This week it is Mobile World Congress, the biggest event in the mobile industry calendar. If you’re interested in meeting for a chat or just hearing about mobile and IoT security & privacy, I’ll be at the following places!
Sunday 25th February
6th GSMA IoT Summit
13:00-17:30
NH Collection Barcelona Tower Hotel
Copper Horse annual security dinner at a secret location in Barcelona
21:00-late (tweet me or message if you want to come along)
Monday 26th February
4YFN – “Hidden Threats and Opportunities to my Business”
Panelist: “Spotlight – How Data and Cyber Security can make or break a new business?”
16:15-17:15 4YFN (at the old Fira), Fira Barcelona Montjuïc, Av. Reina Maria Cristina
Tuesday 27th February
IoT Tuesday, hosted by Cellusys, supported by JT Group and the IoT Security Foundation
17:00-late Cellusys event – I’ll be giving an opening talk on behalf of the IoT Security Foundation, which will be: “The Ticking Clock”: why security in IoT is critical to how you run your business. Tweet me if you want to attend.
Wednesday 28th February
16:30-17:30
Why Should we Trust your Digital Security?
Me having a fireside chat in this session with Jean Gonie, VEON: Data, Consumer Protection and the GDPR
Auditorium 3, Hall 4 (on-site at MWC)
I’ll be at a few other events and will generally be around and about the MWC main site all week so please feel free to get in contact. Speaking of Barcelona, we’re holding our next training, “Foundations of IoT Security” in May in the city. More details and sign-up can be found on the IoTSF website.
At Mobile World Congress this year, I agreed to give an interview introducing the IoT Security Foundation to Latin American audiences. If you’re interested in IoT security and our work at the Foundation, you should find this video interesting. Enjoy!
How can we have an intelligent and reasoned debate about mobile device forensics?
I woke up early this morning after getting back late from this year’s Mobile World Congress in Barcelona. It has been a long week and I’ve been moderating and speaking at various events on cyber security and encryption throughout the week. It won’t have escaped anyone’s notice that the “Apple encryption issue”, as everyone seems to be referring to it, has been at the top of the news, and I have been asked what I think pretty much every day this week. Late last night I’d seen a Twitter spat kicking off between comedy writer and director Graham Linehan and Piers Morgan on the topic, but went to bed, exhausted from the week.
It was still being talked about this morning. My friend Pat Walshe who is one of the world’s leading mobile industry privacy specialists, had quoted a tweet from Piers Morgan:
I could take that terrorist iPhone down to Tottenham Court Road right now & they'd get into it. Safely. Apple is lying.
This week I’ll be up at York St John University, where they’ve asked me to teach cyber security to their undergraduate computer scientists. The reason I agreed to teach there was because they highly value ethical concerns, something which I will be weaving into all our discussions this week. The biggest question these students will have this week will be the “what would you do?” scenario in relation to the San Bernardino case.
The moral aspects have been widely debated, with Apple’s Tim Cook bringing the debate, in my view, to a distasteful low by somehow linking the issue to cancer. I’ve tried to stay out of the debate up until now because it has become a circus of people who don’t understand the technical aspects pontificating about how easy it is to break into devices, versus encryption activists who won’t accept anything less than “encrypt all the things” (some of whom also don’t understand the technical bits). I sincerely hope that there isn’t a backlash on me here from either side for just voicing an opinion; some friends of mine have deliberately stayed quiet because of this. I’m exercising my right to free speech and I hope people respect that.
The truth is, this is not a question of technology engineering and encryption, it is a question of policy and what we as a society want and expect. If a member of my family is murdered, do I expect the police to be able to do their job and investigate everything that was on that person’s phone? Absolutely. Conversely, if I was accused of a crime that I didn’t commit and I wasn’t in a position to hand over the password (see Matthew Green’s muddy puddle test), would I also want them to do it? Of course. It is called justice.
