Security Questions Lurk Below Microsofts Surface

News Analysis: Partners may add a credit card payment option to Microsoft's new touch-sensitive computing table; what are the security issues?

Microsoft Surface—Microsofts new touch-sensitive, flat computing table technology—promises shopping at the users fingertips.

Patrons will be able to order food in a restaurant by touching its image. Someday, after Microsoft partners work out the details, theyll also be able to pay for that meal by laying a credit card on the Surface or by using, for example, an associated magnetic stripe reader, an RFID-enabled credit card or NFC (near-field communication)— aka short-range wireless interaction.

Is any of that a good idea in terms of security?

The first version of Surface, which Microsoft unveiled the morning of May 30, wont be shipping with the option to make payments by laying a credit card on top.

Nigel Keam, software development lead and architect on Microsofts Milan Surface computer project, told me that when that type of application is available, Microsoft, based in Redmond, Wash., plans to work closely with partners to iron out the security details.

Milan is built on a standard Windows Vista SKU and hence picks up the security strengths—and weaknesses—of that operating system. It will initially be placed in commercial and retail environments, including Starwood Resorts and Harrahs. If those same commercial outfits turn out to be the first to enable the technology to accept payment cards, then those companies reputations as far as handling sensitive data goes will be a measure of the possible security of a credit card-handling computer table. Fortunately, those two companies, at least, have solid reputations in this respect.

/zimages/3/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

"Obviously, security is a big concern for everybody these days," Keam said. "We started by leveraging the security built into Windows Vista. … Were primarily saying, Heres this system, which has a good solid base and … which everybody understands the security implications of. It will be up to partners how much information they want to get from customers, and theyll validate [the security of handling that information]. Whatever model they use to expose it [will be] handled properly."


Still, there are things Microsoft can do to make it safer, he said: to wit, making use of the aforementioned wireless technologies, NFC and RFID (radio-frequency identification).

"Near-field communications [will be rolled out] in future [versions]: Its inherently more secure," he said.

Still, anybody who has followed the tug-of-war over RFID security thats been going on between privacy advocates and the government—specifically when it comes to RFID-enabled passports—has to wonder how attractive it might be for a thief with a wireless packet sniffer to hang out at a restaurant near one of these tables.

"Partners will choose what level of exposure to things that they want," Keam said. "Well make sure its clear to them what the attack surface may be and what the attack modes may be."

/zimages/3/28571.gifWho will buy Microsofts "Milan" Surface technology? Click here to read more.

So, again, retailers and other commercial companies that employ Milan will need to provide security. Is this any different from handing a credit card to a waiter in a restaurant who then takes it out of sight?

Well, maybe. There are still unknowns when it comes to securing NFC. Philips Semiconductors put out a paper (here in PDF) on the subject for the RFID Security 2006 conference. In it, authors Ernst Haselsteiner and Klemens Breitfuß reported that one main question is how close an attacker has to be to be able to retrieve a usable RF signal.

"Unfortunately, there is no correct answer to this question," they wrote.

Their reasoning is that it depends on a "huge" number of parameters. Among them, according to the report, are:

  • RF filed [sic] characteristic of the given sender device (i.e. antenna geometry, shielding effect of the case, the PCB, the environment)
  • Characteristic[s] of the attackers antenna (i.e. antenna geometry, possibility [of changing] the position in all 3 dimensions)
  • Quality of the attackers receiver
  • Quality of the attackers RF signal decoder
  • Setup of the location where the attack is performed (e.g. barriers like walls or metal, noise floor level)
  • Power sent out by the NFC device

"Therefore any exact number given would only be valid for a certain set of the above given parameters and cannot be used to derive general security guidelines," they said.

Other security questions around NRC that they discussed include eavesdropping and data modification. "NFC by itself cannot protect against eavesdropping. It is important to note that data transmitted in passive mode is significantly harder to be eavesdropped on, but just using the passive mode is probably not sufficient for most applications which transmit sensitive data," they wrote.

As for data modification, they wrote, "By using 106K Baud in active mode it gets impossible for an attacker to modify all the data transmitted via the RF link. … This means that for both directions, active mode would be needed to protect against data modification. While this is possible, this has the major drawback that this mode is most vulnerable to eavesdrop[ping]. Also, the protection against modification is not perfect, as even at 106K Baud some bits can be modified."

At any rate, NFC is being built into modern credit cards by the credit card companies; Microsoft isnt responsible. "Were just enabling a form of communication theyre building into their credit cards," Keam said.

As far as the question of leaving your data hanging around on a Milan Surface in a hotel lobby goes, Keam said the system will wipe memory if the user walks away for more than a few seconds.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.