http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014118

By Jon Espenschied
March 23, 2007
Computerworld

My heart sank when I first saw Al Gore pull out his BlackBerry. It was in the waning weeks of the 2000 presidential campaign, and there he was on the TV, tapping away on his then-novel converged device. Though I had no evidence, I was positive that whatever he was reading had already been perused by some conservative skunk works, with his responses scrutinized not long after. Given recent revelations about the opposition's ethics and panting obsession with domestic spying, I still suspect that any eavesdropping technically possible at the time was probably being done.

So imagine my dismay when I saw Sen. Barack Obama pulling a BlackBerry from his coat pocket shortly after announcing his candidacy for president. Like many others addicted to their converged devices (Sen. John McCain was apparently indulging during the last State of the Union speech, not sleeping), he's become a constant user, and he now uses it to manage a large portion of his communications. While I hope these politicians have IT staffers paying attention to this sort of thing, more often than not, a series of underinformed security and privacy assumptions is made shortly before sensitive information starts flowing.

Many common assumptions about the security and privacy of smart phones or other handheld converged devices are off-base or just flat-out wrong. For any high-value target -- whether that's a political candidate or an organization with valuable financial or personal data -- a little more thought ought to go into the process of selecting and deploying any device handling important data. It makes sense then to challenge the more widespread assumptions and consider how to handle oft-ignored risks.

1. It's just a phone with cool features, right?

No, it's not. There's been a major shift in smart phone architecture in the past few years.
Yesterday's phone ran an embedded operating system with software hooks written for the specific model's CPU, interface, vocoder and radio. Today's mobile converged device is more likely to run software considerably more advanced and versatile than desktop systems just 10 years ago. That versatility is an enemy of security because it turns the underlying security architecture on its head.

It used to be that a phone or small handheld device had a default-deny security model, because every feature was added from the ground up. There were no extraneous services running on the device, because every one was purpose-built. Now most converged devices run commodity operating systems, such as Symbian OS (owned in part by Nokia and Sony Ericsson) or Microsoft's Windows CE/Mobile family, that have portability as a core design goal. This means there are plenty of communications services and data handling hooks in the code base, and it's up to phone and application developers to ensure unused code is removed or disabled where not appropriate. No one wants to annoy customers, so more often than not, a wide range of services and interfaces is included and enabled -- equivalent to a default-allow stance.

While I'm a fan of open systems, it's worth evaluating a mobile device that provides the features you want and no more in the base configuration -- perhaps a "feature phone" instead of a smart phone -- and placing less priority on the capacity for upgrades and expansion.

2. It's stable, just like any other purpose-built appliance.

Don't assume that the lack of operating system patches and application updates for a smart phone means that they aren't needed. In the short history of mobile malware, Symbian received bad press by playing host to the first, the Cabir worm. However, Windows CE wasn't far behind with the Duts virus and Brador Trojan.
Even single-purpose network devices are periodically found vulnerable to network and service exploits, and vendors ought to make updates available in a timely manner. The bad news is that mobile platform vendors are still very slow to issue operating system and application patches. The only practical way to mitigate this is through a mix of process and technology: Teach users proper skepticism of e-mailed attachments and unexpected connection or update confirmations, and implement anti-malware programs for those who just keep clicking "OK."

3. Communications are encrypted from end to end.

BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers. Beyond that point, e-mail, instant messages and file transfers may be transmitted unencrypted over the public Internet by default. This is less of a concern for closed organizations where everyone involved uses the same services, but vendors, partners, consultants and others outside the organization often use their own e-mail addresses and smart phones on other carriers. There's no guarantee of message encryption in these cases, and the risk is no better or worse than any other Internet e-mail.

4. The connection's secure unless I use Wi-Fi in a cafe.

Some might be concerned about the cellular connection itself. The GPRS and EDGE data protocols used by T-Mobile and Cingular are based on GSM, and GSM authentication algorithms such as A5 have been broken in ways that allow a motivated eavesdropper to reconstruct voice and data conversations with only a few thousand dollars of equipment. CDMA and associated algorithms are mildly more secure (PDF format), but many carriers choose not to implement all of the security controls available because of performance and handset compatibility.
Use a VPN to mitigate this problem for sensitive data, and make sure essential services are encrypted at the application level using SSL or similar protocols. While it might seem redundant, using a voice-over-IP client through a smart phone's VPN data connection is one way to ensure that voice calls are private. Direct SIP-compliant VoIP clients are best for this; closed-protocol applications such as Skype Mobile may try to route across a public connection even if a VPN is available. Skype also may relay connections between NAT endpoints through random clients on the Internet, so it's not a good candidate in this scenario. It's also worth noting that VoIP with AEC, one of the features of Windows Mobile 5, is not encryption. AEC refers to Acoustic Echo Canceling, not the NIST Advanced Encryption Standard ("AES") described in FIPS 197.

5. E-mails and messages are secure from prying eyes.

Whoever controls your smart phone application server has access to your data. While smart phone service providers and software packages all provide a modicum of access control, administrators with root access can always get at your information if they want. While your corporate IT department might not be spying on marketing on behalf of finance, Obama might want to take note that congressional IT organizations that serve both Democratic and Republican senators have had several incidents involving e-mail disclosures to other parties. In the midst of the Mark Foley scandal, it was interesting to note a person described in the media as a "Democratic operative" was able to retrieve and forward messages sent months earlier from a Republican representative's smart phone.

Know where messages and other data reside when sent from a smart phone. If service is provided by a neutral vendor, make sure you have a service-level agreement that considers whether your data may be commingled with other businesses -- possibly your competitors -- on the same systems.
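The "end to end" caveat in item 3 can actually be checked on a delivered message: each mail server that accepts a message prepends a Received: header naming the host it got the message from, itself, and the protocol, and whether that hop was protected by TLS shows up there. The script below is an added example for this reprint, not code from the column or from any vendor; the hostnames and headers in it are constructed, and the markers it looks for (Postfix's ESMTPS/ESMTPSA keywords and the "(using TLSv1 ...)" or Sendmail-style "(version=TLSv1 ...)" clause) are the common conventions, so treat the TLS-clause match as a heuristic.

```python
"""Audit an e-mail's Received: trail for hops that were not protected by TLS.

Postfix logs a TLS-protected hop as 'with ESMTPS' (or 'ESMTPSA' when the
sender also authenticated); Sendmail keeps 'with ESMTP' but appends a
'(version=TLSv1 cipher=... bits=...)' clause. A hop showing plain SMTP/ESMTP
with no TLS clause crossed the network in the clear. The sample headers and
hostnames below are constructed for this example.
"""
import re

# Protocol keywords that imply the hop itself was TLS-protected.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

# Matches one (unfolded) Received: line: 'from <host> ... by <host> ... with <proto>'.
HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE,
)

# Constructed sample: a message relayed from a handheld's carrier to a partner
# organisation's mail server. Newest hop first, as in a real header block.
SAMPLE_HEADERS = """\
Received: from mail.partner.example (mail.partner.example [192.0.2.10])
    by mx.campaign.example (Postfix) with ESMTPS id 4F2A1B
    (using TLSv1 with cipher AES256-SHA (256/256 bits));
    Fri, 23 Mar 2007 10:02:11 -0700
Received: from mailhub.carrier.example ([198.51.100.7])
    by mail.partner.example with ESMTP id k2NH1oXa012345;
    Fri, 23 Mar 2007 10:01:50 -0700
Received: from smartphone-relay.carrier.example (smartphone-relay.carrier.example [10.0.0.5])
    by mailhub.carrier.example with ESMTPSA id 9C0D1;
    Fri, 23 Mar 2007 10:01:40 -0700
Subject: Q2 fundraising numbers
"""


def unfold(headers: str) -> str:
    """Join RFC 2822 folded continuation lines (leading whitespace) onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def parse_hops(headers: str) -> list:
    """Return the relay hops oldest-first, each flagged as encrypted or not."""
    hops = []
    for line in unfold(headers).splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # not a Received: header, or one without a from/by/with trail
        proto = m.group("proto").upper()
        # Either the protocol keyword itself says TLS, or the receiver appended a
        # clause such as '(version=TLSv1 ...)' / '(using TLSv1 ...)'. Case-sensitive
        # on purpose so lowercase hostnames containing 'tls' do not count.
        encrypted = proto in TLS_PROTOCOLS or re.search(r"\bTLS", line) is not None
        hops.append({"from": m.group("frm"), "by": m.group("by"),
                     "with": proto, "encrypted": encrypted})
    hops.reverse()  # headers are prepended, so the bottom one is the first hop
    return hops


def unencrypted_hops(headers: str) -> list:
    """(from, by) pairs for every hop that was logged without TLS."""
    return [(h["from"], h["by"]) for h in parse_hops(headers) if not h["encrypted"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADERS):
        flag = "TLS  " if hop["encrypted"] else "CLEAR"
        print(f"{flag} {hop['from']} -> {hop['by']} ({hop['with']})")
```

In the constructed sample the phone-to-carrier hop and the final delivery are TLS-protected, but the carrier-to-partner hop across the public Internet is plain ESMTP, which is exactly the gap the column describes. Running this over a few real messages from each external partner is a quick way to find out which of them you can reach encrypted without changing anything on the handheld.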
Those with specific competitive concerns ought to run their own systems using their own administrative staff. Obama would do well to use a device controlled by the Democratic National Committee or his own campaign, rather than one managed by Senate IT staff and easily influenced pages.

6. Using a mobile phone constitutes out-of-band communication.

A phone call over a landline used to be an acceptable method for communicating out-of-band administrative information. For example, a system administrator might call you back at your desk to verbally give you a new password (which you then changed, right?). This worked because the desk phone was isolated from the network and system resources to which you were being given access.

Not so anymore. If you lose your smart phone and IT calls you back on that mobile number to confirm the trouble ticket, is it a meaningful method of verifying the identity or location of the person who answers? Of course not. Possession of the number means little if anything anymore, especially since most phones will allow answering of an incoming call even when locked. IT help desks should cross callbacks off the list of acceptable methods of identity verification for anything to do with mobile devices or remote access. The new BlackBerry Smart Card Reader is a viable option for those who need to authenticate using something they possess, and while similar options lag a little on other platforms, they are available.

7. I trust the integrity of data and applications on a smart phone.

On modern desktop and server systems, file systems with journaling, database-like features and integrated backup are common. Not so with mobile devices, where almost all data integrity relies upon some sort of synchronization with a stable fixed server system for backup and management.
Windows Mobile users can use a variety of synchronization options to ensure that messages and data on the mobile device are consistent with a central Microsoft-based repository such as Exchange, SharePoint or even Groove file-share workspaces. BlackBerry Enterprise users have over-the-air device security options that include data synchronization and backup, and remote shutdown options for lost devices. (A product called SyncBerry provides advanced sync and backup features to SyncML-capable systems, and extends some of the BlackBerry goodness to Symbian users.)

T-Mobile's Sidekick, on the other hand, stores very little data locally because it's constantly synchronizing with the servers at Danger Inc., the manufacturer. If the device is lost, damaged or reset, data can be reloaded on the device by logging in with a name and password. However, this means that data is stored at a service provider with which individuals have a rather one-sided service-level agreement unsuitable for corporate use.

All of this can be protected by setting the device to require a passcode at start-up. If the wrong passcode is entered four times on Sidekick, local data is erased but can be restored by a remote password reset on the management Web site. Security administrators might lament the scarcity of people who use this feature, but it's interesting to note that the young thief who acquired the now-famous Sidekick II in New York last year was identified and arrested only because she had access to the phone, sent messages and took pictures of herself -- which then synchronized with the legitimate owner's account on the Danger servers.

What about application integrity? OK, you say, you'll just install digitally signed or approved applications. A few months ago, some enterprising pot-stirrers managed to buy a BlackBerry code-signing key from RIM (arguably the most security-oriented of the smart phone vendors) for $100, no questions asked. This is all bad.
Users tricked into giving network access to unsigned applications may be opening themselves up to all sorts of spyware, message relay and other malware, but signed applications don't even require consent to suspicious prompts. It's far better to teach astute users about acceptable applications and forbid the rest from installing anything. The choice of installable applications ought to be from a whitelist -- or no list.

8. Information deleted from a smart phone is gone, right?

Most converged devices have relatively small storage capacities, and use variants of the venerable FAT file system. When a file is deleted, the markers for the beginning and end of the data on the storage media are removed so that it is no longer retrievable by normal means (orphaned). However, the actual data remains until it's overwritten. There are no guarantees against orphaned data. In fact, the whole practice of cell phone forensics rests on the availability of orphaned data and logs.

I'm not aware of any smart phone that comes with a secure delete function to remove orphaned file system data. Perhaps Apple will include the file system wiping option from OS X in its forthcoming iPhone, but it's not present in any of the other major players' offerings. With many smart phones offering basic word processing and spreadsheet applications, residual data from deleted copies becomes even more of an issue.

IT staffers responsible for disposal of outdated smart phones should use tools to ensure that residual data is removed. The simple method is to copy and erase chunks of data onto the device in a manner that fills the flash memory or hard disk, but forensically sound methods are available from various vendors. If the device memory can't be erased, it should be destroyed -- a damaged but repairable smart phone ought not be found in the trash. Those resorting to a hammer are advised to remove the Li-Ion battery first.

9. Spying on my smart phone is hard.

Think spying on your activities is hard?
Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in; they just become slave USB devices and give up all your data. Worse yet, a rogue employee, jealous husband or political opponent can buy backdoor malware ... uh, "remote phone monitoring" software here and keep ongoing tabs on communications. If they manage to install the spendy version on your phone (or trick you into doing it), it even includes remote microphone activation and generates a tidy Excel spreadsheet of your activities each day.

Flexispy is cheap, oriented toward consumers and very worrisome. It's only available for Symbian so far, but less-polished remote viewing software or illicit copies of management tools are available for BlackBerry, Windows Mobile and other platforms. It's not clear if anti-malware products send alerts upon finding these, so the best policy now is to educate users on physical security and admonish them not to install unexpected software or updates.

10. Abuse is minimal because the network and phones are constrained.

Four words: Remember ASCII art porn. Network miscreants will work with what's available, and resource limitations only make those inclined to misbehave do so in more creative ways. The difference is that smart phones are quite capable, and modern 2.5G and 3G phone networks provide surprisingly adequate bandwidth. For example, there are now multiple BitTorrent clients for Symbian as well as other platforms, some phones are adept at seamlessly switching between cellular and unsecured Wi-Fi networks, and with the price point for 4+ GB flash cards dropping below $100, there's lots to worry about.

To paraphrase Steve Jobs, misuse of technology is a social problem, not a technological one. Having a well-defined policy for the use of converged devices is essential prior to deployment. Conversely, rolling out smart phones without proper guidance will lead to all sorts of havoc.
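Going back to item 8, the orphaned-data point is easiest to see on a toy model of a FAT-style volume. The Python below is an added illustration for this reprint, not code from the column or from any handset vendor, and the layout is deliberately simplified (one directory, 512-byte clusters, 8.3 names stored as padded text); only the directory-entry offsets it uses (first cluster at byte 26, size at byte 28) follow the real FAT layout. Deleting a file overwrites the first byte of its directory entry with 0xE5 and frees its clusters in the allocation table, but the cluster contents stay put; carve() stands in for a forensic tool scanning unallocated clusters, and wipe_free_space() is the "fill the flash memory" disposal method the column describes.

```python
"""Toy FAT-style volume showing why 'deleted' data survives until overwritten.

On FAT, deleting a file marks its 32-byte directory entry with 0xE5 and zeroes
its chain in the file allocation table; the clusters holding the bytes are not
touched. This model is an added illustration and is deliberately simplified.
"""
import struct

CLUSTER_SIZE = 512
FAT_FREE, FAT_EOC = 0x000, 0xFFF   # allocation-table markers (FAT12 style)
DELETED = 0xE5                      # first byte of a released directory entry
FIRST_DATA_CLUSTER = 2              # clusters 0 and 1 are reserved on FAT


class ToyFatVolume:
    def __init__(self, clusters: int = 16):
        self.fat = [FAT_FREE] * clusters
        self.data = [bytearray(CLUSTER_SIZE) for _ in range(clusters)]
        self.directory = []  # 32-byte bytearray entries

    def _key(self, name: str) -> bytes:
        return name.upper().encode("ascii").ljust(11)

    def _entry(self, name: str) -> bytearray:
        key = self._key(name)
        for entry in self.directory:
            if bytes(entry[0:11]) == key:  # a deleted entry no longer matches (byte 0 is 0xE5)
                return entry
        raise FileNotFoundError(name)

    def _chain(self, first: int) -> list:
        """Follow a cluster chain through the FAT until the end-of-chain marker."""
        chain, cluster = [], first
        while True:
            chain.append(cluster)
            nxt = self.fat[cluster]
            if nxt in (FAT_EOC, FAT_FREE):  # FAT_FREE here means a truncated chain; stop safely
                return chain
            cluster = nxt

    def write_file(self, name: str, content: bytes) -> None:
        needed = max(1, -(-len(content) // CLUSTER_SIZE))  # ceiling division
        free = [i for i, v in enumerate(self.fat) if v == FAT_FREE and i >= FIRST_DATA_CLUSTER]
        if len(free) < needed:
            raise OSError("volume full")
        chain = free[:needed]
        for idx, cluster in enumerate(chain):
            chunk = content[idx * CLUSTER_SIZE:(idx + 1) * CLUSTER_SIZE]
            self.data[cluster][:] = chunk.ljust(CLUSTER_SIZE, b"\x00")
            self.fat[cluster] = chain[idx + 1] if idx + 1 < needed else FAT_EOC
        entry = bytearray(32)
        entry[0:11] = self._key(name)
        struct.pack_into("<HI", entry, 26, chain[0], len(content))  # first cluster, file size
        self.directory.append(entry)

    def read_file(self, name: str) -> bytes:
        first, size = struct.unpack_from("<HI", self._entry(name), 26)
        return b"".join(bytes(self.data[c]) for c in self._chain(first))[:size]

    def delete_file(self, name: str) -> None:
        entry = self._entry(name)
        first, _ = struct.unpack_from("<HI", entry, 26)
        for cluster in self._chain(first):
            self.fat[cluster] = FAT_FREE  # release the chain; cluster bytes are untouched
        entry[0] = DELETED                # entry is 'free', but name tail and offsets remain

    def carve(self, needle: bytes) -> list:
        """What a forensic tool does: scan every cluster that no live file owns."""
        live = set()
        for entry in self.directory:
            if entry[0] != DELETED:
                first, _ = struct.unpack_from("<HI", entry, 26)
                live.update(self._chain(first))
        return [i for i, block in enumerate(self.data) if i not in live and needle in block]

    def wipe_free_space(self, fill: bytes = b"\x00") -> None:
        """The column's disposal method: overwrite every unallocated cluster."""
        pattern = (fill * CLUSTER_SIZE)[:CLUSTER_SIZE]
        for i, v in enumerate(self.fat):
            if v == FAT_FREE and i >= FIRST_DATA_CLUSTER:
                self.data[i][:] = pattern
        self.directory = [e for e in self.directory if e[0] != DELETED]  # drop 0xE5 entries too


def demo() -> tuple:
    """Delete a constructed memo, carve for its contents, wipe, carve again."""
    vol = ToyFatVolume()
    vol.write_file("MEMO.TXT", b"Draft: donor list attached. " * 30)
    vol.delete_file("MEMO.TXT")
    found_before = vol.carve(b"donor list")
    vol.wipe_free_space()
    found_after = vol.carve(b"donor list")
    return found_before, found_after


if __name__ == "__main__":
    print("clusters still holding the deleted memo (before wipe, after wipe):", demo())
```

The memo is unreadable by name the moment it is deleted, yet both of its clusters still answer a content search until the free space is overwritten; note that the wipe also has to clear the 0xE5 directory entries, which otherwise keep the file's size and starting cluster on disk. Real flash controllers add wear-levelling copies that a file-system-level overwrite never reaches, which is why the column recommends vendor tools or physical destruction for disposal.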
Users might respect pay-per-minute airtime as a corporate asset, but unless instructed otherwise they'll think of flat-rate data services as free connectivity on someone else's network (not covered by your policy), and the phone itself as corporate tribal adornment suitable for display anywhere, anytime.

More to consider

Am I advocating Naomi Campbell's method of disposing of one's fancy mobile? No, in fact, just this month I bought a new smart phone. While I'm no fan of troublesome devices -- two colleagues recently commented that their new WM5 phones rarely crash more than once per day now -- mobile e-mail and Internet access are quickly becoming de rigueur. I made a list of the functions I needed and tried to avoid models that included features I would not use or could not secure.

Readers looking for a structured set of criteria for evaluating and selecting a specific smart phone product are encouraged to read NIST Special Publication 800-48 (PDF format [1]). It's a little dated, but when mobile system and application developers are rediscovering every mistake they made a decade ago with remote desktop and laptop systems, these old documents are right on the mark.

-=-

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He is currently a senior security consultant in Seattle, where his advice has been ignored by CEOs, auditors and sysadmins alike.

This column has been edited to correct a misstatement: The Symbian OS is in fact owned in part by Nokia and Sony Ericsson.

[1] http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
This archive was generated by hypermail 2.1.3 : Sun Mar 25 2007 - 22:47:24 PST