Ten Dangerous Beliefs About Smart Phones

← Back to Stories (view on slashdot.org)

Ten Dangerous Beliefs About Smart Phones

Posted by Zonk on Friday March 23, 2007 @03:34AM from the keep-an-eye-out-for-shoulder-surfers-too dept.

jcatcw writes "According to Computerworld, lots of assumptions about the security of smart phones are wrong, and any high-value targets, such as political candidates or organizations with valuable data, should treat them carefully. They are not, contrary to common beliefs: just phones with cool features: 'A phone call over a landline used to be an acceptable method for communicating out-of-band administrative information. For example, a system administrator might call you back at your desk to verbally give you a new password (which you then changed, right?), This worked because the desk phone was isolated from the network and system resources to which you were being given access. Not so anymore. If you lose your smart phone and IT calls you back on that mobile number to confirm the trouble ticket, is it a meaningful method of verifying the identity or location of the person who answers?'"

32 of 49 comments (clear)

Min score:

Reason:

Sort:

Duh by voice_of_all_reason · 2007-03-23 03:38 · Score: 1, Offtopic

They share the same curse as the "Smart Bomb." Given that thing's track record, this was obviously a poorly-chosen adjective.
It's all about secure communication... by Atlantis-Rising · 2007-03-23 03:39 · Score: 2, Insightful

It's a basic security problem that always comes up in encryption. You need a backchannel to communicate- a secure channel that doesn't use the same lines (data, systems, whatever) as the information it's trying to protect.

What are the same solutions? Physical security, for one thing. Access verification. Identity anlysis.

It's certainly not that new a problem.

--
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
1. Re:It's all about secure communication... by CrazyTalk · 2007-03-23 03:40 · Score: 3, Insightful
  
  what about post-it attached to underside of keyboard? That same security system (spare key left under doormat) had been in use for generations.
2. Re:It's all about secure communication... by Atlantis-Rising · 2007-03-23 03:46 · Score: 2, Insightful
  
  It's physically secured- presumably access to the building, floor, room, is secured seperately. In either case, the two (key under doormat and post-it under keyboard) are not really comparable.
  
  The reason being that the post-it grants access to the virtual system, while the physical system is seperately secured- the key grants access to the physical system and is a physical thing.
  
  In either case, the secure 'communication' there would be someone from IT walking down and handing you the post-it- hence, a backchannel.
  
  --
  "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
3. Re:It's all about secure communication... by kimvette · 2007-03-23 04:55 · Score: 1
  
  Why not just use two devices:
  - phone with bluetooth
  - iPaq hx2795
  
  Enable biometric security and encryption, then you can rest assured it is either the authorised individual accessing data, or someone cut that person's finger off and used it to authenticate.
  
  --
  The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
No by gravyface · 2007-03-23 03:39 · Score: 1

there's no problem. IT helpdesk would have to call you back in the first place for there to be any concern.

--
body massage!
Assumption #11 by the_tsi · 2007-03-23 03:48 · Score: 1

There's no ads on smart phones. ...Unless of course you go to ComputerWorld's site and try to read an article. I'm not sure what #5-10 were, because all the blinking and flashing and click-through ads destroyed any sense of conveying actual useful information.
1. Re:Assumption #11 by drinkypoo · 2007-03-23 04:52 · Score: 1
  
  I'm not sure what #5-10 were, because all the blinking and flashing and click-through ads destroyed any sense of conveying actual useful information.
  
  I'm not sure what blinking and flashing you're talking about, because I use Adblock Plus with the Filterset.G updater.
  
  don't get mad, get adblock.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Yawn. by Odiumjunkie · 2007-03-23 03:50 · Score: 4, Insightful
- services enabled by default are a security risk
- security holes can be used by third parties to execute malicious code on your machine
- sending sensitive information in cleartext over the internet is a bad idea
- data sent wirelessly can be intercepted and often reconstructed
- cracked encryption standards don't provide real privacy
- remote data storage is a potential privacy risk
- "deleted" data can be recovered, in some form and to some level of completeness, from many types of storage media
- hackers are clever
All things any moderately-savy computer user should be entirely familiar with.
1. Re:Yawn. by truthsearch · 2007-03-23 03:53 · Score: 1
  
  But these phones are supposedly smart! We shouldn't have to think about them. The phone should!
  
