Mobile Security

Security Mini Spring School

BCS Bristol Branch

David Rogers

23rd March 2015

Copyright © 2015 Copper Horse Solutions Ltd. All rights reserved.

http://www.mobilephonesecurity.org

Introduction

Mobile security is a huge topic

This is just a taster!

If you’re interested in more: http://www.cs.ox.ac.uk/softeng/subjects/MSS.html

Some History

Phones have constantly been under attack
– Fraudsters
  • Premium rate / international calling
  • Subsidy fraud
– Call interception
– Denial of Service
– Device Hacking
– Nation state attacks
– Journalists
– Etc.

Continuous security improvement
– Networks and devices

Hacking, Cracking, Jailbreaking and Rooting

THE THREAT LANDSCAPE

The problem with devices

People tamper with things!

Is it real?

From: http://www.littleredbook.cn/2009/07/06/obamas-sponsorship-of-shanzhai-blockberry-chinese-netizens-reactions/

Technical threat vectors

Handset theft

Anti-Theft Measures

Continued global industry work since 1999

GSMA Global Database

9 principles and other device hardware security work

IMEI weakness and reporting process

SG.24 – Anti-Theft Device Feature Requirements

• Network operators already requesting in device requirements

• Input and comment from major manufacturers including Samsung, Google and Apple

Continuing to look at in-network measures

Partnership approach works: industry / government / Police

• Societal issue, not a technological one

Police Theft Awareness Campaigns

UK Home Office TV Advert Campaign

Mobile Phone Security - David Rogers

Mobile malware

Mainly an issue for Android – and only where the user goes ‘off-piste’ from the official app store

Some drive-by downloads observed

Getting a lot more organised – much more focus on mobile

Lots of FUD still from anti-virus vendors

Lots of “Spouseware!” – Someone you know uses it combined with a jailbreak

Mobile Malware (2)

Don’t believe everything you read in the press

Mobile is different to the PC world

Spouseware…

Malware (3)

“You are more likely to get struck by lightning in your entire lifetime than you are to be infected by mobile malware”

Patrick Traynor, Georgia Tech, March 2013

DEVICE SECURITY TECHNOLOGIES AND THE MOBILE INDUSTRY

Hardware-level security

Has got significantly better in mobile phones

Still extensively targeted

What does the future hold?

– Not just mobile handsets anymore – small cells, automotive etc.

– Step-change seems to have worked rather than ‘the-moon-on-a-stick’

– Classes of devices? [slide image: two device classes compared side by side, “vs”]

Platform software updates

From Michael DeGusta http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support

Application security

General harmonisation of mechanisms

– Digital signatures and encryption

– Application isolation

– No redistribution of apps from device

– Permissions - principle of least privilege

– Authorised app stores

– Software security methods

– Protection of sensitive keys and authentication info.

Some things (like user permissions) need to be improved

Future web-based mobile platforms need to implement and build/improve on this

Responsible disclosure & incident handling

“USSD code attack” could reset and wipe Galaxy SIIIs

– Dialler could be remotely called from web using ‘tel’ URI

– USSD or proprietary MMI codes would execute with no user confirmation

Drive-by attack using rigged website or social engineering:
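The fix the slide implies is a dialler-side guard: a web-initiated ‘tel’ URI may be offered for dialling when it is a plain phone number, but anything in MMI/USSD syntax must be shown to the user and explicitly confirmed rather than executed. The following is an added example written for this page, not code from the presentation or from any handset vendor; the function names (classify_tel_uri, normalise_tel_uri) and the sample URIs are constructed for illustration.

```python
"""
Dialler-side guard for 'tel:' URIs that arrive from a web page.

Added example (not from the presentation, not any vendor's dialler code).
Assumption: the dialler receives the raw URI string before anything is
sent to the radio and must decide between three outcomes:
  dial              - a plain phone number, may be offered for dialling
  confirm_required  - MMI/USSD syntax ('*' or '#'), needs an explicit user tap
  reject            - not a usable tel: URI at all
"""
import re
from typing import Optional
from urllib.parse import unquote

DIAL, CONFIRM_REQUIRED, REJECT = "dial", "confirm_required", "reject"

# RFC 3966 visual separators that a dialler strips before dialling.
_VISUAL_SEPARATORS = "-.() "
# Digits with an optional leading '+' (E.164-style international number).
_PLAIN_NUMBER = re.compile(r"^\+?[0-9]{3,15}$")
# Characters that turn a "number" into an MMI/USSD string.
_MMI_CHARS = re.compile(r"[*#]")


def normalise_tel_uri(uri: str) -> Optional[str]:
    """Return the number part of a tel: URI with separators removed,
    or None when the string is not a tel: URI."""
    scheme, sep, rest = uri.partition(":")
    if sep != ":" or scheme.strip().lower() != "tel":
        return None
    # URI parameters (";phone-context=..." etc.) are not part of the number.
    number = rest.split(";", 1)[0]
    # Percent-decode first: a literal '#' would be a URI fragment, so an
    # MMI string only survives in a link as %23; the decoded form is what
    # the dialler would actually act on, so that is what we inspect.
    number = unquote(number)
    return "".join(ch for ch in number if ch not in _VISUAL_SEPARATORS)


def classify_tel_uri(uri: str) -> str:
    """Decide how a web-originated tel: URI may be handled."""
    number = normalise_tel_uri(uri)
    if not number:
        return REJECT
    if _MMI_CHARS.search(number):
        # MMI/USSD syntax: never execute on a web-initiated intent without
        # showing the full string to the user and getting an explicit tap.
        return CONFIRM_REQUIRED
    if _PLAIN_NUMBER.match(number):
        return DIAL
    return REJECT


if __name__ == "__main__":
    # Constructed sample links, as a web page might hand them to the dialler.
    for sample in ("tel:+44-20-7946-0000", "tel:*%23123%23", "http://example.test/"):
        print(f"{sample!r:32} -> {classify_tel_uri(sample)}")
```

The check deliberately decodes before inspecting: a guard that looked for a raw `#` in the link would pass the percent-encoded form straight through, which is exactly the shape a rigged web page would use.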

Mobile industry needs to get better at sharing information and working with researchers

Industry winning?

Tools such as Google’s Bouncer cause the attackers to focus on the castle walls

Samsung Knox, Blackberry OS10 and others are all increasingly improving overall device security

Source: http://cadw.wales.gov.uk/daysout/harlechcastle/?lang=en

USER EDUCATION & SECURITY BEHAVIOURS

Secure, usable, affordable devices?

Usability of security

Users will always choose dancing kittens over security.

They will get over any hurdle to get to the kittens…

Consumer education

UPCOMING TECHNOLOGY AND THE CONVERGING THREAT

Convergence across vastly different sectors

[Slide diagram: sectors converging around “Security & Privacy?” – Televisions & set-top boxes; Vehicles; White goods; Other consumer electronics; Street furniture; mHealth / patient monitoring; Smart pills. Example data and functions shown: streaming media, temperature sensors, timers, location, messaging, gallery, weight, speed, diagnostics / telematics, fares / charging, dosage, information, control]

Electronic street sign: via Wikimedia / Ross

Smart pills from: http://www.themalaysianinsider.com/features/article/sensorised-smart-pills-to-launch-in-uk

Truly connected devices

[Slide diagram: the phone at the centre of the connected devices]

What is Home Security?

From: http://www.independent.co.uk/news/world/americas/hacker-takes-control-of-ohio-couples-baby-monitor-and-screams-bad-things-9296986.html

www.nest.com

Mobile Cyber Security?

Emerging Device Security & Privacy

The ever-evolving SIM

• UICC supports multiple javacard applets

• SIM, USIM and ISIM all applications

• Embedded NFC

• Updateable and configurable remotely

MFF2 (machine-to-machine form factor)

– embedded SIM

– surface mount

– mainly used for M2M

Some security issues e.g. Karsten Nohl ‘Rooting SIM cards’ 2013

http://m2mworldnews.com/2012/07/18/47198-rapid-migration-to-embedded-sim-forecast-for-cellular-m2m/

http://commons.wikimedia.org/wiki/File:GSM_SIM_card_evolution.svg

https://srlabs.de/rooting-sim-cards/

Biometrics

Still immature on mobile devices

– Early solutions easy to defeat (e.g. gummy finger etc.)

– Other types difficult to use

– Requires significant processing power

– iPhone 5S introduced TouchID

– 990 million devices with fingerprint sensors predicted by 2017

Increased risk for the user

– User as unlock key means user becomes the target of attack

– Same issue as car crime

Also see: http://blog.mobilephonesecurity.org/2013/09/you-are-key-fingerprint-access-on.html

Challenges for biometrics

False negatives:

– Eyelashes too long

– Long fingernails

– Arthritis

– Circulation problems

– People wearing hand cream

– People who’ve just eaten greasy foods

– People with brown eyes

– Fingerprint abrasion, includes: Manual labourers, typists, musicians

– People with cuts

– Disabled people

The Future?

Mobile extending outwards

– Internet of Things / Machine-to-machine

– Embedded SIM

– Next generation networks

– Connected car

– Connected homes / businesses

– Payment and banking

What about privacy?

Mobile handset will be at heart of everything

The “things” will need securing

Fraud / security issues won’t go away, they’ll just evolve

GSMA Fraud and Security Group

[Slide organisation chart: Products & Services; Management Committee; Fraud & Security Group; Device Security Group; Mobile Malware Group; Fraud & Security Architecture Group; Roaming & Interconnect Fraud & Security; Fraud & Security Comms.; Security & Fraud Risk Assessment; Security Assurance Group; Fraud & Security Advisory Panel; regional groups: Asia, Africa, Latin America]

Questions?

david.rogers @ copperhorse.co.uk

@drogersuk

Mobile Security: A Guide for Users: http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a-guide-for-users/paperback/product-21197551.html