
On Sat, 27 Jul 2013, Rick Moen <rick@linuxmafia.com> wrote:
> > A: The most-security-aware organizations are taking these threats very seriously. They're destroying phones after taking them to hostile areas with known malicious carriers, they're limiting what information gets copied to the default inbox/contact list on devices, they're limiting what applications can be installed on devices which have access to enterprise infrastructure. [...]
Which would be more of a risk? A random drive-by attack against all users of a rogue telco in some strange country or a random drive-by attack with a fake cell tower in the center of the Melbourne CBD or other well-trafficked area? I presume the latter if compromising phones via mobile tower is so easy.
> > A: There are two major threat categories when it comes to international travel, the malicious foreign carrier and the enterprising private mobile attacker. These threats result from the fact that citizens of a foreign country generally have no rights to privacy and no official recourse if their information gets stolen while they are in the foreign country. I already spoke about how foreign carriers have total control over devices which are associated with their networks. Probably the most alarming thing we've seen happen in our tests is how foreign carriers can steal the cryptographic seed values from soft-tokens installed on smartphones. One take-away I'd love to get across to all of your readers is to never let soft-tokens become a solution to be relied on for organizations which have a large number of international travelers. [...]
Given that telcos in countries like the US have deliberately sold phones with malware pre-loaded, I expect that such things would be done in countries with a supposed rule of law too if they were so easy. Of course the rule of law in the US only applies to poor people.
> Smartphone 'soft-tokens' means virtual dongles used for (supposed) two-factor authentication such as Symantec VIP or SecurEnvoy SecurAccess. Pity Turner doesn't say _how_ iOS, Android, and BlackberryOS yield 'total control over devices' to local carriers.
It seems that every time a new version of iOS is released someone jail-breaks it quite quickly. So it's obviously not impossible to crack the OS. But doing so reliably over a population without getting caught is going to be difficult.
> Turner goes on, in the bit about international travelers, to talk about a cruise ship passenger who uses a cafe's WiFi in port, and 'the coffee shop owner has realized he can make more money selling your address book to spearfishers than he ever can make selling you even his most-expensive latte'. I'm intrigued, Mr. Turner. How does connecting a smartphone to a WAP give the WAP owner automatic access to the smartphone's address book?
There's also the economic issue. Why would someone who wants such data buy from small cafes? If it was so easy to do then someone could set up WiFi access points purporting to be McDonald's, Starbucks, and other common vendors in central city areas. Phones usually connect to such WiFi access points by default without even informing the user, so if such a WiFi attack is possible then it could be implemented against tens of thousands of people a day in Melbourne CBD instead of dozens a day in a backwater cafe.
> I'm used to assuming that networks are dangerous and untrustworthy and layering things trustworthy over them. Why is that approach not feasible with a smartphone -- or is Turner just another guy selling unnecessary gear to the rubes?
Sounds like it. It seems to me that one of the biggest problems with security is the use of devices for multiple purposes. If a company issues a nice laptop and phone to an employee then there's a good chance the laptop will be used to view porn and the phone will be used for playing games (particularly if the employee has children) and that's two major vectors for attack. One of my suggestions has been to issue laptops with small screens to make them less suitable for porn. For phone use when employees access sensitive data it wouldn't be particularly expensive to give them a spare phone for games.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/