mobile security

The Long Road to a Law on Product Security in the UK

mobilephonesecurity936843331Leave a comment

As the UK’s Product Security and Telecommunications Infrastructure Bill entered Parliament today, I had some time to reflect on how far we’ve come.

I was reminded today that today was a long time coming. The person who triggered this was someone that I worked with when I was at Panasonic and he was at Nokia. Twenty years ago, we were sat in one of the smallest meeting rooms at Panasonic Mobile, next to the smoking room as it was the only one available – the Head of Security Research from Vodafone, the Head of Security of GSMA, plus the Security Group Chair of GSMA and me.

The topic was hardware (IMEI) security and more broadly mobile phone security and how to deal with embedded systems hacking at an industry level. What kind of new measures could be brought in that would genuinely help to reduce the problem of mobile phone theft and make phones more secure? As they say, from small acorns, mighty oaks grow. I’d also argue it is probably quite a bit about persistence over a very long time.

It takes a very long time to make meaningful changes and while it’s easy to point out flaws, it’s harder to build new technology that addresses those in a game-changing way with complete industry buy-in. That’s pretty much what recommendations and standards bodies do, with the aim of seeking consensus – not complete agreement, but at least broad agreement on the means to effect large scale changes. Gradually and over a long period of time.

So we did that. Both in the Trusted Computing Group (TCG) and through the work of OMTP’s TR1: Advanced Trusted Execution Environment which led to chip-level changes across the industry and ushered in a new era of hardware security in the mobile phone industry, providing the foundation of future trust. All of this work nearly complete before an iPhone was on the market, I might add and well before Android! From our published work, we expected it to be in phones from around 2012 onwards and even then it took a little while before those OS providers hardened their systems sufficiently to be classed as really good security, but I should add that they have done a really good job of security leadership themselves since then.

With saturation in the smartphone space, around 2013/2014 the industry’s focus moved increasingly to the M2M (machine-to-machine) or IoT (Internet of Things) space, which had existed for a while but on a much smaller scale. A lot of things were coming together then – stuff was getting cheaper and more capable and it became increasingly viable to create more connected objects or things. But what we also saw were increasing numbers of companies ‘digitising’ – a washing machine vendor worried that they would be put out of business if they didn’t revolutionise their product by connecting it to the internet. That’s all well and good and I’m all for innovation, but the reality was that products were being put on the market that were really poor. With no experience of creating connected products, companies bought in ready-made solutions and platforms which came with little-to-no security measures. All the ports were exposed to the internet, default passwords were rife and never got changed, oh and software updates, what are they? It was and still is in many parts of the market, a mess.

Remember that this was new products being put into a market that was already a mess – for example, most webcams that had been sold for years were easy to access remotely and lots of tools had been created to make it even easier to discover and get into these devices, allowing intrusion into people’s private lives, their homes and their children.

Work began in organisations like the GSMA on creating security requirements for IoT that would force change. At the same time, hardware companies started to transfer their knowledge from the smartphone space into the hardware they were creating for the growing IoT sector. The IoT Security Foundation was established in late 2015 and the UK’s National Cyber Security Strategy from 2016-2021 stated that “the UK is more secure as a result of technology, products and services hacking cyber security designed into them by default”, setting us down the path that led us to the legislation introduction today. All of that work was an evolution and reinforcement of the growing body of product security recommendations that had already been created over a long period of time. Another thing I’ve observed is that in any particular time period, independent groups of people are exposed to the same set of issues, with the same set of tools and technologies at their disposal to rectify those issues. They therefore can all logically come to the same conclusions on things like how best to tackle the problem of IoT security.

In 2016, the Mirai attack happened (more info in the links below) and that helped to galvanise the support of organisations and politicians in understanding that large-scale insecurity in connected devices was a big and growing problem. A problem that was (mostly) easily solvable too. Other news stories and issues around IoT just added to this corpus of information that things weren’t well. You can also read more about the Code of Practice we created in the UK in the links below, but the key takeaway is this – there are small but fundamental changes that can raise the bar of cybersecurity substantially, reducing harm in a big way. This ranges from taking a firm stance on out-of-date and dangerous business practices e.g. companies and individuals being lazy, taking the easy route about things like default passwords and the hardware and software you use in your product development, to modernising the way that companies deal with security researchers – i.e. not threatening them and actually dealing with security issues that are reported by the good guys. So creating meaningful change is also about taking a stand against baked-in poor practice which has become endemic and so deeply entrenched throughout the world and its supply chains that it seems impossible to deal with.

