Security and Privacy Events at Mobile World Congress 2014

Here’s a list of the main security- and privacy-related events in Barcelona (some of which I’ll be speaking at). You’ll need a specific pass to get into some of them; where that is the case, the pass is shown next to the event.

Sunday 23rd February

1) Copper Horse Mobile Security Dinner
21:00 – Secret Location in Barcelona

Monday 24th February

1) Mobile Security Forum presented by AVG
12:15-14:30 – Hall 8.0 – Theatre District – Theatre F
2) Mobile Security Forum presented by FingerQ
14:30-16:45 – Hall 8.0 – Theatre District – Theatre F

Tuesday 25th February

1) Secure all the things! – the changing future of mobile identity, web, policy and governance
10:00-12:00 (09:15 for networking) UKTI / ICT KTN seminar – in the main conference area, CC1 Room 1.2
2) GSMA Personal Data Seminar (with the FIDO Alliance)
11:00-14:30 Room CC 1.1
3) Global Mobile Awards 2014 – Category 6d – Best Mobile Identity, Safeguard & Security Products/Solutions [Gold passes only]
14:30-16:30 – Hall 4, Auditorium 1

Wednesday 26th February

1) Cyber Security Workshop: The Role of the Mobile Network Operator in Cyber Security [Ministerial Programme Access only]
15:30–16:30 – Ministerial Programme, Hall 4, Auditorium B

Thursday 27th February

1) Privacy – Mobile and Privacy – Transparency, choice and control: building trust in mobile
11:00-13:00 – GSMA Seminar Theatre 2 – CC1.1

Of course, plenty of the other presentations have security aspects – all the Connected Home, mHealth and Internet of Things talks, to mention but a few! Also, if you’d like to meet me, you’ll see me at a few of these events or you can email to make an appointment out there.

Please feel free to let me know in the comments if I’ve missed any.

Copper Horse Mobile Security Dinner – Mobile World Congress 2014

Another year and we’re back again. This year’s Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world’s leading minds in mobile security present, it’s the hottest ticket for Sunday night. Contact us if you’d like to attend, there’s a limited number of places. As always, we split the bill at the end.

This is far too early for the dinner and in the wrong location…

 

Mobile World Congress 2014 – Planning to Eat…

Happy New Year everyone! That must mean that the entire mobile industry has to start going into overdrive for Mobile World Congress in February in Barcelona. Over at LinkedIn, there is a pretty useful thread for discussing what kind of tips and suggestions you’d give first-time attendees to MWC.

Parties aside, my best personal advice for Mobile World Congress is actually about eating. Having been to Barcelona for every MWC since it moved there, I’ve worked out what is best for me and really what is not good at all for me. I’ve described it to some people as doing a year’s worth of meetings in one week. It is pretty intense – you definitely work hard and play hard. In my experience, you walk about a million miles (maybe just slightly less), drink far too much alcohol and go to bed way too late for a couple of hours sleep before doing it all again the next day, all without eating much more than a couple of bites of tapas and maybe a Jamon baguette. The biggest thing that has at least helped me sleep better and feel better is to address the food problem head-on.

Not sure how healthy this sandwich is Mr. Messi…

Here’s my addition to the thread:

One thing that I’d add, make sure you eat properly and healthily. It is a crazy week of early mornings, late nights and lots of walking. Also, if you’re like most of the attendees and therefore not ‘entirely’ tee-total, you may need to soak up some of that booze 😉

It can be difficult to get food during a really hectic week and what food is on-site is usually limited. Mostly jamon / Spanish tortilla baguettes, crisps and maybe some fairly rank salads (unless you can eat in the Gold pass areas). The queues at lunchtimes are mental, so if you are going to grab something, try and get it early on and stick it in your bag for later if you can.

Don’t expect to be eating well at any of the parties unless you can get by on a couple of cocktail snacks and a bit of Paella. 

As someone who needs food to keep me going, I generally try to eat as follows each day: 

* a healthy, large breakfast with some fruit 
* get some early coffee on-site 
* make time for lunch – I now resist the temptation to skip it and fill it with a meeting 
* eat something substantial if I can early on in the evening that isn’t just tapas at a party 

Hope this helps!

I’d be interested in any other thoughts people have on how to eat properly at MWC. Anyway, with that slight detour I have to get back to judging entries for the GMAs and preparing our own Copper Horse trip out there!

Shiny Expensive Things: The Global Problem of Mobile Phone Theft

I was kindly invited down to Bournemouth University the other day by Shamal Faily, to give a talk as part of their Cyber Seminar series. I decided to talk about a quite hot topic which I’m very familiar with, mobile phone theft. The slides are updated from an earlier talk, but cover some of the political involvement in 2012/13 and some information on recent industry action and what should happen next.