Dealing with the world as it is
The mobile phones and digital devices of today replace all of our previous scraps of notepaper, letters, diaries, pictures etc. that would have been left around our lives. If someone is murdered or something horrific happens to someone, this information could be used to enable the lawful investigation of a crime. The Scenes of Crime Officer of the past and the defence team would have examined all of these items and ultimately presented the evidence in court, contributing to a case for or against. Now consider today’s world. Everything is on our phone: our diaries and notes are digital, our pictures are on our phones, our letters are emails or WhatsApp messages. So at the scene of a crime, the police may literally be faced with a body and a phone. How is the crime solved and how is justice done? The digital forensic data is the case.
Remember, someone who has actually committed a crime is probably going to say they didn’t do it. The phone data itself is usually more reliable than witness and defendant testimony in telling the story of what actually happened, and criminals know that. I’ve been involved with digital forensics for mobile devices in the past and have seen first-hand the conviction of criminals who continually denied having committed a serious crime, despite their phone data stating otherwise. This has brought redress to their victims’ families and brought justice for someone who can no longer speak.
There is no easy answer
On the other side of course, we’re carrying these objects around with us every day and the information can be intensely private. We don’t want criminals or strangers to steal that information. The counter-argument is that the mechanisms and methods to facilitate access to encrypted material would fall into the hands of the bad guys. And this is the challenge we face – there is absolutely no easy answer to this. People are also worried that authoritarian regimes will use the same tools to help further oppress their citizens and make it easier for the state to set people up. Sadly I think that is going to happen anyway in some of those places, with or without this issue being in play.
US companies are also fighting hard to sell products globally and they need to recover their export position following the Snowden revelations. It is in their business interests to be seen to fight these orders in order to sell product. It appears that Tim Cook wants to reinforce Apple’s privacy marketing message through this fight. Other, less scrupulous countries are probably rubbing their hands in glee watching this show, whilst locally banning encryption, knowing that they’ll continue doing that and attempting to block US-made technology whatever the outcome of the case.
Hacking around
Even now, I have seen tweets from iPhone hackers who are more than capable of an attempt to solve this current case and no doubt they would gain significant amounts financially from doing so – because the method that they develop could potentially be transferable.
Question for those that have actually reversed it: auto erase/time delay for iPhone 5c is implemented in userspace, kernel driver, iboot?
This is the same battle that my colleagues in the mobile world fight on a daily basis: a hole is found and exploited and we fix it, a continual technological arms race to see who can do the better job. Piers Morgan has a point, just badly put. Given enough time, effort and money, the San Bernardino device and its encryption could be broken into; it will just take a hell of a lot of all three. It won’t be broken by a guy in a shop on Tottenham Court Road (see my talk on the history of mobile phone hacking to understand this a bit more).
Something that has not been discussed is that we also have a ludicrous situation now whereby private forensic companies seem to be ‘developing’ methods to get into mobile handsets when in actual fact many of them will either re-package hacking and rooting tools and pass them off as their own solutions, or purchase exploits from black and grey markets at premium prices. This is very frustrating for the mobile industry as it contributes to security problems. Meanwhile, the Police are being forced to try and do their jobs with not just one hand tied behind their back; it now seems like two. So what should we do about that? What do we consider to be “forensically certified” if the tools are based on fairly dirty hacks?
How do we solve the problem?
We as democratic societies ask and expect our Police forces to be able to investigate crimes under a legal framework that we all accept via the people we elect to Parliament or Senate. If the law needs to be tested, then that should happen through a court – which is exactly what is happening now in the US. What we’re seeing is democracy in action, it’s just messy but at least people in the US and the UK have that option. Many people around the world do not.
On the technical side, we will also need to consider that there is a multitude of connected devices coming to the market for smart homes, connected cars and things we haven’t even thought of yet as part of the rapidly increasing “Internet of Things”. I hate to say it, but in the future digital forensics is going to become ever more complex, and perhaps the privacy issues for individuals will centre on what a few large technology companies are doing behind your back with your own data rather than the Police trying to do their job with a legal warrant. Other companies need to be ready to step up to ensure consumers are not the product.
