TRANSCRIPT
Mobile Security
Security Mini Spring School
BCS Bristol Branch
David Rogers
23rd March 2015
Copyright © 2015 Copper Horse Solutions Ltd. All rights reserved.
http://www.mobilephonesecurity.org
Introduction
Mobile security is a huge topic
This is just a taster!
If you’re interested in more: http://www.cs.ox.ac.uk/softeng/subjects/MSS.html
Some History
Phones have constantly been under attack
– Fraudsters
• Premium rate / international calling
• Subsidy fraud
– Call interception
– Denial of Service
– Device Hacking
– Nation state attacks
– Journalists
– Etc.
Continuous security improvement – Networks and devices
Hacking, Cracking, Jailbreaking and Rooting
THE THREAT LANDSCAPE
The problem with devices
People tamper with things!
What’s a device?
Source: http://www.engadget.com/2006/05/03/becks-loses-two-bimmers-to-laptop-toting-thieves/
Is it real?
From: http://www.littleredbook.cn/2009/07/06/obamas-sponsorship-of-shanzhai-blockberry-chinese-netizens-reactions/
Technical threat vectors
Handset theft
Anti-Theft Measures
Continued global industry work since 1999
– GSMA Global Database
– 9 principles and other device hardware security work
– IMEI weakness and reporting process
SG.24 – Anti-Theft Device Feature Requirements
• Network operators already requesting in device requirements
• Input and comment from major manufacturers including Samsung, Google and Apple
Continuing to look at in-network measures
Partnership approach works: industry / government / police
• Societal issue, not a technological one
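The check an equipment register applies before consulting a stolen-device list, as an added example that is not from the slides and not the GSMA's own code: normalise the reported IMEI, verify its Luhn check digit, split out the TAC (the first eight digits, identifying the model), then look the IMEI up in a blacklist. The blacklist contents, the TAC table and the sample IMEIs are constructed for the example. The weakness the slide refers to is visible here too: every check runs on whatever value the handset reports, so a rewritten or cloned IMEI passes.

```python
"""IMEI sanity check and stolen-device list lookup.

Added example: not from the slides and not the GSMA's code. Everything below
runs on the IMEI the handset reports, which is the weakness the slide refers
to: a rewritten or cloned IMEI passes every check here.
"""

IMEI_LEN = 15   # 14 significant digits + 1 Luhn check digit
TAC_LEN = 8     # Type Allocation Code: identifies the model

# Constructed data: a stolen-device list and a small TAC table
BLACKLIST = {"490154203237518"}
TAC_TABLE = {"49015420": "constructed example handset"}


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit and add the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def normalise_imei(raw: str) -> str:
    """Drop the spaces and hyphens people insert when reading an IMEI out."""
    return raw.replace(" ", "").replace("-", "")


def imei_check_digit(first14: str) -> int:
    """Check digit that makes the 15-digit string Luhn-valid."""
    if len(first14) != IMEI_LEN - 1 or not first14.isdigit():
        raise ValueError("expected 14 digits")
    return (10 - luhn_sum(first14 + "0") % 10) % 10


def is_valid_imei(raw: str) -> bool:
    """15 digits whose Luhn sum is a multiple of 10."""
    s = normalise_imei(raw)
    return len(s) == IMEI_LEN and s.isdigit() and luhn_sum(s) % 10 == 0


def tac(raw: str) -> str:
    """Type Allocation Code: the leading 8 digits."""
    return normalise_imei(raw)[:TAC_LEN]


def check_device(raw: str) -> str:
    """'invalid' (malformed or bad check digit), 'blocked' (listed) or 'allowed'."""
    s = normalise_imei(raw)
    if not is_valid_imei(s):
        return "invalid"
    if s in BLACKLIST:
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    # Constructed inputs: a listed device, a typo in its check digit, an unlisted device
    for imei in ("49 015420 323751 8", "490154203237519", "350000000000006"):
        print(imei, tac(imei), TAC_TABLE.get(tac(imei), "unknown TAC"), check_device(imei))
```

The Luhn digit only catches transcription errors in a reported IMEI; it says nothing about whether the device is telling the truth, which is why in-network blocking is a deterrent rather than a control.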
Police Theft Awareness Campaigns
UK Home Office TV Advert Campaign
Mobile malware
Mainly an issue for Android, and mostly where the user goes ‘off-piste’ from the official app store
Some drive-by downloads observed
Attackers getting a lot more organised – much more focus on mobile
Lots of FUD still from anti-virus vendors
Lots of “spouseware”: installed by someone you know, often combined with a jailbreak
Mobile Malware (2)
Don’t believe everything you read in the press
Mobile is different to the PC world
Spouseware…
Malware (3)
“You are more likely to get struck by lightning in your entire lifetime than you are to be infected by mobile malware”
Patrick Traynor, Georgia Tech, March 2013
DEVICE SECURITY TECHNOLOGIES AND THE MOBILE INDUSTRY
Hardware-level security
Has got significantly better in mobile phones
Still extensively targeted
What does the future hold?
– Not just mobile handsets anymore – small cells, automotive etc.
– Step-change seems to have worked rather than ‘the-moon-on-a-stick’
– Classes of devices?
Platform software updates
From Michael DeGusta http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support
Application security
General harmonisation of mechanisms
– Digital signatures and encryption
– Application isolation
– No redistribution of apps from device
– Permissions - principle of least privilege
– Authorised app stores
– Software security methods
– Protection of sensitive keys and authentication info.
Some things (like user permissions) need to be improved
Future web-based mobile platforms need to implement and build/improve on this
Responsible disclosure & incident handling
“USSD code attack” could reset and wipe Galaxy SIIIs
– Dialler could be remotely invoked from the web using a ‘tel’ URI
– USSD or proprietary MMI codes would execute with no user confirmation
Drive-by attack using a rigged website or social engineering
Mobile industry needs to get better at sharing information and working with researchers
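A dialler-side policy that closes the gap described above, as an added example that is not Samsung's or Android's code: the dial string is taken out of the tel: URI and percent-decoded first, anything containing the * or # control characters is classified as an MMI/USSD string, and such strings are only executed when typed on the keypad or after the user has confirmed. The sample URIs are constructed; *#06# (which merely displays the IMEI) stands in for the destructive code, which the slide does not give. `vulnerable_dialler` reproduces the behaviour the slide describes, for comparison.

```python
"""Dialler policy for control strings arriving through a tel: URI.

Added example: not Samsung's or Android's code. Plain numbers may still be
handed to the dialler from a web page, but MMI/USSD control strings (anything
containing '*' or '#') are only executed from the keypad or after the user
has explicitly confirmed.
"""
from urllib.parse import unquote

# Visual separators RFC 3966 permits inside a tel: number; they carry no meaning
VISUAL_SEPARATORS = "-.() "


def dial_string_from_tel_uri(uri: str) -> str:
    """Percent-decode the number part of a tel: URI and drop separators.

    Decoding happens before classification so an encoded '*' (%2A) or
    '#' (%23) cannot slip past the check.
    """
    if not uri.lower().startswith("tel:"):
        raise ValueError("not a tel: URI")
    number_part = uri[len("tel:"):].split(";", 1)[0]  # ignore ;parameters
    decoded = unquote(number_part)
    return "".join(ch for ch in decoded if ch not in VISUAL_SEPARATORS)


def classify(dial_string: str) -> str:
    """'mmi' for any supplementary-service / USSD / secret-code string,
    'number' for an ordinary dialable number, 'invalid' otherwise."""
    if any(ch in "*#" for ch in dial_string):
        return "mmi"
    digits = dial_string[1:] if dial_string.startswith("+") else dial_string
    if digits and digits.isdigit():
        return "number"
    return "invalid"


def vulnerable_dialler(uri: str) -> str:
    """Behaviour the slide describes: whatever arrives is executed at once."""
    return "executed:" + dial_string_from_tel_uri(uri)


def policy(dial_string: str, origin: str, user_confirmed: bool = False) -> str:
    """origin is 'keypad' for user-typed input or 'web' for a tel: link/intent.

    Returns the action taken: 'dial:<n>' (number shown, user must press call),
    'executed:<s>' (control string run), 'confirm:<s>' (prompt shown, nothing
    run yet) or 'rejected'.
    """
    kind = classify(dial_string)
    if kind == "invalid":
        return "rejected"
    if kind == "number":
        return "dial:" + dial_string
    # Control string: require a trusted origin or an explicit confirmation
    if origin == "keypad" or user_confirmed:
        return "executed:" + dial_string
    return "confirm:" + dial_string


def handle_tel_uri(uri: str, user_confirmed: bool = False) -> str:
    """Entry point for a tel: URI coming from a web page or another app."""
    return policy(dial_string_from_tel_uri(uri), "web", user_confirmed)


def handle_keypad(dial_string: str) -> str:
    """Entry point for a string the user typed on the keypad."""
    return policy(dial_string, "keypad")


if __name__ == "__main__":
    # Constructed inputs; *#06# only displays the IMEI and is harmless
    for uri in ("tel:%2A%2306%23", "tel:+44-117-555-0100"):
        print(uri, "->", vulnerable_dialler(uri), "|", handle_tel_uri(uri))
```

The point of the split between `handle_tel_uri` and `handle_keypad` is that the origin of the string, not its content alone, decides whether a confirmation is needed: a code the user typed deliberately keeps working, while the same code arriving from a web page is held until the user agrees.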
Industry winning?
Tools such as Google’s Bouncer cause the attackers to focus on the castle walls
Samsung Knox, Blackberry OS10 and others are all increasingly improving overall device security
Source: http://cadw.wales.gov.uk/daysout/harlechcastle/?lang=en
USER EDUCATION & SECURITY BEHAVIOURS
Secure, usable, affordable devices?
Usability of security
Users will always choose dancing kittens over security.
They will get over any hurdle to get to the kittens…
Consumer education
UPCOMING TECHNOLOGY AND THE CONVERGING THREAT
Convergence across vastly different sectors
Security & Privacy?
(Diagram of connected-device sectors; labels recovered from the slide:)
– Sectors: Televisions & Set-top boxes; Vehicles; White Goods; Other Consumer Electronics; Street furniture; mHealth
– Data and functions: Streaming Media; Temperature sensors; Timers; Location; Messaging; Gallery; Weight; Speed; Diagnostics / telematics; Fares / charging; Patient monitoring; Dosage; Information; Control; Smart pills
Electronic street sign: via Wikimedia / Ross
Smart pills from: http://www.themalaysianinsider.com/features/article/sensorised-smart-pills-to-launch-in-uk
Small cells
From: http://www.lightreading.com/blog.asp?blog_sectionid=414&doc_id=222293&image_number=1
Truly connected devices
What is Home Security?
From: http://www.independent.co.uk/news/world/americas/hacker-takes-control-of-ohio-couples-baby-monitor-and-screams-bad-things-9296986.html
www.nest.com
Mobile Cyber Security?
Emerging Device Security & Privacy
The ever-evolving SIM
• UICC supports multiple Java Card applets
• SIM, USIM and ISIM are all applications
• Embedded NFC
• Updateable and configurable remotely
Source: http://commons.wikimedia.org/wiki/File:GSM_SIM_card_evolution.svg
MFF2 (machine-to-machine form factor) – embedded SIM
– surface mount
– mainly used for M2M
Source: http://m2mworldnews.com/2012/07/18/47198-rapid-migration-to-embedded-sim-forecast-for-cellular-m2m/
Some security issues, e.g. Karsten Nohl, ‘Rooting SIM cards’, 2013: https://srlabs.de/rooting-sim-cards/
Biometrics
Still immature on mobile devices – Early solutions easy to defeat (e.g. gummy finger etc.)
– Other types difficult to use
– Requires significant processing power
– iPhone 5S introduced TouchID
– 990 million devices with fingerprint sensors predicted by 2017
Increased risk for the user
– User as unlock key means the user becomes the target of attack
– Same issue as car crime
Also see: http://blog.mobilephonesecurity.org/2013/09/you-are-key-fingerprint-access-on.html
Challenges for biometrics
False negatives:
– Eyelashes too long
– Long fingernails
– Arthritis
– Circulation problems
– People wearing hand cream
– People who’ve just eaten greasy foods
– People with brown eyes
– Fingerprint abrasion, includes: Manual labourers, typists, musicians
– People with cuts
– Disabled people
The Future?
Mobile extending outwards – Internet of Things / Machine-to-machine
– Embedded SIM
– Next generation networks
– Connected car
– Connected homes / businesses
– Payment and banking
What about privacy?
Mobile handset will be at heart of everything
The “things” will need securing
Fraud / security issues won’t go away, they’ll just evolve
GSMA Fraud and Security Group
(Organisation chart recovered from the slide:)
– Products & Services Management Committee
– Fraud & Security Group
– Device Security Group
– Mobile Malware Group
– Fraud & Security Architecture Group
– Roaming & Interconnect Fraud & Security
– Fraud & Security Comms.
– Security & Fraud Risk Assessment
– Security Assurance Group
– Fraud & Security Advisory Panel
– Asia, Africa, Latin America
Questions?
david.rogers @ copperhorse.co.uk
@drogersuk
Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a-guide-for-users/paperback/product-21197551.html