The a16z Show - 16 Minutes on the News #9: All the Recent Phone Hacks

Episode Date: September 23, 2019

This is episode #9 of our news show, 16 Minutes, where we quickly cover recent headlines of the week, the a16z way -- why they're in the news; why they matter from our vantage point in tech -- and share our experts' views on the trends involved.

This week we do a short but deep dive to tease apart the FUD from the facts on all the phone hacks of late (also, arguably, one of the worst years on record for certain device manufacturers) -- given the following news:

Just this week, the FBI's Cyber Division released a notification to private industry on "Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication";

Last week, a telecom security firm reported a vulnerability called "Simjacker" where an SMS containing spyware-like code "takes over" a phone's SIM card in order to retrieve and perform sensitive commands, regardless of platform or device;

Over the past month, Google and Apple have been going back and forth over a post the former released, "A very deep dive into iOS Exploit chains found in the wild", where a small collection of hacked websites were using iPhone zero-day vulnerabilities to target China's Uyghur Muslim community (though Google is not the one who revealed the specific websites, Apple did confirm it in their response a week later) -- what do we make of this exchange; of the fact that zero-day hacks are now more expensive on Android than on Apple; and of Apple's ethos when it comes to a third-party ecosystem for security?

Finally, how should we think about phone authentication overall when it comes to security, and what can we do to secure ourselves? Our a16z experts -- general partner Martin Casado and former chief security officer/operating partner for security Joel de la Garza -- share their thoughts on all this and more with host Sonal Chokshi, in this episode of 16 Minutes.

---

The views expressed here are those of the individual AH Capital Management, L.L.C. ("a16z") personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at a16z.com/investments.

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see a16z.com/disclosures for additional important information.

