Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Communications Security Handhelds Technology Hardware

Ten Dangerous Beliefs About Smart Phones 49

jcatcw writes "According to Computerworld, lots of assumptions about the security of smart phones are wrong, and any high-value targets, such as political candidates or organizations with valuable data, should treat them carefully. They are not, contrary to common beliefs: just phones with cool features: 'A phone call over a landline used to be an acceptable method for communicating out-of-band administrative information. For example, a system administrator might call you back at your desk to verbally give you a new password (which you then changed, right?), This worked because the desk phone was isolated from the network and system resources to which you were being given access. Not so anymore. If you lose your smart phone and IT calls you back on that mobile number to confirm the trouble ticket, is it a meaningful method of verifying the identity or location of the person who answers?'"
This discussion has been archived. No new comments can be posted.

Ten Dangerous Beliefs About Smart Phones

Comments Filter:
  • Duh (Score:2, Offtopic)

    They share the same curse as the "Smart Bomb." Given that thing's track record, this was obviously a poorly-chosen adjective.
    • there's no problem. IT helpdesk would have to call you back in the first place for there to be any concern.
  • by Atlantis-Rising ( 857278 ) on Friday March 23, 2007 @10:39AM (#18459391) Homepage
    It's a basic security problem that always comes up in encryption. You need a backchannel to communicate- a secure channel that doesn't use the same lines (data, systems, whatever) as the information it's trying to protect.

    What are the same solutions? Physical security, for one thing. Access verification. Identity anlysis.

    It's certainly not that new a problem.
    • by CrazyTalk ( 662055 ) on Friday March 23, 2007 @10:40AM (#18459419)
      what about post-it attached to underside of keyboard? That same security system (spare key left under doormat) had been in use for generations.
      • Re: (Score:3, Insightful)

        It's physically secured- presumably access to the building, floor, room, is secured seperately. In either case, the two (key under doormat and post-it under keyboard) are not really comparable.

        The reason being that the post-it grants access to the virtual system, while the physical system is seperately secured- the key grants access to the physical system and is a physical thing.

        In either case, the secure 'communication' there would be someone from IT walking down and handing you the post-it- hence, a backc
    • Why not just use two devices:
        - phone with bluetooth
        - iPaq hx2795

      Enable biometric security and encryption, then you can rest assured it is either the authorised individual accessing data, or someone cut that person's finger off and used it to authenticate.
  • There's no ads on smart phones. ...Unless of course you go to ComputerWorld's site and try to read an article. I'm not sure what #5-10 were, because all the blinking and flashing and click-through ads destroyed any sense of conveying actual useful information.
    • I'm not sure what #5-10 were, because all the blinking and flashing and click-through ads destroyed any sense of conveying actual useful information.

      I'm not sure what blinking and flashing you're talking about, because I use Adblock Plus with the Filterset.G updater.

      don't get mad, get adblock.

  • Yawn. (Score:5, Insightful)

    by Odiumjunkie ( 926074 ) on Friday March 23, 2007 @10:50AM (#18459519) Journal
    • services enabled by default are a security risk
    • security holes can be used by third parties to execute malicious code on your machine
    • sending sensitive information in cleartext over the internet is a bad idea
    • data sent wirelessly can be intercepted and often reconstructed
    • cracked encryption standards don't provide real privacy
    • remote data storage is a potential privacy risk
    • "deleted" data can be recovered, in some form and to some level of completeness, from many types of storage media
    • hackers are clever


    All things any moderately-savy computer user should be entirely familiar with.
    • But these phones are supposedly smart! We shouldn't have to think about them. The phone should!

      Thinking is for suckers. Let's just let the smart phones do it.
      • Re: (Score:3, Insightful)

        by drinkypoo ( 153816 )
        I realize you were probably kidding, but frankly, I could not agree more with this sentiment! If I wanted to think about my cellphone, I'd be looking for an open platform, I'd want to tweak the OS, I might even want to roll my own distribution. I don't! I want a device, that does some shit, and works. And of course, I want it to be secure, but I may not even think about that. I know that GSM has encryption so I don't even think about it! (Although yes, it's been broken... But no one with just a scanner will
      • by rtb61 ( 674572 )
        Smart phones, for when the sneaker net just becomes so much easier and far more secure and as a bonus comes free with a friendly smile ;).
  • by Zarhan ( 415465 ) on Friday March 23, 2007 @10:51AM (#18459549)
    The point in the summary is number 6 in the article. Anyway, this is just bollocks.

    You authenticated yourself to the phone on your desk with building and room access-controls.

    You authenticate yourself to your cellphone with a PIN code.

    I don't know what's the thing about "smart" phones - the argument in the article works with any normal phone. Anyway, you still authenticate yourself to the phone. Oh, someone is coming in with a leadpipe and steals the phone from you? Well, if someone wants your precious off-band password that bad they'd probably force you to log into the system anyway. Otherwise, if it's just some street junking running off, you'll have plenty of time to call the operator and tell them about the theft.

    Sometimes the phone may even request additional PIN numbers when going for more sensitive areas. My company uses mobile phone as an off-band authentication token for signing in to VPN - when you connect, your phone beeps at the same time and asks you to type in (different) PIN number. No more carrying around that SecurID-key. (And no, this doesn't require anything special, it's a service on the SIM card).

    Other arguments are also dubious at best:

    3. Communications are encrypted from end to end.

    BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers.


    So who has configured your e-mail client not to use SSL? If you are using webmail, it's encrypted. If you are using IMAP, Pop3, or SyncML, those have encryption options as well.

    And bloody well you can also use VPN (yes, latest Nokia E-series phones are quite compatible with Cisco VPN concentrators).

