Smartphones Security

Total Page:16

File Type:pdf, Size:1020Kb

Smartphones Security

Smartphones Security Smartphones Security

Sujeeth Narayan CS691 May 2005

CS691 Sujeeth Narayan 1 Smartphones Security

Table of Contents

1 Introduction...... 2 1.1 Mobile Phones...... 2 1.2 Wireless Technologies...... 2 1.3 Smartphones...... 2

2 Security Risks...... 2 2.1 Risks due to Inherent Characteristics...... 2 2.2 Risks related to the users...... 2 2.3 Risks related to Wireless Networks...... 2 2.3.1 Infrared...... 2 2.3.2 Bluetooth...... 2 2.3.3 GPRS...... 2 2.4 Security Policy...... 2

3 Unified Framework...... 2 3.1 Introduction...... 2 3.2 Authentication Mechanisms...... 2 3.3 Picture Password...... 2 3.3.1 Algorithm...... 2

4 Conclusion...... 2

5 References...... 2

CS691 Sujeeth Narayan 2 Smartphones Security

1 Introduction

1.1 Mobile Phones

Current mobile phones differ quite a lot from the first mobile phones. The 1st generation mobile phones (1G) used analogue technology and different countries used different incompatible standards, leaving a mobile phone useless in a foreign country.

It was then that the Conférence des Administrations Européenes des Postes et

Télécommunications (CERT), a collaboration of telecom administrations of twentysix

European countries, established a committee to develop a pan-European solution to mobile communication, the Groupe Specéciale Mobile (GSM). Today's second- generation GSM networks deliver high quality and secure mobile voice and data services, such as Short Message Service (SMS) text messaging with full roaming capabilities across the world.

1.2 Wireless Technologies

GSM is a mobile phone network used mainly for voice phone calls and sending and receiving SMS messages, for data transfer GSM is very slow and thus not used for data. The addition of GPRS gives users faster data connection over the same GSM network. UMTS is the third generation (3G) of mobile phone networks providing an even faster data connection. WLAN is faster then UMTS but, today’s mobile terminals do not have WLAN connection possibilities yet, this due to the high power consumption of WLAN.

CS691 Sujeeth Narayan 3 Smartphones Security

IrDA and Bluetooth are mainly used for small amount of data like synchronisation of contacts between Personal Data Assistants (PDA’s) or mobile terminals and computers. The big disadvantage of IrDA over Bluetooth is the connecting devices must be in line of sight in order to exchange data. But Bluetooth radio waves penetrate clothes, briefcases and thin walls, so it is for example unnecessary to take out the device from your briefcase before exchanging data.

CS691 Sujeeth Narayan 4 Smartphones Security

1.3 Smartphones

In smartphone technology the mobile phone is added with many features such as organizer, voice recorder, mp3 player, video camera, email, web browsing and more with more technology advancement.

Below in Fig 1.1 is a sample screen shot of a Smartphone in the current market.

Fig 1.1 Sony P900

They have the special feature of synchronizing the mobile with a computer using a common interface (USB).

All the smartphones are designed to run an Operating System suitable for it. The currently well known mobile version Operating Systems are:

Symbian and Microsoft Smartphone TM

A recent survey by market research firm IDC shows that major mobile operating systems are Symbian OS, Microsoft Windows Mobile, Palm OS and Linux (Figure

8) [Forbes 2003].

CS691 Sujeeth Narayan 5 Smartphones Security

Fig 1.2 : Mobile OS market shares 2002 and 2006 projection by IDC

• Symbian

Symbian is owned and supported by Ericsson, Nokia, Panasonic, Psion, Samsung

Electronics, Siemens and Sony Ericsson. At the moment there are 12 mobile phones available with the Symbian OS build by the owners or Symbian licensees (Such as

Motorola and BenQ).

• Microsoft

Windows Mobile is developed by Microsoft. Microsoft has an enormous market-share for pc OS’s. But Mobile Windows has a hard time gaining a firm foothold in the Mobile OS market for mobile terminals. This due to the enormous power the multinational Microsoft has over smaller companies. Currently available Microsoft Windows Smartphone is

Audiovox SMT 5600.

CS691 Sujeeth Narayan 6 Smartphones Security

2 Security Risks Security risks are the major concern in my research. According to the findings risks could be classified according to the following.