I don’t have a clear solution to the overall issue of encrypted devices and I don’t think you’ll thank me for writing another thousand words on the topic of key escrow. Most of the time I respond to people by saying it is significantly complex. The issues we are wrestling with now do need to be debated, but that debate needs to be intellectually sound, and unfortunately we are hearing a lot from people with loud voices but less from the people who really understand. The students I’m meeting next week will be not only our future engineers, but possibly future leaders of companies and even politicians, so it is important that they understand every angle. It will also be their future, and every other young person’s, that matters in the final decision over San Bernardino.
Personally, I just hope that I don’t keep getting angry and end up sat in my dressing gown until lunchtime writing about tweets I saw at breakfast time.
We’ve listed out some interesting Security and Privacy events from 2015’s Mobile World Congress in Barcelona. This year sees a general shift in topic focus to Software Defined Networking (SDN), Network Function Virtualisation (NFV) and Internet of Things (IoT). Security still isn’t a ‘core’ part of MWC – it doesn’t have a dedicated zone for example on-site, but as it pervades most topics, it gets mentioned at least once in every session!
Sunday 1st March
1) Copper Horse Mobile Security Dinner
21:00 – Secret Location in Barcelona
If you’d like a meet up with the Copper Horse team to talk mobile security, IoT or drones, please drop us an email or tweet us @copperhorseuk. We’ll also be demonstrating our progress on securing IoT in the Picosec project on the NQuiringMinds stand in Hall 7: 7C70.
Feel free to leave a comment with information on any presentations or events we may have missed and we’ll look to add them.
Note: update 13/02/15 to correct Monday time order and add Quobis event.
Here’s a list of the main security and privacy related events at Barcelona (some of which I’ll be speaking at). You’ll need a specific pass to get into some of them and that is shown next to the event.
Of course plenty of the other presentations have security aspects – all the Connected Home, mHealth and Internet of Things talks, to mention but a few! Also, if you’d like to meet me, you’ll see me at a few of these events or you can email to make an appointment out there.
Please feel free to let me know in the comments if I’ve missed any.
Another year and we’re back again. This year’s Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world’s leading minds in mobile security present, it’s the hottest ticket for Sunday night. Contact us if you’d like to attend, there’s a limited number of places. As always, we split the bill at the end.
This is far too early for the dinner and in the wrong location…
Copper Horse’s Mobile Security Intern Matt Williams experienced Mobile World Congress for the first time this year. Here’s his write-up on what went on out there:
It was that time of year again. When everyone in the mobile industry gathered in one place to exhibit, network and discover the latest updates in the ever-growing world of mobile phones. As usual, the Copper Horse team were there, from the Friday before the event to the Friday after. And here is a short summary of our experience of the largest ever Mobile World Congress!
The word “ever-growing” used earlier is a more than appropriate term to describe the current state of the mobile industry, as was evident from the scale of this year’s event. Mobile World Congress had moved from its previous home, the Fira Montjuic, across the city of Barcelona (the congress’s current and future host until at least 2018) to the substantially larger Fira Gran Via exhibition centre. The 2013 event consisted of nine Walmart-sized halls, six of which were for exhibition stands, with the other three carrying out the roles of registration, a conference village and a theatre district. To walk from the Southern Entrance at Hall 1 to the Northern Entrance at Hall 8 would typically take 15-20 minutes; such was the enormity of the occasion. Consequently, a record 65,000 people were expected to attend (the final totals were over 72,000!). But prior to the new venue even being looked at, the Copper Horse team had a busy weekend of events to attend and people to meet.