I’ll never forget one meeting I was in where I presented a draft of the Code of Practice, where a guy from a technology company said “what we need is user education, not this”. I felt like I was on really solid ground when I was able to say “no, that’s rubbish. We need products that are built properly. For over 20 years, people have been saying we only need user education – it is not the answer”. I was empowered mainly because I could demonstrably show that user education hadn’t worked and perhaps that’s depressingly one of the reasons why we’re finally seeing change. Only in the face of obvious failure will things start to get better. But maybe I’m being too cynical. A head-of-steam was building for years. For example I was only able to win arguments about vulnerability disclosure and successfully countering “never talk to the hackers” because of the work of lots of people in the security research community who have fought for years to normalise vulnerability reporting to companies in the face of threats from lawyers and even getting arrested in some cases. And now we’re about to make it law that companies have to allow vulnerability reporting – and that they must act on it. Wow, just let that sink in for a second.

In the hacking and security research community, are some of the brightest minds and freest thinkers. The work of this community has been the greatest in effecting change. It may not be, in the words of someone I spoke to last week ‘professional’, when what I think they mean is ‘convenient’. The big splash news stories about hacks to insecure products actually force change in quite a big and public way and sadly the truth is that change wouldn’t have happened if it wasn’t for these people making it public, because it would have been mostly swept under the carpet by the companies. It is that inconvenient truth that often makes large companies uncomfortable – fundamental change is scary, change equals cost and change makes my job harder. I’m not sure this culture will ever really change, but uniquely in the tech world we have this counter-balance when it comes to security – we have people who actively break things and are not part of an established corporate ecosystem that inherently discourages change.

Over the past 10 years, we’ve seen a massive change in attitudes towards the hacking community as cyber security becomes a real human safety concern and our reliance on the internet becomes almost existential for governments and citizens. They’re now seen as part of the solution and governments have turned to the policy-minded people in that community to help them secure their future economies and to protect their vital services. The security research community also needs the lawyers and civil servants – because they know how to write legislation, they know how to talk to politicians and they can fit everything into the jigsaw puzzle of existing regulation, making sure that everything works! So what I’ve also had reinforced in me is a huge respect for the broad range of skills that are needed to actually get stuff done and most of those are not actually the engineering or security bit.

A lot of the current drive towards supporting product security is now unfortunately driven by fear. There is a big ticking clock when it comes to insecure connected devices in the market. The alarm attached to that ticking clock is catastrophe – it could be ransomware that as an onward impact causes large-scale deaths in short order or it could be major economic damage, whether deliberate or unintended. A ‘black swan of black swan events’ as my friend calls it. Whatever it is, it isn’t pretty. The initial warnings have been there for a while now from various cyber attacks and across a range of fronts, positive work has been taking place to secure supply chains, encourage ‘secure by design / default’ in the product development lifecycle and to increase resilience in networks – which is the right thing to do – the security should be commensurate with usage and in reality the whole world really, really relies on the internet for literally everything in their lives.

This is another factor in the success of current cyber security work around the world. I work with people from all corners of the earth, particularly in the GSMA’s Fraud and Security Group. Everyone has the same set of issues – there are fraudsters in every country, everyone is worried about their family’s privacy, everyone wants to be safe. This makes this topic less political in the IoT space than people would imagine and every country’s government wants their citizens to be safe. This is something that everyone can agree on and it makes standards setting and policy making a whole lot easier. With leadership from a number of countries (not just the UK, but I have to say I’m incredibly proud to be British when it comes to the great work on cyber security), we’re seeing massive defragmentation in standards such that we are seeing a broad global consensus on what good looks like and what we expect secure products and services to look like. If you step back and think about it – thousands and thousands of individuals working to make the world a safer place, for everyone. So the acorn twenty years ago was actually lots of acorns and the oak tree is actually a forest.