  Thinking is for suckers. Let's just let the smart phones do it.
  
  --
  Developers: We can use your help.
2. Re:Yawn. by drinkypoo · 2007-03-23 04:49 · Score: 2, Insightful
  
  I realize you were probably kidding, but frankly, I could not agree more with this sentiment! If I wanted to think about my cellphone, I'd be looking for an open platform, I'd want to tweak the OS, I might even want to roll my own distribution. I don't! I want a device, that does some shit, and works. And of course, I want it to be secure, but I may not even think about that. I know that GSM has encryption so I don't even think about it! (Although yes, it's been broken... But no one with just a scanner will be listening in, which for MY purposes is good enough.) But the point is, the consumer wants to simply purchase an appliance that works and does the things it should do. They should not have to think about this kind of thing. Period.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
3. Re:Yawn. by rtb61 · 2007-03-23 12:36 · Score: 1
  
  Smart phones, for when the sneaker net just becomes so much easier and far more secure and as a bonus comes free with a friendly smile ;).
  
  --
  Chaos - everything, everywhere, everywhen
Unsubstantiated fearmongering by Zarhan · 2007-03-23 03:51 · Score: 5, Insightful

The point in the summary is number 6 in the article. Anyway, this is just bollocks.

You authenticated yourself to the phone on your desk with building and room access-controls.

You authenticate yourself to your cellphone with a PIN code.

I don't know what's the thing about "smart" phones - the argument in the article works with any normal phone. Anyway, you still authenticate yourself to the phone. Oh, someone is coming in with a leadpipe and steals the phone from you? Well, if someone wants your precious off-band password that bad they'd probably force you to log into the system anyway. Otherwise, if it's just some street junking running off, you'll have plenty of time to call the operator and tell them about the theft.

Sometimes the phone may even request additional PIN numbers when going for more sensitive areas. My company uses mobile phone as an off-band authentication token for signing in to VPN - when you connect, your phone beeps at the same time and asks you to type in (different) PIN number. No more carrying around that SecurID-key. (And no, this doesn't require anything special, it's a service on the SIM card).

Other arguments are also dubious at best:

3. Communications are encrypted from end to end.

BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers.

So who has configured your e-mail client not to use SSL? If you are using webmail, it's encrypted. If you are using IMAP, Pop3, or SyncML, those have encryption options as well.

And bloody well you can also use VPN (yes, latest Nokia E-series phones are quite compatible with Cisco VPN concentrators).

As for their server security...well, WHO IN THEIR BRIGHT MIND would store corporate or state secrets on a Hotmail account?

9. Spying on my smart phone is hard.

Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in -- they just become slave USB devices and give up all of your data.

Oh phleeze. What does USB and Bluetooth have to do with each other anyway? In anycase, yes, there were phones in the past that didn't include any sort of Bluetooth authentication (such as Nokia 6310i), but that is hardly the case now.

Of all the fearmongering, this is the only even remotely valid argument (with physical access you can of course do almost anything, as with any device, so the USB point is valid), and using a Pointsec or some other file-system encryption in your phone is a good idea.

All the other stuff mostly concern stuff about any backend systems where your precious e-mails are stored. Has nothing to do with phone. If Hotmail leaks my e-mails, it's Hotmail's fault. If I access Hotmail with my phone, it doesn't magically become the phones fault.
1. Re:Unsubstantiated fearmongering by jrumney · 2007-03-23 04:41 · Score: 1
  
  Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in -- they just become slave USB devices and give up all of your data.
  
  Oh phleeze. What does USB and Bluetooth have to do with each other anyway? In anycase, yes, there were phones in the past that didn't include any sort of Bluetooth authentication (such as Nokia 6310i), but that is hardly the case now.
  
