Securing Mobile Devices

publicyardΚινητά – Ασύρματες Τεχνολογίες

10 Δεκ 2013 (πριν από 3 χρόνια και 10 μήνες)

87 εμφανίσεις

Mobile Device Security
Securing Mobile Devices
National Institute of Standards and
Technology
U.S. Department of Commerce
Tom Karygiannis
email: karygiannis@nist.gov
Washington, DC
June 2, 2011
Mobile Device Security
Presentation Outline
• About NIST
• Mobile Security in Context
• Mobile Device Security
• NIST Research
• Contact
Mobile Device Security
NIST Provides Innovation
Infrastructure…


Non
Non
-
-
regulatory agency within U.S.
regulatory agency within U.S.
Department of Commerce.
Department of Commerce.


Founded in 1901 as National Bureau of
Founded in 1901 as National Bureau of
Standards
Standards


~2900 employees
~2900 employees


Nobel Prize Winner in Physics in 1997,
Nobel Prize Winner in Physics in 1997,
2001, 2005
2001, 2005


NIST Mission: To promote U.S. innovation
NIST Mission: To promote U.S. innovation
and industrial competitiveness by advancing
and industrial competitiveness by advancing
measurement science, standards, and
measurement science, standards, and
technology in ways that enhance economic
technology in ways that enhance economic
security and improve our quality of life.
security and improve our quality of life.
• Provide the measurement “tool box”

for
the nation
– Provide solutions to measurement
problems
– Try to assure that the necessary
measurements and quality are available
to meet the nations most significant
needs
• Absolute correctness of results is
paramount to NIST Labs.
Mobile Device Security
NIST Laboratories
NIST’s work enables
•Science
•Technology innovation
•Trade
•Public benefit
Mobile Device Security
Mobile Security in Context
• How did we get here?
• What is new?
• Why should I care?
• What is a security model?
Mobile Device Security
Mobile Devices around 2005
Destination Network
(wired or wireless)
Access Point
Wire Transmission Path
Radio Transmission Path
Mobile Devices
Cell Phone
Palm Pilot
Laptop
Network
Cell Phone Fraud
- Cloning
Mobile Device Security
Mobile Devices - New Security Risks
• Risk of Theft or Loss
• User Authentication
• Connecting to Enterprise
• Provisioning
• Limited Computing Power? –

Not
Anymore
• Multiple Wireless Interfaces
• Mobility
• Mixed Personal & Professional Use
• Lack of User Awareness
Mobile Device Security
Lost Mobile Devices
• An estimated 11,300 laptop
computers, 31,400 handheld
computers and 200,000 mobile
telephones were left in taxis
around the world during the last
six months, a survey found on
Monday. January 24th, 2005
Reuters
• The survey's findings were
extrapolated to reflect the total
number of taxis in each city
• How do you protect data at
rest?
Mobile Device Security
Video and Camera Phones
• Accountability
• Privacy
• Mercedes-Benz and Honda
have banned the phones
to ensure the technology
in their factories won't fall
into a competitor's hands
• Health Club Ban
• Classrooms
• Government Agencies
Mobile Device Security
SMS
• Republican Convention in New
York
• TXTMob

members who share
TXT messages via cellphone
• SMS Text and VideoPhone
Cheating in Classroom
• Social Media and “Arab
Spring”
Mobile Device Security
Bluetooth
• Bluejacking
• Cabir/Caribe

Virus -

Long-

standing virus writer group 29A
• Emptying the battery in the
phone quicker as it tries to
beam itself out to other
Bluetooth devices.
• Cell phones running
SymbianOS, requires users to
accept and execute the
downloaded package.
Mobile Device Security
Cell Phone Jammers
• Quiet Cars
• Hotels
• Restaurants
• Theaters
• Classrooms
Mobile Device Security
Disposable Cell Phone
• PrePaid

