smartphones security

Post on 21-Feb-2016


05-05-2005 Sujeeth Narayan 1

Smartphones Security

CS 691 Sujeeth Narayan

Agenda

Part 1 - Introduction to Smartphones

Part 2 - Security Issues

Part 3 - Unified Framework

Part 4 - New Authentication Method

Part 5 - Conclusion

Motivation

• A developing Technology Industry

• Security is unstable in Mobile phones

• Easy to Test

Part 1: Introduction to Smartphones

What are Smartphones?

Includes:

• Vocal Communications – GSM, GPRS
• Web Browsing
• eMail
• Organizer Functions
• Multimedia Capabilities
  • Media Player
  • Audio, Video Recorder
  • Camera

Smartphones Internals

Capabilities:
• Personal Information Management
• Synchronize using protocols such as ActiveSync, IntelliSync
• Connect using Bluetooth, IrDA or GPRS

Operating Systems:
• Windows Mobile™ – Audiovox SMT 5600
• Symbian (Linux) – Motorola A760

OS Architecture

Risks related to Inherent Characteristics

• Based on Operating System – bugs, security holes

• Data Security – a PIN exists but is not applied to data

Risks related to Users

Mobile usage Survey by Pointsec Mobile Technologies

• Ease of synchronizing data with a personal computer

• Not enough data security

Risks related to Networks

Bluetooth:
• Short-range wireless connections
• Has a security specification, but it is not used by many users
• Setting the Bluetooth service in discoverable mode

Possible Attacks:
• BTBrowser scans for nearby Bluetooth devices and browses directories
• Buffer overflow attacks in some response messages
• Bluejacking:
  • Putting a message in place of one's device name
  • Sending it with a pairing request
  • With a prompting message, the victim presses a key
  • The victim would then allow the attacker to access files

Risks related to Networks

GPRS (General Packet Radio Service):
• Works on radio waves
• Works with Internet connectivity

Possible Attacks:
• Attacks from the Internet – eMails, Messenger messages
• Compromised backbone of GGSN – Gateway GPRS Support Node

Enterprises Security Policy

Banning use of Personal Smartphones:
• Unrealistic
• Impossible to physically control

Should Define:
• Synchronization
• Use of devices in public places (deactivate Bluetooth)
• Information exchange between device and enterprise system

USF - Unified Security Framework

Driven by:
• NIST – National Institute of Standards and Technology
• CSRC – Computer Security Resource Center

Published in June 2004: http://csrc.nist.gov/mobilesecurity/Publications/PP-UNIsecFramework-fin.pdf

USF - Addresses Issues

• User Authentication
  • The first line of defense for an unattended, lost, or stolen device.
  • Multiple modes of authentication increase the work factor for an attacker.

• Content Encryption
  • The second line of defense for protecting sensitive information.

• Policy Controls
  • Policy rules, enforced for all programs regardless of associated privileges, protect critical components from modification and limit access to security-related information.

Part 4: New Authentication Method

Picture Password: A Visual Login Technique for Mobile Devices

http://csrc.nist.gov/publications/nistir/nistir-7030.pdf

Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick Ayers, Ryan Swanstrom

Method: Extracting the selection of Images

• Matrix Formation of Images
• Associated value for each image
• Generate equivalent Password

Extracting the characteristics of Image ???
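
An added example, not taken from the slides or from NISTIR 7030, showing one way the three steps above can fit together: build the image matrix, map each pick to its associated value, and derive the equivalent password, which is then stored only as a salted verifier. The 5×6 grid, the symbol alphabet, the PBKDF2 parameters and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

ROWS, COLS = 5, 6                            # assumed grid size
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ234567"  # constructed: one symbol per image
ITERATIONS = 100_000                         # assumed PBKDF2 work factor

def build_value_matrix():
    """Matrix formation: lay the symbols out row by row, one per image cell."""
    assert len(ALPHABET) == ROWS * COLS
    return [list(ALPHABET[r * COLS:(r + 1) * COLS]) for r in range(ROWS)]

def selection_to_password(matrix, picks):
    """Turn an ordered list of (row, col) picks into the equivalent password."""
    chars = []
    for row, col in picks:
        if not (0 <= row < len(matrix) and 0 <= col < len(matrix[0])):
            raise ValueError(f"pick {(row, col)} is outside the image matrix")
        chars.append(matrix[row][col])
    return "".join(chars)

def enroll(matrix, picks):
    """Keep only a salted, stretched verifier, never the picks themselves."""
    salt = secrets.token_bytes(16)
    pw = selection_to_password(matrix, picks).encode()
    return salt, hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)

def verify(matrix, picks, salt, verifier):
    """Recompute the verifier for a login attempt; compare in constant time."""
    pw = selection_to_password(matrix, picks).encode()
    candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    return hmac.compare_digest(candidate, verifier)

def selection_entropy_bits(n_images, length):
    """Upper bound on guessing entropy, assuming uniformly random picks."""
    return length * math.log2(n_images)

if __name__ == "__main__":
    grid = build_value_matrix()
    picks = [(0, 0), (1, 2), (4, 5)]         # constructed sample selection
    salt, verifier = enroll(grid, picks)
    print("equivalent password:", selection_to_password(grid, picks))
    print("same picks accepted:", verify(grid, picks, salt, verifier))
    print("8 picks from 30 images: %.1f bits" % selection_entropy_bits(30, 8))
```

The entropy figure is an upper bound: users who favour memorable or adjacent images reduce the real work factor, which is why the verifier is stretched before storage.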

Part 5: Conclusion

Conclusion

• Smartphones are complex in architecture and design

• Network protocols are complex to implement

• Technology is growing, and more weaknesses will possibly be discovered

• Organizations should consider these devices in policy making

References

http://csrc.nist.gov/mobiledevices/projects.html

http://www.wirelessdev.net

http://www.smartphonethoughts.com

http://www.AirScanner.com - Mobile Firewall and Antivirus

http://www.PointSec.com - Mobile Security Software

Questions ??