You are the Key: Fingerprint Scanning on the iPhone 5S

So, here we are. Another iPhone launch and seemingly even fewer new features. The September 10th launch of the iPhone 5S brings only one physical feature of note: fingerprint scanning via “Touch ID”, built into the home button of the phone (an elegant way of doing it, by the way). This is more about a push by Apple towards acceptably secure mobile payments and stronger user authentication for the web and the App Store than purely about access control to the device itself. I’m pretty sure there’s a strong pull from the business and enterprise sector for this kind of technology too. In my experience, senior management quite like things they’ve seen in a sci-fi film, such as palm-print access and voice recognition in front of big strong-room doors. Perhaps a blue LED or two to top it off. That, of course, is real security. Not.

Just like in the movies! It must be secure!

So what does this technology really bring us and why hasn’t it been implemented before? Let’s concentrate on just the access control piece here.

Leaving your keys hanging around

Unlike PINs, you leave a number of exact replicas of your fingerprints in public places as you go about your daily business. That’s like leaving an exact imprint of your front door key twenty times a day: on the side of your car door, on a coffee cup, on the table of your favourite pub. In all likelihood, the back of your mobile phone contains a pretty good copy of your fingerprint right now. In 2008, the German interior minister Wolfgang Schauble found this out when hacktivists collected his fingerprints from a glass. And remember: a compromised PIN can be changed, but a compromised fingerprint cannot be revoked or reissued (and you only have a limited number!).

There are some pretty extreme examples of people who’ve been tortured for bank PINs, and even one case in Malaysia where a man had his finger cut off to steal his fingerprint-protected Mercedes.

There is an argument to say that most street thieves (like burglars) are not going to want a direct confrontation with the owner, but there’s also plenty of evidence of violence during mobile phone theft from people being shot or held at knifepoint, just for their phone.

One could easily imagine a scenario where the user is just forced to open up the device and remove the security protection before the criminal makes off. This scenario could just as easily be argued for users with PIN protection and it seems (from my unscientific hearsay point-of-view!) that we haven’t heard of many instances of thieves doing this. What seems to be more prevalent is either unattended theft or snatch theft where the phone is actually being used (and is therefore unlocked and ready to go).

“The number of phones found on the London Underground alone was 25,000 in 2011”

According to the Office for National Statistics’ report on Mobile Phone Theft [pdf], the Crime Survey for England and Wales for 2011/12 showed that 7 in 10 incidents of mobile phone theft were personal thefts (e.g. pickpocketing or snatch) or ‘other thefts of personal property’. These ‘others’ are defined as: “items stolen while away from home, but not carried on the person (such as theft of unattended property in pubs, restaurants, entertainment venues, workplaces etc.).”

Let’s also bear in mind that a lot of people may believe they’ve been pickpocketed, or that their phone was stolen from somewhere, when they have in fact just lost their device. The number of phones found on the London Underground alone was 25,000 in 2011.

Convenience

What fingerprint biometric technology does give you is convenience, more so given that the sensor for Touch ID is built into the button you would have to press anyway. Instead of four or more finger movements and the possible engagement of brain to remember a PIN, you have almost instantaneous access, which, when you consider how many times you enter your PIN into your phone every day, is surely a good thing. What convenience then hopefully gives you is increased adoption by users, which overall is again a good thing. Most people using fingerprint access control is a much better situation for everyone than a few people using a PIN.

However, this is certainly not all a bed of roses. Usability is a big issue once you look into it (and I’m not sure how much Apple have taken this into consideration).

Some people simply can’t use fingerprint readers: for example, the very young, the elderly and some disabled people. In addition, false rejections (the reader failing to recognise a legitimate user) can be caused by various factors such as:

  • Long fingernails
  • Arthritis
  • Circulation problems
  • People wearing hand cream
  • People who’ve just eaten greasy foods
  • Fingerprint abrasion, includes: the elderly, manual labourers, typists, musicians
  • People with cuts

In some senses, this functionality could be regarded as socially regressive, or at least as not a socially inclusive and accessible technology. These users must fall back to things like a PIN to provide access control.

Technology progression

Technical details of the Apple solution are not clear, but a lot of fingerprint technologies have failed in the past and I am sure that this one will come under intense scrutiny by security researchers. I have demonstrated the “gummy finger” attack against an optical fingerprint scanner myself at conferences and in lectures, even creating a working latex ‘replacement’ fingerprint aka ‘Diamonds are Forever’.

Researchers have even gone as far as ‘lifting’ fingerprints, reversing the image (to get it back to the right way round) and etching them in order to create a pattern for new, usable replicas (see the gummy finger link above for more details). Other researchers have also defeated ‘liveness’ or pulse detection too.

Summary

So what do I really think? I think for high-end enterprise use cases (one area that Apple has been really going after in the past couple of years), this does make sense. I can imagine a CEO complying with that kind of policy more than a mandatory very long PIN or password. If they’re really important people though, you can certainly imagine them being targeted to copy their fingerprints as I mentioned at the beginning.

For your average user, maybe just maybe, the convenience aspect will make this a success. What that would mean is more devices secured at rest (i.e. left on café tables), so an opportunistic thief would not be able to get immediate access. It could even provide a different, potentially more secure way of authenticating to banking and payment services over the web or in a shop. I truly hope that users do not become the targets of more violent assaults where they are forced to give fingerprint access to their device.

Lastly, I hope that the Apple security engineering team have done their job correctly. At the end of the day, your fingerprint is translated into 1s and 0s. A representation of this (the template) has to be stored on the device in some way. Each time you access your phone, the fresh scan is then compared against that template by a matching algorithm. If the storage and the comparison are not isolated in secure hardware, then there’ll be another set of people producing hacking tools to address a new market for criminals to get around the fingerprint protection. The first commercially sold fingerprint scanner on a phone that I remember was in 2004 in the GI100, a Pantech device released in Asia. I looked into and rejected fingerprint scanning as a possibility for mobile phones at Panasonic in 2005 for many reasons (not least the processing capability needed). Nearly 10 years later it’ll be interesting to see whether it really is a useful security technology or just simply a movie-inspired gimmick.
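To make concrete why the template and the comparison are the sensitive part (and why, as argued under “Leaving your keys hanging around”, a good copy of the print is the key), here is an added illustration that is not from the post and is not Apple’s Touch ID algorithm, which is not public. It places a salted, hashed PIN check next to a toy minutiae matcher. A PIN is verified by exact match, so only a hash need ever be stored; a fingerprint scan never reproduces the enrolled template bit for bit, so it is verified by a similarity score against a threshold, which means the template itself must be kept in a comparable form and therefore somewhere an attacker cannot read it. All minutiae coordinates are constructed, and the matcher assumes the two prints are already aligned.

```python
"""Fuzzy biometric matching beside exact PIN matching.

Added illustration for this post: a toy minutiae matcher, not Apple's
Touch ID algorithm (which is not public). The minutiae coordinates are
constructed for the example.
"""
import hashlib
import hmac
import math
import os


def pin_verifier(pin: str):
    """A PIN is checked by exact match, so only a salted hash need be stored."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def verify(candidate: str) -> bool:
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 50_000)
        return hmac.compare_digest(stored, probe)

    return verify


# Enrolled template: minutiae as (x, y, ridge angle in degrees). Constructed.
ENROLLED = [
    (12, 40, 30), (55, 18, 95), (78, 63, 210), (33, 72, 140), (90, 22, 300),
    (61, 48, 10), (25, 15, 250), (44, 90, 180), (70, 85, 45), (15, 60, 120),
]


def match_score(template, probe, dist_tol=8.0, angle_tol=15.0) -> float:
    """Fraction of enrolled minutiae that have an unused probe minutia within
    dist_tol pixels and angle_tol degrees. A real matcher also aligns the two
    prints first; this toy assumes they are already aligned."""
    used = set()
    hits = 0
    for x, y, a in template:
        for i, (px, py, pa) in enumerate(probe):
            if i in used:
                continue
            close = math.hypot(px - x, py - y) <= dist_tol
            turn = abs((pa - a + 180) % 360 - 180) <= angle_tol
            if close and turn:
                used.add(i)
                hits += 1
                break
    return hits / len(template)


def verify_fingerprint(template, probe, threshold=0.6) -> bool:
    """Accept when enough minutiae agree; the threshold trades false accepts
    against false rejects (greasy or cut fingers push scores down)."""
    return match_score(template, probe) >= threshold


def shifted(minutiae, dx=3, dy=-2, da=5):
    """Simulate placing the same finger slightly differently on the sensor."""
    return [(x + dx, y + dy, (a + da) % 360) for x, y, a in minutiae]


# A different finger: no minutia within tolerance of any enrolled one. Constructed.
IMPOSTOR = [(100, 100, 0), (5, 5, 0), (50, 50, 270), (30, 30, 0)]
```

Two things fall out of running it. A scan that is merely shifted by a few pixels still passes, and a partial print (half the minutiae, as from a cut or a greasy finger) fails, which is the false-rejection list above in code. And a probe that is an exact copy of the enrolled template scores a perfect 1.0: a lifted print fed through a gummy finger is not an attack on the matcher at all, it is simply the key.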

Mobile Security: A Guide for Users

Back in May, I released a leaflet of mobile phone security advice for ordinary people, so that they can manage their own security for their devices. I promised that we’d be releasing the longer whitepaper that accompanies it soon, so here it is. We’ve released it as a short book, which you can initially purchase from this site. The book covers some of the history of mobile security, things that have happened in industry and security design decisions that have been taken to try and protect users over the years. It also talks about various issues and incidents, their impact and what users should do to try and mitigate those things. There are also sections on personal safety and lost and stolen phones. I really hope this is useful for people!

Mobile related presentations at Blackhat and DEFCON 2013

Next week I’ll be heading over to Las Vegas for the world’s biggest security and hacking conferences, Blackhat and DEFCON. Here’s a short run-down of some presentations and briefings that are related to mobile. Obviously there are many others that may also be relevant to mobile (e.g. SSL attacks or HTML5). As you can see, mobile interest is again steadily going up, as is interest in other embedded platforms such as automotive and in-home systems. It looks like it is going to be a pretty interesting, if slightly scary, week!

Blackhat
DEFCON

The phone theft debate continues…

A number of articles on mobile phone theft in the papers this weekend (20-21st July 2013). Regular readers will know that I’ve spoken quite a lot about phone theft in the past and at various events.

Snatch thefts are particularly high because the phone is ‘active’ at that point and not locked

The Daily Mail discusses the fact that Apple will publish an update later this year which will enable the “authentication lock” feature, preventing the re-enablement of stolen phones after theft. It also mentions that the thief will no longer be able to disable GPS or wipe the phone – common methods used by thieves to prevent tracking of phones, and ones which also encouraged snatches of ‘active’ devices.

In the Daily Telegraph, Boris Johnson apparently said “Each of your companies promote the security of your devices, their software and information they hold, but we expect the same effort to go into hardware security so that we can make a stolen handset inoperable and so eliminate the illicit second-hand market in these products”.

This is badly off the mark – the problem is not the hardware security (this was addressed years ago and the work was acknowledged by the Home Secretary in 2008). The real problem is the export of devices – they are not blocked outside the UK so can continue to be used. This has nothing at all to do with hardware security, but it has everything to do with the ability to disable devices globally.

Other countries such as the US have only recently joined the party, claiming massive new street theft problems. The truth is this: phone theft has always been a problem, but it has only been recently that high-profile violent robberies have forced them into action. What have the authorities been doing for the last ten or so years?

Apple’s authentication lock is not a kill switch

The terminology being used by politicians and the media is incorrect – preventing access to services is actually the opposite of reaching out and telling a device to ‘die’. Creating a real kill switch like that could in itself become a security problem: whoever controls it, or compromises it, gets that power. Imagine being able to turn off every phone in the world.

The reality is that the functionality for an “authentication lock” has only been technically possible in the past 5 years, because previously the manufacturer would have virtually no relationship with the customer. These days all the major OS providers ask users to sign up for an account with them to access services – and that’s the key. A relationship with the end user means that they can take action because they know when that phone gets used post-theft.

In the past, this simply wasn’t possible for the network operators. No operator (as far as I know) has presence in every country in the world, so it wouldn’t usually see a phone once it had been exported. Yes, the IMEI (the identity of the device) could technically be shared with a global database called the Central Equipment Identity Register, but that one piece of data is not reliable for many reasons, including a rash of counterfeit devices in some countries. However, if a phone has to connect home over the web, that allows a lot of information to be checked and even shared with the rightful owner. Although it is not foolproof, it is the right thing to do, as it makes the phone less attractive to a thief. It does raise a question for the Android manufacturers particularly. Will they now ask Google to provide this functionality for them, or somehow try to build it into their own anti-theft find-and-locate apps (which will not be as robust as putting this in at the OS level)?
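The two models described above can be put side by side in code. What follows is an added illustration for this post, not Apple’s, Google’s or any operator’s implementation: a toy vendor-side “activation lock” server, where the device-to-account binding lives with the vendor and is checked whenever a handset connects home after a reset, next to a plain IMEI blocklist that has only one identifier to go on and no way of knowing who is holding the phone. Account names, passwords, device identifiers and the IMEI strings are all constructed; the password handling is a standard salted PBKDF2 hash, which is an assumption about how such a server would store credentials rather than anything the post states.

```python
"""Toy model of an account-bound 'activation lock' beside an IMEI blocklist.

Added illustration for this post; it is not Apple's, Google's or any
operator's code. Account names, passwords, device identifiers and IMEIs
are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed credential storage: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class LockServer:
    """Vendor-side state. Nothing here lives on the handset, so a factory
    reset by a thief does not remove it."""
    accounts: dict = field(default_factory=dict)   # name -> (salt, hash)
    bindings: dict = field(default_factory=dict)   # device_id -> owner name
    activation_log: list = field(default_factory=list)

    def register_account(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = (salt, _hash_password(password, salt))

    def _credentials_ok(self, name: str, password: str) -> bool:
        entry = self.accounts.get(name)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def enable_lock(self, device_id: str, name: str, password: str) -> bool:
        """Owner opts in while still holding the phone; the binding is server-side."""
        if not self._credentials_ok(name, password):
            return False
        self.bindings[device_id] = name
        return True

    def activate(self, device_id: str, name: str, password: str,
                 seen_from: str) -> str:
        """Called when a (possibly wiped) handset connects home to be set up."""
        # Every attempt is recorded: this is the information the vendor can
        # later check and share with the rightful owner.
        self.activation_log.append((device_id, name, seen_from))
        owner = self.bindings.get(device_id)
        if owner is None:
            return "activated"            # never locked, behaves as before
        if name == owner and self._credentials_ok(name, password):
            return "activated"            # the rightful owner set it up again
        return "locked"                   # wrong account or wrong password


def imei_blocklist_decision(blocklist: set, imei: str) -> str:
    """The network-side model: one identifier, no proof of who holds the phone."""
    return "denied" if imei in blocklist else "allowed"


def run_scenario() -> dict:
    """Walk both models through the same theft and return the outcomes."""
    server = LockServer()
    server.register_account("alice", "correct horse battery")
    server.enable_lock("dev-1234", "alice", "correct horse battery")

    out = {}
    # Thief wipes the phone and tries to set it up abroad with a fresh account.
    server.register_account("fence", "anything")
    out["thief_after_wipe"] = server.activate("dev-1234", "fence", "anything", "ES")
    # Thief guesses at the owner's account password.
    out["thief_guess"] = server.activate("dev-1234", "alice", "password1", "ES")
    # The owner recovering the phone can still activate it.
    out["owner"] = server.activate("dev-1234", "alice", "correct horse battery", "GB")
    # The owner learns where the phone was seen after the theft.
    out["seen_from"] = [country for _, _, country in server.activation_log]

    # IMEI blocklist: a counterfeit clone sharing the stolen IMEI is denied
    # along with the stolen handset, while a reprogrammed IMEI is not on the
    # list at all and walks straight through.
    stolen = {"356938035643809"}
    out["clone_of_stolen"] = imei_blocklist_decision(stolen, "356938035643809")
    out["reprogrammed"] = imei_blocklist_decision(stolen, "356938035643810")
    return out
```

The point the scenario makes is the one in the text: the lock works because the binding is held by a party that has a relationship with the user and sees the phone wherever it is activated, so wiping and exporting the handset changes nothing, whereas the IMEI check both blocks innocent counterfeit holders and lets a reprogrammed device through.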

Next steps

Assuming the industry gets this right (and I hope they do), the ball will be back in government and Police hands. With rising theft figures, it is very easy to blame the manufacturers and operators. In reality this is a complex and largely social problem – people are still going to snatch expensive mobiles and try to use them to pay for things / use their functions etc and sell them. There’ll be a new, lucrative challenge for the cracking community to disable things like authentication lock. Up until 2011, the UK was the only country that had really done lots of things to help address theft in a proper manner including:

  • education for young people (youth-on-youth crime is very high)
  • posters in high crime areas like London
  • legal measures (making it illegal to change the IMEI number and possess the equipment to do so)
  • working with industry to harden devices (OMTP TR1)
  • encouraging industry to share information on theft (stolen IMEI numbers)
  • setting up a dedicated Police unit to target thieves

Mobile phone theft affects ordinary people – for that reason alone, politicians like Boris Johnson are going to continue to jump on what has been for years a populist bandwagon.

Helping ordinary mobile phone users manage their security

My company recently completed some work for the UK Police about giving some basic guidance on mobile phone security. It seemed to them (and to us) that there is a gap between the daily deluge from the media of new threats to mobile users and understanding the real situation (which is often highly technical). What this often means is that users are just completely forgotten in a sea of meaningless rhetoric. People using phones inevitably then do the wrong thing. We also found that the organisations setting policies also want to give basic advice to people about how they use their phones in their daily lives.

We wrote quite a long whitepaper (which will soon be available as a booklet) but with the help of the excellent team at Beyond Design, we decided to also create a leaflet that was easy to understand and which would capture the main points easily. After all, what we’re looking for is for people to remember and adopt the advice we’re giving out. The advice covers things like:

  • Personal safety
  • Lost and stolen devices
  • Using the features of your device securely
  • The types of threats you need to be aware of
  • Things that you can do to mitigate security issues or to help prevent them happening

We’ve had some good initial feedback and I understand a couple of universities in the UK are looking to distribute the leaflets for their students too.

What risks are you taking?

Free leaflet

I’ve decided to make the leaflet freely available for download and printing – you can take the print ready version and send it to a local printers or online service and then use it for your own purposes. Just click the links below to get a copy:

Mobile Security Advice leaflet (online version)
Mobile Security Advice leaflet (print-ready version)

I hope this is useful to people and we’d love to hear your feedback and who you’ve given the leaflets to. Drop us a line or add a comment below!

A note on giving out advice

The danger, of course, with doing something like this is that we a) miss something important or give bad advice, and b) that the advice is impractical and gets ignored. We hope that we have given good advice based on our own experience, but please let us know if you really disagree with something. We acknowledge that there is a risk of b), but we also acknowledge that giving people nothing and just leaving them to fend for themselves is ultimately worse. Everything we do from a security perspective in our personal lives is about risk management decisions (or risk avoidance). Just as not every alley is going to have some guy lurking down it waiting to rob you, not every open WiFi connection you connect to is going to be compromised. It’s good to be at least ‘aware’ of the risks though.

Bring Your Own Dilemma

Matt Williams sums up a couple of events last week on BYOD:

Bring Your Own Device (BYOD) is proving to be a big challenge among business directors. Many employers are looking to the idea of their employees taking their own mobile phones with them to work, for use in the day job.

Last week, I attended two events, both of which featured BYOD as the subject of focus. The first of these was the Mobile Monday panel discussion, BYOD – A Faustian Pact?, held at Centre Point in London. Copper Horse Director David Rogers was chairman for the session, and panellists were from companies such as Blackberry and Telefonica O2. The greatest aspect of the discussion was, in addition to the interesting points raised by the panel, the interactivity between the panel and an audience that was one of the most active I’ve seen. It provided some stimulating talk, which was occasionally partitioned by an audience show of hands on questions such as “Do you regularly use mobile banking?”. What was surprising to me was that the majority of the audience raised their hand to that.

David Rogers (Copper Horse) chairing the BYOD panel at Mobile Monday, with Mubaloo’s Gemma Coles speaking.
Event number two was an online webinar titled Mobile Apps – The Danger of Making Security an Afterthought. This time, David switched to the role of panellist to join fellow guest speakers from the likes of IBM and Sanofi as a discussion took place surrounding mobile app security.

The primary reasons behind implementing BYOD are to: increase flexibility, improve productivity and reduce cost for the organisation by not having to purchase ‘work phones’ for staff. However, there are important issues to consider for decision makers. And after attending these events, here are my thoughts on the subject:

  • BYOD is a balance of trust – A big question mark before embarking on implementing the idea of BYOD is – do employers trust their employees enough? Employers must expect and believe that their staff are capable of using their devices to an acceptable standard, be it at work, from the basics of refraining from making personal calls to not engaging in dangerous or illegal activities, or on a more general level, by having the nous to make sure that their device is as safe as it can be from outside threats. However, this all comes down to a piece of paper – the policy that’s written and implemented by the company and signed up to by the employee. In truth, employers are just giving in to the reality of the fact that their staff are bringing in their own devices anyway and the company has no control whatsoever.
  • BYOD is a balance of separation between work and home life – One of the largest considerations for an employer is that their employees’ work and home lives do not intertwine to a great extent. Of course, this depends on the role. For some staff, normally lower down the ladder of employment, it is a case of when the clock hits 5pm, work for the day is over and can be resumed at 9am the following day. But for other individuals, be it company directors or those whose job requires them to be ‘on call’, work becomes more of a continuous element of their lives. For the former, having work-related emails and calls coming through at hours when an employee is meant to have finished work for the day is a problem that needs to be considered. So where is the line drawn between work and play?
  • App permissions are a large consideration for employers seeking to implement BYOD – It’s not so much about what type of apps that employees are downloading to their phones, it’s the permissions that the applications ask for upon being downloaded that is the problem. Your mobile number, contacts and location are just some of the many examples of types of information that can be gathered by a mobile app. And depending on the type of work an individual’s business carries out, employers may not be so keen to let users reveal particular data. There are data protection obligations too. Ultimately, the phone belongs to the employee, but there may be situations where restrictions need to be in place so that their work for a company isn’t compromised. This needs to be addressed via remote mobile device management tools (MDM), but is that too intrusive into the personal side of things?
  • Policies: A simple one-time checklist or an ever-changing nightmare? – Whilst a BYOD policy outlines the rules set by an employer which an employee must abide by, a device policy addresses the issues of what features of the phone the employee is able to use – and this is a problem when it comes to BYOD. Employees’ phones are all so different, suited on a work level for their particular role and on a non-work level in terms of personal preferences, e.g. the type of apps they download (and the sensitive access to features which come with them). So is it the case that tailored device policies are required, in conjunction with their phone settings, or is it possible to roll out a generalised device policy for all to agree by? Or is it a combination of the two, where a middle ground needs to be identified? Technology and the components of it are changing all the time, with mobile phone applications being updated regularly as well as the device, platform and browser software. So is it the case that an employee’s device policy needs to be looked at after every individual change? The word “impractical” springs to mind, particularly in a large organisation. But regular changes made to phones will include addressing security features from time to time, so whose responsibility is it to take care of security in BYOD?
  • The responsibility of mobile application security is still ‘up in the air’ – Following on from the previous two points, a poll was taken during the webinar, asking attendees whether they believed the responsibility of mobile app security should be down to IT departments. Over 25% of the voters answered with the option that it is down to IT. However, the remaining voters disagreed, with the majority of those saying that responsibility should be shared across more than one area. In the area of BYOD, security is surely something that users should be involved in, but is it something that they are wholly responsible for? To have each individual employee notifying their organisation about updates to their phone and how it affects their policy again seems impractical. Overall, the responsibility is definitely something that in my opinion needs to be shared, but how and exactly who with remains to be seen.
As is clear, there are a plethora of questions that need to be answered before BYOD can be implemented, regardless of a company’s size. But I suppose the ultimate question is – do the benefits outweigh the drawbacks? Another audience show of hands was taken at the conclusion of the Mobile Monday panel discussion, asking whether the advantages of BYOD outweighed the disadvantages. The advantages had it, but by a narrow margin, so this example further evidences the fact that although BYOD is being increasingly taken up by organisations, there are still major hang-ups with the idea that need to be considered meticulously by an employer before the implementation process can begin. It remains, for now, a difficult subject.

Some links:

Mobile World Congress 2013 – The Copper Horse Experience

Copper Horse’s Mobile Security Intern Matt Williams experienced Mobile World Congress for the first time this year. Here’s his write-up on what went on out there:

It was that time of year again. When everyone in the mobile industry gathered in one place to exhibit, network and discover the latest updates in the ever-growing world of mobile phones. As usual, the Copper Horse team were there, from the Friday before the event to the Friday after. And here is a short summary of our experience of the largest ever Mobile World Congress!

The word “ever-growing” used earlier is a more than appropriate term to describe the current state of the mobile industry, as was evident from the scale of this year’s event. Mobile World Congress had moved from its previous home, the Fira Montjuic, across the city of Barcelona (the congress’s current and future host until at least 2018) to the substantially larger Fira Gran Via exhibition centre. The 2013 event consisted of nine Walmart-sized halls, six of which were for exhibition stands, with the other three carrying out the roles of registration, a conference village and a theatre district. To walk from the Southern Entrance at Hall 1 to the Northern Entrance at Hall 8 would typically take 15-20 minutes; such was the enormity of the occasion. Consequently, a record 65,000 people were expected to attend (the final total was over 72,000!). But before the new venue was even looked at, the Copper Horse team had a busy weekend of events to attend and people to meet.

The Weekend Before

After some initial settling in on the Friday and Saturday, consisting of networking, tapas tasting at local bars and collecting our badges, we headed up to the Nou Camp, home of Barcelona FC for a once in a lifetime trip to see them play. Along with some other industry colleagues we watched them beat Seville 2-1 in a hard fought game.

Copper Horse’s team were now ready to attend the first mobile-related event of the week – Innovation on the Fringe at MOB (Makers of Barcelona). Hosted by Heroes of the Mobile Fringe, Innovation on the Fringe is the speed-dating equivalent of mobile app demonstrations – time-wise at least! App demonstrators had two minutes to present their ideas, with a further two minutes of questions from an audience containing potential investors. A wide variety of ideas were presented – from neighbourhood change to online authentication with pictures.

Copper Horse’s main role in the event was not to witness the app presentations, but to give out an inaugural award. Namely, the Dead Technology Award – A golden calculator trophy presented to the technology that has either died off or flopped spectacularly in the past year.

Essentially the tech equivalent of the Golden Raspberry Award (Razzie) for Worst Film, attendees at the fringe event were given the opportunity to vote from a shortlist of nine nominees via SMS. At the end of the event, it was decided by the audience that Sony Ericsson’s demise as it was finally subsumed into Sony was to be the first ever winner of this prestigious title. And so it came to be that Sony Ericsson was propelled into Silicon Heaven (as they say in Red Dwarf). So congratulations (or should that be condolences?) to the now ‘deceased’ Sony Ericsson! RIP. You can watch the video of the shortlist below:

It was a quick dash for some filmed interviews, then back into town. Later on in the evening, it was our turn to become the host, as Copper Horse welcomed security experts from around the world to attend a dinner – now a well-established MWC tradition! The opportunity to talk with other experts in the field was a hugely interesting experience and the event took place at one of Barcelona’s top restaurants. This year’s security dinner provided a great insight into the week ahead at the Fira. And no sooner had the weekend arrived than it was time for the congress to officially begin.

Monday

The primary focus of the first day of Copper Horse’s MWC was the Mobile Security Forum sessions held in the Theatre District of Hall 8. Security sponsors that included AdaptiveMobile, antivirus vendor AVG and network solutions provider Juniper Networks all held individual talks and panel discussions in relation to the world of mobile security. The topics debated were:

  • Securing the Borderless Network
  • Consumer Mobility and Privacy: Monetization without Alienation
  • Offense or Defense: Security in an LTE World

The evening saw a great event hosted by Box. More security, good tapas and red wine rounded off an excellent first proper day of MWC.

Tuesday

On Tuesday morning, Copper Horse Director David Rogers chaired the UKTI event “Cyber Security in the Mobile World” – a seminar that identified what is meant by “Cyber Security” for mobile devices and networks, what is on the horizon in the context of threats, how genuine the threats are and what security methods could be put into place to make businesses and consumers more secure.

Following on from this were the Global Mobile Awards – We’ve already had the technology equivalent of the Razzies, now it was the turn of the best of the best to be recognised in the mobile industry equivalent of The Oscars. Over six hundred entries and nominees were in contention for the thirty-seven honours. Copper Horse judged in the ‘Best Mobile Safeguard & Security Products and Services’ category, which was won by Adaptive Mobile and Syniverse.


Among the other awards given out were Best Smartphone to the Samsung Galaxy S3, Best Mobile Tablet to Google and Asus for the Nexus 7 and the Judges Choice for Best Overall Mobile App to Waze, a mobile navigation app that allows users to add and see real-time traffic updates. The awards, hosted by comedian David Walliams, concluded, after which the team wound down the day at the annual Northern Ireland Beers and Scottish Whiskies – networking events held in close proximity to one another, in the UK section of the Hall 7 exhibitors.

Wednesday

Wednesday was a busy day for the team, with lots of meetings and events. It featured an early morning start at the MEF Kaspersky Breakfast Briefing. This session focused on the latest threats to app users, highlighting the most recent developments in mobile malware. A roundtable discussion and a series of presentations highlighting the scope of the threats took place. The main point to note was that the threat of mobile malware has never been greater, as there were approximately 4000 cases of it reported in 2012, of which 93% were on the Android platform. One of the primary reasons for the large number of cases being on Android devices, in addition to the fact that it is such an open operating system, was that many users ran older versions of the platform, which no longer had the necessary patches available. Overall, the breakfast was a very interesting event to attend.

In the afternoon, the GSMA’s Pat Walshe hosted an event ‘Mobile App Privacy: What’s Your View?’ with speakers from AT&T, Rovio (the makers of Angry Birds), Mozilla and the App Developers Alliance. There was some robust discussion, but there was a clear view that app developers need to focus on their own software quality and pay attention to security more seriously. There was also a good discussion on how small companies suddenly have to deal with regulators and lawsuits and what that growth experience is like.

After attending a few networking events in the evening, the day concluded with one of the best Barcelona parties – Swedish Beers. It’s a great chance to connect with other people as the week at MWC begins to draw to a close, particularly if you find one of the sponsors, who has the free drink tokens!

Thursday

Thursday was the quietest day of the four during MWC. Whilst some visitors had seen what they had come to see and departed Barcelona, there were still plenty of events to explore and exhibitors to meet. Mobile Monday operated a continuous run of presentations, discussions and talks until the congress reached its 4pm closing time, whilst WIPJam saw mobile developers meet for a busy day of storytelling, pitches and demos. Just to show how busy the event was, meetings carried on right up until the last minute of the show. In the last formal Copper Horse meeting of the day, the Fira staff were taking up the carpet and removing screens while the meeting was still going on! The day ended with a quiet Paella (where another ad hoc meeting happened (!)) before a good night’s rest before the journey home. 

Friday

Inevitably, the airport on Friday morning was chaos, with thousands of exhausted delegates desperate to leave. Some more accidental meetings at the airport and then finally, arrival in the UK!

All in all, MWC 2013 was a terrific experience and the busiest year yet for the Copper Horse team. Now starts the planning for next year!  

Only fools eat horses

There’s a scandal raging across the UK and Europe at the moment involving horse meat which has been passed off as beef. Lots of retailers have been affected as well as pubs, prisons and schools. There was also a worry that people would ingest the painkillers used for horses.

This whole issue is primarily a point about food labelling – people were expecting beef and they got horse, but the other point is that this food was really cheap, so the pressure within the supply chain to get cheap ingredients was very high. This was highlighted again in today’s Sunday Telegraph article: “Why meat can no longer be considered a cheap commodity”. Mark Price, the CEO of Waitrose, says in the article that “if … there is a requirement to hit a price point for consumers under financial pressure then there will be an inevitable strain in the supply chain. If the question is ‘Who can sell the cheapest stuff?’ I’m afraid it is inevitable that there will be a slackening of product specifications”.

You get what you pay for

This is also the case in other industries. The mobile industry has for years been ruled by the device purchasers of the mobile network operators. Inevitably, on the security side they don’t want to pay for it. This is because a) they don’t understand it and b) they don’t see the consequences of not having the security included. It has only been recently that there is a ‘mild’ expectation that security is included, but it should be part of the standard feature set. This is also the attitude of the consumer (rightly). Customers have the right to expect that what they buy is safe and secure and isn’t going to harm them. They also expect that if a bank provides them with a secure banking app, that it does what it says on the tin – that it is labelled correctly and they’re not getting horse meat when they paid for beef.

Supply Chain Value, Integrity and Security

The race to the bottom of the mobile supply chain has been typified by the first thing to go, security – security in terms of secure hardware components that add $1 to the bill of materials and security that is gained through software quality – proper security testing and secure coding costs money. You can see this in many areas of the mobile industry, from equipment vendors who sell really poor quality product at super-cheap prices for inclusion inside the mobile networks, through to femtocell vendors and device manufacturers who again sell devices without adequate security which end up in consumer hands. Not only this but the supply chain integrity of such cheap products is questionable – what if the chip that you thought was made by Qualcomm was actually a counterfeit device? What are the implications for security? One of the key questions for cyber security is the security and integrity of the supply chain for key equipment. Another should be what the acceptable level of security is in equipment sold to consumers and how to assure that.

You Get What You Pay For

The same applies to mobile applications. The economics of the current apps ecosystem just don’t stack up properly. For mobile app stores to test every application properly would cost more than the companies would make from them, and the vast majority of apps are free. So what incentive is there for anyone in the apps supply chain to securely code them or check that they are ok? Luckily in the main app stores there is (at the moment at least) an adequate level of testing and checks in place, but for the rest of the world who don’t have access to those app stores, the situation is dire. Just as with the horse meat scandal, it is the poorest people in the world that suffer the most. They have no choice – they’re almost forced to download apps from questionable sources and they’ve got to like it, because there is no other choice for them. Unlike the food safety world, the weird situation in the app environment is that you also have an industry that constantly tells consumers that they might be eating horse (even though they’re not) – that is the anti-virus industry. It is also completely unregulated and free to make unsubstantiated statements by making incredibly tenuous links to rare incidents in other countries that are not linked to the phone you use. This wanton manipulation of statistics for profit is as irresponsible as selling poor quality and mis-labelled products and needs to be reined in.

Horse Meat for Beef Prices

A few years ago when new European health and safety legislation was introduced around abattoirs in the UK, the smaller abattoirs were up in arms saying that they couldn’t afford to implement the new rules. They also argued that consumer choice would be impacted as only the big abattoirs would be able to supply what would be a limited choice of meat. However, look at this from the consumer point of view – what they’re really saying is that they can’t meet adequate requirements to supply you meat that isn’t going to harm you. What would you want: safe meat or a bit more choice?

With global austerity in full swing, scrimping on things that people don’t consider to be essential is going to happen. The problem is, security in mobile communications products is essential these days for lots of reasons. Perhaps there need to be minimum standards for industry around getting ‘adequate’ security in order to prevent this race to the bottom for cost reasons. As a consumer, I’m paying beef prices and often getting horse meat.

Copper Horse Mobile Security dinner in Barcelona – 2013

Well here we are again, preparing for more Mobile World Congress mayhem in Barcelona (albeit at a new venue).

We’re running our annual Copper Horse Mobile Security dinner on the Sunday night once more (that’s the 24th this year). The event will be held in a secret location in Barcelona from 9pm onwards. Expect experts on security and mobile and some generally good intellectual conversation (unless you’re sat next to me!).

Definitely not being held here

Use the contact link above to get in touch if you’re interested in coming along. An important point to note – we split the bill at the end, so this is not a free meal 🙂

An interview with a tech journalist

I was slightly misquoted in an article yesterday on mobile malware, so I thought I’d re-post my exact responses to the journalist as I spent a fair amount of time out of my evening to respond to the request instead of relaxing! With Mobile World Congress coming up, some of the topics covered are relevant to things that will be discussed in Barcelona.

Good tech journalism?

My comments were in response to a BlueCoat Systems report on mobile malware that came out on the 11th of February. I didn’t get the chance to see the report until the very end, so my last comment is based on my skim read of the report. The questions you see below are from the journalist to me.

Here was my response (me in blue):

Here are my responses, let me know if you need anything else. I didn’t read the report yet.
They are marked [DAVID]:

David –

I’m doing a story on a recent report from Blue Coat about mobile malware. No link yet.

My questions, if you have a few minutes:

It predicts that delivery of mobile malware with malnets will be a growing problem this year. Agree? Why or why not?

[DAVID] It’s possible, but the question is really ‘where’. Most mobile malware has taken root in places like China and Russia where there has traditionally been a lack of official app stores (which has only recently changed). It’s like the wild west out there with a complete lack of controls on the ingestion side to check that developers aren’t peddling malware and on the consumer side because the devices are outside the ‘safe’ app store world we see in the West.

So we almost have two worlds at the moment: the first is the western world, mainly Europe and the US, where generally no-one gets infected (a tiny, tiny percentage of maliciousness gets through the official app store checks or gets intentionally side-loaded by the user, usually when they’re trying to get pirated software!). The second is the vast majority of the rest of the world, usually poorer countries where the controls and regulations on piracy and malware are lax. It is like putting a street market next to a high-end city shopping mall. The mobile industry isn’t static and will continue to evolve in terms of security and threat management both on the network and device side when it comes to the potential for botnets (at least in the more controlled environment of the West).

It says mobile devices are still relatively secure at the OS level, but that users are “set up to fail” because it is more difficult to avoid phishing – URLs and links are shortened, passwords are visible to an onlooker when you enter them – apps are not well vetted and mobile versions of websites are often hosted by third parties, making it difficult to tell which are legit. Do you agree? Why or why not? And if you do agree, is there anything developers ought to change?

[DAVID] Mobile OSs and their underlying hardware are getting very advanced in terms of security which is great news. The problem is that there hasn’t been enough invested into educating developers about how to develop secure software and in most cases the tools and libraries they use are not designed to help them make the right security decisions, resulting in very basic flaws which have serious security consequences (for example poor implementation of SSL). For some, it is just too difficult or too much effort to bother putting security in from the start. We need to break down that kind of mentality and I think we really need to improve considerably in terms of ‘cyber’ security skills around for mobile developers. In terms of usability and the lack of screen real-estate, then yes developers have a role to play in helping the user make the decision they want to – some QR readers now present the ‘real’ URI behind a shortened one in order that the user can decide whether that was what they were expecting.

Users can be very impulsive when it comes to mobile, so you have to try and save them from themselves, but balance this with not resorting to bombarding them with prompts. Human behaviour dictates that we’re susceptible to social engineering and will get over any hurdle presented to us if the prize is worth enough (something which is called the ‘dancing pigs’ problem). This is a real problem for both the OS and application developers. One thing that hasn’t really been deployed yet in the mobile world is trusted 3rd party management of policy. Users could choose a policy provider they trust to take the security management problem away from them. Obviously it can’t solve everything – the user has to take responsibility for their own actions at some point, but it will go a long way to resolving current issues with permissions and policy on mobile platforms. The key to it all is that the user themselves has to be ultimately in charge of who they choose as a policy provider, not the operator, OS vendor or manufacturer.

There’ll always be attackers – the arbiters of trust in the mobile world have great responsibility to the millions of users out there and they themselves will become targets. I like the way that Google Bouncer (the automated security testing tool of Android apps being submitted by developers) has now become the target of attacks. To me, Google have forced attackers back away from the ‘Keep’ to the castle walls which can only be a good thing.

[I’ve lumped all these questions together]

The report says user behavior is the major weakness. Hasn’t this been the case all along?

Is there any truly effective way to change user behavior?

Is it possible for security technology to trump user weaknesses? If so, how?

[DAVID] Yes, user behaviour is a weakness, but usability and security don’t usually sit well together. Developers should not just consider the technical security of an application but make security as friendly and seamless as possible from the user’s perspective. Resorting to prompting is usually the lazy way out and it pushes the burden of responsibility onto a user who probably doesn’t have a clue what you just asked them. I think OS level and web APIs could benefit from different design patterns – how about building in more intelligence to the responses? For example, in a geolocation API a developer could ‘negotiate’ access by understanding what the user is comfortable with, all in the background. This avoids binary behaviour – for example: apps that fall over if you don’t enable geolocation and users that never install apps that have geolocation. Both situations are not very good for helping the apps world advance and grow! However, if the user had been able to say that they were happy to share their location to city level, then the API could negotiate the request from a developer for location down to 1 metre by offering up city level instead. It would make for a much smoother world and would apply very easily across many different APIs.

If a user makes a critically bad decision, for example going to an infected website, I think Google have taken a strong lead in this respect by clearly showing to the user that really bad things are happening. Perhaps this could extend to other things on mobile, but we still need to get the basics of security right first from a technology and manufacturer’s perspective. I think some manufacturers have a long way to go to improve their security in this respect.

It says users will go outside VPNs if the “user experience” is not good within it. Is it realistic to expect enterprises to make their user experience better?

[DAVID] I think there are some interesting things coming along in terms of more ‘usable’ VPN technology, but usually the reason a VPN doesn’t work is a technical one that an ordinary user isn’t going to understand. They just want to get their job done and may take risky decisions because there are generally no visible security consequences. Most people in big companies have to deal with inflexible IT departments with inflexible policies. The intrusion into people’s own lives with the introduction of BYOD has muddled things further. I can certainly see more societal issues than security ones for the overall user experience – for example it might be very tempting for companies to start intruding on their users if there is a big industrial dispute involving unions. I don’t think these questions have properly hit companies yet, but mobile companies like RIM are looking at proper separation of work and personal life from a technical point of view; after that it is really down to the paperwork – the rules of use and the enforcement of those.

The report said Android is more vulnerable to attacks because of unregulated apps and the diversity of Android-based devices. What, if anything, can/should be done about that?

[DAVID] Well to a certain extent yes, but this has been vastly overplayed by anti-virus vendors desperate to get into mobile. The vast majority of maliciousness has been caused outside of the trusted app store world that we see in the US and the UK. I wouldn’t have designed the app signing process in the same way as the Android guys did, but then identification of individuals can be difficult anyway – I know lots of registration systems that can be broken just by photocopies of ‘official’ documents. Google wanted a more open ecosystem and you have to take the good with the bad. In terms of the diversity or fragmentation in Android, this could become an issue as device lifecycles get longer. The mobile industry is looking at the software update problem and rightly so. For the network operators it is going to be a question of how to identify and manage out those threats on the network side if it comes to it. I don’t think software upgrade issues are confined to Android but we don’t want any of the industry to lag behind because in the future there is nothing to say that huge distributed cross-platform (automotive, mobile, home) threats could exist, so we should pay attention to resilience and good cyber house-keeping now before it is too late.

Sorry to be on a deadline crunch – 5:30 p.m. EST today.

And my final comment to the journalist after I’d seen the report:

So just had a quick look through, only one final comment:

One thing that we all should remember is that the bad guys are not the mobile industry – it is the people who perpetrate malware, spam and scams. At the moment, cyber criminals run rings around law enforcement by operating across lots of countries in the world, relying on fragmented judicial systems and the lack of international agreements to take action. We should build the systems and laws through which we can arrest and prosecute criminals at a global level. 

I hope readers find it useful to see what I really wanted to say – I don’t claim to be right, but these are my opinions on the subjects in question. Readers should also understand how much effort sometimes gets put into helping journalists, with varying results 😦. If you want to read the original article and compare my responses with the benefit of context, you can find it at CSO online.
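The ‘negotiating’ geolocation API sketched in the interview answer above (an app asks for 1 metre precision, the user’s chosen policy provider only allows city level, and the API grants city level instead of failing) as an added example that is not part of the original post or any real platform API. The tier names, grid sizes and function names are assumptions made for illustration.

```javascript
// Added example (not code from the original post): a sketch of a
// "negotiating" geolocation wrapper. Tier names, grid sizes and function
// names are assumptions for illustration only.

// Precision tiers, finest first. Each maps to a grid size in degrees that
// the returned coordinate is snapped to (roughly 1 m, 100 m, 10 km and
// 100 km at the equator).
const TIER_GRID = { exact: 0.00001, street: 0.001, city: 0.1, region: 1.0 };
const TIER_ORDER = ["exact", "street", "city", "region"];

// Snap a coordinate to the centre of its grid cell so that nothing finer
// than the granted tier leaks through the returned value.
function coarsen(value, grid) {
  const cell = Math.floor(value / grid);
  return Number(((cell + 0.5) * grid).toFixed(6));
}

// Resolve the app's requested tier against the ceiling set by the user's
// chosen policy provider. The coarser of the two always wins, so a request
// for 1 m precision against a "city" policy is answered at city level
// rather than refused outright.
function negotiate(requested, allowed) {
  const r = TIER_ORDER.indexOf(requested);
  const a = TIER_ORDER.indexOf(allowed);
  if (r < 0 || a < 0) throw new Error("unknown precision tier");
  return TIER_ORDER[Math.max(r, a)];
}

// What an app would call instead of reading the raw device fix directly.
// `fix` is the true position; `policy.maxPrecision` is the user's cap.
function getLocation(fix, requested, policy) {
  const granted = negotiate(requested, policy.maxPrecision);
  const grid = TIER_GRID[granted];
  return {
    granted,
    coords: {
      latitude: coarsen(fix.latitude, grid),
      longitude: coarsen(fix.longitude, grid),
      gridDegrees: grid,
    },
  };
}

// Constructed sample: a fix in central Barcelona, an app asking for 1 m
// precision, and a user policy that allows city level at most.
const SAMPLE_FIX = { latitude: 41.38879, longitude: 2.15899 };
const USER_POLICY = { maxPrecision: "city" };
const SAMPLE_RESULT = getLocation(SAMPLE_FIX, "exact", USER_POLICY);
console.log(SAMPLE_RESULT); // granted "city", coords snapped to a 0.1 degree cell
```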