Cell Phone
• Disposable
• Anonymity
• Inexpensive
• Prepaid reduces risk
of Telecom fraud, but
introduces other
security issues.
Mobile Device Security
Law Enforcement and Privacy
Issues
• Google Voice
• Skype
• Communications
Assistance for Law
Enforcement Act
(CALEA)
Mobile Device Security
WMATA Smart Trip
• Short Range
• Tracks time of entry
and exit to metro
stations
• Registered
– $5
• Unregistered
– Anonymous
Mobile Device Security
EZ Pass
TAG USE
• a) Use of your E-ZPasstag binds
you to the Terms and Conditions of
this agreement.
• b) Your E-ZPasstag(s) may be
used on the vehicle(s)
specifically listed on this
account.
• c) Your E-ZPasstag is good
wherever you see the E-ZPasslogo.
• d) You must approach and pass
through an E-ZPass lane at the
posted speed and obey
• other traffic signs.
Mobile Device Security
RFID
• Supply Chain
Management
• Industrial Espionage
• Consumer Privacy
• RFID Constellation
Mobile Device Security
GPS
• Rental Car Companies
• Commercial Fleet
Management
• Military
• Consumer Electronics
Mobile Device Security
GPS Child Finder
Mobile Device Security
Mobile Payment Systems
• Near Field Communication
technology, developed by
Sony and Royal Philips
Electronics, lets wireless
devices connect to other
devices nearby and
transfer data, from
payment information to
digital pictures.
• Samsung Electronics and
Philips are developing cell
phones with embedded
NFC chips that could
double as debit cards or
electronic IDs.
Mobile Device Security
Wireless in
Automotive Industry
Interface Devices
(Built-in Display, Annunciator,
Microphone, Keypad, etc.
connected to the Computer,
which is connected to the
IDB)
909.75-921.75 MHz
Toll & Parking
OBU
(Add-on when
needed)
5.850-5.925 GHz
Multi-Application OBU/w
360 degree antenna
(factory installation)
(connected to the IDB)
Computer
(factory installation)
(connected to the IDB)
87.5-107.9 MHz
FM sub carrier
1575.42 MHz
GPS Receiver
Other ITS
Communications
Equipment
Multiple Bands
Two-way Radio
76-77 GHz
Collision
Avoidance Radar2322.5-2345 MHz
for XM Radio
Satellite Radio band
1800 to 1900 MHz
2.5/3G PCS Phone
(which is connected to the
IDB)
Infrared
OBU
(Add-on when
needed for super
high data rates)
800 to 900 MHz
and
1800 to 1900 MHz
Cellular Phone Antenna
Mobile Device Security
Wi-Fi in the Sky
• Boeing and iPass

set up
wireless hotspots in the
sky by using satellites to
deliver the internet to
planes and extending
these links to passengers'
laptops with Wi-Fi.
• The companies are betting
that business travelers,
who already connect their
laptop computers
wirelessly in hotels, cafes
and airports around the
world, want to stay
connected on the plane.
Mobile Device Security
Mobile Facial Recognition
• Los Angeles Police Department
• Hand-held computer with camera
• Luis Li, chief of the Los Angeles city attorney's criminal
branch, said the technology should not present legal
problems because it was used only as an initial means of
identification.
• "If you are standing in the street, you have no expectation
of privacy," he said.
• Associated Press, Dec. 26, 2004
Mobile Device Security
Mobile Entertainment
• Betting
• Multiplayer Gaming
• Wallet Phone
Mobile Device Security
Web 2.0
• Social Media
• Privacy?
• Censorship
• P2P
Mobile Device Security
Brave New World or 1984?
• Orwell feared that the truth
would be concealed from us.
• Orwell feared we would become
a captive culture.
• Orwell feared those who would
ban books.
• Huxley feared the truth would
be drowned in a sea of
irrelevance.
• Huxley feared we would
become a trivial culture.
• Huxley feared that there would
be no reason to ban a book, for
there would be no one who
wanted to read one.
• Civil libertarians and rationalists
who are ever on the alert to
oppose tyranny "failed to take
into account man's almost
infinite appetite for distractions".
Mobile Device Security
Smart Phones Today
Mobile Device Security
Illustrative Smart Phone
Capabilities
• Internal 16 GB storage, 1 GB RAM
• Card slot microSD, up to 32GB, buy memory
• CPU Dual-core 1GHz ARM Cortex-A9 proccessor, ULP GeForce

