Smartphones Security - University of Colorado …cs.uccs.edu/.../snaraya/doc/SmartphoneSecurityRpt.doc · Web view1.3 Smartphones In smartphone technology the mobile phone is added

Smartphones Security


Sujeeth NarayanCS691

May 2005

CS691 Sujeeth Narayan 1


Table of Contents

1 Introduction.......................................................................................................................21.1 Mobile Phones...........................................................................................................21.2 Wireless Technologies...............................................................................................21.3 Smartphones..............................................................................................................2

2 Security Risks...................................................................................................................22.1 Risks due to Inherent Characteristics........................................................................22.2 Risks related to the users.....................................................................................22.3 Risks related to Wireless Networks.....................................................................2

2.3.1 Infrared........................................................................................................22.3.2 Bluetooth......................................................................................................22.3.3 GPRS...........................................................................................................2

2.4 Security Policy.....................................................................................................2

3 Unified Framework......................................................................................................23.1 Introduction................................................................................................................23.2 Authentication Mechanisms................................................................................23.3 Picture Password..................................................................................................2

3.3.1 Algorithm.....................................................................................................2

4 Conclusion...................................................................................................................2

5 References....................................................................................................................2



1 Introduction

1.1 Mobile Phones

Current mobile phones differ quite a lot from the first mobile phones. The 1st

generation mobile phones (1G) used analogue technology and different countries

used different incompatible standards, leaving a mobile phone useless in a foreign

country.

It was then that the Conférence des Administrations Européenes des Postes et

Télécommunications (CERT), a collaboration of telecom administrations of twentysix

European countries, established a committee to develop a pan-European solution to

mobile communication, the Groupe Specéciale Mobile (GSM). Today's second-

generation GSM networks deliver high quality and secure mobile voice and data services,

such as Short Message Service (SMS) text messaging with full roaming capabilities

across the world.

1.2 Wireless Technologies

GSM is a mobile phone network used mainly for voice phone calls and sending

and receiving SMS messages, for data transfer GSM is very slow and thus not

used for data. The addition of GPRS gives users faster data connection over the

same GSM network. UMTS is the third generation (3G) of mobile phone networks

providing an even faster data connection. WLAN is faster then UMTS but, today’s



mobile terminals do not have WLAN connection possibilities yet, this due to the

high power consumption of WLAN.

IrDA and Bluetooth are mainly used for small amount of data like synchronisation

of contacts between Personal Data Assistants (PDA’s) or mobile terminals and

computers. The big disadvantage of IrDA over Bluetooth is the connecting

devices must be in line of sight in order to exchange data. But Bluetooth radio

waves penetrate clothes, briefcases and thin walls, so it is for example

unnecessary to take out the device from your briefcase before exchanging data.



1.3 Smartphones

In smartphone technology the mobile phone is added with many features such as

organizer, voice recorder, mp3 player, video camera, email, web browsing and more with

more technology advancement.

Below in Fig 1.1 is a sample screen shot of a Smartphone in the current market.

Fig 1.1 Sony P900

They have the special feature of synchronizing the mobile with a computer using a

common interface (USB).

All the smartphones are designed to run an Operating System suitable for it. The

currently well known mobile version Operating Systems are:

Symbian and Microsoft Smartphone TM

A recent survey by market research firm IDC shows that major mobile operating

systems are Symbian OS, Microsoft Windows Mobile, Palm OS and Linux (Figure

8) [Forbes 2003].



Fig 1.2 : Mobile OS market shares 2002 and 2006 projection by IDC

• Symbian

Symbian is owned and supported by Ericsson, Nokia, Panasonic, Psion, Samsung

Electronics, Siemens and Sony Ericsson. At the moment there are 12 mobile phones

available with the Symbian OS build by the owners or Symbian licensees (Such as

Motorola and BenQ).

• Microsoft

Windows Mobile is developed by Microsoft. Microsoft has an enormous market-share for

pc OS’s. But Mobile Windows has a hard time gaining a firm foothold in the Mobile OS

market for mobile terminals. This due to the enormous power the multinational Microsoft

has over smaller companies. Currently available Microsoft Windows Smartphone is

Audiovox SMT 5600.



2 Security RisksSecurity risks are the major concern in my research. According to the findings risks could

be classified according to the following.

