[ISN] Ten dangerous claims about smart phone security

From: InfoSec News (alerts@private)
Date: Sun Mar 25 2007 - 22:33:31 PST


By Jon Espenschied
March 23, 2007 

My heart sank when I first saw Al Gore pull out his BlackBerry. It was 
in the waning weeks of the 2000 presidential campaign, and there he was 
on the TV, tapping away on his then-novel converged device. Though I had 
no evidence, I was positive that whatever he was reading had already 
been perused by some conservative skunk works, with his responses 
scrutinized not long after. Given recent revelations about the 
opposition's ethics and panting obsession with domestic spying, I still 
suspect that any eavesdropping technically possible at the time was 
probably being done.

So imagine my dismay when I saw Sen. Barack Obama pulling a BlackBerry 
from his coat pocket shortly after announcing his candidacy for 
president. Like many others addicted to their converged devices (Sen. 
John McCain was apparently indulging during the last State of the Union 
speech, not sleeping), he's become a constant user, and he now uses it 
to manage a large portion of his communications. While I hope these 
politicians have IT staffers paying attention to this sort of thing, 
more often than not, a series of underinformed security and privacy 
assumptions are made shortly before sensitive information starts 

Many common assumptions about the security and privacy of smart phones 
or other handheld converged devices are off-base or just flat-out wrong. 
For any high-value target -- whether that's a political candidate or an 
organization with valuable financial or personal data -- a little more 
thought ought to go into the process of selecting and deploying any 
device handling important data. It makes sense then to challenge the 
more widespread assumptions and consider how to handle oft-ignored 

1. It's just a phone with cool features, right?

No, it's not. There's been a major shift in smart phone architecture in 
the past few years. Yesterday's phone ran an embedded operating system 
with software hooks written for the specific model's CPU, interface, 
vocoder and radio. Today's mobile converged device is more likely to run 
software considerably more advanced and versatile than desktop systems 
just 10 years ago. That versatility is an enemy of security because it 
turns the underlying security architecture on its head.

It used to be that a phone or small handheld device had a default-deny 
security model, because every feature was added from the ground up. 
There were no extraneous services running on the device, because every 
one was purpose-built. Now most converged devices run commodity 
operating systems, such as Symbian OS (owned in part by Nokia and Sony 
Ericsson) or Microsoft's Windows CE/Mobile family, that have portability 
as a core design goal. This means there are plenty of communications 
services and data handling hooks in the code base, and it's up to phone 
and application developers to ensure unused code is removed or disabled 
where not appropriate.

No one wants to annoy customers, so more often than not, a wide range of 
services and interfaces is included and enabled -- equivalent to a 
default-allow stance. While I'm a fan of open systems, it's worth 
evaluating a mobile device that provides the features you want and no 
more in the base configuration -- perhaps a "feature phone"  instead of 
a smart phone -- and place less priority on the capacity for upgrades 
and expansion.

2. It's stable, just like any other purpose-built appliance.

Don't assume that the lack of operating system patches and application 
updates for a smart phone means that they aren't needed. In the short 
history of mobile malware, Symbian received bad press by playing host to 
the first, the Cabir worm. However, Windows CE wasn't far behind with 
the Duts virus and Brador Trojan. Even single-purpose network devices 
are periodically found vulnerable to network and service exploits, and 
vendors ought to make updates available in a timely manner.

The bad news is that mobile platform vendors are still very slow to 
issue operating system and application patches. The only practical way 
to mitigate this is through a mix of process and technology: Teach users 
proper skepticism of e-mailed attachments and unexpected connection or 
update confirmations, and implement anti-malware programs for those who 
just keep clicking "OK."

3. Communications are encrypted from end to end.

BlackBerry and Sidekick users may have heard that their communications 
are encrypted "end to end," but e-mail and other communications are 
encrypted only from the phone to the phone company or service provider's 
servers. Beyond that point, e-mail, instant messages and file transfers 
may be transmitted unencrypted over the public Internet by default.

This is less of a concern for closed organizations where everyone 
involved uses the same services, but vendors, partners, consultants and 
others outside the organization often use their own e-mail addresses and 
smart phones on other carriers. There's no guarantee of message 
encryption in these cases, and the risk is no better or worse than any 
other Internet e-mail.

4. The connection's secure unless I use Wi-Fi in a cafe.

Some might be concerned about the cellular connection itself. The GPRS 
and EDGE data protocols used by T-Mobile and Cingular are based on GSM, 
and GSM authentication algorithms such as A5 have been broken in ways 
that allow a motivated eavesdropper to reconstruct voice and data 
conversations with only a few thousand dollars of equipment. CDMA and 
associated algorithms are mildly more secure (PDF format), but many 
carriers choose not to implement all of the security controls available 
because of performance and handset compatibility.