The Weekend Before
After some initial settling in on the Friday and Saturday, consisting of networking, tapas tasting at local bars and collecting our badges, we headed up to the Nou Camp, home of Barcelona FC for a once in a lifetime trip to see them play. Along with some other industry colleagues we watched them beat Seville 2-1 in a hard fought game.
Copper Horse’s team were now ready to attend the first mobile-related event of the week – Innovation on the Fringe at MOB (Makers of Barcelona). Hosted by Heroes of the Mobile Fringe, Innovation on the Fringe is the speed-dating equivalent of mobile app demonstrations – time-wise at least! App demonstrators had two minutes to present their ideas, with a further two minutes of questions from an audience containing potential investors. A wide variety of ideas were presented – from neighbourhood change to online authentication with pictures.
Copper Horse’s main role in the event was not to witness the app presentations, but to give out an inaugural award. Namely, the Dead Technology Award – a golden calculator trophy presented to the technology that has either died off or flopped spectacularly in the past year.
Essentially the tech equivalent of the Golden Raspberry Award (Razzie) for Worst Film, attendees at the fringe event were given the opportunity to vote from a shortlist of nine nominees via SMS. At the end of the event, it was decided by the audience that Sony Ericsson’s demise as it was finally subsumed into Sony was to be the first ever winner of this prestigious title. And so it came to be that Sony Ericsson was propelled into Silicon Heaven (as they say in Red Dwarf). So congratulations (or should that be condolences?) to the now ‘deceased’ Sony Ericsson! RIP. You can watch the video of the shortlist below:
It was a quick dash for some filmed interviews, then back into town. Later on in the evening, it was our turn to become the host, as Copper Horse welcomed security experts from around the world to attend a dinner – now a well-established MWC tradition! The opportunity to talk with other experts in the field was a hugely interesting experience and the event took place at one of Barcelona’s top restaurants. This year’s security dinner provided a great insight into the week ahead at the Fira. And no sooner had the weekend arrived than it was time for the congress to officially begin.
Monday
The primary focus of the first day of Copper Horse’s MWC was the Mobile Security Forum sessions held in the Theatre District of Hall 8. Security sponsors that included AdaptiveMobile, antivirus vendor AVG and network solutions provider Juniper Networks all held individual talks and panel discussions in relation to the world of mobile security. The topics debated were:
–Securing the Borderless Network
–Consumer Mobility and Privacy: Monetization without Alienation
–Offense or Defense: Security in an LTE World
The evening saw a great event hosted by Box. More security, good Tapas and red wine rounded off an excellent first proper day of MWC.
Tuesday
On Tuesday morning, Copper Horse Director David Rogers chaired the UKTI event “Cyber Security in the Mobile World” – a seminar that identified what is meant by “Cyber Security” for mobile devices and networks, what is on the horizon in the context of threats, how genuine the threats are and what security methods could be put into place to make businesses and consumers more secure.
Following on from this were the Global Mobile Awards – We’ve already had the technology equivalent of the Razzies, now it was the turn of the best of the best to be recognised in the mobile industry equivalent of The Oscars. Over six hundred entries and nominees were in contention for the thirty-seven honours. Copper Horse judged in the ‘Best Mobile Safeguard & Security Products and Services’ category, which was won by Adaptive Mobile and Syniverse.
Among the other awards given out were Best Smartphone to the Samsung Galaxy S3, Best Mobile Tablet to Google and Asus for the Nexus 7 and the Judges Choice for Best Overall Mobile App to Waze, a mobile navigation app that allows users to add and see real-time traffic updates. The awards, hosted by comedian David Walliams, concluded, after which the team wound down the day at the annual Northern Ireland Beers and Scottish Whiskies – networking events held in close proximity to one another, in the UK section of the Hall 7 exhibitors.
