Convenience product securityCollin Busch

What is a convenience product?• A convenience product is a device or application that makes

your life easier• For the purpose of this presentation, we will examine different

cell phones, apps, and the security behind them• Security software such as findmyphone• Browser security on mobile devices

The default• By default, a brand new phone or tablet will not have basic

levels of security• There will be no password or lock until it is set up• Different applications on the phone may handle their own

security• Email clients may use SSL/TLS depending on the client/server• Browsers accessing certain websites may use https instead of http• Certain programs such as banking apps may have built in

encryption

Default vulnerabilities• If you keep your device or

program at base security, your entire phone is vulnerable.

• In the case of an iPhone or iPad, one swipe will let anyone access all of the data stored on your phone.

• The most important thing you can do to a mobile device to keep it safe is to require a passcode or pattern

Security Breach in IOS 7• Even if your device is protected by a password lock, it may still

be accessible.• Due to bugs or bad programming, a sequence of actions may

allow you access to a mobile device.• On an iPhone running IOS 7, you could bypass the lock screen

without a passcode, and have access to the camera and stored photos as well as any app that would share these photos, such as Twitter, Facebook, and email apps.

Patching IOS 7 breach• In IOS 7.0.2 it was documented that this breach was now

closed, and that you could no longer bypass the IOS 7 lockscreen

• 7.0.2 was released September 26 2013, 8 days after IOS 7 was release and 7 days after the exploit was discovered.

• For an entire week, brand new software release by a huge and experienced software company had a gaping security hole

• A simple lock screen is not enough.

Android vulnerabilities • Many android users are still using the “gingerbread” operating

system, which is version 2.3.3 to 2.3.7, which was released in 2011.

• This out of date OS has a number of vulnerabilities, including”• SMS message trojans which continually text a premium rate

unknown to the user, resulting in extremely high charges that are usually only noticed at the end of the month/billing cycle

• Rootkits: in 2011 a software developers rootkit was found on millions of android phones, which logged keystrokes, passwords, and user location data without the user’s knowledge

• Malicious google play software- the play store is not as strictly monitored as the Apple store, so there are a number of malware programs masquerading as legitimate programs.

Biometric bypassing• The iPhone 5s implemented a fingerprint biometric scanner to

allow “secure” access to the phone• This biometric scanner was fooled when a hacking team

photographed a fingerprint that had been left on a glass surface.

• Retina scanners can also be bypassed because the scanner reads the “code” of the retina without checking that there is actually an eye.

• Synthetic retina “codes” can be used to bypass most retina scanners, such as the one available for android.

• As demonstrated in the previous vulnerabilities, you need some sort of security past lock screens

How to protect yourself• During web browsing, try to use sites that have https:// in

their header.• You may be able to download software such as

httpseverywhere to further secure browsers (this is also relevant on computers)

• Disable automatic connections so that your device does not automatically connect to what could be a wifi network that will steal data from your phone

• Encrypt your data so that if it is transmitted it is not realistically usable.

• Consider anti malware software- malware for both android and IOS exists

Works cited• http://www.bbb.org/blog/2013/09/warning-security-holes-fo

und-in-new-iphone-ios7-update/

• http://en.wikipedia.org/wiki/IOS_7• http://www.businessinsider.com/android-security-vulnerabilit

y-2013-8#!JOv0m

• http://publicintelligence.net/dhs-fbi-android-threats/• http://www.entrust.com/bypassing-fingerprint-biometrics-not

hing-new/

• http://allgsmtips.com/default-security-code-of-all-mobile-phones/