I promised you all that I’d publish an amusing story about the RIM Porsche 911 at Mobile World Congress last week. For those who don’t know about the background, RIM purchased QNX in 2010, who just happen to also do the embedded software for Porsche and others. There is a video explaining all that stuff below:
I was very impressed by this demo by the way. The coolest part is the live map of the Nurburgring giving you the right braking points because of the GPS link-up (if anyone is reading this from Porsche or RIM I would love to take it round the Ring by the way!).
Anyway, so I was standing there, the Porsche was sitting there unattended as was the Blackberry handset that was part of the demo. I can tell you that the password for the Blackberry was not “porsche” ;-). I opened up the glove box and had a quick look inside only to be presented with a Cradlepoint WiFi router filling the entirety of the space inside:
RIM Porsche glove box
Staring at me from the top of the router was a white label on the top. I’ve enhanced this in the picture below so you can see it properly. Yes, that’s right, they had a label with a default password (a reasonably weak one too) stuck to the top of the router! 🙂 Obviously I’ve blanked out the actual password in the pics:
Default password anyone?
Now I just want to say here that if anyone from RIM is reading this, please do not crank this up as a security incident or go mental at the QNX guys, this is just an amusing story. After all, it’s a demo and chances are the default password was not being used, someone had probably changed it.
Security is only as good as its weakest link
However, here is the serious bit – with all the convergence of mobile tech and the emergence of connected homes, cars and cities, it just goes to show that security is often only as good as its weakest link. That may not be the mobile technology itself, just something it’s connected to. Oh yes, another security message here – don’t leave phones unattended on trade show stands and always lock your glove box!
#MWC10 – I could have sworn we’ve been here before 😉
Mobile World Congress T minus 1 and I already feel like I’ve had too many Long Island Iced Teas. I woke up to lots of leaks about Mozilla’s Boot-to-Gecko (B2G) project. It looks like they’re teaming up with LG and a lot of others to launch a web runtime based phone. I have already seen a lot of cynical comment, to the extent that a lot of people are saying it is dead on arrival. I’m not so sure. It is clear there is a market for low-end devices with front-ends for SMS-based services in emerging countries (Smart in the Philippines have already launched a phone with this in mind). HTML5 implementations have matured to the state that is ready for mobile devices too and a lot of work has gone on in industry over the years to head in this direction.
Mobile web coverage is rubbish
The biggest issue that I see is the continuing assumption that mobile web / cloud access is ubiquitous. This kind of wrong-headed thinking is sadly typical of projects which live on Silicon Roundabout in London or in the valley with great 3G or WiFi connections. This simply isn’t the case for the vast majority of users in the world. Even in the UK, rural network coverage is horrific. Attention to caching and offline browsing has been lacking.
Don’t ignore the security concerns
I worked on this exact subject for quite a while. My biggest concern however is the way in which a lot of the people involved in these projects pay complete lip service to security and privacy. If you look at the B2G wiki, there is not one single mention of security in the FAQs.
What Mozilla are doing is connecting the web to the physical features of the device. Want access to the entire user’s phonebook or location from a web application? Yep, that’s right you can have it. Authorisation is difficult (as Android permissions have shown) and history shows that both users and system developers end up going for the least common denominator when it comes to security and privacy options – they take the one that is the most easy and requires the least intervention (which in the user’s case is pretty much setting everything to no protection).
The W3C Device APIs working group have spent years wrangling with these issues and haven’t come up with a meaningful answer. Lots of people will remember me regularly telling the group that they needed to take security seriously. The EU webinos project is continuing to work on it and are thankfully taking a better approach (based on its origins, OMTP BONDI).
My hope is that more focus on B2G’s security will ensure that mobile users are not exposed to the high number of web application security issues out there.
Here is a re-post of the blog I did for the Smart UK site (@smartukproject) in preparation for Mobile World Congress. I’m doing quite a few things out there, but I’m looking forward to this on the Tuesday morning (28th); it is going to be a great event. There are still places available and I encourage anyone interested in mobile security and fraud related topics to sign up.
The UK government recently published the Cyber Security Strategy. What implications does this have for the mobile industry and society at large? With the mobile device at the centre of nearly everyone’s life, the integrity of mobility is paramount. The mobile industry has weathered a variety of security incidents over the years but has been relatively successful in comparison to other industries. Can any lessons be learnt from the past successes of mobile that will help for the future? Is the industry living on borrowed time?
This year’s UKTI and ICT KTN Mobile World Congress seminar, Cyber Security in the Mobile World, will look at the vast array of subjects which now come under mobile security – including cyber bullying between children, fraud against telephony systems through to emerging technologies such as machine-to-machine and LTE infrastructure. Crossing all of these varied topics are industry needs such as the lack of security-aware software engineers and the need to prosecute criminals who defraud or attack electronic systems.
While the mobile industry has made great efforts to learn from the past mistakes of the PC world in terms of security, the anti-virus industry has reached saturation in its traditional space. Do mobile devices really need anti-virus or can newer operating systems and technologies negate the need for this type of end point security? Can these companies transform their business models to the changing mobile security landscape and continue to provide a useful service to consumers? How can application stores and developer programmes be improved?
We are pleased to have some of the world’s leading mobile security experts speaking at the event next week. Make sure you sign up as soon as possible in order to reserve your place.
David Rogers runs http://blog.mobilephonesecurity.org. He is also advising the UK Department for Business, Innovation & Skills on Cyber Security for mobile.
As we head towards the annual descent to Barcelona for Mobile World Congress, I thought I’d tell you about my mobile security dinner. This event is open for people interested in any aspect of mobile or network security, to share ideas and hopefully solve all the world’s problems. It’ll be held on the Sunday night (the 26th) from 9pm onwards at a secret location in Barcelona…
This is not the dinner you’re looking for…
Use the contact form above to get in touch if you’re interested in coming along. An important point to note – we split the bill at the end, so this is not a free meal 🙂
So here we are, before Christmas talking about Mobile World Congress (MWC). This is normal in the mobile industry – most companies in the industry are busily working on demos, deciding who to meet and sorting out stands. #mwc12 is after all, the biggest event in the 2012 calendar for the mobile industry. As a regular, it was sad not to be able to make it to 2011’s MWC, but I’m really looking forward to going back in 2012. Like most Brits, I made sure I had my flights from Heathrow booked back in March!
This year, I am also heading over as a judge for the Global Mobile Awards 2012. I am very honoured to have been asked to judge in the Best Technology category – for Best Technology Product or Solution for Safeguarding and Empowering Customers. The product or solution must have been launched and commercially available prior to the closing deadline – which is very soon – the 30th of November 2011. I’d like to encourage entries. If you think your product or solution fits the bill, make sure you register your entry. More details on the criteria can be found on the award page. The judging criteria will be as follows:
- How does the use of your technology safeguard and protect mobile users’ privacy and/or security?
- Does your technology prevent fraud against the operator?
- How does this technology improve the end user experience?
- Does this technology allow access to new services by illuminating privacy and security issues?
If you know anyone who you think should enter this, make sure you spread the word! Good luck to all the entrants and to the rest of you, let me know if you’re coming to Barcelona!