2.1 Risks due to Inherent Characteristics

As described above, smartphones come equipped with dedicated operating systems. This

in itself will induce new risks such as the emergence of security holes and bugs, mainly

due to the complex architecture of these operating systems. For example, known issues in

the implementation of Java MIDP 2.0 in the Nokia 6600. It is possible to exploit these

bugs to jam devices and provoke a reset. This would erase the data stored on the device.

System-based vulnerabilities will be making their way in smartphones, just as they do on

computers as smartphone operating systems will grow in sophistication.

Another issue linked to the inherent nature of smartphones revolves around access control

and data security.

As there is no form of encryption used to protect the data inside the devices, the

information remains at hand for anyone that can gain physical access to the device. Other

than the PIN code, there is no native form of authentication for the most widely used

smartphones despite the face they ate very often used to store personal and maybe

confidential data. Even if a pin code is protecting access to the telephone features,

sometimes the data remains unprotected. Moreover data is stored on flash chipsets so,

with physical access to the chipset anyone can bypass the access controls and steal data.



This is a risk to be considered by manufactures to push down the security feature or the

users have to setup their own. There would be trade-off between ease of use and security.

2.2 Risks related to the users

Pointsec Mobile Technologies conducted a survey on the mobile usage. The results are as below in Fig 2.1.

Fig 2.1 Mobile Usage Survey – Pointsec Mobile Technologies

The survey shows that the mobiles are used for storing important information without

being aware of the security risks. As discussed above there is no proper data encryption

mechanism to keep information secure. With illegitimate connection, an attacker can

access information stored.

More importantly the smartphones could be easily synchronized to access corporate

emails, which could be a threat to the organization information system. As there may not

be authentication of the user for every action in synchronization, Trojan horse or worms

could deceivingly pass to the smartphone of the corporate internal network.



2.3 Risks related to Wireless Networks

Connectivity of smartphones to a variety of different networks present’s risks due to the

inherent nature of the wireless medium and the always-on connectivity provided by 2.5G,

3G networks. The interconnection of different types of wireless networks incurred by 4G

networks will escalate these risks factoring in rebound and complexity.

2.3.1 Infrared

Risks due to Infrared connection are less, due to the need of physical alignment, unless

the device is not in control of the user. There could be risks in synchronization using

Infrared.

2.3.2 Bluetooth

Bluetooth provides security features. However, very often these features are not

implemented nor activate on smartphones.

In most cases, the implementation of Bluetooth security in smartphones is restricted to

the pairing mechanism and setting the Bluetooth mode to “non-discoverable”.

Tools such as Redfang and BTscanner bypass the non-discoverable mode by brute-

forcing the last 6 bytes of the Bluetooth address and calling the read_remote_name()

function. Redfang works on a Linux platform.

Other tools such as BTbrowser developed for Nokia 6600 and SonyEricsson P900 allow

a user to list surrounding devices and browse available files as well as PIM data.

It won’t be long before smartphone versions of Redfang are out.

Bluejacking is a term referred to a hijacking a mobile device using Bluetooth

technology. Commonly the pattern followed is:



•Putting a message in place of ones device name

•Sending it with a pairing request

•With a prompting message, the victim presses a key (Yes/No)

•Victim would be allowing attacker to access files

It is also possible to have a buffer overflow attack using Bluetooth. It was seen in Nokia

phones a mal-formed OBEX message is vulnerable to buffer overflow attack.

There are more vulnerabilities in the Bluetooth implementation of certain smartphones,

which are being discovered.

The actual protocol implementation is complex and hence there could be some design

flaws or code flaws during the implementation by individual vendor.

2.3.3 GPRS

Smartphones connected to the GPRS are exposed to risks originating from the GPRS IP

Backbone. Security of the GPRS backbone depends on the measures taken by the

operator to secure the GGSN (Gateway GPRS Support Node). If the GGSN is

compromised, the GPRS operator’s subscribers are exposed to attacks from the Internet.

GPRS are always on connectivity, which makes it more vulnerable for the

applications using the service. Applications such as email, Web Browser could be

attacked like a normal computer system being attacked through Internet.

A recent personal experience was when I received an offline text message from a

friend through Internet. It had some malicious code, I guess. After I read the message, the

mobile battery power was reducing at fast pace. In normal usage the battery would loose



80% power in 2 days but that day it lost that much power in around 6 hours. By deleting

that message, unloading all the running programs and restarting the mobile was the

comeback.