Use a VPN to mitigate this problem for sensitive data and make sure 
essential services are encrypted at the application level using SSL or 
similar protocols. While it might seem redundant, using a voice-over-IP 
client through a smart phone's VPN data connection is one way to ensure 
that voice calls are private. Direct SIP-compliant VoIP clients are best 
for this; closed-protocol applications such as Skype Mobile may try to 
route across a public connection even if a VPN is available. It also may 
relay connections between NAT endpoints through random clients on the 
Internet, so it's not a good candidate in this scenario.

It's also worth noting that VoIP with AEC, one of the features of 
Windows Mobile 5, is not encryption. AEC refers to Acoustic Echo 
Canceling, not the NIST Advanced Encryption Standard ("AES ") described 
in FIPS 197.

5. E-mails and messages are secure from prying eyes.

Whoever controls your smart phone application server has access to your 
data. While smart phone service providers and software packages all 
provide a modicum of access control, administrators with root access can 
always get at your information if they want.

While your corporate IT department might not be spying on marketing on 
behalf of finance, Obama might want to take note that congressional IT 
organizations that serve both Democratic and Republican senators have 
had several incidents involving e-mail disclosures to other parties. In 
the midst of the Mark Foley scandal, it was interesting to note a person 
described in the media as a "Democratic operative" was able to retrieve 
and forward messages sent months earlier from a Republican 
representative's smart phone.

Know where messages and other data reside when sent from a smart phone. 
If service is provided by a neutral vendor, make sure you have a 
service-level agreement that considers whether your data may be 
commingled with other businesses -- possibly your competitors -- on the 
same systems. Those with specific competitive concerns ought to run 
their own systems using their own administrative staff. Obama would do 
well to use a device controlled by the Democratic National Committee or 
his own campaign, rather than one managed by Senate IT staff and easily 
influenced pages.

6. Using a mobile phone constitutes out-of-band communication.

A phone call over a landline used to be an acceptable method for 
communicating out-of-band administrative information. For example, a 
system administrator might call you back at your desk to verbally give 
you a new password (which you then changed, right?). This worked because 
the desk phone was isolated from the network and system resources to 
which you were being given access.

Not so anymore. If you lose your smart phone and IT calls you back on 
that mobile number to confirm the trouble ticket, is it a meaningful 
method of verifying the identity or location of the person who answers? 
Of course not. Possession of the number means little if anything 
anymore, especially since most phones will allow answering of an 
incoming call even when locked.

IT help desks should cross callbacks off the list of acceptable methods 
of identity verification for anything to do with mobile devices or 
remote access. The new BlackBerry Smart Card Reader is a viable option 
for those who need to authenticate using something they possess, and 
while similar options lag a little on other platforms, they are 

7. I trust the integrity of data and applications on a smart phone.

On modern desktop and server systems, file systems with journaling, 
database-like features and integrated backup are common. Not so with 
mobile devices, where almost all data integrity relies upon some sort of 
synchronization with a stable fixed server system for backup and 

Windows Mobile users can use a variety of synchronization options to 
ensure that messages and data on the mobile device are consistent with a 
central Microsoft-based repository such as Exchange, SharePoint or even 
Groove file-share workspaces. BlackBerry Enterprise users have 
over-the-air device security options that include data synchronization 
and backup, and remote shutdown options for lost devices. (A product 
called SyncBerry provides advanced sync and backup features to 
SyncML-capable systems, and extends some of the BlackBerry goodness to 
Symbian users.)

T-Mobile's Sidekick, on the other hand, stores very little data locally 
because it's constantly synchronizing with the servers at Danger Inc., 
the manufacturer. If the device is lost, damaged or reset, data can be 
reloaded on the device by logging in with a name and password. However, 
this means that data is stored at a service provider with which 
individuals have a rather one-sided service-level agreement unsuitable 
for corporate use.

All of this can be protected by setting the device to require a passcode 
at start-up. If the wrong passcode is entered four times on Sidekick, 
local data is erased but can be restored by a remote password reset on 
the management Web site. Security administrators might lament the 
scarcity of people who use this feature, but it's interesting to note 
that the young thief who acquired up the now-famous Sidekick II in New 
York last year was identified and arrested only because she had access 
to the phone, sent messages and took pictures of herself -- which then 
synchronized with the legitimate owner's account on the Danger servers.

What about application integrity? OK, you say, you'll just install 
digitally signed or approved applications. A few months ago, some 
enterprising pot-stirrers managed to buy a BlackBerry code-signing key 
from RIM (arguably the most security-oriented of the smart phone 
vendors) for $100, no questions asked. This is all bad. Users tricked 
into giving network access to unsigned applications may be opening 
themselves up to all sorts of spyware, message relay and other malware, 
but signed applications don't even require consent to suspicious 
prompts. It's far better to teach astute users about acceptable 
applications and forbid the rest from installing anything. The choice of 
installable applications ought to be from a whitelist -- or no list.