Transcript
[00:00:00] Hi everyone. Welcome to the a16z Podcast. I'm Sonal, and I'm here today with the ninth episode of our short-form news show, 16 Minutes, where we cover recent headlines, the a16z way: why they're in the news from our vantage point in tech. Sometimes we cover multiple items, sometimes we go deep on just one or two topics. So this week we're doing one of our deep dives connected to one huge topic, which is: what the heck is going on with all the recent news around phone fraud happening lately? But first, you can subscribe to 16 Minutes separately wherever you like to get your podcasts. And also a reminder that after next week or so, we will no longer publish 16 Minutes here along with the regular a16z Podcast. So be sure to go and subscribe to it separately if you still want the weekly take on news and tech. As a reminder, none of this is investment advice or intended for investors. Please be sure to see a16z.com/disclosures for important information. Also, the show notes include links to the articles cited or other relevant background. You can find those at a16z.com slash 16 minutes. Thank you. Okay, so let me quickly summarize the news and then I'll welcome our a16z experts.
[00:01:05] One, just this week, the FBI's Cyber Division released a note headlined "Cybercriminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication." And this matters in this context because phones are frequently used for second-factor authentication. Two, the next piece of news is that just last week, a telecom security firm reported on a vulnerability called Simjacker that involves an SMS containing spyware-like code being sent to a mobile phone, which then instructs the SIM card within the phone to take over, literally, that phone
[00:01:37] in order to retrieve and perform sensitive commands. And the key here is that it's platform-agnostic, which means it works across a wide range of mobile devices regardless of the hardware or software. And then finally, another big piece of news is that Google's Project Zero team, which is focused on finding zero-day vulnerabilities (and just to quickly define that: those are unintended flaws in a system, kind of like a tumor in the human body that hasn't been detected yet, that can be targeted and exploited by cybercriminals, resulting in zero-day exploits or zero-day attacks). And that team released a post titled "A very deep dive into iOS exploit chains found in the wild," sharing that they had discovered a small collection of hacked websites using iPhone
[00:02:16] zero-days. And just to make this more concrete, those sites were targeting China's oppressed Muslim community, though Google is not the one who revealed the specific sites. Apple did confirm that, though, in their response a week later, where they also shared that the attack was, I quote, "narrowly focused, not a broad-based exploit of iPhones en masse" as described. And they also disputed that the sites were out there in the wild for the estimated two years, and said that they were in the process of fixing the exploited bugs. So that's a high-level summary of what's been going on lately. I'd like to now welcome our a16z experts, general partner Martin Casado and Joel de la Garza, our chief security officer, to help us tease apart the FUD from the
[00:02:53] facts and what to pay attention to. Let's first begin by talking about the scope of the phone hacking problem overall. Can you break it down for us, Martin? There are two pretty significant topics that are worth taking in. The first one is we've been relying on the phone system, which isn't a secure system, in order to secure ourselves. But the second one is the most predominant device maker for phones is Apple. And this has been the worst year for them, probably on record,
[00:03:18] when it comes to problems, right? So we all know that there's this FaceTime bug. I could call you on FaceTime, and you didn't even have to pick up, and I could hear what was going on. And that happened in January. And then, of course, there's the Project Zero stuff out of Google. Who knows who else was using it? And so you've got these two pretty significant topics that reduce to the same implication,
[00:03:39] which is we've trusted our phones for security, and now we're paying the price. Let's address the first one, and then we can go deep on the second one. So you've actually said, in fact, on a previous episode of 16 Minutes, we should absolutely have two-factor, just don't use your phone as a second factor. And so can you talk a little bit more about this trend of the phone being used in authentication? So unfortunately, this is actually a fairly complicated topic. What does two-factor mean? Two-factor means that you don't just use a password, because somebody can steal your password or phish your password, but you use some other factor, whether it's I use an authenticator
[00:04:13] on my phone or... So it's not just something you know, the password. It's something you have, that you uniquely have. Yeah, yeah, yeah. Now, there are many options for a second factor. One of the most popular has been texting. That text will go to whoever has the phone number on record. And that phone number, who receives it, is dictated by the phone companies. And phone companies have lots of employees. And so anybody that can trick any employee in the entirety of T-Mobile or Sprint or AT&T, anybody at all, to move that phone number to their phone will get that message. Let me just quickly pause on that, because I, until now, had understood the vulnerability of it being me losing my phone and someone getting that text, but you're actually saying the entire surface
[00:04:56] area of attack is all those employees who could transport that phone information to you, the attacker. That's huge. Can you actually break down the details of SIM porting specifically? And then we can talk about the other variations of this. Yeah. So it comes by many names: SIM swapping, SIM porting. The way to think about it is someone's able to get your phone number on their phone, normally by social engineering someone in the phone company.