2.4 Security Policy

There is a need for every organization to reconsider its technology related security

policies. Many of them don’t consider smartphone devices while making a policy. This

is a big risk to the company as there could be many issues arising.

There cannot be options such as:

Banning the personal use of smartphones

Physically control and enforce the use.

A better way could be by defining policies such as:

Controlled Synchronization by the employee

The use of device in beware hotspots (to deactivate Bluetooth)

Information exchange/download between the device and Enterprise System

A major step by enterprises is to recognize Smartphones as possible threat to the

organization. Some companies would restrict the use of personal CD’s in the company

resources. Smartphones now can have equal capacity and more capability than just CD’s.



3 Unified Framework

3.1 Introduction

In my initial idea of the project, the plan was to develop a framework, which would give

solid framework with all the suitable and required security technologies for smartphones.

With the research I found NIST (National Institute of Standards and Technology) to have

sponsored a project called Unified Security Framework for mobile devices.

The security aspects that are addressed by the framework are as below: “

User Authentication - Strong user authentication is the first line of defense for an

unattended, lost, or stolen device. Multiple modes of authentication increase the

work factor for an attacker; however, very few devices support more than one

mode, usually password-based authentication.

Content Encryption - With sufficient time and effort an authentication mechanism

can be compromised. Content encryption is the second line of defense for

protecting sensitive information.

Policy Controls - When a device is active, various attacks can occur. Policy rules,

enforced for all programs regardless of associated privileges, protect critical

components from modification, and limit access to security-related information. ”



The framework supports multiple policy contexts, which could be implemented for

operation. The contexts are such as restricted and unrestricted, or low, medium and

high security.

3.2 Authentication Mechanisms

Mobile devices have different usability, different applications and different capacity

when compared to normal desktop computer. Hence not all authentication mechanism

can be sued for the mobile device also.

With further research, I found an interesting paper on new approach to the authentication

mechanism.

3.3 Picture Password

This is a recently published paper - Picture Password:

A Visual Login Technique for Mobile Devices

by Wayne Jansen

et al.

I chose because it is great idea for the simple mobile interface and it is an interesting

algorithm for less powerful processor in the mobile devices.



The main idea is that a visually inclined mobile user can easily remember a password in

form of picture and also easy for any user to enter using a joystick/navigate buttons than

the keypad on the mobile device.

3.3.1 Algorithm

In this algorithm the images are sorted out into a matrix in a thumbnail size. Then the

user sets his choice of images as the password. The selected matrix number i.e.

selected[i][j] where i is the selected image row number and j is the selected image

column number.

Corresponding to each of these matrix cells a value is associated.

This value is then mapped onto a series of Alphanumeric ASCII values.

Many of the values would be out of the range of Alphanumeric series.

According their research, with 30 thumbnail images to choose, the effective size of the

alphabet is 930. The password strength is discussed in detail in the paper.

Fig 3.1 shows the mapping of Image Matrix to Value Matrix

Fig 3.1 Image matrix vs. Value matrix



4 Conclusion

From my research I understand that smartphone technologies would grow more to

support more capabilities and more capacity. With this there is added security risks and

concerns.

There should be an important step taken by an organization to include smartphones in

their policies.

There is also scope for Standard framework that could be implemented by an Enterprise

to include smartphones in their network. This standard framework could have security

mechanisms such central authentication using User Enterprise Login.

Even the vendors or mobile application developers should probably make use of the

standard security framework such as NIST given Unified Framework. This will make

applications consistent and stable to attacks.



5 References

http://csrc.nist.gov/mobiledevices/projects.html - NIST Unified Framework

http://www.wirelessdev.net

http://www.smartphonethoughts.com

http://www.AirScanner.com -Mobile Firewall and Antivirus

http://www.PointSec.com - Mobile Security Software

http://www.blackhat.com


http://www.blackhat.com/

http://www.pointsec.com/

http://www.airscanner.com/

http://www.smartphonethoughts.com/

http://www.wirelessdev.net/

http://csrc.nist.gov/mobiledevices/projects.html

Documents

Smartphones Security - University of Colorado …cs.uccs.edu/.../snaraya/doc/SmartphoneSecurityRpt.doc · Web view1.3 Smartphones In smartphone technology the mobile phone is added