're required to show up with a driver's license or whatever, that is not a hard thing to do, given how much money's at stake and, like, how much does it cost to get a fake ID? $100,000, and you can get $100,000, like, in that Medium post.

And the reason why we've gotten here is because consumers are just so averse to the friction created by security, right? Like, in the past, we've generally had very horrible two-factor authentication experiences, right? You had a bunch of dongles, tokens, yeah, right? And even then the Chinese managed to breach them, right? The RSA was like the VPN tokens, right? Where you'd get this thing constantly reset.

Yeah, I remember those.

And you probably had five of them. Instead of a ring full of keys, you had a ring full of tokens. And that was a problem. And so what companies did was, rather than roll out more tokens, they decided, well, let's use phone numbers as an authenticator, which then pulled everything to the cell phone. The cell phone became this really core anchor of trust. Now that phone numbers are starting to fall away and becoming problematic, they're saying, well, let's start to use authenticator software on a cell phone to get you into your account, while now the attackers are just breaking the cell phones, right?

You're making the observation that the phone connects us and it makes it convenient, but it also connects us with sociopaths. What is the way out of this?
So what we like to advocate for a second factor is to reduce the trust to a set of atoms, something physical as opposed to bits, right? There's no way you could be social engineered out of it by somebody that's in a separate country, because they would have to have physical access to those bits.

But a phone is physical.

So if it requires the physical hardware to be there, of a phone, that's not just knowing the number that showed up on your SMS or a certain phone number, which is not physical. These are logical entities. So, for example, most phone devices have secure hardware, and that secure hardware can be verified that it exists. There's also, of course, security keys, which is a very similar thing that you plug in, which is hardware. So we like the idea of reducing the security to something physical that you have, as opposed to something logical, which you can be social engineered out of.

I think there's another kind of meta issue here at a higher level, which is that you don't want the thing that you're using to log in to be the thing that also authenticates you, right? You want to have a delineation of responsibilities, and putting that kind of a load on one single device, especially a device that, based on the news that we've heard recently, is going to be heavily targeted, means that you're probably blending two different threat surfaces together that you don't want to have intermixed.

Joel's exactly right. And I do think this is kind of the second reason this topic is so interesting is, okay, so it's important to have something physical if you really care about security on the internet. But what we've learned recently is, you know, one of the most major players in device manufacturing has this terrible track record this year with device security. So Android exploits right now are more expensive than iPhone exploits. So it's like 1.5 million to one. Apple's basically, their posture on security has been to say there's no problem. Therefore, there's no third-party ecosystem around them to actually patch the problem. And so, like, a very direct result of this is, like, actually now it's cheaper to buy an exploit for iPhone than it is for Android.

Yeah. And by cheaper to buy an exploit, you mean that it's, like, essentially the market of ways to essentially do it.

I actually got this quote from a Wired article where the guy was like, we see so many exploits in, like, iMessage and iPhone, we're starting to turn them away now.

I get that this is a tension between open and closed and, like, sort of all the innovation that that provides, but I still don't quite get why Apple may be particularly vulnerable here.
Apple's design philosophy has been to bundle as much stuff into the platform as possible and to sit it at the center of so many ecosystems. So not only does it hold your personal data, it's also your authenticator, it's also your communications device. And whenever you have any kind of concentration like that, it really just sort of makes it a really ripe target.

Not to mention being the center of this ecosystem of all the new services they just announced. We just did a podcast on 16 Minutes last week where we talked about the fact that you're now also connecting in a card and TV and games. I mean, you're essentially living your life on your phone.

And every new sort of spoke you add to the hub of your life is basically another way where people can get at you. And Apple does a really good job in isolation designing specific features that are highly secure. So, like, parts of Apple Pay are actually really admirable. They've done a really great job in figuring out how to do e-payment and e-commerce in that regard. But when they combine it into this multifaceted ecosystem and you get increasing complexity, you get increasing risk. So what we're seeing with phones, and what we were talking about earlier with the PIN porting, is they'll go after things like your email account, they'll go after your phone number, to try to take over those things as you work your way up the stack. So you have to think of this in terms of the sophistication of your adversaries. Fraudsters, people that are just trying to steal money, they're going to just go through the window that gets left open. They're not going to deconstruct your house. Nation states will, because they have the kind of money that they can spend on doing that. And so what we've seen recently is that nation states have been obviously spending a lot of money finding ways to deconstruct the iPhone. You can visit a community action website for a cause that you're interested in, and I can infect your phone with malware that will listen to everything you do, take all of your data, and surveil you in real time.

Yeah, they built pretty secure things, for sure, to give them credit. But here's what to me is so worrisome about Apple's general demeanor around security. They don't want to admit that you require third party. It's part of their design ethos. Per Joel's point, their posture in the past has been to deny any security issues because they thought it would kind of tarnish the reputation of whatever it was, like macOS, et cetera. So now here we are. We have two, like, startling examples. And yet there's very little actual mature ecosystem around Apple products to provide solutions to it.
Okay. So let me just push back, because if I were in Apple's shoes, when you have this very vertically integrated, top-down approach to design, that's actually the thing that makes you more secure. It would seem that letting third-party players into this is actually the thing that makes you more vulnerable? Or why is the third-party ecosystem the thing, like, is that really the thing they need to do, or do they just need to do a better job at security?