[00:05:19] You don't need the SIM card. You don't need the phone. You don't need anything. This happens every day, all the time. And the way you think about it is, like, there's some rural T-Mobile store where they have the ability to change the phone number because people get new phones. Somebody walks in there, convinces a store representative who doesn't know better, maybe using fake credentials or a fake ID, to get the phone number ported. They reset your passwords. They have access to your accounts. This is financial accounts. This is crypto accounts. And then they have access to whatever you have. And they don't even have to go into the store, right?
[00:05:46] You can use the data that you buy on the black market that's been taken from the credit rating agencies. So I can call your cell provider. I can say, I'm you. Here's my address. And they're going to say, well, we need to authenticate you. What's the first car you bought? I look at your credit report. Or they ask for the last four of your Social, and I've got your whole number for you.
[00:06:03] And I can authenticate myself. Which is the Capital One breach. Absolutely. Because we talked about that, how they actually had, like, what, like 100,000 Social Security numbers in there. Absolutely. I mean, we should just assume that all American Social Security numbers are out there being sold. And there's clearly evidence, based on the FBI alert that came out today, that criminals are using social engineering techniques as well as technical methods to steal phone numbers and put them on new handsets.
[00:06:25] There are large criminal organizations that are doing this at scale. And by the way, just to be clear, this is really about having convenience, because the only reason these people would give up that information is because you could legitimately lose your phone and want that number back, because you can't live without your phone. So it's not like they're trying to aid abusers. They're actually trying to be helpful. There's a phenomenal Medium post from someone that lost, I think, $100,000 in cryptocurrency due to SIM porting. He does a very good job of detailing and breaking down the attack. And I think it's important that
[00:06:55] everyone listening to this realizes how common this is. But like, you don't actually have to SIM port to pull this off. So there's a whole other type of attack called active phishing, where you social engineer somebody with a phone number to tell you what the passcode is. Can you give me an example of how that actually works? Sure. I want to get into Joel's account. And so I'm like, oh, I need to know whatever passcode has been sent to him, because I got his password somehow. I phished it. So what I do is I text Joel and I'm like, hey, listen, I used to have your phone number. It's been a while. That's the number that's registered with my account.
[00:07:26] I'm trying to reset my account. Can you tell me the passcode that came in? I feel like that's kind of dumb, that people would fall for that. Right. However, it turns out this is a very effective attack for people that aren't educated on cybersecurity. You could try and educate everybody. But the reality is that because you're all connected and anybody can reach anybody, every sociopath on the planet is somehow your next-door neighbor. So PIN porting, is that the same thing as this or is that something different?
[00:07:48] So a number of the carriers, in response to some of these activities, have set up the ability for you to establish a PIN on your SIM card. And so this means that if I want to change my phone number to a new handset, I have to provide this PIN. What we've actually found is that these cell phone carriers aren't honoring those PINs. They'll actually just ask you for the last four of your Social in place of that PIN and then switch the number over. Because as a best practice, they're just looking for a way to know that it's you, or they think it's you. And in fact, they really need to be asking for this additional layer of the actual PIN. Even then, because consumers legitimately forget their PIN. Yeah, I do it all the time.
[00:08:21] But even, yeah, and just remember, like, even if you're required to show up with a driver's license or whatever, that is not a hard thing to do, given how much money's at stake. And, like, how much does it cost to get a fake ID? $100. And you can get $100,000, like, in that Medium post. And the reason why we've gotten here is because consumers are just so averse to the friction created by security, right? Like, in the past, we've generally had very horrible two-factor authentication experiences, right? You had a bunch of dongles and tokens. Yeah, right.
[00:08:50] And even then the Chinese managed to breach that. The RSA ones were like the VPN tokens, right? Oh, absolutely. Oh, yeah, yeah, yeah. Yeah, I remember those. And you probably had five of them. Instead of a ring full of keys, you had a ring full of tokens. Yeah.
[00:09:00] And that was a problem. And so what companies did was, rather than roll out more tokens, they decided, well, let's use phone numbers as an authenticator, which then pulled everything to the cell phone. The cell phone became this really core anchor of trust. Now that phone numbers are starting to fall away and becoming problematic, they're saying, well, let's start to use authenticator software on a cell phone to get you into your account. Well, now the attackers are just breaking the cell phones, right? You're making the observation that the phone connects us and it makes it convenient, but it also connects us to sociopaths.
[00:09:29] What is the way out of this? So what we like to advocate for a second factor is to reduce the trust to a set of atoms, something physical, as opposed to bits, right? There's no way you could be social-engineered out of it by somebody that's in a separate country, because they would have to have physical access to those bits. But a phone is physical. So if it requires the physical hardware of a phone to be there, that's not just knowing the number that showed up on your SMS or a certain phone number, which is not physical.