  I think what the GP is trying to say is that when you plug it in via USB, you don't have to authenticate the connection, like you do with bluetooth. But at least with Windows Mobile, you do have to enter the phone's PIN before you can access it, so this is more a problem for non-smart mobile phones in my experience.
2. Re:Unsubstantiated fearmongering by morgan_greywolf · 2007-03-23 04:46 · Score: 1
  
  I agree with your post for the most part, but I think you've missed something. Point 2 is also good. There are a lot of people who think purpose-built devices are more stable and secure. Some of those people even work in IT.
  
  I was told at one job that I had to replace my Linux PC-based firewall with a 'purpose-built device' like a Cisco ASA because the Linux-based PC was somehow less secure and stable. Like the Cisco ASA, 'smart phones' have usually have some more or less general-purpose OS at their core, along with complex applications.
  
  These are computer systems like any other, and thus require a skilled administrator to configure them in a secure fashion. Don't assume because some device is 'purpose-built' that it isn't hackable.
  
  --
  My blog
3. Re:Unsubstantiated fearmongering by Fred+Ferrigno · 2007-03-23 05:41 · Score: 1
  
  These are computer systems like any other, and thus require a skilled administrator to configure them in a secure fashion. Don't assume because some device is 'purpose-built' that it isn't hackable. That's actually Cisco's position as well. They provide an expensive and Cisco-specific method of demonstrating that you are a skilled administrator. So from management's point of view, Cisco ASA + CCXX is more secure than Linux + Random Slashdotter.
4. Re:Unsubstantiated fearmongering by morgan_greywolf · 2007-03-23 05:54 · Score: 1
  
  But I am a CCIE!
  
  --
  My blog
5. Re:Unsubstantiated fearmongering by Zarhan · 2007-03-23 07:04 · Score: 1
  
  I have only completed the written test - going for lab exam this July (they sure don't have too many open slots...).
  
  And I still prefer OpenBSD pf over PIX or IOS inspect features. And so far the training material has failed to convert me (granted, routing&switching exam's security features are mostly limited to reflexive access-lists...)
Re:Assumptions, not beliefs by WinterSolstice · 2007-03-23 03:53 · Score: 4, Insightful

One answer - know what matters. Then make your own judgements. Am I talking about buying milk on the way home, or missile launch codes?

http://www.military-information-technology.com/art icle.cfm?DocID=36

--
An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
Re:Assumptions, not beliefs by Spazntwich · 2007-03-23 03:55 · Score: 1

Ah yes, BarrettAnderson, my old foe. I thought you might be behind these spammed poll links.
Inaccuracy by efence · 2007-03-23 03:56 · Score: 1

TFA:
Now most converged devices run commodity operating systems, such as Sony Ericsson's Symbian OS
Symbian is owned 47% by Nokia and only 13% by Sony Ericsson. It is not "Sony Ericsson's OS".
That's why... by Billosaur · 2007-03-23 03:56 · Score: 1

...you have policies in place to prevent the transmission of sensitive material through easily corrupted/tapped systems. For example, where I work, passwords cannot be transmitted via email, IM, or text message. If I need a password for something, I have to write it down on paper, then destroy the paper. Of course you can stick the paper in your pocket, but without any other identifying information, it wouldn't do someone a lot of good.

--
GetOuttaMySpace - The Anti-Social Network
Some security is user's responsibility by 192939495969798999 · 2007-03-23 03:58 · Score: 2, Insightful

This is like assuming that because A called B and asked for their social security number, that social security numbers are insecure. You still are your own best line of defense against security breaches. Just because you get a call on your deskline doesn't mean it really is I.T. calling back for your password, for example.

Furthermore, If a smartphone is too great a security risk, then choose a different option... I don't understand why people insist on using the latest "security-unknown-or-not-good" device(s) when perfectly good methods of "understood-amount-of-risk" security already exist.

--
stuff |
1. Re:Some security is user's responsibility by Rob+T+Firefly · 2007-03-23 04:10 · Score: 2, Insightful
  
  I don't understand why people insist on using the latest "security-unknown-or-not-good" device(s) when perfectly good methods of "understood-amount-of-risk" security already exist.
  Because the first round of early adopters of the latest bleeding-edge devices are typically the overpaid executives eager to blow the cash on the latest status symbol gadget to prove how advanced and important they are, while the educated nerds will continue using the old perfectly good methods for vital things while waiting for said early adopters to get zapped by the fist wave of major bugs. Only after the canon fodder has done its job will most nerds depend on said gadget for anything important.
  