8. Information deleted from a smart phone is gone, right?

Most converged devices have relatively small storage capacities, and use 
variants of the venerable FAT file system. When a file is deleted, the 
markers for the beginning and end of the data on the storage media are 
removed so that it is no longer retrievable by normal means (orphaned). 
However, the actual data remains until it's overwritten. There are no 
guarantees against orphaned data. In fact, the whole practice of cell 
phone forensics rests on the availability of orphaned data and logs.

I'm not aware of any smart phone that comes with a secure delete 
function to remove orphaned file system data. Perhaps, Apple will 
include the file system wiping option from OS X in its forthcoming 
iPhone, but it's not present in any of the other major players' 
offerings. With many smart phones offering basic word processing and 
spreadsheet applications, residual data from deleted copies becomes even 
more of an issue.

IT staffers responsible for disposal of outdated smart phones should use 
tools to ensure that residual data is removed. The simple method is to 
copy and erase chunks of data onto the device in a manner that fills the 
flash memory or hard disk, but forensically sound methods are available 
from various vendors. If the device memory can't be erased, it should be 
destroyed -- a damaged but repairable smart phone ought not be found in 
the trash. Those resorting to a hammer are advised to remove the Li-Ion 
battery first.

9. Spying on my smart phone is hard.

Think spying on your activities is hard? Think again. Most smart phones 
have no equivalent of Bluetooth authentication when plugged in; they 
just become slave USB devices and give up all your data. Worse yet, a 
rogue employee, jealous husband or political opponent can buy backdoor 
malware ... uh, "remote phone monitoring" software here and keep ongoing 
tabs on communications. If they manage to install the spendy version on 
your phone (or trick you into doing it), it even includes remote 
microphone activation and generates a tidy Excel spreadsheet of your 
activities each day.

Flexispy is cheap, oriented toward consumers and very worrisome. It's 
only available for Symbian so far, but less-polished remote viewing 
software or illicit copies of management tools are available for 
BlackBerry, Windows Mobile and other platforms. It's not clear if 
anti-malware products send alerts upon finding these, so the best policy 
now is to educate users on physical security and admonish them not to 
install unexpected software or updates.

10. Abuse is minimal because the network and phones are constrained.

Four words: Remember ASCII art porn. Network miscreants will work with 
what's available, and resource limitations only make those inclined to 
misbehave do so in more creative ways. The difference is that smart 
phones are quite capable, and modern 2.5G and 3G phone networks provide 
surprisingly adequate bandwidth. For example, there are now multiple 
BitTorrent clients for Symbian as well as other platforms, some phones 
are adept at seamlessly switching between cellular and unsecured Wi-Fi 
networks, and with the price point for 4+ GB flash cards dropping below 
$100, there's lots to worry about.

To paraphrase Steve Jobs, misuse of technology is a social problem, not 
a technological one. Having a well-defined policy for the use of 
converged devices is essential prior to deployment. Conversely, rolling 
out smart phones without proper guidance will lead to all sorts of 
havoc. Users might respect pay-per-minute airtime as a corporate asset, 
but unless instructed otherwise they'll think of flat-rate data services 
as free connectivity on someone else's network (not covered by your 
policy), and the phone itself as corporate tribal adornment suitable for 
display anywhere, anytime.

More to consider

Am I advocating Naomi Campbell's method of disposing of one's fancy 
mobile? No, in fact, just this month I bought a new smart phone. While 
I'm no fan of troublesome devices -- two colleagues recently commented 
that their new WM5 phones rarely crash more than once per day now -- 
mobile e-mail and Internet access are quickly becoming de rigueur. I 
made a list of the functions I needed and tried to avoid models that 
included features I would not use or could not secure.

Readers looking for a structured set of criteria for evaluating and 
selecting a specific smart phone product are encouraged to read NIST 
Special Publication 800-48 (PDF format [1]). It's a little dated, but 
when mobile system and application developers are rediscovering every 
mistake they made a decade ago with remote desktop and laptop systems, 
these old documents are right on the mark.


Jon Espenschied has been at play in the security industry for enough 
years to become enthusiastic, blas, cynical, jaded, content and 
enthusiastic again. He is currently a senior security consultant in 
Seattle, where his advice has been ignored by CEOs, auditors and 
sysadmins alike.

This column has been edited to correct a misstatement: The Symbian OS is 
in fact owned in part by Nokia and Sony Ericsson.

[1] http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Sun Mar 25 2007 - 22:47:24 PST