So to everyone working on IoT security around the world I raise a glass – Cheers! and keep up the fantastic work.

My RSA talk on the UK’s Code of Practice for Consumer IoT Security in 2019.

Further reading:

Phone Hacking: A lucrative, but largely hidden history

mobilephonesecurity936843331Leave a comment

I’m giving a talk at Defcon London DC4420 tonight. I decided to talk about the history of some stuff that is not really well known about outside of the mobile industry and a few embedded systems hacking circles.

For years, the mobile industry and its suppliers have fought an ongoing battle with people hacking mobile devices. This mainly started out with greyhat crackers from the car radio scene supplying tools to ‘reset’ your car radio PIN code (I’m not sure whether really driven by thieves or end users?).

This matured into SIMlock and IMEI hacking on handsets at the end of the 1990s, driven by very cheap pre-pay handsets. By the way, I was never a big fan of SIMlock, as it just increased targeting of the devices and it just wasn’t that sensible as the time we didn’t have the hardware available in the industry to protect it properly. Mobile phone theft (and re-enablement) was another driver.

Ordinary users were sufficiently motivated to want to pay to remove their SIMlocks and a cottage industry built up to serve it, supplied by tools from some very clever hackers and groups. This made some people very, very rich.

As skills have grown on both sides, the war between industry and the hacking community has grown increasingly sophisticated and tactical. Today it is mostly being played out within the rooting and jailbreaking community, but it looks like so-called ‘kill switch’ and anti-theft mechanisms will be a new motivator.

Anyway, I hope you find this taster presentation to the subject interesting!

Copper Horse Mobile Security Dinner – Mobile World Congress 2014

mobilephonesecurity936843331Leave a comment

Another year and we’re back again. This year’s Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world’s leading minds in mobile security present, it’s the hottest ticket for Sunday night. Contact us if you’d like to attend, there’s a limited number of places. As always, we split the bill at the end.

This is far too early for the dinner and in the wrong location…

 

Mobile World Congress 2013 – The Copper Horse Experience

mobilephonesecurity936843331Leave a comment

Copper Horse’s Mobile Security Intern Matt Williams experienced Mobile World Congress for the first time this year. Here’s his write-up on what went on out there:

It was that time of year again. When everyone in the mobile industry gathered in one place to exhibit, network and discover the latest updates in the ever-growing world of mobile phones. As usual, the Copper Horse team were there, from the Friday before the event to the Friday after. And here is a short summary of our experience of the largest ever Mobile World Congress!

The word “ever-growing” used earlier is a more than appropriate term to describe the current state of the mobile industry, as was evident by the scale of this year’s event. Mobile World Congress had moved from its previous home, the Fira Montjuic, across the city of Barcelona (the congress’s current and future host until at least 2018), to the substantially larger Fira Gran Via exhibition centre. The 2013 event consisted of nine Walmart sized halls, six of which were for exhibition stands, with the other three carrying out the roles of registration, a conference village and a theatre district. To walk from the Southern Entrance at Hall 1 to the Northern Entrance at Hall 8 would typically take 15-20 minutes; such was the enormity of the occasion. Consequently, a record 65,000 people were expected to attend (the final totals were over 72,000!). But prior to the new venue even being looked at, the Copper Horse team had a busy weekend of events to attend and people to meet.

The Weekend Before

After some initial settling in on the Friday and Saturday, consisting of networking, tapas tasting at local bars and collecting our badges, we headed up to the Nou Camp, home of Barcelona FC for a once in a lifetime trip to see them play. Along with some other industry colleagues we watched them beat Seville 2-1 in a hard fought game.

Copper Horse’s team were now ready to attend the first mobile-related event of the week – Innovation on the Fringe at MOB (Makers of Barcelona). Hosted by Heroes of the Mobile Fringe, Innovation on the Fringe is the speed-dating equivalent of mobile app demonstrations – time-wise at least! App demonstrators had two minutes to present their ideas, with a further two minutes of questions from an audience containing potential investors. A wide variety of ideas were presented – from neighbourhood change to online authentication with pictures.

Copper Horse’s main role in the event was not to witness the app presentations, but to give out an inaugural award. Namely, the Dead Technology Award – A golden calculator trophy presented to the technology that has either died off or flopped spectacularly in the past year.

