Mobile Technology and Silicon Heaven

I’ve been thinking for a while about the number of technologies that get announced, don’t really do anything, then die rather quickly. It’s just over a month before I head over to Barcelona for Mobile World Congress and I’m expecting to hear about a lot of new things that are destined for a quick entry to the “electronic afterlife” of Silicon Heaven. For those of you who don’t know what Silicon Heaven is, I’ll let the web explain:

Silicon Heaven

From Red Dwarf “The Last Day”, Season 3, Episode 6:

Lister: How can you just lie back and accept it? 
Kryten: Oh, it’s not the end for me, sir, it’s just the beginning. I have served my human masters, now I can look forward to my reward in silicon heaven. 
Lister: [Stunned pause] Silicon WHAT? 
Kryten: Surely you’ve heard of silicon heaven? 
Lister: Has it got anything to do with being stuck opposite Brigitte Nielsen in a packed lift? 
Kryten: No, sir. It’s the electronic afterlife. It’s the gathering place for the souls of all electronic equipment. Robots, toasters, calculators. It’s our final resting place. 
Lister: I don’t mean to say anything out of place here, Kryten, but that is completely whacko Jacko. There is no such thing as ‘Silicon Heaven’. 
Kryten: Then where do all the calculators go? 
Lister: They don’t go anywhere. They just die. 
Kryten: Surely you believe that God is in all things? Aren’t you a pantheist? 
Lister: Yeah, but I just don’t think it applies to kitchen utensils. I’m not a FRYING pantheist. Machines do not have souls. Computers and calculators do not have an afterlife. You don’t get hairdryers with tiny little wings, sitting on clouds and playing harps. 
Kryten: But of course you do. For is it not written in the Electronic Bible, “The Iron shall lie down with the Lamp”. 


Source: http://www.imdb.com/title/tt0684183/quotes?qt=qt0310031

So what mobile technologies do you think should qualify for the past year? Who is most worthy (if that’s the word!) of the Silicon Heaven prize? Answers in the comments please! I’ll let you know my own thoughts very soon.

 

Facebook: No ‘Likes’ for Security and Privacy?

Matt Williams discusses recent changes to Facebook:

Facebook announced on Tuesday that only 660,000 of its 1 billion users responded to proposals by the site to allow changes to be made to the governing of the social networking giant. The primary modifications included: increasing the sharing of data between its services, making the rules regarding who can message users more lax, and removing the voting system. These refer to every version of Facebook, including the mobile application.

On the face of it, a turnout of 0.06% is a very small figure. And considering that most of the points that the proposals were setting out are security and privacy related, it begs the immediate question: do Facebook users really care about their account security?


As a young person who has been studying a security-related degree, security and privacy on social networking sites is something that I think about regularly. Who is able to contact me? What details am I giving out? And are my embarrassing photos only being limited to a particular number of people, or are they being made public?

So why didn’t I answer? I’ve had a Facebook account for a while now. But my allegiances to social networking sites have now switched. Twitter, the growing threat to Facebook, now occupies most of my networking time, so it seems I’ve deemed Facebook to be second in importance in this department. And with a reduction in its value to me, Facebook’s changes to my account fall to the bottom of my ‘to-do list’.

Speaking to my friends about it, they were saying much the same. For many of them, Twitter is their new top social networking site, so they’re more interested in the security of that rather than Facebook now. Other reasons given were that it was too time consuming, and that a response would have been made if longer had been given to answer. Some simply didn’t care.

But although the impression gathered from the response to the poll is that the changes involved are not important to users, approximately 90% of the respondents to the proposals were against planned changes. So does this actually mean the opposite? If people actually do care about security, why are they so against the changes? A 0.06% response rate might appear small at first, but considering Facebook’s global popularity, it is in fact a sizeable number of people. After all, online petitions to the UK government are gated at only 100,000 respondents.

In my opinion, people are fed up with data sharing to third parties becoming such a prominent feature of Facebook. Details put on the site by users are in the majority of cases for their friends and only for their friends, not for Facebook and the extended services offered, such as advertising. It could also be that there’s a growing element of mistrust between the users and the online giant. Some feel that they cannot trust the social network and may think the changes are one too many. Users are so worn down that they feel their voices won’t be heard anyway, so just resign themselves in apathy, in the hope that they’ll be able to one day export their photos and friends and finally get out.

Samsung Galaxy SIII data wiping on Android – just by visiting a website

Yesterday, Ravi Borgaonkar (@raviborgaonkar) released to the world an issue that could be one of the most serious to hit the mobile industry in a very long time.

Ravi, who is based at the Technical University of Berlin’s SecT lab (and who has previously been in the news for his research on hacking femtocells), had discovered that there were proprietary codes for wiping devices entirely (note that this is not a USSD code as per the spec, as has incorrectly been reported). Ironically for the mobile industry, SecT is sponsored by Deutsche Telekom.

These commands can be entered via the user interface, but can also be triggered remotely by visiting a rigged webpage which calls the dialler function. Normally, the user would have to physically confirm the number to dial by pressing the green receiver button, but not in this case.

Currently, reports are coming in saying that a number of Android devices may be affected, including not only Samsung devices (the Galaxy SIII being amongst them) but also the HTC One X. It seems that devices in the UK may not be affected as they’re not using Samsung’s TouchWiz user interface, but details are still emerging.

Dangerous disclosure?

Ravi apparently made a responsible disclosure to a number of affected manufacturers and operators but, after apparently getting frustrated with months of delays from certain operators, decided to go public. My take on this is that there appears to have been a failing on both sides here. Without knowing all the details it is difficult to make a judgement, however I feel that making this public when the vulnerability is so easy to reproduce and has such massive destructive implications for users is bordering on criminal. Equally, if an operator has been sitting on this fix for months for no good reason (and I don’t know if that is the case), then that is just as bad.

Just imagine how you would feel if you lost all of your pictures on your phone just because you visited a website.

How to test if you’re vulnerable and how to fix it temporarily

German mobile security researcher Collin Mulliner has released a temporary fix to Google Play called ‘telstop’, which people can download if they’re concerned.

A test page set up by Ravi is available which sends the user interface command to display the IMEI number (*#06#). Just navigate to this link on your phone: http://www.isk.kth.se/~rbbo/testussd.html – if your IMEI number is displayed without you having to confirm the dial, then you are vulnerable.

17:00 26/09/12 Update: Ravi’s test page was using Google Analytics to track who is testing. I have setup a separate test page that does not use analytics. Just point your mobile browser at: http://mobilephonesecurity.org/tel
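To make the mechanism concrete, here is an added example (my own illustration, not Ravi’s test page or Collin’s telstop) of how a tel: URI embedded in a page can carry an MMI-style code such as *#06#, and how a page scanner or URL filter can tell such codes apart from ordinary phone numbers. The hidden iframe in the sample page, the `%2A`/`%23` percent-encoding of `*` and `#`, and the simple “starts with * or #, ends with #” grammar are all assumptions for the sake of the example; they match the common shape of these codes but are not a full parser of the MMI specification.

```javascript
// Added example, not code from the original post, Ravi's test page or telstop.
// Shows how a tel: URI in a web page can carry an MMI-style code such as *#06#
// (percent-encoded, since a raw '#' would be read as a URL fragment), and how a
// scanner can classify what the dialler would receive. The MMI grammar below
// (leading '*' or '#', trailing '#') is an assumption matching the usual shape
// of these codes, not a full implementation of the MMI specification.

// Decode the dialled string out of a tel: URI, returning null if it is not one.
function decodeTelUri(uri) {
  const m = /^tel:(.*)$/i.exec(uri.trim());
  if (!m) return null;
  let target;
  try {
    target = decodeURIComponent(m[1]); // %2A -> '*', %23 -> '#'
  } catch (e) {
    return null; // malformed percent-encoding: treat as not a usable tel: URI
  }
  // Drop the visual separators that a dialler ignores anyway.
  return target.replace(/[\s().-]/g, "");
}

// Classify what the dialler would receive for a given URI.
function classifyTelUri(uri) {
  const target = decodeTelUri(uri);
  if (target === null) return "not-tel";
  if (/^\+?\d+$/.test(target)) return "number";
  if (/^[*#][*#0-9]*#$/.test(target)) return "mmi-code";
  return "unknown";
}

// Pull every tel: reference out of href/src attributes in a chunk of HTML.
// (A page that sets window.location to a tel: URI from script would not be
// caught by this static scan; an intent-level filter like telstop would.)
function findTelUris(html) {
  const found = [];
  const attr = /(?:href|src)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    if (/^tel:/i.test(m[1].trim())) found.push(m[1].trim());
  }
  return found;
}

// Audit a page: report each tel: URI with its verdict. Anything classified as
// "mmi-code" is what a dialler should refuse to run without user confirmation.
function auditHtml(html) {
  return findTelUris(html).map((uri) => ({ uri, verdict: classifyTelUri(uri) }));
}

// Constructed sample page: a hidden frame carrying the IMEI-display code,
// one ordinary call link and one unrelated link.
const SAMPLE_HTML = `
<html><body>
  <iframe src="tel:*%2306%23" style="display:none"></iframe>
  <a href="tel:+44 (0)20 7946 0000">Call us</a>
  <a href="http://example.invalid/">Home</a>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditHtml(SAMPLE_HTML));
}
```

Running it against the constructed page reports the iframe’s URI as an MMI code and the contact link as a plain number. The point of decoding before classifying is that a filter which only looks for a literal `*#` in the URL would be bypassed by the percent-encoded form, which is exactly how such a code has to be written inside a URL in the first place.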

More detail can be found in this article and a video of Ravi’s presentation is below:

 

"Apple does not have a process to track or flag lost or stolen product"

“Apple does not have a process to track or flag lost or stolen product”. That’s exactly what the Apple support pages say.

Having worked on the problem for years and seen the human consequences of violent theft, it appears a fairly arrogant statement to make. It’s not a safe, fluffy world out there (unless you live your life permanently in a gated development).


As Intel’s Robert Siciliano told Reuters in January: ‘Apple seems to have not considered stolen devices and instead is relying on the honor system’ … ‘The honor system is devised with the mindset that we are all sheep and there are no wolves.’


There are certainly lots of wolves out there. Mobile phone theft appears to be starting to grow again.

Apple’s Q3 figures released in July 2012 showed a net profit of $8.8B. So is it too much to ask Apple to spend a bit of that profit on a process that helps consumers and reduces the desirability and ease of theft? They certainly have the global reach to do it (and currently, much more than the mobile network operators). It seems to me a little unfair for them to put everything on the mobile network operator just because they have the contract with the end user.

The Police (particularly in the UK) are doing their best against street crime and it is surely incumbent upon Apple as a good corporate citizen to try and help minimise theft of hot products such as the iPhone. 


Channel 4 did a great report on the situation in London last month:

Criminals are getting savvy – they’re also turning off the find and locate features of modern smartphones and wiping the devices so you’ll never get them back. They can even continue using the phones in the country they were stolen in, even if the IMEI number is blocked. They just don’t use the core “phone” functionality. WhatsApp and everything else will work just fine.

Phone theft is a tough nut to crack, as I pointed out in this talk. However, if certain companies are just putting their head in the sand and responding to the media with ‘no comment’, we’re in a bad place.

IET Security for Mobile Devices – 20th June 2012, London

Next Wednesday, I’ll be chairing the Institution of Engineering and Technology’s Security for Mobile Devices event, which takes place at the impressive RIBA building in London. With topics ranging from the complex subject of mobile forensics to the good and bad of Bring Your Own Device (BYOD) policies in businesses, it is going to be an interesting day with some lively debate. I’m also pleased with the stellar line-up of speakers there. The programme includes:

  • An opening address by Mike Short of Telefonica (and also President of the IET)
  • Charles Brookson – the GSMA Security Group Chair
  • Former RIM Security Research guru and Bluetooth hacking pioneer, Ollie Whitehouse
  • Head of the Metropolitan Police’s Digital and Electronic Forensics unit, Mark Stokes
  • Co-Founder of the Trusted Computing Group (TCG) and CEO of Wave Systems, Steven Sprague
  • …and many more excellent speakers and panellists!

I’m really excited about the event. There are a few places still available. To sign up, head over to this site: http://conferences.theiet.org/mobile/registration/index.cfm

Cyberbullying: Victims to unmask public perpetrators, but what about bullying in private?

I invited Matt Williams to write a guest post on cyber bullying. Thanks for a great article Matt!

Cyberbullying is a topic of discussion that is becoming increasingly mentioned in today’s electronic world. In a time where the Internet is a staple part of our everyday lives, the ability to communicate one’s feelings by the click of a button is often taken for granted. This is particularly the case when referring to the mobile arena, as thoughts and ideas can translate to an SMS, Tweet or Facebook post almost instantly. Whilst many welcome the advancement with open arms, such steps forward naturally arrive with significant disadvantages. Cyberbullying is one of the most profound, and after a recent case of the practice came to light in the media, the UK Government is now being put under pressure to increase its efforts in a bid to address the matter.

Unmasking trolls and cyberbullies

The consistent rise in pressure began to escalate last week, when a British woman successfully won a court order allowing the identities of the individuals harassing her online to be revealed. Nicola Brookes had suffered a barrage of abuse from other users of the popular social media website, Facebook. Having achieved the court order, the users who posted defamatory comments against Mrs Brookes will now have a select amount of their personal details made known. This includes the IP addresses of the devices used by the cyberbullies. It is hoped that the added threat of having parts of a person’s personal profile revealed will help in the fight to combat the ever-growing threat of cyberbullying.

However, some organisations have expressed great concern about having the ability to reveal the proposed information. Privacy International states its position on the matter, claiming that on an international scale, certain operators may become too lax on the ability given to them. They fear that such organisations are at risk of exposing personal details, even in the event that only an allegation has been made. Therefore, the appearance of this ability in the social media market comes with new considerations, in many other aspects and on a much wider scale. But how would this tie in to mobile devices?

Image by Adam Clarke

Well, the clear advantage of the portability of mobile phones poses a threat in itself, as it presents one of the best methods of allowing cyberbullying to take place. These days, it is difficult to find a person in the UK without some form of mobile device. For many, the simplicity of being able to communicate with another individual has never been greater, thanks to the mobile phone. It is for this reason that mobile devices can more easily act as a catalyst to such an act as cyberbullying.

Cyberbullying in Private via Mobile

Another reason why cyberbullies prefer to use mobile to carry out their attacks is because phones often come with a lack of parental interference. Considering that the issue is most common within the teenage demographic, parents of younger phone users tend to distance themselves from their child’s mobile communications and online lives. Likewise, it is common for adolescents to find a means of preventing their parents from accessing their messages. It is this separation that can pave the way for cyberbullying to take place on a more private scale. In many aspects, this is more significant than a public example of online harassment, as the issue can steadily manifest itself and worsen with time.

But it is important to remember that cyberbullying isn’t exclusive to text communications. Photos, videos and audio recordings that demonstrate offensive behaviour also contribute to the problem. In many situations offensive material of any form is deleted soon after having been sent, especially on mobiles. This is often the case for both the architect of such material and the victim themselves. As a result, a record of the exchange becomes difficult for parents, teachers and the Police to trace, as the evidence is no longer present on the front end.

Government pressure on cyberbullying should continue

However, this recent development enabling victims to unmask cyberbullies can ultimately be considered to be a significant step forward, when attempting to tackle online perpetrators. Consequently, it is a move by the Government that will be well received. But it is important to remember that the private side of cyberbullying will continue to take place, and the Government must maintain its interest in combating the matter in the long run.

Last night’s Channel 4 News in the UK carried a piece on cyberbullying and guidance on what to do if you are being bullied: http://www.channel4.com/news/cyberbullying-what-should-i-do 

About Matt Williams

Matt Williams has just completed his second year as a student at the University of Derby, pursuing an undergraduate degree in Computer Forensics and Security. He has a keen interest in up-and-coming mobile technologies, particularly in reference to mobile security.

Playstation Network mysteriously down – security again?

Not mobile security, but possibly big emerging security news (more on why I think so below). The Sony Playstation Network is currently down (as of 20:39 UK on the 9th of June).

Germany-Portugal 0-0 you say?

Just before 8pm, I noticed I was signed out of the PSN, so went to the “Sign In” menu. This immediately took me to a change password menu. It said that my password was “no longer valid”. The dialog asked me to enter and then re-enter a password. Quite painful on a PS3 controller with complicated passwords, but it did slightly concern me that it hadn’t asked me for my old password (I need to spend some more time thinking about this though but my first thoughts were about whether I could get access to my credit card info etc, once I had done this). Anyway, I didn’t even get that far as the system locked up on me. After a restart, I submitted the new password and it timed-out, with “This service is currently undergoing maintenance”.

The PSN website says that the service is “Partially available” but there is no statement at all about what is going on. Obviously it could just be a major hardware failure somewhere, but equally we could be seeing the effects of an emergency shutdown due to a security issue (like last time). And, it was about this time last year it all happened. Added to that the fact that there have been a lot of password related breaches this week (LinkedIn et al), could this be linked?

As I write this (now 20:51), I’ve just been able to sign in again. No password change screen or anything, so it is all a bit strange.

To be updated…

Update 14/06/12 – No word on what happened the other day from Sony by the looks of things, but this afternoon (c.14:30 ish) the PSN network is down again, with some tweets giving very similar symptoms to the ones I had above. Again, nothing from Sony as to what is going on…

This Computer is Dead [it must be a virus]

I’ve dug up an old copy of Amstrad Action (issue no.85, October 1992) which has quite a funny letter from a reader in its technical forum section. You can see a scan of the letter below:

This is a really good example of the kind of paranoia users get into. It also probably reflects what was being touted around the media at the time. Earlier in 1992, the Michelangelo virus had caused a bit of a media storm after some hardware and software manufacturers accidentally shipped infected products.

I can’t find any reference on the web to the German Amstrad CPC virus referred to, but I do remember seeing some CPCs in Dixons in Scarborough in about 1990 which had some kind of anarchistic screen displayed saying it had been hacked, which as a kid I found pretty cool. Someone had obviously sneaked in and loaded it up on the machines while the salesmen weren’t looking.

Anyway, fast forward to today and we find this ludicrous – why were users jumping to conclusions about viruses on a machine like the CPC? Similar events are happening today – users seem to jump to extremes – either they ignore the possibility completely that they have clicked on something bad and are now part of a botnet or, at the other end of the scale (like the guy above), that because their computer is running slowly or broken, it must absolutely be a virus. This also extends to either the misplaced notion that Apple machines are immune to malware or that Android devices are riddled with maliciousness. Both incorrect views, but popular ones (and perpetuated by the media in many cases).

Users need independent trusted sources of honest advice and that isn’t necessarily found in those who have a vested interest in selling a fix to them.

Daily Mail violates privacy of dead babies

A couple of weeks ago I spoke at the London event of the International Association of Privacy Professionals (IAPP). During my panel, I outlined a few scenarios where there were problems with privacy. The first one was about a person who was very open and didn’t have many privacy requirements. This person was murdered and the media descended on their open data, putting their photos in the paper to the extreme distress of the family.

A very real example of this happened last week. In a very sad case, a father discovered his two babies dead at home. The Daily Mail subsequently took pictures from Facebook of the father, the mother and both babies and printed them in this article. How is this acceptable? Even if their Facebook settings were such that the pictures were not private to them, I fail to see how it is in the public interest to post the pictures of the babies? This can only have compounded the sorrow for a devastated family.