On Sat, 27 Jul 2013, Rick Moen <rick(a)linuxmafia.com> wrote:
> A: The most-security-aware organizations are taking these threats very
> seriously. They're destroying phones after taking them to hostile areas
> with known malicious carriers, they're limiting what information gets
> copied to the default inbox/contact list on devices, they're limiting
> what applications can be installed on devices which have access to
Which would be more of a risk? A random drive-by attack against all users of
a rogue telco in some strange country, or a random drive-by attack with a fake
cell tower in the center of the Melbourne CBD or another well-trafficked area? I
presume the latter, if compromising phones via a mobile tower is so easy.
> A: There are two major threat categories when it comes to international
> travel, the malicious foreign carrier and the enterprising private
> mobile attacker. These threats result from the fact that citizens of a
> foreign country generally have no rights to privacy and no official
> recourse if their information gets stolen while they are in the foreign
> country. I already spoke about how foreign carriers have total control
> over devices which are associated with their networks. Probably the most
> alarming thing we've seen happen in our tests is how foreign carriers
> can steal the cryptographic seed values from soft-tokens installed on
> smartphones. One take-away I'd love to get across to all of your readers
> is to never let soft-tokens become a solution to be relied on for
> organizations which have a large number of international travelers.
Given that telcos in countries like the US have deliberately sold phones with
malware pre-loaded, I expect that such things would be done in countries with
a supposed rule of law too if they were so easy. Of course the rule of law in
the US only applies to poor people.
> Smartphone 'soft-tokens' means virtual dongles used for (supposed)
> two-factor authentication such as Symantec VIP or SecurEnvoy
> SecurAccess. Pity Turner doesn't say _how_ iOS, Android, and
> BlackberryOS yield 'total control over devices' to local carriers.
It seems that every time a new version of iOS is released someone jailbreaks
it quite quickly. So it's obviously not impossible to crack the OS. But
doing so reliably over a population without getting caught is going to be
> Turner goes on, in the bit about international travelers, to talk about
> a cruise ship passenger who uses a cafe's WiFi in port, and 'the coffee
> shop owner has realized he can make more money selling your address book
> to spearfishers than he ever can make selling you even his
> most-expensive latte'. I'm intrigued, Mr. Turner. How does connecting
> a smartphone to a WAP give the WAP owner automatic access to the
> smartphone's address book?
There's also the economic issue. Why would someone who wants such data buy
from small cafes? If it was so easy to do then someone could set up WiFi access
points purporting to be McDonald's, Starbucks, and other common vendors in
central city areas. Phones usually connect to such WiFi access points by
default without even informing the user, so if such a WiFi attack is possible
then it could be implemented against tens of thousands of people a day in the
Melbourne CBD instead of dozens a day in a backwater cafe.
> I'm used to assuming that networks are dangerous and untrustworthy and
> layering things trustworthy over them. Why is that approach not
> feasible with a smartphone -- or is Turner just another guy selling
> unnecessary gear to the rubes?
Sounds like it.
It seems to me that one of the biggest problems with security is the use of
devices for multiple purposes. If a company issues a nice laptop and phone to
an employee then there's a good chance the laptop will be used to view porn
and the phone will be used for playing games (particularly if the employee has
children) and that's two major vectors for attack.
One of my suggestions has been to issue laptops with small screens to make
them less suitable for porn. For phone use when employees access sensitive
data it wouldn't be particularly expensive to give them a spare phone for
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
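A worked illustration of the soft-token point quoted above (Turner's claim that a carrier with control of the handset can copy the token's seed). This is an added example, not part of this mail, of Rick's interview source, or of any product named in it: it models a generic RFC 4226/6238 HMAC-based soft-token, so Symantec VIP or SecurEnvoy internals may differ. The seed and expected codes are the RFCs' published test values; the "re-enrolled" seed is a hypothetical derived value so the run is reproducible, and the function names are mine.

```python
import hashlib
import hmac
import struct

# Added example (not from the mail or any vendor). Generic RFC 4226/6238 token.
RFC_SEED = b"12345678901234567890"  # the RFC 4226/6238 SHA-1 test seed


def hotp(seed, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC(seed, counter) -> dynamic truncation -> zero-padded decimal."""
    mac = hmac.new(seed, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP over the time-step counter floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits, digestmod)


def verify_totp(server_seed, code, unix_time, step=30, window=1, digits=6):
    """Server side: accept the code for the current step or any step within
    +/- window (clock-skew tolerance). Constant-time compare so the check
    itself does not leak which digits matched."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(server_seed, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


def seed_theft_outcome(seed, unix_time):
    """What a copied seed buys an attacker. Returns a tuple of three booleans:

    clone_accepted  - the attacker computes a fresh code from the copied seed;
                      the server cannot tell it from the enrolled phone.
    replay_accepted - a code captured in transit is presented an hour later;
                      it matches only by chance (about 3 in 10**6 for a +/-1
                      window), so interception alone is not the real problem.
    accepted_after_reenrollment - the user has been re-enrolled with a new
                      seed (the "destroy the phone" remedy in the interview);
                      codes from the old seed now match only by that same
                      chance, i.e. only re-seeding revokes a copied seed.
    """
    attacker_code = totp(seed, unix_time)
    clone_accepted = verify_totp(seed, attacker_code, unix_time)
    replay_accepted = verify_totp(seed, attacker_code, unix_time + 3600)
    # Hypothetical re-enrollment: a real provisioning step would generate a
    # fresh random seed; it is derived deterministically here for reproducibility.
    new_seed = hashlib.sha1(b"re-enrolled:" + seed).digest()
    accepted_after_reenrollment = verify_totp(new_seed, totp(seed, unix_time), unix_time)
    return clone_accepted, replay_accepted, accepted_after_reenrollment


if __name__ == "__main__":
    print(seed_theft_outcome(RFC_SEED, 1111111109))
```

The design point the mail is circling: a soft-token is a shared secret stored on the handset, so "steal the seed" is not an interception attack that expires with the code, it is possession of the token itself, and the only remedy is re-enrollment with a seed the attacker never saw.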