Slashdot Mirror


Ten Dangerous Beliefs About Smart Phones

jcatcw writes "According to Computerworld, lots of assumptions about the security of smart phones are wrong, and any high-value targets, such as political candidates or organizations with valuable data, should treat them carefully. They are not, contrary to common beliefs, just phones with cool features: 'A phone call over a landline used to be an acceptable method for communicating out-of-band administrative information. For example, a system administrator might call you back at your desk to verbally give you a new password (which you then changed, right?). This worked because the desk phone was isolated from the network and system resources to which you were being given access. Not so anymore. If you lose your smart phone and IT calls you back on that mobile number to confirm the trouble ticket, is it a meaningful method of verifying the identity or location of the person who answers?'"


  1. It's all about secure communication... by Atlantis-Rising · Score: 2, Insightful

    It's a basic security problem that always comes up in encryption. You need a backchannel to communicate- a secure channel that doesn't use the same lines (data, systems, whatever) as the information it's trying to protect.

    What are the same solutions? Physical security, for one thing. Access verification. Identity analysis.

    It's certainly not that new a problem.

    --
    "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    1. Re:It's all about secure communication... by CrazyTalk · Score: 3, Insightful

      What about a post-it attached to the underside of the keyboard? That same security system (spare key left under the doormat) has been in use for generations.

    2. Re:It's all about secure communication... by Atlantis-Rising · Score: 2, Insightful

      It's physically secured- presumably access to the building, floor, room, is secured separately. In either case, the two (key under doormat and post-it under keyboard) are not really comparable.

      The reason being that the post-it grants access to the virtual system, while the physical system is separately secured- the key grants access to the physical system and is a physical thing.

      In either case, the secure 'communication' there would be someone from IT walking down and handing you the post-it- hence, a backchannel.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
  2. Yawn. by Odiumjunkie · Score: 4, Insightful
    • services enabled by default are a security risk
    • security holes can be used by third parties to execute malicious code on your machine
    • sending sensitive information in cleartext over the internet is a bad idea
    • data sent wirelessly can be intercepted and often reconstructed
    • cracked encryption standards don't provide real privacy
    • remote data storage is a potential privacy risk
    • "deleted" data can be recovered, in some form and to some level of completeness, from many types of storage media
    • hackers are clever

    All things any moderately savvy computer user should be entirely familiar with.
    1. Re:Yawn. by drinkypoo · Score: 2, Insightful

      I realize you were probably kidding, but frankly, I could not agree more with this sentiment! If I wanted to think about my cellphone, I'd be looking for an open platform, I'd want to tweak the OS, I might even want to roll my own distribution. I don't! I want a device, that does some shit, and works. And of course, I want it to be secure, but I may not even think about that. I know that GSM has encryption so I don't even think about it! (Although yes, it's been broken... But no one with just a scanner will be listening in, which for MY purposes is good enough.) But the point is, the consumer wants to simply purchase an appliance that works and does the things it should do. They should not have to think about this kind of thing. Period.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Unsubstantiated fearmongering by Zarhan · Score: 5, Insightful

    The point in the summary is number 6 in the article. Anyway, this is just bollocks.

    You authenticated yourself to the phone on your desk with building and room access-controls.

    You authenticate yourself to your cellphone with a PIN code.

    I don't know what the thing is about "smart" phones - the argument in the article works with any normal phone. Anyway, you still authenticate yourself to the phone. Oh, someone is coming in with a lead pipe and steals the phone from you? Well, if someone wants your precious off-band password that badly they'd probably force you to log into the system anyway. Otherwise, if it's just some street junkie running off, you'll have plenty of time to call the operator and tell them about the theft.

    Sometimes the phone may even request additional PIN numbers when going for more sensitive areas. My company uses the mobile phone as an off-band authentication token for signing in to the VPN - when you connect, your phone beeps at the same time and asks you to type in a (different) PIN number. No more carrying around that SecurID key. (And no, this doesn't require anything special, it's a service on the SIM card.)

    Other arguments are also dubious at best:

    3. Communications are encrypted from end to end.

    BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers.

    So who has configured your e-mail client not to use SSL? If you are using webmail, it's encrypted. If you are using IMAP, POP3, or SyncML, those have encryption options as well.

    And bloody well you can also use VPN (yes, latest Nokia E-series phones are quite compatible with Cisco VPN concentrators).

    As for their server security...well, WHO IN THEIR BRIGHT MIND would store corporate or state secrets on a Hotmail account?

    9. Spying on my smart phone is hard.

    Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in -- they just become slave USB devices and give up all of your data.

    Oh phleeze. What do USB and Bluetooth have to do with each other anyway? In any case, yes, there were phones in the past that didn't include any sort of Bluetooth authentication (such as the Nokia 6310i), but that is hardly the case now.

    Of all the fearmongering, this is the only even remotely valid argument (with physical access you can of course do almost anything, as with any device, so the USB point is valid), and using a Pointsec or some other file-system encryption in your phone is a good idea.

    All the other stuff mostly concerns the backend systems where your precious e-mails are stored. That has nothing to do with the phone. If Hotmail leaks my e-mails, it's Hotmail's fault. If I access Hotmail with my phone, it doesn't magically become the phone's fault.
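The argument in the summary (calling the lost phone back proves nothing) and Zarhan's VPN setup (a SIM PIN prompt as a second factor) are two sides of one rule: an out-of-band channel only counts if it rides on a different asset from the one in question. The following is an added example, not code from the article or from any commenter; the asset and channel names are made up, and the policy is a simplified model of a help-desk verification rule.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Channel:
    """A way to reach a person, tied to the physical asset that carries it."""
    name: str    # e.g. "desk-phone", "mobile-callback", "sim-pin-prompt"
    asset: str   # the physical thing the channel rides on (hypothetical labels)

@dataclass(frozen=True)
class Request:
    """Context of one verification: what the primary action runs on, and
    which assets the ticket itself reports as lost or stolen."""
    in_band_asset: Optional[str]                  # None for a plain help-desk call
    suspect_assets: FrozenSet[str] = frozenset()  # assets named in the ticket

def usable_out_of_band(channels: List[Channel], req: Request) -> List[str]:
    """Names of channels that still give an independent second path.
    A channel is dropped if it rides on an asset the ticket reports lost
    (calling the lost phone back proves nothing about who answers) or on the
    same asset the primary action uses (a SIM PIN prompt is in-band when the
    VPN client runs on that same phone)."""
    return [c.name for c in channels
            if c.asset not in req.suspect_assets and c.asset != req.in_band_asset]

# Constructed sample: one employee's channels, with made-up asset names.
EMPLOYEE_CHANNELS = [
    Channel("desk-phone", "desk-extension-1234"),
    Channel("in-person", "badge-controlled-office"),
    Channel("mobile-callback", "smartphone"),
    Channel("sim-pin-prompt", "smartphone"),
]

def lost_phone_ticket() -> List[str]:
    """The summary's scenario: the smartphone itself is reported lost."""
    req = Request(in_band_asset=None, suspect_assets=frozenset({"smartphone"}))
    return usable_out_of_band(EMPLOYEE_CHANNELS, req)

def vpn_from_laptop() -> List[str]:
    """Zarhan's scenario: VPN client on a laptop, PIN prompt on the phone."""
    return usable_out_of_band(EMPLOYEE_CHANNELS, Request(in_band_asset="laptop"))

def vpn_from_phone() -> List[str]:
    """Same PIN prompt, but the VPN client runs on the phone (E-series style)."""
    return usable_out_of_band(EMPLOYEE_CHANNELS, Request(in_band_asset="smartphone"))

if __name__ == "__main__":
    for label, fn in [("lost phone", lost_phone_ticket), ("VPN from laptop", vpn_from_laptop),
                      ("VPN from phone", vpn_from_phone)]:
        print(f"{label:16s} -> {fn()}")
```

The third case is the one both the article and Zarhan leave implicit: once the VPN client and the PIN prompt share a handset, the "off-band" token is no longer off-band.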

  4. Re:Assumptions, not beliefs by WinterSolstice · Score: 4, Insightful
    One answer - know what matters. Then make your own judgements. Am I talking about buying milk on the way home, or missile launch codes?

    http://www.military-information-technology.com/article.cfm?DocID=36

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  5. Some security is user's responsibility by 192939495969798999 · Score: 2, Insightful

    This is like assuming that because A called B and asked for their social security number, social security numbers are insecure. You still are your own best line of defense against security breaches. Just because you get a call on your desk line doesn't mean it really is I.T. calling back for your password, for example.

    Furthermore, if a smartphone is too great a security risk, then choose a different option... I don't understand why people insist on using the latest "security-unknown-or-not-good" device(s) when perfectly good methods of "understood-amount-of-risk" security already exist.

    --
    stuff |
    1. Re:Some security is user's responsibility by Rob+T+Firefly · Score: 2, Insightful

      I don't understand why people insist on using the latest "security-unknown-or-not-good" device(s) when perfectly good methods of "understood-amount-of-risk" security already exist.

      Because the first round of early adopters of the latest bleeding-edge devices are typically the overpaid executives eager to blow the cash on the latest status symbol gadget to prove how advanced and important they are, while the educated nerds will continue using the old perfectly good methods for vital things while waiting for said early adopters to get zapped by the first wave of major bugs. Only after the cannon fodder has done its job will most nerds depend on said gadget for anything important.
      Because the first round of early adopters of the latest bleeding-edge devices are typically the overpaid executives eager to blow the cash on the latest status symbol gadget to prove how advanced and important they are, while the educated nerds will continue using the old perfectly good methods for vital things while waiting for said early adopters to get zapped by the fist wave of major bugs. Only after the canon fodder has done its job will most nerds depend on said gadget for anything important.