Global Mobile Awards 2014

I’ll once again be judging in the Global Mobile Awards “Best Mobile Identity, Safeguard & Security Products/Solutions” category this year. The deadline for entry submissions is Friday, the 29th of November 2013 at 5pm (GMT). The shortlist will be announced in January 2014 and the awards will be presented at Mobile World Congress.

If you’re planning to enter, there’ll be a live Q&A on the awards on Friday, November the 8th. Follow the GSMA’s twitter account @GSMA and the hashtag #GMA14 for more details!

If you want to show off your organisation’s success and innovation in the world of telecoms, please enter at the awards page: www.globalmobileawards.com

Good luck!

ForumOxford Mobile Security discussion

Join me on Friday the 11th at 3pm (UK), 7am (PDT), 10am (EDT) for a discussion via LinkedIn on the topic of mobile security. I’ll be talking about everything from mobile phone theft and fingerprint scanners, to what the future could hold.

More details here. So hopefully see you all there. If you can’t make it, have a look at this book if you’re interested in the topic.

9th ETSI Security Workshop

In January 2014, it’ll be the 9th ETSI Security Workshop, in Sophia Antipolis in the south of France. I’ve always found the event really interesting and have spoken there a couple of times myself.

There’s a call for presentations that’s still open until the 11th of October, so if you’re interested in security and mobile, why not put in an abstract? The topics are really broad-ranging (which is part of the appeal). This year’s include:

1. Machine-to-Machine Security
2. Critical infrastructure protection
3. Cybersecurity
4. Analysis of real world security weaknesses
5. Next Generation Networks security
6. Mobile Telecommunications systems
7. RFID and NFC Security issues
8. Privacy and Identity Management
9. Cryptography and Security algorithms
10. Security in the Cloud
11. Smart city security (energy, transport, privacy, …)
12. Trusted Security (services and platforms)
13. Security Indicators/Metrics
14. Academic research and Innovation
15. Device and smart phones security
16. Malware detection and forensics

More details here: http://www.etsi.org/news-events/events/681-2014-securityws

 

CCC bust Apple’s fingerprint scanner?

Just a few days ago I wrote about some of my concerns on biometrics, after the launch of the fingerprint scanner ‘TouchID’ on the iPhone 5S. It appears that they may have been well-founded. The Chaos Computer Club in Germany have released a blog and video which seem to show TouchID being broken by a fake fingerprint. Back to the drawing board again on biometrics? Watch the video for yourself below:

 

You are the Key: Fingerprint Scanning on the iPhone 5S

So, here we are. Another iPhone launch and seemingly even fewer features. The September 10th launch of the iPhone 5S brings the only physical feature of note: fingerprint scanning via “Touch ID” which is built into the main button of the phone (an elegant way of doing it by the way). This turn of events is more about a push by Apple towards acceptable secure m-payments and stronger user authentication for the web and app store rather than just being completely about access control to the device itself. I’m pretty sure that there’s a strong pull from the business / enterprise sector as well for this kind of technology. In my experience, senior management seem to quite like things they’ve seen in a sci-fi film such as palm-print security access and voice recognition in front of big strong-room doors. Perhaps a blue LED or two to top it off. That of course, is real security. Not.

Just like in the movies! It must be secure!

So what does this technology really bring us and why hasn’t it been implemented before? Let’s concentrate on just the access control piece here.

Leaving your keys hanging around

Unlike PIN numbers, you leave a number of exact replicas of your fingerprints in various public places when you go about your daily business. That’s like leaving an exact imprint of your front door key over twenty times a day on things like the side of your car door, on a coffee cup and on the table of your favourite pub. In all likelihood, the back of your mobile phone probably contains a pretty good copy of your fingerprint right now. In 2008, the German interior minister Wolfgang Schäuble found this out when hacktivists collected his fingerprints from a glass. And remember: once you’ve lost your fingerprint you can’t really get it back (you only have a limited number!).

There are some pretty extreme examples of people who’ve been tortured for bank PIN numbers and even one case in Malaysia where a man had his finger cut off to steal his fingerprint-protected Mercedes.

There is an argument to say that most street thieves (like burglars) are not going to want a direct confrontation with the owner, but there’s also plenty of evidence of violence during mobile phone theft from people being shot or held at knifepoint, just for their phone.

