Pervasive Wireless Privacy and Anonymity Threats

Thursday, March 13, 2008

 

I'm just returning from a security conference held at Intel headquarters outside of Portland, OR.  Travel was super-lousy, but the conference was terrific.  I'm not allowed to speak of the other presenters' talks, but I finished up the conference by delivering a presentation on the loss of privacy and anonymity in well-established wireless protocol exploits.


In the presentation I talked about how software-defined radios (SDRs) and field-programmable gate arrays (FPGAs) are being used to exploit pervasive wireless protocols.  Work done by folks such as Max Moser and Phil Schrodel on sniffing wireless keyboards, Steve/THC and David Hulton on sniffing and decrypting GSM networks, and my experiences with Bluetooth attacks are strong evidence of how SDRs and FPGAs are being used to exploit wireless protocols.  Most recently there has been news on a research paper exploiting implantable cardiac defibrillators (ICDs) (all your heartbeats are belong to us).


Ultimately, these protocols are well-established, and the ability to compromise GSM and Bluetooth networks especially threatens privacy.  I'm also concerned about anonymity, where it becomes trivial to discover my location through GSM and the unencrypted international machine subscriber identifier (IMSI) to a range of approximately 1/4 mile.  From there, it becomes possible to locate someone by their Bluetooth Device Address to 10 meters.  Using this short-range location analysis, it becomes possible to follow someone using Bluetooth, locate them, and to correlate relationships with other people as they travel and meet (e.g. every day at 10:45 Bob and Sue meet for coffee for 20 minutes).


At this conference, my goal was to discuss how privacy and anonymity are threatened with well-established protocols, and as we adopt more wireless technology, these risks continue.  Traditional security measures don't address privacy and anonymity attacks.


Inevitably, someone always says "I'm not doing anything wrong, why do I care about my anonymity?"  Ultimately, I believe people take privacy and anonymity as an implicit security, and likely won't miss them until they are gone and cannot be recovered.


My presentation is posted in the Publications section.  Special thanks to the great hosts at Intel who extended me the opportunity to speak at this year's conference.


-Josh

 
 
 