    As for their server security...well, WHO IN THEIR BRIGHT MIND would store corporate or state secrets on a Hotmail account?

    9. Spying on my smart phone is hard.

    Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in -- they just become slave USB devices and give up all of your data.


    Oh phleeze. What does USB and Bluetooth have to do with each other anyway? In anycase, yes, there were phones in the past that didn't include any sort of Bluetooth authentication (such as Nokia 6310i), but that is hardly the case now.

    Of all the fearmongering, this is the only even remotely valid argument (with physical access you can of course do almost anything, as with any device, so the USB point is valid), and using a Pointsec or some other file-system encryption in your phone is a good idea.

    All the other stuff mostly concern stuff about any backend systems where your precious e-mails are stored. Has nothing to do with phone. If Hotmail leaks my e-mails, it's Hotmail's fault. If I access Hotmail with my phone, it doesn't magically become the phones fault.
    • by jrumney ( 197329 )

      Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in -- they just become slave USB devices and give up all of your data.

      Oh phleeze. What does USB and Bluetooth have to do with each other anyway? In anycase, yes, there were phones in the past that didn't include any sort of Bluetooth authentication (such as Nokia 6310i), but that is hardly the case now.

      I think what the GP is trying to say is that when you plug it in via

    • I agree with your post for the most part, but I think you've missed something. Point 2 is also good. There are a lot of people who think purpose-built devices are more stable and secure. Some of those people even work in IT.

      I was told at one job that I had to replace my Linux PC-based firewall with a 'purpose-built device' like a Cisco ASA because the Linux-based PC was somehow less secure and stable. Like the Cisco ASA, 'smart phones' have usually have some more or less general-purpose OS at their core,
      • These are computer systems like any other, and thus require a skilled administrator to configure them in a secure fashion. Don't assume because some device is 'purpose-built' that it isn't hackable.
        That's actually Cisco's position as well. They provide an expensive and Cisco-specific method of demonstrating that you are a skilled administrator. So from management's point of view, Cisco ASA + CCXX is more secure than Linux + Random Slashdotter.
        • But I am a CCIE!
          • by Zarhan ( 415465 )
            I have only completed the written test - going for lab exam this July (they sure don't have too many open slots...).

            And I still prefer OpenBSD pf over PIX or IOS inspect features. And so far the training material has failed to convert me (granted, routing&switching exam's security features are mostly limited to reflexive access-lists...)
  • TFA:

    Now most converged devices run commodity operating systems, such as Sony Ericsson's Symbian OS
    Symbian is owned 47% by Nokia and only 13% by Sony Ericsson. It is not "Sony Ericsson's OS".
  • ...you have policies in place to prevent the transmission of sensitive material through easily corrupted/tapped systems. For example, where I work, passwords cannot be transmitted via email, IM, or text message. If I need a password for something, I have to write it down on paper, then destroy the paper. Of course you can stick the paper in your pocket, but without any other identifying information, it wouldn't do someone a lot of good.

  • This is like assuming that because A called B and asked for their social security number, that social security numbers are insecure. You still are your own best line of defense against security breaches. Just because you get a call on your deskline doesn't mean it really is I.T. calling back for your password, for example.

    Furthermore, If a smartphone is too great a security risk, then choose a different option... I don't understand why people insist on using the latest "security-unknown-or-not-good" device(s) when perfectly good methods of "understood-amount-of-risk" security already exist.
    • Re: (Score:3, Insightful)

      I don't understand why people insist on using the latest "security-unknown-or-not-good" device(s) when perfectly good methods of "understood-amount-of-risk" security already exist.

      Because the first round of early adopters of the latest bleeding-edge devices are typically the overpaid executives eager to blow the cash on the latest status symbol gadget to prove how advanced and important they are, while the educated nerds will continue using the old perfectly good methods for vital things while waiting for s

  • Here's the printable, all on one page version of the article:
    http://www.computerworld.com/action/article.do?com mand=printArticleBasic&articleId=9014118 [computerworld.com]
  • by Anonymous Coward
    To anyone involved with security and operating systems, this is like a big "duh!". Fortunately, some people who are experts in this area are taking this problem seriously.

    First, you start with the library which talks to the Telecommunications chip. And you make absolutely certain that security is the top priority (ala OpenBSD):
    http://libgsmc.sourceforge.net/ [sourceforge.net]

    Second, you add a completely Open Source effort, for both the hardware and the software.
  • This worked because the desk phone was isolated from the network and system resources to which you were being given access

    Sounds like someone missed the digital PBX, VOIP, convergence etc. - in short almost a decade of telcoms change. Whoever wrote that probably thinks callerID is reliable as well.

    For at least the last 7 years _all_ the desk phones I've had at various jobs have been digital (and most have been VOIP). The desk phone system is _not_ isolated from the rest of the network, or in any way relia
  • BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers. Beyond that point, e-mail, instant messages and file transfers may be transmitted unencrypted over the public Internet by default.

    I neither know nor care about the Sidekick, but in the Blackberry case "end to end" means between the device and the BES server on the customer's site. Whilst it would be possible to allow web browsing directly from the device, in most cases companies configure them to go via the server, subject to the usual restrictions. It's also possible (but optional) to allow random dodgy downloads to the device, but citing that as a security problem would be like saying that there is a security problem with my car

  • A possible abuse that hasn't been mentioned, or I have just missed it, is the ability to use any cell phone as a microphone and as a method of locating you. The FBI in a mafia case used roving wire taps without the cell phone owners permission to listen to mafia members that just happened to be in the area of the mafia members. The potential for abuse is extremely disturbing to me.

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...