Security of wireless communication in Eastern Asia and details of the crypto algorithm used in South Korea are the issues Paul S. Ziegler looks into here.
Let’s jump to wireless for a second. So, if any of you have been wardriving recently in a European city or in an American city, and you’ve seen all of those lovely WPA2-secured hotspots, and you remember the good old days where you would find open hotspots everywhere belonging to private people who couldn’t configure their router – well, the good old days are alive and well in Tokyo. This is a recent screenshot (see right-hand image).
So, at a random place we see that two of them are open, three of them are using WEP, two of them are using WPA, and only one of them is using WPA2. This is not really the worst part yet. The worst part, if you really look at it, is these guys (left-hand image above). These are the three major Japanese mobile carriers: SoftBank, au by KDDI, and NTT DoCoMo.
And these guys have serious issues with their traffic, because mobile traffic has just completely exploded over the last couple of years. So, what they did is they came up with a fairly interesting system, where they just set up Wi-Fi hotspots, standard 802.11 Wi-Fi hotspots, and if your cell phone runs with one of these companies it will automatically detect the hotspot if it’s nearby and automatically sign you in.
So, if you use a SoftBank phone and you sit in a cafe that has a SoftBank hotspot, and that’s about all of them, your phone will automatically log in and it will shoot all of your data over that particular hotspot, saving the company lots of data traffic.
Now, these will not actually allow you to connect with a computer – well, they will allow you to connect, but they won’t allow you to get through the router. They do that by filtering a) MAC address and b) the user-agent that your machine sends when it connects to the router for the very first time. As you can plainly see, this is absolutely secure and no one could ever really break into that, and since SoftBank tried to sue the hell out of the last guy who revealed how exactly you break into them – I’m not going to tell you, but if you have a sniffer set up it’s going to take you about 20 seconds.
But even when you look at this in Japan, Korea really takes the cake here, because this is a screenshot from last year in Korea (see right-hand image). Can anyone spot a problem? So, if you go to Korea and you like using Skype, you don’t really have to buy a data plan or a foreign SIM or roaming or anything, you just log into one of the hotspots; the whole of Seoul is covered by open hotspots belonging to some person.
Now, exploitation vector: I don’t really know what we could possibly do with anonymous public open Internet access; I’ll let you guys figure that one out. While we’re talking about Korea, I would like to ask a question, and I’m taking all guesses here: what’s the browser market share for Internet Explorer, all versions of it, in South Korea at this very moment? 83? 90? It’s actually 97%.
Let me spell that out for you: it’s Ninety-Seven Percent. Here’s a graph: unfortunately, it stops at 2010, I couldn’t find a newer one (image to the left). The thing that really creeped me out personally is if you look up here, the dark blue line is IE6 – it’s going up!
What on earth is going on in South Korea with browsers? Any ideas? This is really funny because it’s one of those things that’s really big about Korea, but no one else ever looks into it. SSL or TLS or whatever you want to look at – it’s universal, right? We use it in every country. Yeah, let me show you this map of the adoption of the SSL standard. Do you see the red spot? (see right-hand image) By the way, green means they use SSL. So, the red spot is called South Korea.
Let me introduce SEED. SEED is an encryption algorithm developed in 1998 by the Korean Information Security Agency, it’s a 128-bit block cipher, and it wasn’t developed as an alternative to SSL, it actually predates SSL’s public availability in many regions. So, what they did is they basically spun off this entire new algorithm, and to this day it’s required for online banking, online shopping, government transactions, paying your taxes – basically, in any secure online communication you want to do with a Korean company, you have to use SEED.
Now, SEED runs as an ActiveX plug-in, so unless you’re using some version of Windows and some version of Internet Explorer, you cannot use SEED, and your computer basically gets degraded to a toy to look at cats, because you cannot build an encrypted channel.
Mozilla tried really hard to implement SEED; they did it. There are still some companies that the government refuses to sign with their own keys. So, if you’re in Korea you will use Internet Explorer, and this also explains why IE6 is going up: because people were upgrading to Windows Vista or Windows 7 at some later point, and they had lots of complications, because, of course, as an ActiveX component, it’s fairly sensitive to the OS you’re running, so people just switched back to XP, and since they already switched back, they figured: “Yeah, better not upgrade that browser because it may break it again.”
Here are some of the effects that SEED is having. Number 1 is that there is really slow adoption of new Windows versions, as we’ve already seen. Alternative browsers and OSes are basically useless and are perceived as toys, because you can’t really do anything that’s really working with them. It’s integrated with most cell phones; that’s one of the cool things: your cell phone has a unique ID, and if you tell that to your bank, your cell phone is able to actually log into your bank account, and it will do a two-factor authentication.
The two-factor authentication is actually the kicker, because many of the communications that SEED does are two-factor, so the certificates on the user end are given out by the government. So, if you access a SEED-protected site, you become 100% traceable. Since you’re 100% traceable, people don’t really see the need to secure web applications, because if you’re going to hack it, they’re going to know who you are anyway.
We’re going to talk about this in a bit again. In a nutshell, if you’re talking about Korean security, or if you’re planning to do a pentest over there, look into the RFCs for SEED, they’re very complex. It’s not a bad algorithm at all, it’s just an algorithm that no one ever uses anywhere outside of Korea, which completely replaces SSL within a country. This also means that if you’re working with a Korean developer and they’re writing something for you, don’t expect them to know how SSL works, because it’s simply not relevant to their lives.
In this particular case, how do you exploit it? Well, FUD.
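The hotspot survey described at the start of the talk (two open, three WEP, two WPA, one WPA2) can be reproduced from beacon data with the same classification rule scanners use. This is an added example, not code from the talk; the scan records are constructed, and the field names `privacy`, `wpa_ie` and `rsn_ie` are assumed shorthand for the beacon's Privacy capability bit, WPA vendor IE and RSN IE.

```python
"""Classify Wi-Fi networks by advertised security and tally a survey."""
from collections import Counter

# Constructed scan records (not a real capture). Each entry mimics the three
# beacon-frame facts a scanner uses to label a network.
SCAN = [
    {"ssid": "cafe-free",  "privacy": False, "wpa_ie": False, "rsn_ie": False},
    {"ssid": "guest-net",  "privacy": False, "wpa_ie": False, "rsn_ie": False},
    {"ssid": "home-01",    "privacy": True,  "wpa_ie": False, "rsn_ie": False},
    {"ssid": "home-02",    "privacy": True,  "wpa_ie": False, "rsn_ie": False},
    {"ssid": "home-03",    "privacy": True,  "wpa_ie": False, "rsn_ie": False},
    {"ssid": "office-a",   "privacy": True,  "wpa_ie": True,  "rsn_ie": False},
    {"ssid": "office-b",   "privacy": True,  "wpa_ie": True,  "rsn_ie": False},
    {"ssid": "office-c",   "privacy": True,  "wpa_ie": True,  "rsn_ie": True},
]


def classify(rec):
    """Label a network the way a scanner does from its beacon.

    - Privacy bit clear                -> Open (no link-layer encryption)
    - Privacy set, no WPA and no RSN   -> WEP (the only thing left it can be)
    - WPA vendor IE, no RSN IE         -> WPA (TKIP era)
    - RSN IE present                   -> WPA2; a mixed WPA/WPA2 AP still
                                          counts as WPA2 because RSN is offered
    """
    if not rec["privacy"]:
        return "Open"
    if rec["rsn_ie"]:
        return "WPA2"
    if rec["wpa_ie"]:
        return "WPA"
    return "WEP"


def tally(records):
    """Count networks per security class, like the survey in the talk."""
    return Counter(classify(r) for r in records)


def weak_networks(records):
    """SSIDs a defender would flag first: no encryption at all, or WEP."""
    return [r["ssid"] for r in records if classify(r) in ("Open", "WEP")]


if __name__ == "__main__":
    for label, count in sorted(tally(SCAN).items()):
        print(f"{label:5s} {count}")
    print("flag first:", weak_networks(SCAN))
```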