Essentially the tech equivalent of the Golden Raspberry Award (Razzie) for Worst Film, attendees at the fringe event were given the opportunity to vote from a shortlist of nine nominees via SMS. At the end of the event, it was decided by the audience that Sony Ericsson’s demise as it was finally subsumed into Sony was to be the first ever winner of this prestigious title. And so it came to be that Sony Ericsson was propelled into Silicon Heaven (as they say in Red Dwarf). So congratulations (or should that be condolences?) to the now ‘deceased’ Sony Ericsson! RIP. You can watch the video of the shortlist below:

It was a quick dash for some filmed interviews, then back into town. Later on in the evening, it was our turn to become the host, as Copper Horse welcomed security experts from around the world to attend a dinner – now a well-established MWC tradition! The opportunity to talk with other experts in the field was a hugely interesting experience and the event took place at one of Barcelona’s top restaurants. This year’s security dinner provided a great insight into the week ahead at the Fira. And no sooner had the weekend arrived, then it was time for the congress to officially begin.

Monday

The primary focus of the first day of Copper Horse’s MWC was the Mobile Security Forum sessions held in the Theatre District of Hall 8. Security sponsors that included AdaptiveMobile, antivirus vendor AVG and network solutions provider Juniper Networks all held individual talks and panel discussions in relation to the world of mobile security. The topics debated were:

          Securing the Borderless Network
          Consumer Mobility and Privacy: Monetization without Alienation
          Offense or Defense: Security in an LTE World
The evening saw a great event hosted by Box. More security, good Tapas and red wine rounded off an excellent first proper day of MWC.

Tuesday

On Tuesday morning, Copper Horse Director David Rogers chaired the UKTI event “Cyber Security in theMobile World” – a seminar that identified what is meant by “Cyber Security” for mobile devices and networks, what is on the horizon in the context of threats, how genuine the threats are and what security methods could be put into place to make businesses and consumers more secure.

Following on from this were the Global Mobile Awards – We’ve already had the technology equivalent of the Razzies, now it was the turn of the best of the best to be recognised in the mobile industry equivalent of The Oscars. Over six hundred entries and nominees were in contention for the thirty-seven honours. Copper Horse judged in the ‘Best Mobile Safeguard & Security Products and Services’ category, which was won by Adaptive Mobile and Syniverse.

 

Among the other awards given out were Best Smartphone to the Samsung Galaxy S3, Best Mobile Tablet to Google and Asus for the Nexus 7 and the Judges Choice for Best Overall Mobile App to Waze, a mobile navigation app that allows users to add and see real-time traffic updates. The awards, hosted by comedian David Walliams, concluded, after which the team wound down the day at the annual Northern Ireland Beers and Scottish Whiskies – networking events held in close proximity to one another, in the UK section of the Hall 7 exhibitors.

Wednesday

Wednesday was a busy day for the team, with lots of meetings and events. It featured an early morning start at the MEF Kaspersky Breakfast Briefing. This session focused on the latest threats to app users, highlighting the most recent developments in mobile malware. A roundtable discussion and a series of presentations highlighting the scope of the threats took place. The main point to note was that the threat of mobile malware has never been greater, as there were approximately 4000 cases of it reported in 2012, of which 93% were on the Android platform. One of the primary reasons for the large number of cases being on Android devices, in addition to the fact that it is such an open operating system, was that many users ran older versions of the platform, which no longer had the necessary patches available. Overall, the breakfast was a very interesting event to attend.

In the afternoon, the GSMA’s Pat Walshe hosted an event ‘Mobile App Privacy: What’s Your View?’ with speakers from AT&T, Rovio (the makers of Angry Birds), Mozilla and the App Developers Alliance. There was some robust discussion, but there was a clear view that app developers need to focus on their own software quality and pay attention to security more seriously. There was also a good discussion on how small companies suddenly have to deal with regulators and lawsuits and what that growth experience is like.

After attending a few networking events in the evening, the day concluded with one of the best Barcelona parties – Swedish Beers. It’s a great chance to connect with other people as the week at MWC begins to draw to a close, particularly if you find one of the sponsors, who has the free drink tokens!

