
Security and Trust in Mobile Devices

Security and Trust in Mobile Devices. Abdulrhman Alkhanifer, Ricardo Figueroa. DEVICES - Introduction. Mobile devices serve as access points to data stored either locally or in some remote server. Currently there are 5.3 billion mobile users around the world (77% of the world population).


Presentation Transcript


  1. Security and Trust in Mobile Devices
     Abdulrhman Alkhanifer, Ricardo Figueroa

  2. DEVICES - Introduction
     • Mobile devices serve as access points to data stored either locally or in some remote server.
     • Currently there are 5.3 billion mobile users around the world (77% of the world population) [1].
     • How many of them are smartphones?
     [1] International Telecommunication Union (October 2010), mobiThinking, http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats

  3. DEVICES - Smartphone Market Share [1]
     [1] Worldwide Mobile Communications Device Open OS Sales to End Users by OS, Gartner, http://www.gartner.com/it/page.jsp?id=1622614

  4. DEVICES - Why is it important to think about Security and Trust?
     • Mobile devices run a “single-user OS”, which is very different from a laptop or desktop OS from a security point of view.
     • Most mobile users do not realize the potential risk of exposing information or of identity theft.
     • Mobile devices serve as access points to personal and/or corporate information and are more accessible than laptop or desktop computers.

  5. DATA - Sensitivity

  6. DATA - What is the value if lost?

  7. DATA - Where does it reside?

  8. DATA - Accessibility Threats

  9. ACCESS - Physical Access
     • PIN, typically 4-6 digits.
     • A 4-digit PIN requires 10000 tries (using a brute-force attack), which is not impossible!
     • Password.
     • Auto-lock feature.
     • iPad 2 issue before iOS 5 and smart cover.
     • Some users do not use a PIN or password.
     • A 4-digit PIN is easy to break by eavesdropping.

  10. ACCESS - Internet and Wireless Access
     • Bluetooth attacks [1]:
       • Bluesnarfing (2003-2004)
       • Bluebugging
       • Bluejacking
       • Denial of service (DoS)
     [1] A menu of Bluetooth attacks, Government Computer News, http://gcn.com/Articles/2005/07/20/A-menu-of-Bluetooth-attacks.aspx

  11. ACCESS – GSM Security Features
     • GSM encryption mechanism is based on a symmetric stream cipher.
     • The key for encryption is established as part of the authentication protocol.
     • 64-bit A5/1 GSM encryption [1].
     • 128-bit A5/3 GSM encryption [2007].
     • 4G (LTE): 128-bit AES, or 128-bit SNOW 3G [2].
     [1] Karsten Nohl, 1988, http://www.engadget.com/2009/12/29/gsm-call-encryption-code-cracked-published-for-the-whole-world/
     [2] Security in the LTE-SAE Network, documentation, Agilent Technologies, http://www.home.agilent.com/upload/cmc_upload/All/Security_in_the_LTE-SAE_Network.PDF?&cc=US&lc=eng

  12. ACCESS - 3G Encryption
     • Is the data transmitted over 3G/4G network secure?
     • “Israel's Weizmann Institute of Science went ahead and cracked the KASUMI system -- a 128-bit A5/3 algorithm implemented across 3G networks -- in less than two hours” [1, 2].
     [1] 3G GSM encryption cracked in less than two hours, engadget, Jan 2010, http://www.engadget.com/2010/01/15/3g-gsm-encryption-cracked-in-less-than-two-hours/
     [2] 3G encryption can be broken in 2 hours, 'suggest' security experts, http://www.fiercewireless.com/europe/story/3g-encryption-can-be-broken-2-hours-suggest-security-experts/2010-01-15

  13. ACCESS - BlackBerry
     • Uses BlackBerry OS [1].
     • Every phone has a BlackBerry PIN (an 8-digit hexadecimal number).
     • BlackBerry uses Standard, Triple DES and AES encryption schemes [2].
     • Issues in some countries:
       • India: In January 2011, RIM gave India access to its consumer services, including its Messenger services, but said it could not allow monitoring of its enterprise email.
       • Saudi Arabia: Saudi Arabia has threatened to ban the service, but reportedly it was close to reaching an agreement with RIM to set up a server for the service inside the Kingdom.
       • UAE: In October 2010, the UAE tried to ban the service, requesting that servers be brought inside the country; however, their request was denied. Later, BlackBerry services were back.
     [1] http://en.wikipedia.org/wiki/BlackBerry
     [2] http://docs.blackberry.com/en/admin/deliverables/12873/Standard_BlackBerry_message_encryption_193608_11.jsp

  14. ACCESS - Privacy: Geotagging
     • Adding geographical identification to photographs, video, websites and SMS messages.
     • It is the equivalent of adding a 10-digit grid coordinate to everything you post on the internet [1].
     • In some smartphones this information is embedded with every picture taken by that device.
     • Many social applications allow users to share their location (Facebook, Twitter, Flickr, etc.).
     [1] http://www.slideshare.net/NavalOPSEC/geotagging-safety

  15. ACCESS - Is Geotagging potentially dangerous?
     • It can establish personal patterns. It could potentially be easy to identify a user’s daily routine and times.
     • Exposing home and work addresses.

  16. ACCESS – Geotagging: Example [1]
     • Adam Savage, of “MythBusters”, took a photo using his phone and posted it on his Twitter account with “off to work” as the message.
     • His photo contained metadata revealing the exact geographical location of his house.
     [1] Web Photos That Reveal Secrets, Like Where You Live, August 11, 2010, The NY Times, http://www.nytimes.com/2010/08/12/technology/personaltech/12basics.html?pagewanted=all
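
As an added example (not part of the original slides), here is a pre-posting check for the geotagging risk described on slides 14-16: it looks for a GPSInfo pointer in a JPEG's Exif metadata and returns a copy with the Exif segment removed. The function names and the sample file are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # Exif "GPSInfo" pointer tag stored in IFD0

def exif_segments(jpeg):
    """Yield (start, end) of each Exif APP1 segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: compressed pixels follow
            break
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, end
        pos = end

def has_gps(jpeg):
    """True if IFD0 of an Exif segment holds a GPSInfo pointer entry."""
    for start, end in exif_segments(jpeg):
        tiff = jpeg[start + 10:end]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if order is None or len(tiff) < 10:
            continue  # malformed or truncated TIFF header
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\0"))
        want = struct.pack(order + "H", GPS_IFD_TAG)
        if any(tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i] == want for i in range(count)):
            return True
    return False

def strip_exif(jpeg):
    """Copy of the file without its Exif segments; pixel data is untouched."""
    out, last = bytearray(), 0
    for start, end in exif_segments(jpeg):
        out += jpeg[last:start]
        last = end
    return bytes(out + jpeg[last:])

def sample_jpeg():
    tiff = (b"II*\x00" + struct.pack("<IH", 8, 1)          # constructed TIFF header, 1 entry
            + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)  # GPSInfo -> GPS IFD at offset 26
            + struct.pack("<IHI", 0, 0, 0))                # end of IFD0, empty GPS IFD
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")                 # SOS + EOI, no real pixels
```

Removing the whole Exif segment also drops non-location fields such as orientation. Location can additionally be stored in an XMP packet, which this example does not inspect.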

  17. ACCESS - Privacy: Custom Profiling
     • Malls used phone signals to track shoppers on Black Friday [1].
     • Could lead to spam advertisement.
     [1] http://money.cnn.com/2011/11/22/technology/malls_track_cell_phones_black_friday/index.htm

  18. Recommendations on how to better protect your data
     • Use password and auto-lock feature.
     • Do not auto save passwords in applications.
     • Do not let your mobile device out of your sight.
     • Make sure that your phone OS and apps are updated.
     • Try not to use unsecured wireless hotspots.
     • Encryption on local drive and external flash drives:
       • Windows Mobile: SecuBox, 3rd party application [1].
       • Android: Droid Crypt, AnDisk Encryption; 3rd party, uses AES 128-bit [2].
       • iPhone: no apps available yet, some apps for encrypting voice calls and messages.
       • BlackBerry: offers “content protection” that encrypts all data in the device [4].
     • Subscribe with remote wipe (if available).
     • Possible newer security methods like Picture Password [3].
     [1] http://www.aikosolutions.com
     [2] http://www.pcworld.com/article/242650/how_to_encrypt_your_smartphone.html
     [3] http://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx
     [4] http://docs.blackberry.com/en/smartphone_users/deliverables/1487/About_content_protection_29009_11.jsp

  19. Questions?