[00:10:01] These are logical entities. So for example, most phone devices have secure hardware, and that secure hardware can be verified to exist. There are also, of course, security keys, which is a very similar thing that you plug in, which is hardware. So we like the idea of reducing security to something physical that you have, as opposed to something logical, which you can be social-engineered out of. I think there's another kind of meta issue here at a higher level,
[00:10:25] which is that you don't want the thing that you're using to log in to be the thing that also authenticates you, right? You want to have a delineation of responsibilities, and putting that kind of a load on one single device, especially a device that, based on the news that we've heard recently, is going to be heavily targeted, means that you're probably blending two different threat surfaces together that you don't want to have intermixed. Exactly right. And I do think this is kind of the second reason this topic is so interesting: okay, so it's important to have something physical if you really care about security on the internet. But what we've learned recently is, you know, one of the most major players in
[00:11:01] device manufacturing has this terrible track record this year with device security. So Android exploits right now are more expensive than iPhone exploits. So it's like 1.5 million to one. Apple's basically, their posture on security has been to say there's no problem. Therefore, there's no third-party ecosystem around them to actually patch the problem. And so, like, a very direct result of this is, like, actually now it's cheaper to buy an exploit for iPhone than it is for Android. Yeah. And by cheaper to buy an exploit, you mean that it's, like, essentially the market of ways to essentially do... Yeah, yeah.
[00:11:32] I actually got this quote from a Wired article where the guy was like, we see so many exploits in, like, iMessage and iPhone, we're starting to turn them away now. I get that this is a tension between open and closed and, like, sort of all the innovation that that provides, but I still don't quite get why Apple may be particularly vulnerable here. Apple's design philosophy has been to bundle as much stuff into the platform as possible and to sit it at the center of so many ecosystems. So not only does it hold your personal data, it also acts as your authenticator, it acts as your communications device. And whenever you have any kind of concentration like that, it really just sort of makes it a really ripe target. Not to mention
[00:12:06] being the center of this ecosystem of all the new services they just announced. Like, we just did a podcast on 16 Minutes last week, where we talked about the fact that you're now also connecting in cards and TV and games. I mean, you're essentially living your life on your phone. And every new sort of spoke you add to the hub of your life is basically another way where people can get at you. And Apple does a really good job in isolation, designing specific features that are highly secure. So, like, parts of Apple Pay are actually really admirable. They've done a really great job in figuring out how to do e-payment and e-commerce in that regard. But when they combine it into this multifaceted ecosystem and you get increased,
[00:12:41] increasing complexity, you get increasing risk. So what we're seeing with phones, and what we were talking about earlier with the PIN porting, is they'll go after things like your email account, they'll go after your phone number, to try to take over those things as you work your way up the stack. So you have to think of this in terms of the sophistication of your adversaries. Fraudsters, people that are just trying to steal money, they're going to just go through the window that gets left open. They're not going to deconstruct your house. Nation-states will, because they have the kind of money that they can spend on doing that. And so what we've seen recently is that nation-states have been obviously spending a lot of money finding ways to deconstruct the iPhone.
[00:13:17] You can visit a community action website for a cause that you're interested in, and I can infect your phone with malware that will listen to everything you do, take all of your data, and surveil you in real time. Yeah, they built pretty secure things, for sure, to give them credit. But here's what to me is so worrisome about Apple's general demeanor around security. They don't want to admit that you require third parties. It's part of their design ethos. Per Joel's point, their posture in the past has been to deny any security issues because they thought it would kind of tarnish the reputation of whatever it was, like Mac OS, etc. So now here we are. We have two, like, startling examples. And yet there's very little actual mature ecosystem around Apple products to provide solutions to it.
[00:14:00] Okay. So let me just push back, because if I were in Apple's shoes, when you have this very vertically integrated, top-down approach to design, that's actually the thing that makes you more secure. It would seem that letting third-party players into this is actually the thing that makes you more vulnerable. Or why is the third-party ecosystem the thing? Like, is that really the thing they need to do, or do they just need to do a better job at security? So maybe I'll just use an instance and then we'll back into it. It's broadly understood, and I certainly believe, that the most secure way of acting on the internet and authenticating is having a hardware key. It doesn't matter who makes the hardware key, and you use that in conjunction with whatever device you're using, right? So I can store it in separate places, so if I lose my phone, you know,