Thursday

Thursday was the quietest day of the four during MWC. Whilst some visitors had seen what they had come to see and departed Barcelona, there were still plenty of events to explore and exhibitors to meet. Mobile Monday operated a continuous run of presentations, discussions and talks until the congress reached its 4pm closing time, whilst WIPJam saw mobile developers meet for a busy day of storytelling, pitches and demos. Just to show how busy the event was, meetings carried on right up until the last minute of the show. In the last formal Copper Horse meeting of the day, the Fira staff were taking up the carpet and removing screens while the meeting was still going on! The day ended with a quiet Paella (where another ad hoc meeting happened (!)) before a good night’s rest before the journey home. 

Friday

Inevitably, the airport on Friday morning was chaos, with thousands of exhausted delegates desperate to leave. Some more accidental meetings at the airport and then finally, arrival in the UK!

All in all, MWC 2013 was a terrific experience and the busiest year yet for the Copper Horse team. Now starts the planning for next year!  

Only fools eat horses

mobilephonesecurity936843331Leave a comment

There’s a scandal raging across the UK and Europe at the moment involving horse meat which has been passed off as beef. Lots of retailers have been affected as well as pubs, prisons and schools. There was also a worry that people would ingest the painkillers used for horses.

This whole issue is primarily a point about food labelling – people were expecting beef and they got horse, but the other point is that this food was really cheap, so the pressure within the supply chain to get cheap ingredients was very high. This was highlighted again in today’s Sunday Telegraph article: “Why meat can no longer be considered a cheap commodity“. Mark Price, the CEO of Waitrose says in the article that “if.. ..there is a requirement to hit a price point for consumers under financial pressure then there will be an inevitable strain in the supply chain. If the question is “Who can sell the cheapest stuff?” I’m afraid it is inevitable that there will be a slackening of product specifications”.

You get what you pay for

This is also the case in other industries. The mobile industry has for years been ruled by the device purchasers of the mobile network operators. Inevitably, on the security side they don’t want to pay for it. This is because a) they don’t understand it and b) they don’t see the consequences of not having the security included. It has only been recently that there is a ‘mild’ expectation that security is included, but it should be part of the standard feature set. This is also the attitude of the consumer (rightly). Customers have the right to expect that what they buy is safe and secure and isn’t going to harm them. They also expect that if a bank provides them with a secure banking app, that it does what it says on the tin – that it is labelled correctly and they’re not getting horse meat when they paid for beef.

Supply Chain Value, Integrity and Security

The race to the bottom of the mobile supply chain has been typified by the first thing to go, security – security in terms of secure hardware components that add $1 to the bill of materials and security that is gained through software quality – proper security testing and secure coding costs money. You can see this in many areas of the mobile industry, from equipment vendors who sell really poor quality product at super-cheap prices for inclusion inside the mobile networks, through to femtocell vendors and device manufacturers who again sell devices without adequate security which end up in consumer hands. Not only this but the supply chain integrity of such cheap products is questionable – what if the chip that you thought was made by Qualcomm was actually a counterfeit device? What are the implications for security? One of the key questions for cyber security is the security and integrity of the supply chain for key equipment. Another should be what the acceptable level of security is in equipment sold to consumers and how to assure that.

You Get What You Pay For

The same applies to mobile applications. The economics of the current apps ecosystem just don’t stack up properly. For mobile apps stores to test every application properly would cost more than the companies would make for them and the vast majority of apps are free. So what incentive is there for anyone in the apps supply chain to securely code them or check that they are ok? Luckily in the main app stores there is (at the moment at least) an adequate level of testing and checks in place, but for the rest of the world that don’t have access to those app stores, the situation is dire. Just as with the horse meat scandal, it is the poorest people in the world that suffer the most. They have no choice – they’re almost forced to download apps from questionable sources and they’ve got to like it, because there is no other choice for them. Unlike the food safety world, the weird situation in the app environment is that you also have an industry that constantly tells consumers that they might be eating horse (even though they’re not) – that is the anti-virus industry. Also, completely unregulated and free to make unsubstantiated statements by making incredibly tenuous links to rare incidents in other countries that are not linked to the phone you use. This wanton manipulation of statistics for profit is as irresponsible as selling poor quality and mis-labelled products and needs to be reined in.