Wednesday
Wednesday was a busy day for the team, with lots of meetings and events. It featured an early morning start at the MEF Kaspersky Breakfast Briefing. This session focused on the latest threats to app users, highlighting the most recent developments in mobile malware. A roundtable discussion and a series of presentations highlighting the scope of the threats took place. The main point to note was that the threat of mobile malware has never been greater, as there were approximately 4000 cases of it reported in 2012, of which 93% were on the Android platform. One of the primary reasons for the large number of cases being on Android devices, in addition to the fact that it is such an open operating system, was that many users ran older versions of the platform, which no longer had the necessary patches available. Overall, the breakfast was a very interesting event to attend.
In the afternoon, the GSMA’s Pat Walshe hosted an event ‘Mobile App Privacy: What’s Your View?’ with speakers from AT&T, Rovio (the makers of Angry Birds), Mozilla and the App Developers Alliance. There was some robust discussion, but there was a clear view that app developers need to focus on their own software quality and pay attention to security more seriously. There was also a good discussion on how small companies suddenly have to deal with regulators and lawsuits and what that growth experience is like.
After attending a few networking events in the evening, the day concluded with one of the best Barcelona parties – Swedish Beers. It’s a great chance to connect with other people as the week at MWC begins to draw to a close, particularly if you find one of the sponsors, who has the free drink tokens!
Thursday
Thursday was the quietest day of the four during MWC. Whilst some visitors had seen what they had come to see and departed Barcelona, there were still plenty of events to explore and exhibitors to meet. Mobile Monday operated a continuous run of presentations, discussions and talks until the congress reached its 4pm closing time, whilst WIPJam saw mobile developers meet for a busy day of storytelling, pitches and demos. Just to show how busy the event was, meetings carried on right up until the last minute of the show. In the last formal Copper Horse meeting of the day, the Fira staff were taking up the carpet and removing screens while the meeting was still going on! The day ended with a quiet paella (where another ad hoc meeting happened (!)) before a good night’s rest before the journey home.
Friday
Inevitably, the airport on Friday morning was chaos, with thousands of exhausted delegates desperate to leave. Some more accidental meetings at the airport and then finally, arrival in the UK!
All in all, MWC 2013 was a terrific experience and the busiest year yet for the Copper Horse team. Now starts the planning for next year!
I’ve been thinking for a while about the number of technologies that get announced, don’t really do anything, then die rather quickly. It’s just over a month before I head over to Barcelona for Mobile World Congress and I’m expecting to hear about a lot of new things that are destined for a quick entry to the “electronic afterlife” of Silicon Heaven. For those of you who don’t know what Silicon Heaven is, I’ll let the web explain:
Silicon Heaven
From Red Dwarf “The Last Day”, Season 3, Episode 6:
Lister: How can you just lie back and accept it?
Kryten: Oh, it’s not the end for me, sir, it’s just the beginning. I have served my human masters, now I can look forward to my reward in silicon heaven.
Lister: [Stunned pause] Silicon WHAT?
Kryten: Surely you’ve heard of silicon heaven?
Lister: Has it got anything to do with being stuck opposite Brigitte Nielsen in a packed lift?
Kryten: No, sir. It’s the electronic afterlife. It’s the gathering place for the souls of all electronic equipment. Robots, toasters, calculators. It’s our final resting place.
Lister: I don’t mean to say anything out of place here, Kryten, but that is completely whacko Jacko. There is no such thing as ‘Silicon Heaven’.
Kryten: Then where do all the calculators go?
Lister: They don’t go anywhere. They just die.
Kryten: Surely you believe that God is in all things? Aren’t you a pantheist?
Lister: Yeah, but I just don’t think it applies to kitchen utensils. I’m not a FRYING pantheist. Machines do not have souls. Computers and calculators do not have an afterlife. You don’t get hairdryers with tiny little wings, sitting on clouds and playing harps.
Kryten: But of course you do. For is it not written in the Electronic Bible, “The Iron shall lie down with the Lamp”.