So maybe I'll just use an instance and then we'll back into it. So it's broadly understood, and I certainly believe, that the most secure way of acting on the internet and authenticating is having a hardware key. It doesn't matter who makes the hardware key. And you use that in conjunction with whatever device you're using, right? So I can store it in separate places. So if I lose my phone, you know, somebody else doesn't have access to it. I can put it in a safe. It's a single-purpose device with not a big attack surface. It's like a real key.

It's like a real key, right? We understand the security properties of physical things.

So that's the most secure way, which is broadly recognized. So Apple, because of its closed design philosophy, has been very resistant to interoperating, even though it costs them nothing, to allowing people to use security keys. And it's just part of their ethos. We have seen some positive movements in Safari. We have seen some positive movements in NFC, which is the protocol that they use to kind of connect with these.

Near-field communication. Didn't they just announce this week that you can actually now use YubiKeys and NFC with them?

Yeah. So the change is you can read and write, which allows you to implement FIDO and U2F, which are protocols needed for this stronger authentication. So we're seeing good movement. But boy, it can't come soon enough.

Okay.
So before we go back to the whole hacking and securing phones in general topic, I wanted to actually ask you guys what you made of the whole Google Project Zero thing, which I summarized at the very beginning. I mean, we have one company that's professing to be helping everyone in the ecosystem, but then they also have their own stake in it. And then you have Apple responding that Google was being alarmist. And so I want you guys' quick take on, you know, this whole exchange that played out over the last few weeks between them, and help me to separate the facts from their interests.

I respect that Google has taken the initiative to try to uplevel the security of the ecosystem. I think it's a really important thing to do. I have issues with going after competitors and finding security vulnerabilities in their products.

There's something very performative about that, isn't there?

So I'll do the counterpoint of that. I think Apple's history in security is so atrocious because they have not been open that you need real muscle and a real public display to shame them into doing something right. So I'm so glad for Project Zero. I think it was a great thing for all of us.

Okay, so just to sum up, we've covered new types of porting SIMs and phone numbers and PINs. But now let's go back to Simjacker, which I described earlier in the intro. Why is that one news, and why is the carrier side of that in particular something to pay attention to? I mean, that's what really felt different and new to me in thinking through what were the interesting news headlines for this episode.

This is unbelievable.
Simjacker's an attack, it's an elegant attack, which involves me sending an SMS to you with some spyware, and with that, I can basically take over your mobile phone. And the reason I can do that is because the SIM cards, I think the firmware for the SIM cards, has an old browser with an exploit in it. So the more software that the telcos install on your phones... they're not security companies.

The interesting thing about cell phones is that ultimately your device is controlled by someone else, right? Your carrier, they have to have the ability to access it. They have to update carrier settings. They have to be able to push baseband software and other software, unbeknownst to you, to your devices. Wherever you have backdoors or god keys, that's where attackers target. And I think there's a whole surface area of carrier tools and baseband tools that we don't even talk about that are probably where, you know, really sophisticated adversaries are spending some time right now. Once we figure out the SIM porting and once we figure out some of the software stuff, carrier tools is where this goes next.

Okay. So guys, bottom line it for me.
So from my perspective as a security geek, the thing that's really interesting to me is thinking about this in terms of what we call the kill chain. So where an attacker goes from targeting who they're going to get, to getting and acting on the intent and getting the information they want. And for me, the really important thing is understanding and figuring out the quickest way an attacker can go from deciding who they want to target to achieving their outcome. We have this concept called defense in depth. So we want to have a lot of little walls that you have to get through before you can actually get to where you want to act on your intent. And the entire security industry is predicated on building these little walls along that kill chain, finding ways to force the disclosure of an attacker. What we've seen with some of these device makers in the last year has been a way to short-circuit a lot of that kill chain. These attacks that we've seen in the last year are direct. They're to the point. They're immediately acting on their intent, and they don't have any of those little checks that we want to have in place. And generally, this is where nation states kind of focus on applying the gasoline.

Honestly, my takeaway is, like, I should just throw my phone into the water.
It's not that bad. I think we know the answer. And unfortunately, it's kind of our human nature that we don't want to pursue it, right? Like, we know that the key to health is eating right, exercising, not smoking, doing things in moderation, right? When it comes to online behavior, we actually know the answer. Let's use a valid, strong second factor of authentication. And if we have to, like, engage with someone on the internet, let's trust but verify, right?

The good news is it's actually not very hard to be incredibly secure on the internet. And it's just following best practice. Things like: use a password manager. We believe it's good to use a security key. Use a Chromebook. If you have a physical thing you want to protect, you use a safe to protect it in. Have good physical security. Don't ever click on links that come in SMS, and so forth. So there's a very small list of things that, if you follow, we think that you're in a good spot.

Well, thank you for joining this week's episode of 16 Minutes.

Thank you.

Thank you.