GPU,
Tegra

2 chipset
• OS Android OS, v2.2 (Froyo)
• GPRS Class 12 (4+1/3+2/2+3/1+4 slots), 32 -

48 kbps
• EDGE Class 12
• 3G HSDPA, 14.4 Mbps; HSUPA, 2.0 Mbps
• WLAN Wi-Fi 802.11 a/b/g/n, DLNA, Wi-Fi hotspot
• Bluetooth Yes, v2.1 with A2DP, EDR
• Infrared port No
• USB Yes, microUSB

v2.0
• 2G Network GSM 850 / 900 / 1800 / 1900
• 3G Network HSDPA 850 / 900 / 1900 / 2100
• Primary 5 MP, 2592х1944 pixels, autofocus, LED flash
• Features Geo-tagging, image stabilization
• Video Yes, 720p@30fps, 1080p (via future update)
Mobile Device Security
1943/1944 – Colossus Mark I & II
• The Colossus Mark I & II are widely acknowledged as the first
programmable electric computers, and were used at Bletchley Park to
decode German codes encrypted by the Lorenz SZ40/42.
Mobile Device Security
1981 – IBM PC
• The IBM PC is introduced
running the Microsoft Disk
Operating System (MS-DOS)
along with CP/M-86. The IBM
PC's open architecture made
it the de-facto standard
platform, and it was
eventually replaced by
inexpensive clones.
• CPU: Intel 8088 @ 4.77 MHz
• RAM: 16 kB ~ 640 kB
• Price: $5,000 - $20,000
Mobile Device Security
1984 – Apple Macintosh
• Apple introduces the first
successful consumer
computer with a WIMP
user interface (Windows
Icons Mouse & Pointer),
modelled after the
unsuccessful Xerox Alto
computer.
• Motorola 68000 @8Mhz
• 128KB Ram
• US$1,995 to US$2,495
Mobile Device Security
NIST Research
NIST Mobile Security Research
Mobile Device Security
Traditional Device Concerns
Security Requirements

Confidentiality

Integrity

Authenticity

Availability

Accountability

Non Repudiation
Threats
• Eavesdropping
• Integrity
• Data Exfiltration
• Denial of Service
• Masquerading
Attacks
• Physical Attacks
• Application Attacks
• Telecommunications
• Infrastructure –

App Store
• Supply Chain
Vulnerabilities
• Hardware
• Software
• OS
• Communication
Protocols
Mobile Device Security
Operational Requirements
Assumptions


Networked or Stand‐alone Apps


Public or Private Network


Tethered or Untethered

Synchronization


Standard or Proprietary Protocols


Ad Hoc Network or Base Station


Configuration Management


Classification Level of Data


Connect back to Enterprise 

Networks


Interoperable with Enterprise


Federated or Enterprise Model


Cloud Computing 
Threats


Capture or loss of device


Poor configuration management, 

administrative backdoor, automatic 

updates


Eavesdropping wireless communications 


Infection from compromised PC during 

data synchronization


Peer smart‐phone attack or infection (via 

Bluetooth or WiFi)