Horse Meat for Beef Prices

A few years ago when new European health and safety legislation was introduced around abattoirs in the UK, the smaller abattoirs were up in arms saying that they couldn’t afford to implement the new rules. They also argued that consumer choice would be impacted as only the big abattoirs would be able to supply, what would be a limited choice of meat. However, look at this from the consumer point of view – what they’re really saying is that they can’t meet adequate requirements to supply you meat that isn’t going to harm you. What would you want: safe meat or a bit more choice?

With global austerity in full swing, scrimping on things that people don’t consider to be essential is going to happen. The problem is, security in mobile communications products is essential these days for lots of reasons. Perhaps there need to be minimum standards for industry around getting ‘adequate’ security in order to prevent this race to the bottom for cost reasons. As a consumer, I’m paying beef prices and often getting horse meat.

Copper Horse Mobile Security dinner in Barcelona – 2013

mobilephonesecurity936843331Leave a comment

Well here we are again, preparing for more Mobile World Congress mayhem in Barcelona (albeit at a new venue).

We’re running our annual Copper Horse Mobile Security dinner on the Sunday night once more (that’s the 24th this year). The event will held in a secret location in Barcelona from 9pm onwards. Expect experts on security and mobile and some generally good intellectual conversation (unless you’re sat next to me!).

Definitely not being held here

Use the contact link above to get in touch if you’re interested in coming along. An important point to note – we split the bill at the end, so this is not a free meal 🙂

An interview with a tech journalist

mobilephonesecurity936843331Leave a comment

I was slightly misquoted in an article yesterday on mobile malware, so I thought I’d re-post my exact responses to the journalist as I spent a fair amount of time out of my evening to respond to the request instead of relaxing! With Mobile World Congress coming up, some of the topics covered are relevant to things that will be discussed in Barcelona.

Good tech journalism?

My comments were in response to a BlueCoat Systems report on mobile malware that came out the on the 11th of February. I didn’t get the chance to see the report until the very end, so my last comment is based on my skim read of the report. The questions you see below are from the journalist to me.

Here was my response (me in blue):

Here are my responses, let me know if you need anything else. I didn’t read the report yet.
They are marked [DAVID]:

David –

I’m doing a story on a recent report from Blue Coat about mobile malware. No link yet.

My questions, if you have a few minutes:

It predicts that delivery of mobile malware with malnets will be a growing problem this year. Agree? Why or why not?

[DAVID] It’s possible, but the question is really ‘where’. Most mobile malware has taken root in places like China and Russia where there has been traditionally a lack of official app stores, (which has only recently changed). It’s like the wild west out there with a complete lack of controls on the ingestion side to check that developers aren’t peddling malware and on the consumer side because the devices are outside the ‘safe’ app store world we see in the West.

So we almost have two worlds at the moment: the first is the western world, mainly the Europe and the US where generally no-one gets infected (a tiny, tiny percentage of maliciousness gets through the official app store checks or gets intentionally side-loaded by the user, usually when they’re trying to get pirated software!). The second is the vast majority of the rest of the world, usually poorer countries where the controls and regulations on piracy and malware are lax. It is like putting a street market next to a high-end city shopping mall. The mobile industry isn’t static and will continue to evolve in terms of security and threat management both on the network and device side when it comes to the potential for botnets (at least in the more controlled environment of the West).

It says mobile devices are still relatively secure at the OS level, but that users are “set up to fail” because it is more difficult to avoid phishing –  URL and links are shortened, passwords are visible to an onlooker when you enter them – apps are not well vetted and mobile versions of websites are often hosted by third parties, making it difficult to tell which are legit. Do you agree? Why or why not? And if you do agree, is there anything developers ought to change?

[DAVID] Mobile OSs and their underlying hardware are getting very advanced in terms of security which is great news. The problem is that there hasn’t been enough invested into educating developers about how to develop secure software and in most cases the tools and libraries they use are not designed to help them make the right security decisions, resulting in very basic flaws which have serious security consequences (for example poor implementation of SSL). For some, it is just too difficult or too much effort to bother putting security in from the start. We need to break down that kind of mentality and I think we really need to improve considerably in terms of ‘cyber’ security skills around for mobile developers. In terms of usability and the lack of screen real-estate, then yes developers have a role to play in helping the user make the decision they want to – some QR readers now present the ‘real’ URI behind a shortened one in order that the user can decide whether that was what they were expecting.