[00:14:43] somebody else doesn't have access to it. I can put it in a safe. It's a single-purpose device with not a big attack surface. It's like a real key. It's like a real key, right? We understand the security properties of physical things. So that's the most secure way, which is broadly recognized. So Apple, because of its closed design philosophy, has been very resistant to interoperating,
[00:15:06] even though it costs them nothing, to allowing people to use security keys. And it's just part of their ethos. We have seen some positive movements in Safari. We have seen some positive movements in NFC, which is the protocol that they use to kind of connect with things. Near-field communication. Didn't they just announce this week
[00:15:23] that you can actually now use YubiKeys and NFC with them? Yeah. So the change is you can read and write, which allows you to implement FIDO and U2F, which are protocols needed for this stronger authentication. So we're seeing good movement. But boy, it can't come soon enough. Okay. So before we go back to the whole hacking and securing phones in general topic, I wanted to actually ask you guys what you made of the whole Google Project Zero thing, which I summarized at the
[00:15:46] very beginning. I mean, we have one company that's professing to be helping everyone in the ecosystem, but then they also have their own stake in it. And then you have Apple responding that Google was being alarmist. And so I want your guys' quick take on, you know, this whole exchange that played out over the last few weeks between them, and help me to separate the facts from their interests. I respect that Google has taken the initiative to try to up-level the security of the ecosystem. I think it's a really important thing to do. I have issues with going after competitors and finding security vulnerabilities in their products. There's something very performative about that, isn't there?
[00:16:19] So I'll do the counterpoint of that. I think Apple's history in security is so atrocious, because they have not been open, that you need real muscle and a real public display to shame them into doing something right. And so I'm so glad for Project Zero. I think it was a great thing for all of us. Okay. So just to sum up, we've covered new types of porting SIMs and phone numbers and PINs. But now let's go back to Simjacker, which I described earlier in the intro. Why is that one news, and why is the carrier side of that in particular something to pay attention to? I mean, that's what really felt different and new to me in thinking through what were the interesting news headlines for this episode. This is unbelievable. Simjacker as an attack
[00:16:55] is an elegant attack, which involves me sending an SMS to you with some spyware, and with that, I can basically take over your mobile phone. And the reason I can do that is because the SIM cards, I think the firmware for the SIM cards, has an old browser with an exploit in it. So the more software that the telcos install on your phones... they're not security companies. The interesting thing about cell phones is that ultimately your device is controlled by someone else, right? Your carrier, they have to have the ability to access it, they have to update carrier settings, they have to be able to push baseband software and other software unbeknownst to your devices. Wherever you have backdoors or god keys, that's where attackers target.
[00:17:39] And I think there's a whole surface area of carrier tools and baseband tools that we don't even talk about that are probably where, you know, really sophisticated adversaries are spending some time right now. Once we figure out the SIM porting and once we figure out some of the software stuff, carrier tools is where this goes next. Okay. So, guys, bottom-line it for me. So from my perspective as a security geek, the thing that's really interesting to me is thinking about this in terms of what we call the kill chain. So where an attacker goes from targeting who they're going to get to, to getting and acting on the intent and getting the information they want. And for me,
[00:18:11] the really important thing is understanding and figuring out the quickest way an attacker can go from deciding who they want to target to achieving their outcome. We have this concept called defense in depth. So we want to have a lot of little walls that you have to get through before you can actually get to where you want to act on your intent. And the entire security industry is predicated on building these little walls along that kill chain, finding ways to force the disclosure of an attacker. What we've seen with some of these device makers in the last year has been a way to short-circuit a lot of that kill chain. These attacks that we've seen in the last year are direct. They're to the point. They're immediately acting on their intent, and they don't have any of those
[00:18:48] little checks that we want to have in place. And generally, this is where nation-states kind of focus on applying the gasoline. Honestly, my takeaway is, like, I should just throw my phone into the water. It's not that bad. I think we know the answer. And unfortunately, it's kind of our human nature that we don't want to pursue it. Right. Like, we know that the key to health is eating right, exercising, not smoking, doing things in moderation, right? When it comes to online behavior, we actually know the answer. Let's use a valid, strong second factor for authentication. And if we have to, like, engage with someone on the internet, let's trust but verify, right? The good news is it's actually not very hard to be incredibly secure on the internet.
[00:19:25] And it's just following best practice. Things like use a password manager. We believe it's good to use a security key. Use a Chromebook. If you have a physical thing you want to protect, you use a safe to protect it in. Have good physical security. Don't ever click on links that come in SMS, and so forth. So there's a very small list of things that, if you follow, we think that you're in a good spot.
[00:19:46] Well, thank you for joining this week's episode of 16 Minutes. Thank you. Thank you.
