Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Mobile

    Security Questions Lurk Below Microsofts Surface

    By
    Lisa Vaas
    -
    May 30, 2007
    Share
    Facebook
    Twitter
    Linkedin

      Microsoft Surface—Microsofts new touch-sensitive, flat computing table technology—promises shopping at the users fingertips.

      Patrons will be able to order food in a restaurant by touching its image. Someday, after Microsoft partners work out the details, theyll also be able to pay for that meal by laying a credit card on the Surface or by using, for example, an associated magnetic stripe reader, an RFID-enabled credit card or NFC (near-field communication)— aka short-range wireless interaction.

      Is any of that a good idea in terms of security?

      The first version of Surface, which Microsoft unveiled the morning of May 30, wont be shipping with the option to make payments by laying a credit card on top.

      Nigel Keam, software development lead and architect on Microsofts Milan Surface computer project, told me that when that type of application is available, Microsoft, based in Redmond, Wash., plans to work closely with partners to iron out the security details.

      Milan is built on a standard Windows Vista SKU and hence picks up the security strengths—and weaknesses—of that operating system. It will initially be placed in commercial and retail environments, including Starwood Resorts and Harrahs. If those same commercial outfits turn out to be the first to enable the technology to accept payment cards, then those companies reputations as far as handling sensitive data goes will be a measure of the possible security of a credit card-handling computer table. Fortunately, those two companies, at least, have solid reputations in this respect.

      /zimages/3/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

      “Obviously, security is a big concern for everybody these days,” Keam said. “We started by leveraging the security built into Windows Vista. … Were primarily saying, Heres this system, which has a good solid base and … which everybody understands the security implications of. It will be up to partners how much information they want to get from customers, and theyll validate [the security of handling that information]. Whatever model they use to expose it [will be] handled properly.”

      /zimages/3/176331.jpg

      Still, there are things Microsoft can do to make it safer, he said: to wit, making use of the aforementioned wireless technologies, NFC and RFID (radio-frequency identification).

      “Near-field communications [will be rolled out] in future [versions]: Its inherently more secure,” he said.

      Still, anybody who has followed the tug-of-war over RFID security thats been going on between privacy advocates and the government—specifically when it comes to RFID-enabled passports—has to wonder how attractive it might be for a thief with a wireless packet sniffer to hang out at a restaurant near one of these tables.

      “Partners will choose what level of exposure to things that they want,” Keam said. “Well make sure its clear to them what the attack surface may be and what the attack modes may be.”

      /zimages/3/28571.gifWho will buy Microsofts “Milan” Surface technology? Click here to read more.

      So, again, retailers and other commercial companies that employ Milan will need to provide security. Is this any different from handing a credit card to a waiter in a restaurant who then takes it out of sight?

      Well, maybe. There are still unknowns when it comes to securing NFC. Philips Semiconductors put out a paper (here in PDF) on the subject for the RFID Security 2006 conference. In it, authors Ernst Haselsteiner and Klemens Breitfuß reported that one main question is how close an attacker has to be to be able to retrieve a usable RF signal.

      “Unfortunately, there is no correct answer to this question,” they wrote.

      Their reasoning is that it depends on a “huge” number of parameters. Among them, according to the report, are:

      • RF filed [sic] characteristic of the given sender device (i.e. antenna geometry, shielding effect of the case, the PCB, the environment)
      • Characteristic[s] of the attackers antenna (i.e. antenna geometry, possibility [of changing] the position in all 3 dimensions)
      • Quality of the attackers receiver
      • Quality of the attackers RF signal decoder
      • Setup of the location where the attack is performed (e.g. barriers like walls or metal, noise floor level)
      • Power sent out by the NFC device

      “Therefore any exact number given would only be valid for a certain set of the above given parameters and cannot be used to derive general security guidelines,” they said.

      Other security questions around NRC that they discussed include eavesdropping and data modification. “NFC by itself cannot protect against eavesdropping. It is important to note that data transmitted in passive mode is significantly harder to be eavesdropped on, but just using the passive mode is probably not sufficient for most applications which transmit sensitive data,” they wrote.

      As for data modification, they wrote, “By using 106K Baud in active mode it gets impossible for an attacker to modify all the data transmitted via the RF link. … This means that for both directions, active mode would be needed to protect against data modification. While this is possible, this has the major drawback that this mode is most vulnerable to eavesdrop[ping]. Also, the protection against modification is not perfect, as even at 106K Baud some bits can be modified.”

      At any rate, NFC is being built into modern credit cards by the credit card companies; Microsoft isnt responsible. “Were just enabling a form of communication theyre building into their credit cards,” Keam said.

      As far as the question of leaving your data hanging around on a Milan Surface in a hotel lobby goes, Keam said the system will wipe memory if the user walks away for more than a few seconds.

      Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×