Users can be very impulsive when it comes to mobile, so you have to try and save them from themselves, but balance this with not resorting to bombarding them with prompts. Human behaviour dictates that we’ll susceptible to social engineering and will get over any hurdle presented to us if the prize is worth enough (something which is called the ‘dancing pigs’ problem). This is a real problem for both the OS and application developers. One thing that hasn’t really been deployed yet in the mobile world is trusted 3rd party management of policy. Users could choose a policy provider they trust to take the security management problem away from them. Obviously it can’t solve everything – the user has to take responsibility for their own actions at some point, but it will go a long way to resolving current issues permissions and policy with mobile platforms. The key to it all is that the user themselves has to be ultimately in charge of who they choose as a policy provider, not the operator, OS vendor or manufacturer.

There’ll always be attackers – the arbiters of trust in the mobile world have great responsibility to the millions of users out there and they themselves will become targets. I like the way that Google Bouncer (the automated security testing tool of Android apps being submitted by developers) has now become the target of attacks. To me, Google have forced attackers back away from the ‘Keep’ to the castle walls which can only be a good thing.

[I’ve lumped all these questions together]

The report says user behavior is the major weakness. Hasn’t this been the case all along?

Is there any truly effective way to change user behavior?

Is it possible for security technology to trump user weaknesses? If so, how?

[DAVID] Yes user behaviour is a weakness, but usability and security don’t usually sit well together. Developers should not just consider the technical security of an application but make security as friendly and seamless as possible from the user’s perspective. Resorting to prompting is usually the lazy way out and it pushes the burden of responsibility onto a user who probably doesn’t have a clue what you just asked them. I think OS level and web APIs could benefit from different design patterns – how about building in more intelligence to the responses? For example in a geolocation API a developer could ‘negotiate’ access by understanding what the user is comfortable with, all in the background. This avoids binary behaviour – for example: apps, that fall over if you don’t enable geolocation and users that never install apps that have geolocation. Both situations are not very good for helping the apps world advance and grow! However, if the user had been able to say that they were happy to share their location to city level, then the API could negotiate the request from a developer for location down to 1 metre by offering up city level instead. It would make for a much smoother world and would apply very easily across many different APIs.

If a user makes a critically bad decision, for example going to an infected website, I think Google have taken a strong lead in this respect by clearly showing to the user that really bad things are happening. Perhaps this could extend to other things on mobile, but we still need to get the basics of security right first from a technology and manufacturer’s perspective. I think some manufacturers have a long way to go to improve their security in this respect.

It says users will go outside VPNs if the “user experience” is not good within it. Is it realistic to expect enterprises to make their user experience better?

[DAVID] I think there are some interesting things coming along in terms of more ‘usable’ VPN technology, but usually the reason a VPN doesn’t work is a technical one that an ordinary user isn’t going to understand. They just want to get their job done and may take risky decisions because there are generally no visible security consequences. Most people in big companies have to deal with inflexible IT departments with inflexible policies. The intrusion into people’s own lives with the introduction of BYOD has muddled things further. I can certainly see more societal issues than security ones for the overall user experience – for example it might be very tempting for companies to start intruding on their users if there is a big industrial dispute involving unions. I don’t think these questions have properly hit companies yet, but mobile companies like RIM are looking at proper separation of work and personal life from a technical point of view, after that it is really down to the paperwork – the rules of use and the enforcement of those.

The report said Android is more vulnerable to attacks because of unregulated apps and the diversity of Android-based devices. What, if anything, can/should be done about that?