Source: http://www.imdb.com/title/tt0684183/quotes?qt=qt0310031
So what mobile technologies do you think should qualify for the past year? Who is most worthy (if that’s the word!) of the Silicon Heaven prize? Answers in the comments please! I’ll let you know my own thoughts very soon.
I promised you all that I’d publish an amusing story about the RIM Porsche 911 at Mobile World Congress last week. For those who don’t know the background, RIM purchased QNX in 2010, who also happen to do the embedded software for Porsche and others. There is a video explaining all that stuff below:
I was very impressed by this demo by the way. The coolest part is the live map of the Nurburgring giving you the right braking points because of the GPS link-up (if anyone is reading this from Porsche or RIM I would love to take it round the Ring by the way!).
Anyway, so I was standing there, the Porsche was sitting there unattended as was the Blackberry handset that was part of the demo. I can tell you that the password for the Blackberry was not “porsche” ;-). I opened up the glove box and had a quick look inside only to be presented with a Cradlepoint WiFi router filling the entirety of the space inside:
RIM Porsche glove box
Staring at me from the top of the router was a white label. I’ve enhanced this in the picture below so you can see it properly. Yes, that’s right, they had a label with a default password (a reasonably weak one too) stuck to the top of the router! 🙂 Obviously I’ve blanked out the actual password in the pics:
Default password anyone?
Now I just want to say here that if anyone from RIM is reading this, please do not crank this up as a security incident or go mental at the QNX guys, this is just an amusing story. After all, it’s a demo and chances are the default password was not being used, someone had probably changed it.
Security is only as good as its weakest link
However, here is the serious bit – with all the convergence of mobile tech and the emergence of connected homes, cars and cities, it just goes to show that security is often only as good as its weakest link. That may not be the mobile technology itself, just something it’s connected to. Oh yes, another security message here – don’t leave phones unattended on trade show stands and always lock your glove box!
#MWC10 – I could have sworn we’ve been here before 😉
Mobile World Congress T minus 1 and I already feel like I’ve had too many Long Island Iced Teas. I woke up to lots of leaks about Mozilla’s Boot-to-Gecko (B2G) project. It looks like they’re teaming up with LG and a lot of others to launch a web-runtime-based phone. I have already seen a lot of cynical comment, to the extent that a lot of people are saying it is dead on arrival. I’m not so sure. It is clear there is a market for low-end devices with front-ends for SMS-based services in emerging countries (Smart in the Philippines have already launched a phone with this in mind). HTML5 implementations have matured to a state that is ready for mobile devices too, and a lot of work has gone on in industry over the years to head in this direction.
Mobile web coverage is rubbish
The biggest issue that I see is the continuing assumption that mobile web / cloud access is ubiquitous. This kind of wrong-headed thinking is sadly typical of projects which live on Silicon Roundabout in London or in the valley with great 3G or WiFi connections. This simply isn’t the case for the vast majority of users in the world. Even in the UK, rural network coverage is horrific. Attention to caching and offline browsing has been lacking.
Don’t ignore the security concerns
I worked on this exact subject for quite a while. My biggest concern however is the way in which a lot of the people involved in these projects pay complete lip service to security and privacy. If you look at the B2G wiki, there is not one single mention of security in the FAQs.
What Mozilla are doing is connecting the web to the physical features of the device. Want access to the user’s entire phonebook or location from a web application? Yep, that’s right, you can have it. Authorisation is difficult (as Android permissions have shown) and history shows that both users and system developers end up going for the lowest common denominator when it comes to security and privacy options: they take the one that is easiest and requires the least intervention (which in the user’s case is pretty much setting everything to no protection).
The W3C Device APIs working group have spent years wrangling with these issues and haven’t come up with a meaningful answer. Lots of people will remember me regularly telling the group that they needed to take security seriously. The EU webinos project is continuing to work on it and is thankfully taking a better approach (based on its origins, OMTP BONDI).
My hope is that more focus on B2G’s security will ensure that mobile users are not exposed to the high number of web application security issues out there.