2.1 Risks due to Inherent Characteristics

As described above, smartphones come equipped with dedicated operating systems. This in itself will induce new risks such as the emergence of security holes and bugs, mainly due to the complex architecture of these operating systems. For example, known issues in the implementation of Java MIDP 2.0 in the Nokia 6600. It is possible to exploit these bugs to jam devices and provoke a reset. This would erase the data stored on the device.

System-based vulnerabilities will be making their way in smartphones, just as they do on computers as smartphone operating systems will grow in sophistication.

Another issue linked to the inherent nature of smartphones revolves around access control and data security.

As there is no form of encryption used to protect the data inside the devices, the information remains at hand for anyone that can gain physical access to the device. Other than the PIN code, there is no native form of authentication for the most widely used smartphones despite the face they ate very often used to store personal and maybe confidential data. Even if a pin code is protecting access to the telephone features, sometimes the data remains unprotected. Moreover data is stored on flash chipsets so, with physical access to the chipset anyone can bypass the access controls and steal data.

CS691 Sujeeth Narayan 7 Smartphones Security

This is a risk to be considered by manufactures to push down the security feature or the users have to setup their own. There would be trade-off between ease of use and security.

2.2 Risks related to the users

Pointsec Mobile Technologies conducted a survey on the mobile usage. The results are as below in Fig 2.1.

Fig 2.1 Mobile Usage Survey – Pointsec Mobile Technologies

The survey shows that the mobiles are used for storing important information without being aware of the security risks. As discussed above there is no proper data encryption mechanism to keep information secure. With illegitimate connection, an attacker can access information stored.

More importantly the smartphones could be easily synchronized to access corporate emails, which could be a threat to the organization information system. As there may not be authentication of the user for every action in synchronization, Trojan horse or worms could deceivingly pass to the smartphone of the corporate internal network.

CS691 Sujeeth Narayan 8 Smartphones Security

2.3 Risks related to Wireless Networks

Connectivity of smartphones to a variety of different networks present’s risks due to the inherent nature of the wireless medium and the always-on connectivity provided by 2.5G,

3G networks. The interconnection of different types of wireless networks incurred by 4G networks will escalate these risks factoring in rebound and complexity.

2.3.1 Infrared

Risks due to Infrared connection are less, due to the need of physical alignment, unless the device is not in control of the user. There could be risks in synchronization using

Infrared.

2.3.2 Bluetooth

Bluetooth provides security features. However, very often these features are not implemented nor activate on smartphones.

In most cases, the implementation of Bluetooth security in smartphones is restricted to the pairing mechanism and setting the Bluetooth mode to “non-discoverable”.

Tools such as Redfang and BTscanner bypass the non-discoverable mode by brute- forcing the last 6 bytes of the Bluetooth address and calling the read_remote_name() function. Redfang works on a Linux platform.

Other tools such as BTbrowser developed for Nokia 6600 and SonyEricsson P900 allow a user to list surrounding devices and browse available files as well as PIM data.

It won’t be long before smartphone versions of Redfang are out.

Bluejacking is a term referred to a hijacking a mobile device using Bluetooth technology. Commonly the pattern followed is:

CS691 Sujeeth Narayan 9 Smartphones Security

•Putting a message in place of ones device name

•Sending it with a pairing request

•With a prompting message, the victim presses a key (Yes/No)

•Victim would be allowing attacker to access files

It is also possible to have a buffer overflow attack using Bluetooth. It was seen in Nokia phones a mal-formed OBEX message is vulnerable to buffer overflow attack.

There are more vulnerabilities in the Bluetooth implementation of certain smartphones, which are being discovered.

The actual protocol implementation is complex and hence there could be some design flaws or code flaws during the implementation by individual vendor.

2.3.3 GPRS

Smartphones connected to the GPRS are exposed to risks originating from the GPRS IP

Backbone. Security of the GPRS backbone depends on the measures taken by the operator to secure the GGSN (Gateway GPRS Support Node). If the GGSN is compromised, the GPRS operator’s subscribers are exposed to attacks from the Internet.

GPRS are always on connectivity, which makes it more vulnerable for the applications using the service. Applications such as email, Web Browser could be attacked like a normal computer system being attacked through Internet.