[DAVID] Well to a certain extent yes, but this has been vastly overplayed by anti-virus vendors desperate to get into mobile. The vast majority of maliciousness has been caused outside of the trusted app store world that we see in the US and the UK. I wouldn’t have designed the app signing process in the same way as the Android guys did, but then identification of individuals can be difficult anyway – I know lots of registration systems that can be broken just by photocopies of ‘official’ documents. Google wanted a more open ecosystem and you have to take the good with the bad. In terms of the diversity or fragmentation in Android, this could become an issue as device lifecycles get longer. The mobile industry is looking at the software update problem and rightly so. For the network operators it is going to be a question of how to identify and manage out those threats on the network side if it comes to it. I don’t think software upgrade issues are confined to Android but we don’t want any of the industry to lag behind because in the future there is nothing to say that huge distributed cross-platform (automotive, mobile, home) threats could exist, so we should pay attention to resilience and good cyber house-keeping now before it is too late.

Sorry to be on a deadline crunch – 5:30 p.m. EST today.

And my final comment to the journalist after I’d seen the report:

So just had a quick look through, only one final comment:

One thing that we all should remember is that the bad guys are not the mobile industry – it is the people who perpetrate malware, spam and scams. At the moment, cyber criminals run rings around law enforcement by operating across lots of countries in the world, relying on fragmented judicial systems and the lack of international agreements to take action. We should build the systems and laws through which we can arrest and prosecute criminals at a global level. 

I hope readers find it useful to see what I really wanted to say – I don’t claim to be right, but these are my opinions on the subjects in question. Readers should also understand how much effort sometimes gets put into helping journalists, with varying results 😦. If you want to read the original article and compare my responses with the benefit of context, you can find it at CSO online.

IET Security for Mobile Devices – 20th June 2012, London

mobilephonesecurity936843331Leave a comment

Next Wednesday, I’ll be chairing the Institute of Engineering and Technology’s Security for Mobile Devices event, which takes place at the impressive RIBA building in London. With topics ranging from the complex subject of mobile forensics to the good and bad of Bring Your Own Device (BYOD) policies in businesses, it is going to be an interesting day with some lively debate. I’m also pleased with the stellar line-up of speakers there. The programme includes:

  • An opening address by Mike Short of Telefonica (and also President of the IET)
  • Charles Brookson – the GSMA Security Group Chair
  • Former RIM Security Research guru and bluetooth hacking pioneer, Ollie Whitehouse
  • Head of the Metropolitan Police’s Digital and Electronic Forensics unit, Mark Stokes
  • Co-Founder of the Trusted Computing Group (TCG) and CEO of Wave Systems, Steven Sprague
  • …and many more excellent speakers and panellists!
I’m really excited about the event. There are a few places still available. To sign up, head over to this site: http://conferences.theiet.org/mobile/registration/index.cfm

Mobile World Congress – RIM Porsche fun

mobilephonesecurity9368433313 Comments

I promised you all that I’d publish an amusing story about the RIM Porsche 911 at Mobile World Congress last week. For those who don’t know about the background, RIM purchased QNX in 2010 who just happen to also do the embedded software for Porsche and others. There is a video explaining all that stuff below:

I was very impressed by this demo by the way. The coolest part is the live map of the Nurburgring giving you the right braking points because of the GPS link-up (if anyone is reading this from Porsche or RIM I would love to take it round the Ring by the way!).

Anyway, so I was standing there, the Porsche was sitting there unattended as was the Blackberry handset that was part of the demo. I can tell you that the password for the Blackberry was not “porsche” ;-). I opened up the glove box and had a quick look inside only to be presented with a Cradlepoint WiFi router filling the entirety of the space inside:

RIM Porsche glove box

Staring at me from the top of the router was a white label on the top. I’ve enhanced this in the picture below so you can see it properly. Yes, that’s right, they had a label with a default password (a reasonably weak one too) stuck to the top of the router! 🙂 Obviously I’ve blanked out the actual password in the pics:

Default password anyone?

Now I just want to say here that if anyone from RIM is reading this, please do not crank this up as a security incident or go mental at the QNX guys, this is just an amusing story. After all, it’s a demo and chances are the default password was not being used, someone had probably changed it.

Security is only as good as its weakest link

However, here is the serious bit – with all the convergence of mobile tech and the emergence of connected homes, cars and cities, it just goes to show that security is often only as good as its weakest link. That may not be the mobile technology itself, just something it’s connected to. Oh yes, another security message here – don’t leave phones unattended on trade show stands and always lock your glove box!