Smartphones Security
05-05-2005 Sujeeth Narayan 1
Smartphones Security
CS 691 Sujeeth Narayan
Agenda
Part 1 - Introduction to Smartphones
Part 2 - Security Issues
Part 3 - Unified Framework
Part 4 - New Authentication Method
Part 5 - Conclusion
Motivation
• A developing Technology Industry
• Security is unstable in Mobile phones
• Easy to Test
Part 1: Introduction to Smartphones
What are Smartphones?
Includes:
• Vocal Communications – GSM, GPRS
• Web Browsing
• eMail
• Organizer Functions
• Multimedia Capabilities
• Media Player
• Audio, Video Recorder
• Camera
Smartphones Internals
Capabilities:
• Personal Information Management
• Synchronize using protocols such as ActiveSync, IntelliSync
• Connect using Bluetooth, IrDA or GPRS
Operating Systems:
• Windows Mobile™ – Audiovox SMT 5600
• Symbian (Linux) – Motorola A760
OS Architecture
Risks related to Inherent Characteristics
• Based on Operating System – Bugs, Security Holes
• Data Security – PIN exists but not applied for data
Risks related to Users
Mobile usage Survey by Pointsec Mobile Technologies
• Easy to synchronize data with Personal Computer
• Not Enough Data Security
Risks related to Networks
Bluetooth:
• Short range wireless connections
• Has a security specification, but it is not used by many users
• Setting Bluetooth Service in Discoverable Mode
Possible Attacks:
• BTBrowser scans for nearby Bluetooth devices and browses directories
• Buffer overflow attacks in some response messages
• Bluejacking:
  • Putting a message in place of one's device name
  • Sending it with a pairing request
  • With a prompting message, the victim presses a key
  • Victim would then allow the attacker to access files
Risks related to Networks
GPRS (General Packet Radio Service):
• Works on Radio waves
• Works with Internet connectivity
Possible Attacks:
• Attacks from Internet – eMails, Messenger Messages
• Compromised backbone of GGSN – Gateway GPRS Support Node
Enterprises Security Policy
Banning use of Personal Smartphones
• Unrealistic
• Impossible to physically control
Should Define:
• Synchronization
• Use of devices in public places (Deactivate Bluetooth)
• Information Exchange between Device and Enterprise System
USF - Unified Security Framework
Driven by:
NIST – National Institute of Standards and Technology
CSRC – Computer Security Resource Center
Published in June 2004 http://csrc.nist.gov/mobilesecurity/Publications/PP-UNIsecFramework-fin.pdf
USF - Addresses Issues
• User Authentication –
  • The first line of defense for an unattended, lost, or stolen device.
  • Multiple modes of authentication increase the work factor for an attacker.
• Content Encryption –
  • The second line of defense for protecting sensitive information.
• Policy Controls –
  • Policy rules, enforced for all programs regardless of associated privileges, protect critical components from modification, and limit access to security-related information.
Part 4: New Authentication Method
Picture Password: A Visual Login Technique for Mobile Devices
http://csrc.nist.gov/publications/nistir/nistir-7030.pdf
Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick Ayers, Ryan Swanstrom
Method: Extracting the selection of Images
• Matrix Formation of Images
• Associated value for each image
• Generate equivalent Password
Extracting the characteristics of Image ???
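An added illustration of the three steps on this slide (not code from the slides or from NISTIR 7030). The 5x6 grid, the symbol alphabet and the salted PBKDF2 storage step are assumptions chosen for the example.

```python
import hashlib
import hmac
import math
import os

# Assumed layout: a 5x6 matrix of thumbnail images (30 cells).
ROWS, COLS = 5, 6
# Assumed value table: one symbol per image, indexed row-major.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123"

def image_value(row, col):
    """Return the value associated with the image at (row, col)."""
    if not (0 <= row < ROWS and 0 <= col < COLS):
        raise ValueError("selection outside the image matrix")
    return ALPHABET[row * COLS + col]

def equivalent_password(selection):
    """Turn an ordered sequence of selected images into a password string."""
    return "".join(image_value(r, c) for r, c in selection)

def enroll(selection, salt=None, iterations=100_000):
    """Store only a salted, stretched hash of the equivalent password."""
    salt = salt or os.urandom(16)
    pw = equivalent_password(selection).encode()
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)

def verify(selection, record):
    """Recompute the hash for a login attempt and compare in constant time."""
    salt, iterations, stored = record
    try:
        candidate = enroll(selection, salt, iterations)[2]
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)

def entropy_bits(length):
    """Upper bound on password entropy if every image is equally likely."""
    return length * math.log2(ROWS * COLS)

if __name__ == "__main__":
    taps = [(0, 0), (1, 2), (4, 5), (2, 3)]   # constructed sample selection
    record = enroll(taps)
    print(equivalent_password(taps), verify(taps, record))
    print(f"{entropy_bits(len(taps)):.1f} bits for {len(taps)} images")
```

The entropy figure shows why a short image sequence on a small grid gives a limited work factor: four selections from 30 images are under 20 bits, so sequence length and lockout policy matter.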
Part 5: Conclusion
Conclusion
• Smartphones are complex in Architecture and Design
• Network protocols are complex to implement
• Technology is growing and more weaknesses will possibly be discovered
• Organizations should consider these devices in policy making
References
http://csrc.nist.gov/mobiledevices/projects.html
http://www.wirelessdev.net
http://www.smartphonethoughts.com
http://www.AirScanner.com - Mobile Firewall and Antivirus
http://www.PointSec.com - Mobile Security Software
Questions ??