Attacks on Telecom Network ‐

Base 

Station DoS


Malware ‐

viruses, trojans, or worms 

spread the same way as PCs


Location tracking


Proper Device disposal –forensic tools


DoS



Spam
Mobile Device Security
Security Design Goals and Objectives
End-to-End Security that encompasses ALL Participating Entities
Device Security
Application Security
Application Store Security
Provisioning Security
Identity Management of Users & Applications
Security Customization of each device for the Mission
Device and Application Security tailored to the Organizational Objectives
Automatic & Flexible Provisioning & Phone Reconfiguration
Mobile Device Security
Security Design Goals and Objectives
Transparent Security Architecture that uses FIPS-140 Validated and
NSA Approved Crypto Libraries
Conform to Existing Standards for Information Assurance
Provably Secure and Cryptographically Strong
Take into consideration the Resource Constraints
Smartphones are CPU and Power-limited
SDCardStorage is relative slow compared to RAM
Where do you keep the Cryptographic Keys?
NSA-Grade Suite B Cryptography Compliance
Mobile Device Security
Application Vetting & Testing
Device Lock-down and Encryption of ALL Data and
Communications
Enforcement of Security Policies in the Android Framework
Second-level Defenses placed in the Android Linux Kernel
Prevent Attacks that bypass Android Security Framework
Android has Inherited some (if not all) of the Linux
Vulnerabilities
Java Native Interface to Linux Libraries a potential Avenue
for Exploitation
Defense in-Depth: Multiple Levels of Security
Mobile Device Security
Software Assurance
Mobile Device Security
Static vs. Dynamic
• Dynamic
reliability and performance measurement of the
product in the lab under assumed operational profiles.
• Static
analysis of the source code using COTS and open
source tools that search for programming errors such as
buffer overflows.
– Top 25 Common Programming Weaknesses CWEs)
[http://cwe.mitre.org/top25/#ProfileAutomatedManual]
– Capability to identify Application Bugs and Unwanted
Functionality
Mobile Device Security
App Instrumentation
Mobile Device Security
Monitoring

Data collected may include:
Amount of time an app is executed
Type and amount of data transmitted
Feature usage within an app
Number of exception calls

Benefits include:

Usage data that can be used for billing,

Reducing bloatware

Additional app testing
Note: Instrumentation can be turned on and off easily, and done selectively as
well. Also, instrumentation does incur performance and footprint hits.
Mobile Device Security
Static & Dynamic Analysis not enough…
• Static & Dynamic Analysis have limitations
• Cannot guarantee complete coverage of the application code
• Remote Content Exploitation still possible
• Applications can cause Power Exhaustion
• Static & Dynamic analysis do not measure the Application
Behavior
• Badly Designed or Malicious code can deplete the battery
quickly
There is a need for Power Metering and Behavior Analysis
Mobile Device Security
Challenges for Power Metering
• A process can evade energy metering
• Outsource the “expensive operations” to the Kernel
• Network operations
• Storage operations
• Use Devices that themselves cause power drain
• Wi-Fi, GPS, Bluetooth
• Display
• Spawn other sub-processes
• Changing Energy Consumption
• Over Time
• Per User
• Based on Location
Mobile Device Security
Evaluation
Mobile Device Security
Device Security Challenges
Increased Operational Complexity with Securing the Deployment of Devices
Many Android Devices Manufacturers (Motorola, Dell, HTC, etc.)
Each Manufacturer has Many Devices (Droid, Droid 2 , Streak,
Nexus 1)
Each Device has many software version of Android
Each Android release has a lot of Application Updates
Both Encompassing & Scalable
Device and Android Kernel and Version Independent
Initial Design & Engineering
Lock-Down Phone I/O
Defenses for both Android Kernel and Applications
Verify Application Updates and Vendors
Mobile Device Security
Device Security Architecture
Mobile Device Security
Computer-to-Phone Attacks
• Gaining Root Access to the Smart Phone Device
Official: simulate screen tap event to the oemunlock menu on selected
devices
Universal: linuxlocal root exploit (CVE-2009-1185, RLIMIT_NPROC
exhaustion) send via USB
• Insert malicious payload
Kernel-level: disassemble boot partition
Replace kernel image with your own
Replace Applications
• Remove traces by un-rooting to avoid detection
We can quickly cleanup, not need for traces
Next reboot, not traces at all
Very very difficult to identify, it has to happen before next reboot
Mobile Device Security
Encrypted File System
OpenSSL
Library
OpenSSL
Library
Mobile Device Security
Conclusions
Assuring the Secure Operation of Smart Devices has a wide-range of
requirements
Application Testing
Static & Dynamic
In-Field Instrumentation
Power Behavior Metering & Policing
Physical Device Security
Lock-Down of the Device I/O (USB, WiFi, etc.)
Encryption of Data both on the Phone & Network
Securing Provisioning Process
Mobile Device Security
Contact
Tom Karygiannis
NIST
Computer Security Division
karygiannis@nist.gov
URL: http://csrc.nist.gov/