
Mobile Security

Security Mini Spring School

BCS Bristol Branch

David Rogers

23rd March 2015

Copyright © 2015 Copper Horse Solutions Ltd. All rights reserved.

http://www.mobilephonesecurity.org


Introduction

Mobile security is a huge topic

This is just a taster!

If you’re interested in more: http://www.cs.ox.ac.uk/softeng/subjects/MSS.html


Some History

Phones have constantly been under attack

– Fraudsters

• Premium rate / international calling

• Subsidy fraud

– Call interception

– Denial of Service

– Device Hacking

– Nation state attacks

– Journalists

– Etc.

Continuous security improvement

– Networks and devices


Hacking, Cracking, Jailbreaking and Rooting


THE THREAT LANDSCAPE


The problem with devices

People tamper with things!


Is it real?


From: http://www.littleredbook.cn/2009/07/06/obamas-sponsorship-of-shanzhai-blockberry-chinese-netizens-reactions/


Technical threat vectors


Handset theft


Anti-Theft Measures

Continued global industry work since 1999

GSMA Global Database

9 principles and other device hardware security work

IMEI weakness and reporting process

SG.24 – Anti-Theft Device Feature Requirements

• Network operators already requesting in device requirements

• Input and comment from major manufacturers including Samsung, Google and Apple

Continuing to look at in-network measures

Partnership approach works industry / government / Police

• Societal issue, not a technological one


Police Theft Awareness Campaigns

UK Home Office TV Advert Campaign


Mobile malware

Mainly an issue only for Android – but only where user goes ‘off-piste’ from the official appstore

Some drive-by downloads observed

Getting a lot more organised – much more focus on mobile

Lots of FUD still from anti-virus vendors

Lots of “Spouseware!” – Someone you know uses it combined with a jailbreak


Mobile Malware (2)

Don’t believe everything you read in the press

Mobile is different to the PC world

Spouseware…


Malware (3)


“You are more likely to get struck by lightning in your entire lifetime than you are to be infected by mobile malware”

Patrick Traynor, Georgia Tech, March 2013


DEVICE SECURITY TECHNOLOGIES AND THE MOBILE INDUSTRY


Hardware-level security

Has got significantly better in mobile phones

Still extensively targeted

What does the future hold?

– Not just mobile handsets anymore – small cells, automotive etc.

– Step-change seems to have worked rather than ‘the-moon-on-a-stick’

– Classes of devices?:

vs


Platform software updates

From Michael DeGusta http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support


Application security

General harmonisation of mechanisms

– Digital signatures and encryption

– Application isolation

– No redistribution of apps from device

– Permissions - principle of least privilege

– Authorised app stores

– Software security methods

– Protection of sensitive keys and authentication info.

Some things (like user permissions) need to be improved

Future web-based mobile platforms need to implement and build/improve on this


Responsible disclosure & incident handling

“USSD code attack” could reset and wipe Galaxy SIIIs

– Dialler could be remotely called from web using ‘tel’ URI

– USSD or proprietary MMI codes would execute with no user confirmation

Drive-by attack using rigged website or social engineering:

Mobile industry needs to get better at sharing information and working with researchers
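
One way to close the ‘tel’ URI hole described on this slide, as an added example (not from the talk or from any vendor's code): web-supplied tel: URIs may only pre-fill the dialler with a plain number, and anything that decodes to an MMI/USSD string is blocked. The function names and the sample markup are constructed for illustration; *#06# is the standard "show IMEI" code, used as a harmless stand-in.

```javascript
// Added example, not from the slides. Names are hypothetical.
// Policy: a tel: URI supplied by web content may only pre-fill the dialler
// with a plain number; MMI/USSD strings are never passed on.

const PLAIN_NUMBER = /^\+?[0-9][0-9().\- ]*$/;

function classifyTelUri(uri) {
  const m = /^\s*tel:(.*)$/i.exec(uri);
  if (!m) return { kind: "not-tel", action: "ignore" };
  let decoded;
  try {
    // Decode before inspecting: "%2A" and "%23" are "*" and "#".
    decoded = decodeURIComponent(m[1].trim());
  } catch (err) {
    return { kind: "malformed", action: "block" };
  }
  // MMI and USSD strings are built from "*" and "#".
  if (/[*#]/.test(decoded)) return { kind: "mmi-or-ussd", action: "block" };
  const dial = decoded.split(";")[0]; // drop RFC 3966 parameters (;ext=...)
  if (PLAIN_NUMBER.test(dial)) return { kind: "number", action: "prefill", dial };
  return { kind: "malformed", action: "block" };
}

// Audit markup: report every quoted tel: attribute value the policy blocks.
function auditMarkup(html) {
  const findings = [];
  const attr = /=\s*(["'])\s*(tel:[^"']*)\1/gi;
  for (const m of html.matchAll(attr)) {
    const verdict = classifyTelUri(m[2]);
    if (verdict.action === "block") findings.push({ uri: m[2], kind: verdict.kind });
  }
  return findings;
}

// Constructed sample page. *#06# is the standard "show IMEI" code, used
// here as a harmless stand-in for any MMI string.
const SAMPLE_PAGE = `
<a href="tel:+441174960000">Call us</a>
<a href="tel:0117-496-0123;ext=22">Support desk</a>
<a href='tel:%2A%2306%23'>Check handset</a>
`;

console.log(auditMarkup(SAMPLE_PAGE));
```

Decoding before the check matters: a filter that looks for a literal "#" misses the percent-encoded form, which is how the code survives URI parsing in the first place.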


Industry winning?

Tools such as Google’s Bouncer cause the attackers to focus on the castle walls

Samsung Knox, Blackberry OS10 and others are all increasingly improving overall device security

Source: http://cadw.wales.gov.uk/daysout/harlechcastle/?lang=en


USER EDUCATION & SECURITY BEHAVIOURS


Secure, usable, affordable devices?


Usability of security

Users will always choose dancing kittens over security.

They will get over any hurdle to get to the kittens…


Consumer education


UPCOMING TECHNOLOGY AND THE CONVERGING THREAT


Convergence across vastly different sectors

Security & Privacy?

Sectors: Televisions & Set-top boxes; Vehicles; White Goods; Other Consumer Electronics; Street furniture; mHealth

Diagram labels: Streaming Media; Temperature sensors; Timers; Location; Messaging; Gallery; Weight; Speed; Diagnostics / telematics; Fares / charging; Patient monitoring; Dosage; Information; Control; Smart pills

Electronic street sign: via Wikimedia / Ross

Smart pills from: http://www.themalaysianinsider.com/features/article/sensorised-smart-pills-to-launch-in-uk


Truly connected devices

phone


What is Home Security?

From: http://www.independent.co.uk/news/world/americas/hacker-takes-control-of-ohio-couples-baby-monitor-and-screams-bad-things-9296986.html www.nest.com


Mobile Cyber Security?


Emerging Device Security & Privacy


The ever-evolving SIM

MFF2 (machine-to-machine form factor)

– embedded SIM

– surface mount

– mainly used for M2M

Some security issues e.g. Karsten Nohl ‘Rooting SIM cards’ 2013

• UICC supports multiple javacard applets

• SIM, USIM and ISIM all applications

• Embedded NFC

• Updateable and configurable remotely

http://m2mworldnews.com/2012/07/18/47198-rapid-migration-to-embedded-sim-forecast-for-cellular-m2m/

http://commons.wikimedia.org/wiki/File:GSM_SIM_card_evolution.svg

https://srlabs.de/rooting-sim-cards/


Biometrics

Still immature on mobile devices

– Early solutions easy to defeat (e.g. gummy finger etc.)

– Other types difficult to use

– Requires significant processing power

– iPhone 5S introduced TouchID

– 990 million devices with fingerprint sensors predicted by 2017

Increased risk for the user

– User as unlock key means user becomes the target of attack

– Same issue as car crime

Also see: http://blog.mobilephonesecurity.org/2013/09/you-are-key-fingerprint-access-on.html

Challenges for biometrics

False negatives:

– Eyelashes too long

– Long fingernails

– Arthritis

– Circulation problems

– People wearing hand cream

– People who’ve just eaten greasy foods

– People with brown eyes

– Fingerprint abrasion, includes: Manual labourers, typists, musicians

– People with cuts

– Disabled people


The Future?

Mobile extending outwards

– Internet of Things / Machine-to-machine

– Embedded SIM

– Next generation networks

– Connected car

– Connected homes / businesses

– Payment and banking

What about privacy?

Mobile handset will be at heart of everything

The “things” will need securing

Fraud / security issues won’t go away, they’ll just evolve


GSMA Fraud and Security Group

Organisation chart:

Products & Services Management Committee

Fraud & Security Group

Device Security Group

Mobile Malware Group

Fraud & Security Architecture Group

Roaming & Interconnect Fraud & Security

Fraud & Security Comms.

Security & Fraud Risk Assessment

Security Assurance Group

Fraud & Security Advisory Panel

Asia

Africa

Latin America


Questions?

david.rogers @ copperhorse.co.uk

@drogersuk

Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a-guide-for-users/paperback/product-21197551.html