  --
  Slashdot Burying Stories About Slashdot Media Owned
Article on one page, not 5! by internewt · 2007-03-23 04:00 · Score: 1

Here's the printable, all on one page version of the article:
http://www.computerworld.com/action/article.do?com mand=printArticleBasic&articleId=9014118

--
Car analogies break down.
Re:The First Church of Smartphones by hal2814 · 2007-03-23 05:04 · Score: 1

"When did smartphones become a religion?" Well I didn't expect the Spanish Inquisition.
Re:The First Church of Smartphones by Rob+the+Bold · 2007-03-23 05:27 · Score: 5, Funny

Well I didn't expect the Spanish Inquisition..

Nobody expects the Spanish Inquisition!

--
I am not a crackpot.
Re:The First Church of Smartphones by Ilgaz · 2007-03-23 05:29 · Score: 1

When did smartphones become a religion? "Dangerous Beliefs"?! Could have been labeled better... like misconceptions... something - anything - somebody help me If people are sure that a team of tag abusers will sure add "FUD" to the story, it is a religion.
Fortunately some are taking this seriously by Anonymous Coward · 2007-03-23 05:53 · Score: 1, Informative

To anyone involved with security and operating systems, this is like a big "duh!". Fortunately, some people who are experts in this area are taking this problem seriously.

First, you start with the library which talks to the Telecommunications chip. And you make absolutely certain that security is the top priority (ala OpenBSD):
http://libgsmc.sourceforge.net/

Second, you add a completely Open Source effort, for both the hardware and the software.
http://hbmobile.org/

Experience and history has shown that there's no other solution for secure solutions.

Now there are other Open Source efforts out there, most notably OpenMoko and TrollTech's Green Phone. But neither of these efforts have impressed me as taking security seriously. They certainly haven't said as much. They are both doing an otherwise excellent job, but I do wish they'd change their attitude here.
Desk Phone by ray-auch · 2007-03-23 06:13 · Score: 1

This worked because the desk phone was isolated from the network and system resources to which you were being given access

Sounds like someone missed the digital PBX, VOIP, convergence etc. - in short almost a decade of telcoms change. Whoever wrote that probably thinks callerID is reliable as well.

For at least the last 7 years _all_ the desk phones I've had at various jobs have been digital (and most have been VOIP). The desk phone system is _not_ isolated from the rest of the network, or in any way reliable for security / location ID purposes.
Article just plain wrong by Curmudgeonlyoldbloke · 2007-03-23 06:14 · Score: 1

BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers. Beyond that point, e-mail, instant messages and file transfers may be transmitted unencrypted over the public Internet by default. I neither know nor care about the Sidekick, but in the Blackberry case "end to end" means between the device and the BES server on the customer's site. Whilst it would be possible to allow web browsing directly from the device, in most cases companies configure them to go via the server, subject to the usual restrictions. It's also possible (but optional) to allow random dodgy downloads to the device, but citing that as a security problem would be like saying that there is a security problem with my car because I parked it in the centre of town with the keys in the ignition and it got nicked.

With Windows Mobile you're essentially dealing with an SSL or VPN connection from the device to the company server. There are security issues to consider, but being "transmitted unencrypted over the public Internet by default" isn't one of them.
The choice of installable applications ought to be from a whitelist -- or no list. It is, depending on the service and devices that a company rolls out. From my experience many if not most large companies do enforce restrictions like this.

There's a serious article to be written somewhere asking why companies should make security a higher priority BEFORE something goes wrong, and why they don't use what security measures are available, or allow secure communications to take place over device (e.g. employee-owned ones) that they have no control over, but this isn't it.
Roving wire taps by pjhurst · 2007-03-23 14:03 · Score: 1

A possible abuse that hasn't been mentioned, or I have just missed it, is the ability to use any cell phone as a microphone and as a method of locating you. The FBI in a mafia case used roving wire taps without the cell phone owners permission to listen to mafia members that just happened to be in the area of the mafia members. The potential for abuse is extremely disturbing to me.