A recent personal experience was when I received an offline text message from a friend through Internet. It had some malicious code, I guess. After I read the message, the

CS691 Sujeeth Narayan 10 Smartphones Security mobile battery power was reducing at fast pace. In normal usage the battery would loose

80% power in 2 days but that day it lost that much power in around 6 hours. By deleting that message, unloading all the running programs and restarting the mobile was the comeback.

2.4 Security Policy

There is a need for every organization to reconsider its technology related security policies. Many of them don’t consider smartphone devices while making a policy. This is a big risk to the company as there could be many issues arising.

There cannot be options such as:

 Banning the personal use of smartphones

 Physically control and enforce the use.

A better way could be by defining policies such as:

 Controlled Synchronization by the employee

 The use of device in beware hotspots (to deactivate Bluetooth)

 Information exchange/download between the device and Enterprise System

A major step by enterprises is to recognize Smartphones as possible threat to the organization. Some companies would restrict the use of personal CD’s in the company resources. Smartphones now can have equal capacity and more capability than just CD’s.

CS691 Sujeeth Narayan 11 Smartphones Security

3 Unified Framework

3.1 Introduction

In my initial idea of the project, the plan was to develop a framework, which would give solid framework with all the suitable and required security technologies for smartphones.

With the research I found NIST (National Institute of Standards and Technology) to have sponsored a project called Unified Security Framework for mobile devices.

The security aspects that are addressed by the framework are as below: “

 User Authentication - Strong user authentication is the first line of defense for an

unattended, lost, or stolen device. Multiple modes of authentication increase the

work factor for an attacker; however, very few devices support more than one

mode, usually password-based authentication.

 Content Encryption - With sufficient time and effort an authentication mechanism

can be compromised. Content encryption is the second line of defense for

protecting sensitive information.

 Policy Controls - When a device is active, various attacks can occur. Policy rules,

enforced for all programs regardless of associated privileges, protect critical

components from modification, and limit access to security-related information. ”

CS691 Sujeeth Narayan 12 Smartphones Security

The framework supports multiple policy contexts, which could be implemented for

operation. The contexts are such as restricted and unrestricted, or low, medium and

high security.

3.2 Authentication Mechanisms

Mobile devices have different usability, different applications and different capacity when compared to normal desktop computer. Hence not all authentication mechanism can be sued for the mobile device also.

With further research, I found an interesting paper on new approach to the authentication mechanism.

3.3 Picture Password

This is a recently published paper - Picture Password:

A Visual Login Technique for Mobile Devices

by Wayne Jansen

et al.

I chose because it is great idea for the simple mobile interface and it is an interesting algorithm for less powerful processor in the mobile devices.

CS691 Sujeeth Narayan 13 Smartphones Security

The main idea is that a visually inclined mobile user can easily remember a password in form of picture and also easy for any user to enter using a joystick/navigate buttons than the keypad on the mobile device.

3.3.1 Algorithm

In this algorithm the images are sorted out into a matrix in a thumbnail size. Then the user sets his choice of images as the password. The selected matrix number i.e. selected[i][j] where i is the selected image row number and j is the selected image column number.

Corresponding to each of these matrix cells a value is associated.

This value is then mapped onto a series of Alphanumeric ASCII values.

Many of the values would be out of the range of Alphanumeric series.

According their research, with 30 thumbnail images to choose, the effective size of the alphabet is 930. The password strength is discussed in detail in the paper.

Fig 3.1 shows the mapping of Image Matrix to Value Matrix

Fig 3.1 Image matrix vs. Value matrix

CS691 Sujeeth Narayan 14 Smartphones Security

4 Conclusion

From my research I understand that smartphone technologies would grow more to support more capabilities and more capacity. With this there is added security risks and concerns.

There should be an important step taken by an organization to include smartphones in their policies.

There is also scope for Standard framework that could be implemented by an Enterprise to include smartphones in their network. This standard framework could have security mechanisms such central authentication using User Enterprise Login.

Even the vendors or mobile application developers should probably make use of the standard security framework such as NIST given Unified Framework. This will make applications consistent and stable to attacks.

CS691 Sujeeth Narayan 15 Smartphones Security

5 References http://csrc.nist.gov/mobiledevices/projects.html - NIST Unified Framework

http://www.wirelessdev.net

http://www.smartphonethoughts.com

http://www.AirScanner.com -Mobile Firewall and Antivirus

http://www.PointSec.com - Mobile Security Software

http://www.blackhat.com

CS691 Sujeeth Narayan 16

Recommended publications