[ISN] Ten dangerous claims about smart phone security

From: InfoSec News (alerts@private)
Date: Sun Mar 25 2007 - 22:33:31 PST


http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014118

By Jon Espenschied
March 23, 2007 
Computerworld

My heart sank when I first saw Al Gore pull out his BlackBerry. It was 
in the waning weeks of the 2000 presidential campaign, and there he was 
on the TV, tapping away on his then-novel converged device. Though I had 
no evidence, I was positive that whatever he was reading had already 
been perused by some conservative skunk works, with his responses 
scrutinized not long after. Given recent revelations about the 
opposition's ethics and panting obsession with domestic spying, I still 
suspect that any eavesdropping technically possible at the time was 
probably being done.

So imagine my dismay when I saw Sen. Barack Obama pulling a BlackBerry 
from his coat pocket shortly after announcing his candidacy for 
president. Like many others addicted to their converged devices (Sen. 
John McCain was apparently indulging during the last State of the Union 
speech, not sleeping), he's become a constant user, and he now uses it 
to manage a large portion of his communications. While I hope these 
politicians have IT staffers paying attention to this sort of thing, 
more often than not, a series of underinformed security and privacy 
assumptions are made shortly before sensitive information starts 
flowing.

Many common assumptions about the security and privacy of smart phones 
or other handheld converged devices are off-base or just flat-out wrong. 
For any high-value target -- whether that's a political candidate or an 
organization with valuable financial or personal data -- a little more 
thought ought to go into the process of selecting and deploying any 
device handling important data. It makes sense then to challenge the 
more widespread assumptions and consider how to handle oft-ignored 
risks.


1. It's just a phone with cool features, right?

No, it's not. There's been a major shift in smart phone architecture in 
the past few years. Yesterday's phone ran an embedded operating system 
with software hooks written for the specific model's CPU, interface, 
vocoder and radio. Today's mobile converged device is more likely to run 
software considerably more advanced and versatile than desktop systems 
just 10 years ago. That versatility is an enemy of security because it 
turns the underlying security architecture on its head.

It used to be that a phone or small handheld device had a default-deny 
security model, because every feature was added from the ground up. 
There were no extraneous services running on the device, because every 
one was purpose-built. Now most converged devices run commodity 
operating systems, such as Symbian OS (owned in part by Nokia and Sony 
Ericsson) or Microsoft's Windows CE/Mobile family, that have portability 
as a core design goal. This means there are plenty of communications 
services and data handling hooks in the code base, and it's up to phone 
and application developers to ensure unused code is removed or disabled 
where not appropriate.

No one wants to annoy customers, so more often than not, a wide range of 
services and interfaces is included and enabled -- equivalent to a 
default-allow stance. While I'm a fan of open systems, it's worth 
evaluating a mobile device that provides the features you want and no 
more in the base configuration -- perhaps a "feature phone" instead of 
a smart phone -- and place less priority on the capacity for upgrades 
and expansion.


2. It's stable, just like any other purpose-built appliance.

Don't assume that the lack of operating system patches and application 
updates for a smart phone means that they aren't needed. In the short 
history of mobile malware, Symbian received bad press by playing host to 
the first, the Cabir worm. However, Windows CE wasn't far behind with 
the Duts virus and Brador Trojan. Even single-purpose network devices 
are periodically found vulnerable to network and service exploits, and 
vendors ought to make updates available in a timely manner.

The bad news is that mobile platform vendors are still very slow to 
issue operating system and application patches. The only practical way 
to mitigate this is through a mix of process and technology: Teach users 
proper skepticism of e-mailed attachments and unexpected connection or 
update confirmations, and implement anti-malware programs for those who 
just keep clicking "OK."


3. Communications are encrypted from end to end.

BlackBerry and Sidekick users may have heard that their communications 
are encrypted "end to end," but e-mail and other communications are 
encrypted only from the phone to the phone company or service provider's 
servers. Beyond that point, e-mail, instant messages and file transfers 
may be transmitted unencrypted over the public Internet by default.

This is less of a concern for closed organizations where everyone 
involved uses the same services, but vendors, partners, consultants and 
others outside the organization often use their own e-mail addresses and 
smart phones on other carriers. There's no guarantee of message 
encryption in these cases, and the risk is no better or worse than any 
other Internet e-mail.


4. The connection's secure unless I use Wi-Fi in a cafe.

Some might be concerned about the cellular connection itself. The GPRS 
and EDGE data protocols used by T-Mobile and Cingular are based on GSM, 
and GSM authentication algorithms such as A5 have been broken in ways 
that allow a motivated eavesdropper to reconstruct voice and data 
conversations with only a few thousand dollars of equipment. CDMA and 
associated algorithms are mildly more secure, but many carriers choose 
not to implement all of the security controls available because of 
performance and handset compatibility.

Use a VPN to mitigate this problem for sensitive data and make sure 
essential services are encrypted at the application level using SSL or 
similar protocols. While it might seem redundant, using a voice-over-IP 
client through a smart phone's VPN data connection is one way to ensure 
that voice calls are private. Direct SIP-compliant VoIP clients are best 
for this; closed-protocol applications such as Skype Mobile may try to 
route across a public connection even if a VPN is available. It also may 
relay connections between NAT endpoints through random clients on the 
Internet, so it's not a good candidate in this scenario.

It's also worth noting that VoIP with AEC, one of the features of 
Windows Mobile 5, is not encryption. AEC refers to Acoustic Echo 
Canceling, not the NIST Advanced Encryption Standard ("AES") described 
in FIPS 197.


5. E-mails and messages are secure from prying eyes.

Whoever controls your smart phone application server has access to your 
data. While smart phone service providers and software packages all 
provide a modicum of access control, administrators with root access can 
always get at your information if they want.

While your corporate IT department might not be spying on marketing on 
behalf of finance, Obama might want to take note that congressional IT 
organizations that serve both Democratic and Republican senators have 
had several incidents involving e-mail disclosures to other parties. In 
the midst of the Mark Foley scandal, it was interesting to note a person 
described in the media as a "Democratic operative" was able to retrieve 
and forward messages sent months earlier from a Republican 
representative's smart phone.

Know where messages and other data reside when sent from a smart phone. 
If service is provided by a neutral vendor, make sure you have a 
service-level agreement that considers whether your data may be 
commingled with other businesses -- possibly your competitors -- on the 
same systems. Those with specific competitive concerns ought to run 
their own systems using their own administrative staff. Obama would do 
well to use a device controlled by the Democratic National Committee or 
his own campaign, rather than one managed by Senate IT staff and easily 
influenced pages.


6. Using a mobile phone constitutes out-of-band communication.

A phone call over a landline used to be an acceptable method for 
communicating out-of-band administrative information. For example, a 
system administrator might call you back at your desk to verbally give 
you a new password (which you then changed, right?). This worked because 
the desk phone was isolated from the network and system resources to 
which you were being given access.

Not so anymore. If you lose your smart phone and IT calls you back on 
that mobile number to confirm the trouble ticket, is it a meaningful 
method of verifying the identity or location of the person who answers? 
Of course not. Possession of the number means little if anything 
anymore, especially since most phones will allow answering of an 
incoming call even when locked.

IT help desks should cross callbacks off the list of acceptable methods 
of identity verification for anything to do with mobile devices or 
remote access. The new BlackBerry Smart Card Reader is a viable option 
for those who need to authenticate using something they possess, and 
while similar options lag a little on other platforms, they are 
available.


7. I trust the integrity of data and applications on a smart phone.

On modern desktop and server systems, file systems with journaling, 
database-like features and integrated backup are common. Not so with 
mobile devices, where almost all data integrity relies upon some sort of 
synchronization with a stable fixed server system for backup and 
management.

Windows Mobile users can use a variety of synchronization options to 
ensure that messages and data on the mobile device are consistent with a 
central Microsoft-based repository such as Exchange, SharePoint or even 
Groove file-share workspaces. BlackBerry Enterprise users have 
over-the-air device security options that include data synchronization 
and backup, and remote shutdown options for lost devices. (A product 
called SyncBerry provides advanced sync and backup features to 
SyncML-capable systems, and extends some of the BlackBerry goodness to 
Symbian users.)

T-Mobile's Sidekick, on the other hand, stores very little data locally 
because it's constantly synchronizing with the servers at Danger Inc., 
the manufacturer. If the device is lost, damaged or reset, data can be 
reloaded on the device by logging in with a name and password. However, 
this means that data is stored at a service provider with which 
individuals have a rather one-sided service-level agreement unsuitable 
for corporate use.

All of this can be protected by setting the device to require a passcode 
at start-up. If the wrong passcode is entered four times on Sidekick, 
local data is erased but can be restored by a remote password reset on 
the management Web site. Security administrators might lament the 
scarcity of people who use this feature, but it's interesting to note 
that the young thief who acquired the now-famous Sidekick II in New 
York last year was identified and arrested only because she had access 
to the phone, sent messages and took pictures of herself -- which then 
synchronized with the legitimate owner's account on the Danger servers.

What about application integrity? OK, you say, you'll just install 
digitally signed or approved applications. A few months ago, some 
enterprising pot-stirrers managed to buy a BlackBerry code-signing key 
from RIM (arguably the most security-oriented of the smart phone 
vendors) for $100, no questions asked. This is all bad. Users tricked 
into giving network access to unsigned applications may be opening 
themselves up to all sorts of spyware, message relay and other malware, 
but signed applications don't even require consent to suspicious 
prompts. It's far better to teach astute users about acceptable 
applications and forbid the rest from installing anything. The choice of 
installable applications ought to be from a whitelist -- or no list.


8. Information deleted from a smart phone is gone, right?

Most converged devices have relatively small storage capacities, and use 
variants of the venerable FAT file system. When a file is deleted, the 
markers for the beginning and end of the data on the storage media are 
removed so that it is no longer retrievable by normal means (orphaned). 
However, the actual data remains until it's overwritten. There are no 
guarantees against orphaned data. In fact, the whole practice of cell 
phone forensics rests on the availability of orphaned data and logs.

I'm not aware of any smart phone that comes with a secure delete 
function to remove orphaned file system data. Perhaps, Apple will 
include the file system wiping option from OS X in its forthcoming 
iPhone, but it's not present in any of the other major players' 
offerings. With many smart phones offering basic word processing and 
spreadsheet applications, residual data from deleted copies becomes even 
more of an issue.

IT staffers responsible for disposal of outdated smart phones should use 
tools to ensure that residual data is removed. The simple method is to 
copy and erase chunks of data onto the device in a manner that fills the 
flash memory or hard disk, but forensically sound methods are available 
from various vendors. If the device memory can't be erased, it should be 
destroyed -- a damaged but repairable smart phone ought not be found in 
the trash. Those resorting to a hammer are advised to remove the Li-Ion 
battery first.
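As an added illustration that is not part of the column, the toy FAT-style volume below (constructed for this example, with tiny clusters) shows why a deleted file's bytes remain in the clusters until something overwrites them, and why the fill-the-flash disposal advice above works:

```python
# Toy FAT-style volume: delete marks the directory entry and frees the chain only.
CLUSTER = 16            # bytes per cluster (constructed, tiny for illustration)
NCLUSTERS = 8
FREE, EOC = 0, 0xFFF    # FAT entry values: unallocated / end of chain
ERASED = bytes([0xFF]) * CLUSTER   # state of an erased flash block

class ToyFat:
    def __init__(self):
        self.fat = [FREE] * NCLUSTERS
        self.data = [bytearray(CLUSTER) for _ in range(NCLUSTERS)]
        self.entries = []   # directory: {"name", "first", "size", "deleted"}

    def write(self, name, payload):
        chunks = [payload[i:i + CLUSTER] for i in range(0, len(payload), CLUSTER)]
        free = [i for i, e in enumerate(self.fat) if e == FREE]
        for n, chunk in enumerate(chunks):
            c = free[n]
            self.data[c][:len(chunk)] = chunk
            self.fat[c] = free[n + 1] if n + 1 < len(chunks) else EOC
        self.entries.append({"name": name, "first": free[0],
                             "size": len(payload), "deleted": False})

    def delete(self, name):
        entry = next(e for e in self.entries if e["name"] == name and not e["deleted"])
        entry["deleted"] = True      # real FAT writes 0xE5 over the name's first byte
        c = entry["first"]           # release the chain; cluster contents untouched
        while c != EOC:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt

    def live_files(self):
        return [e["name"] for e in self.entries if not e["deleted"]]

    def carve(self, needle):
        # What a forensic tool does: scan raw clusters, ignoring FAT and directory.
        return [i for i, blk in enumerate(self.data) if needle in blk]

    def wipe_free_space(self):
        # The column's disposal advice: overwrite every unallocated cluster.
        for i, e in enumerate(self.fat):
            if e == FREE:
                self.data[i][:] = ERASED

def demo():
    vol = ToyFat()
    vol.write("memo.txt", b"draft press release: concede at 9pm")  # constructed
    vol.delete("memo.txt")
    gone = "memo.txt" not in vol.live_files()     # normal listing: file is gone
    before = vol.carve(b"concede")                # ...but carving still finds it
    vol.wipe_free_space()
    after = vol.carve(b"concede")                 # after overwrite: nothing left
    return gone, before, after                    # (True, [1], [])
```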


9. Spying on my smart phone is hard.

Think spying on your activities is hard? Think again. Most smart phones 
have no equivalent of Bluetooth authentication when plugged in; they 
just become slave USB devices and give up all your data. Worse yet, a 
rogue employee, jealous husband or political opponent can buy backdoor 
malware ... uh, "remote phone monitoring" software here and keep ongoing 
tabs on communications. If they manage to install the spendy version on 
your phone (or trick you into doing it), it even includes remote 
microphone activation and generates a tidy Excel spreadsheet of your 
activities each day.

Flexispy is cheap, oriented toward consumers and very worrisome. It's 
only available for Symbian so far, but less-polished remote viewing 
software or illicit copies of management tools are available for 
BlackBerry, Windows Mobile and other platforms. It's not clear if 
anti-malware products send alerts upon finding these, so the best policy 
now is to educate users on physical security and admonish them not to 
install unexpected software or updates.


10. Abuse is minimal because the network and phones are constrained.

Four words: Remember ASCII art porn. Network miscreants will work with 
what's available, and resource limitations only make those inclined to 
misbehave do so in more creative ways. The difference is that smart 
phones are quite capable, and modern 2.5G and 3G phone networks provide 
surprisingly adequate bandwidth. For example, there are now multiple 
BitTorrent clients for Symbian as well as other platforms, some phones 
are adept at seamlessly switching between cellular and unsecured Wi-Fi 
networks, and with the price point for 4+ GB flash cards dropping below 
$100, there's lots to worry about.

To paraphrase Steve Jobs, misuse of technology is a social problem, not 
a technological one. Having a well-defined policy for the use of 
converged devices is essential prior to deployment. Conversely, rolling 
out smart phones without proper guidance will lead to all sorts of 
havoc. Users might respect pay-per-minute airtime as a corporate asset, 
but unless instructed otherwise they'll think of flat-rate data services 
as free connectivity on someone else's network (not covered by your 
policy), and the phone itself as corporate tribal adornment suitable for 
display anywhere, anytime.

More to consider

Am I advocating Naomi Campbell's method of disposing of one's fancy 
mobile? No, in fact, just this month I bought a new smart phone. While 
I'm no fan of troublesome devices -- two colleagues recently commented 
that their new WM5 phones rarely crash more than once per day now -- 
mobile e-mail and Internet access are quickly becoming de rigueur. I 
made a list of the functions I needed and tried to avoid models that 
included features I would not use or could not secure.

Readers looking for a structured set of criteria for evaluating and 
selecting a specific smart phone product are encouraged to read NIST 
Special Publication 800-48 (PDF format [1]). It's a little dated, but 
when mobile system and application developers are rediscovering every 
mistake they made a decade ago with remote desktop and laptop systems, 
these old documents are right on the mark.

-=-

Jon Espenschied has been at play in the security industry for enough 
years to become enthusiastic, blasé, cynical, jaded, content and 
enthusiastic again. He is currently a senior security consultant in 
Seattle, where his advice has been ignored by CEOs, auditors and 
sysadmins alike.

This column has been edited to correct a misstatement: The Symbian OS is 
in fact owned in part by Nokia and Sony Ericsson.

[1] http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf





This archive was generated by hypermail 2.1.3 : Sun Mar 25 2007 - 22:47:24 PST