You Will Never Get It Microsoft.
Published on: 1213649710
Last night I watched I, Robot again.
Despite the weak storytelling of Asimov's original book, I find this movie very interesting for many different reasons. For one, the robots abide by the three laws of robotics. But the problem with playing devil's advocate and reading the fine print is that you find loopholes. One loophole is that robots can break all the laws if they do not understand that they are breaking a law. Simply put: a robot can be tricked into doing something that the robot doesn't know can harm a human. This has great analogies to hacking and security as well, because many things in hacking are based on getting proper privileges, or abusing the fine print of the contract. Most often we trick surfers, servers, browsers or just software into elevating these privileges, or use their privilege to give new instructions, with different kinds of techniques.
So, engineers create software that must have privileges to set new instructions for itself. All we have to do is trick that software into doing it for us, thereby overriding the 'software rules' or its security policy. You can do the same by phishing or CSRFing surfers. It is basically the same principle: executing our new rules by distracting or tricking the opponent. That's why we can never reach complete security, and that is also why we should never store sensitive data online that goes through as many hoops and loops as HealthVault does. In my previous article about HealthVault, I got a couple of questions about what the article has to do with HealthVault. You don't have to say it, I know: Microsoft obviously thinks that I don't know how HealthVault works. I don't have to know how it works; I only know that it will and can be abused one day.
So how do I know?
For starters, HealthVault isn't just a Web site - it's the hub of a network of Web sites, personal health devices and other services that you can use to help manage your health. HealthVault lets you store the information in one central place on the Web. You're in control of what information you store and can decide who else can see, change, or help manage it. HealthVault never lets other Web sites or programs see or change the information in your HealthVault record without explicit permission from you or a record custodian invited to share your records.
Look at figure 1 for example.
You will notice that this system has many points which we could attack. I listed a couple off the top of my head:
The user or the physician in userland:
1. Phish/CSRF the user
2. Hack the medical device (is already done)
3. Sniff data from the medical device (hey wireless anyone?)
4. Hack his Windows PC.
5. Install a Trojan
6. Hack his router (or think ZLOB here) and change DNS (that is no movie plot anymore!)
7. Execute a browser exploit. (Flash, ActiveX anyone?)
The HealthVault system or their partners:
1. Attack its database
2. DDOS a service
3. Find a vulnerability
4. Set up an evil twin website, e.g. HealthVault.biz
5. Attack a partner that uses HealthVault (same list)
6. Find an XSS vulnerability (Google has them)
7. Find a SQL injection vulnerability (Microsoft has them)
It's not like this can't be done or something.
And I can go on and on. There are just too many steps to ensure security. To put it simply again: you can't secure this; people will get hacked. And the most frightening thing is that it can be automated into a single process, which means that any attack on any part that can be distributed to a large number of users will be fruitful. Think of the ZLOB trojan again, which can already change your DNS settings on the fly. Of course it has to be monetized by attackers. With medical info, that isn't hard. How much would an insurance company pay for this kind of information? This data is worth gold to them; just common sense.
The moral of this whole story is that you should never, ever store highly sensitive data in a single place on a computer or server that is connected to the Internet and distributes or 'shares' that data in a one-way fashion, through a multi-way system, website or process that cannot be decentralized.
Human robots, if you are interested in seeing what is possible these days.