CSE 543 - Computer Security
Lecture 26 - Mobile phone security
December 11, 2007
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/
CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger
Mobile Phones
• Networked device capable of making phone calls
• But it could do so much more!
• Messaging (text messaging and email)
• Entertainment (web and games)
• Safety (mobile communicator)
• Personal computing token (Hey, let’s improve security too!)
• Q: What is the difference between a mobile phone and a personal computer?
Mobile Phone Security
• In some ways, mobile phones and their infrastructure are potentially more difficult to control
• Networking: every way imaginable
• Systems: security not a major focus
• Applications: all kinds
• Personal: seen as more personal, so the tendency is to depend on it for more, rather than less, security
Networking
• Multiple ways to communicate
• Then connect to multiple networks
• And communicate different types of data
• Wireless (e.g., CDMA): transmit voice, data, multimedia data
• SMS/MMS: text and multimedia messages
• WAP: Wireless Application Protocol
• SS7: eventually calls get to the phone network
• IP: vendors moving to IP networks
• Bluetooth: short-distance networking
• Communicate with neighboring devices
Bluetooth
• A standard for building very small personal area networks (PANs)
• Connects just about everything you can name: PDAs, phones, keyboards, mice, your car
• Very short-range network: 1 meter, 10 meters, 100 meters (rare)
• Advertised as the solution to "too many cables"
• Authentication – "pairing" uses pass-phrase style authentication to establish a relationship, which is often stored indefinitely (problem?)
Bluetooth
• Devices “pair” to establish a communication channel
• A pair is associated with a PIN selected by the users
• 4-digit PIN would be a problem, but...
• There are so many other problems
• BlueSnarf: pull known files from a remote phone
• BlueBug: execute commands on the victim
• BlueSmack: “Ping of death”
• Long-distance attacks
WAP (Wireless Application Protocol)
• A set of protocols for implementing applications over thin (read: wireless) pipes
• Short version: a set of protocols to implement the web over wireless links as delivered to resource-limited devices
– reduce overhead and flabby content (image-rich HTML)
– support limited presentation and content formats
• Wireless Markup Language (XML-based language)
– reduce the footprint of the rendering engine (browser)
• Security: WTLS – an SSL/TLS-style protocol -- public keys, key negotiation, etc.
• Success in Japan, little elsewhere (currently)
Systems
• Common operating systems
• Symbian (85% of market), Windows Mobile, and now Linux
• Symbian protection model
• Installer
• Symbian-signed programs
• Everything else (e.g., games)
• Everything else is limited in its writing, but can read most anything
• Thus, some phone models using Symbian disallow ‘everything else’
Applications
• Typical application problems
• Buffer overflows
• User administration (install an MMS attachment with a virus)
• New vectors (e.g., download and install a file from Bluetooth)
• But more trust permitted to Symbian applications
• Contacts database
• Pairing database
• Phone identity
• Also, more vectors for propagation
Personal
• But, people have found that since everyone carries a mobile phone, it would be useful to add security functions to it
• User authentication support
• Generate one-time passwords
• Face authentication
• Secure web authentication
• Keep cookies on the cell phone
• Seeing is believing
• Use the cell phone for an authorization system
• Q: Should we trust phones?
Take Away
• Mobile phones are flexible computing devices
• But, security has not yet been a focus