One could easily imagine a scenario where the user is just forced to open up the device and remove the security protection before the criminal makes off. This scenario could just as easily be argued for users with PIN protection and it seems (from my unscientific hearsay point-of-view!) that we haven’t heard of many instances of thieves doing this. What seems to be more prevalent is either unattended theft or snatch theft where the phone is actually being used (and is therefore unlocked and ready to go).

According to the Office of National Statistics’ report on Mobile Phone Theft [pdf], the Crime Survey of England and Wales for 2011/12 showed that 7 in 10 incidents of mobile phone theft were personal thefts (e.g. pickpocketing or snatch) or ‘other thefts of personal property’. These ‘others’ are defined as: “items stolen while away from home, but not carried on the person (such as theft of unattended property in pubs, restaurants, entertainment venues, workplaces etc.).”

Let’s also bear in mind that a lot of people could believe they’ve been pickpocketed or that their phone was stolen from somewhere when they have in fact just lost their device. The number of phones found on the London Underground alone was 25,000 in 2011.

Convenience

What fingerprint biometric technology does give you is convenience, more so given that the sensor for Touch ID is built into the key that you would have to press anyway. Instead of having to make four or more finger movements and possibly engage your brain to remember a PIN, you have almost instantaneous access, which, when you consider how many times you have to enter your PIN into your phone every day, is surely a good thing. What convenience then hopefully gives you is increased adoption by users, which overall is again a good thing. Most people using fingerprint access control security, rather than a few using a PIN, is a much better situation for everyone.

However, this is certainly not all a bed of roses. Usability is a big issue once you look into it (and I’m not sure how much Apple have taken this into consideration).

Some people simply can’t use fingerprint readers: for example, the very young, the elderly and some disabled people. In addition, “false negatives” can be caused by various factors such as:

  • Long fingernails
  • Arthritis
  • Circulation problems
  • People wearing hand cream
  • People who’ve just eaten greasy foods
  • Fingerprint abrasion, includes: the elderly, manual labourers, typists, musicians
  • People with cuts

In some senses, this functionality could be regarded as socially regressive, or at least not a socially inclusive and accessible technology. These types of users must fall back to things like PIN usage to provide access control.

Technology progression

Technical details of the Apple solution are not clear, but a lot of fingerprint technologies have failed in the past and I am sure that this one will come under intense scrutiny by security researchers. I have demonstrated the “gummy finger” attack against an optical fingerprint scanner myself at conferences and in lectures, even creating a working latex ‘replacement’ fingerprint aka ‘Diamonds are Forever’.

Researchers have even gone as far as ‘lifting’ fingerprints, reversing the image (to get it back to the right way round) and etching them in order to create a pattern for new, usable replicas (see the gummy finger link above for more details). Other researchers have also defeated ‘liveness’ or pulse detection too.

Summary

So what do I really think? I think for high-end enterprise use cases (one area that Apple has been really going after in the past couple of years), this does make sense. I can imagine a CEO complying with that kind of policy more than a mandatory very long PIN or password. If they’re really important people though, you can certainly imagine them being targeted to copy their fingerprints as I mentioned at the beginning.

For your average user, maybe just maybe, the convenience aspect will make this a success. What that would mean is more devices secured at rest (i.e. left on café tables), so an opportunistic thief would not be able to get immediate access. It could even provide a different, potentially more secure way of authenticating to banking and payment services over the web or in a shop. I truly hope that users do not become the targets of more violent assaults where they are forced to give fingerprint access to their device.

Lastly, I hope that the Apple security engineering team have done their job correctly. At the end of the day, your fingerprint is translated into 1s and 0s. A representation of this has to be stored on the device in some way. Each time you access your phone, your data is then processed through an algorithm to get compared. If that is not done properly using secure hardware, then there’ll be another set of people producing hacking tools to address a new market for criminals to get around the fingerprint protection. The first commercially sold fingerprint scanner on a phone that I remember was in 2004 in the GI100, a PanTech device that was released in Asia. I looked into and rejected fingerprint scanning as a possibility for mobile phones at Panasonic in 2005 for many reasons (not least the processing capability needed). Nearly 10 years later it’ll be interesting to see whether it really is a useful security technology or just simply a movie-inspired gimmick.

Mobile Security: A Guide for Users

Back in May, I released a leaflet on Mobile Phone Security advice for ordinary people to be able to manage their own security for their devices. I promised that we’d be releasing the longer whitepaper that accompanies it soon, so here it is. We’ve released it as a short book, which you can initially purchase from this site. The book covers some of the history of mobile security, things that have happened in industry and security design decisions that have been taken to try and protect users over the years. It also talks about various issues and incidents, their impact and what users should do to try and mitigate those things. There are also sections on personal safety and lost and stolen phones. I really hope this is useful for people!