The Smartphone – Security, or Vulnerability? (#3)

Privacy & Smartphones #3

It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public. 

-Clay Shirky, (Internet scholar and professor at N.Y.U) 


Most of us communicate on a daily basis using e-mail. Ironically e-mail represents an unsecured mode of communications that can be easily intercepted and/or spoofed but very few of us worry about this. And it does not happen very often. Did you ever wonder why not?

Well the economic value of the vast majority of e-mails to a 3rd party is negligible. More importantly the nature of the social and business activities that are mainly conducted over e-mail do not make it worthwhile to try and eavesdrop and analyze the vast volumes of ‘noise’ that we send to each other[1]. And the complexity of such interaction make it resource intensive to build convincing models that can understand evolving sequences of messages and could generate ‘fake messages’ of economic value to be generated.

However when data is agglomerated in a single location it becomes more attractive to professional cyber-criminals. There are regular news stories in the last few years of major data breaches on centralized facilities. These occur because there is a sufficient concentration of data to have significant value. In turn this attracts the attention of professional groups who bring sufficient resources to bear on the problem of compromising the data facility.

Eggs in a Basket … ?

The user’s going to pick dancing pigs over security every time.

-Bruce Schneier

http://www.cnet.com/news/q-a-schneier-warns-of-marketers-and-dancing-pigs/


Now consider your smartphone. It isn’t a centralized facility, but each phone has very powerful capabilities for collection of personal data of many different kinds. On its own, representing a single consumer, it isn’t particularly valuable – unless you have a specific interest in a particular individual. But suppose you can crack one model of phone [1]–[4] – well a scaling of resources would enable you to crack, in theory, all similar models.

And much of today’s secure encryption protocols are based on relatively old cryptographic techniques.

This was brought home a couple of years ago by the heart-bleed bug [5] which exposed vulnerabilities in the SSH algorithms (https://en.wikipedia.org/wiki/Secure_Shell) which underlie secure networking protocols such as HTTPS (https://en.wikipedia.org/wiki/HTTPS ) and TLS (https://en.wikipedia.org/wiki/Transport_Layer_Security). There has been much subsequent research into related risks and vulnerabilities in industry-standard encryption techniques for secure network channels [6]–[12].

Concluding Thoughts …

We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times; where there are no secrets from government.

-William Orville Douglas 

Osborn v. United States, 385 U.S. 341 (1966)


So what can we conclude from these discussions?

That Battle in your Pocket

Well the battle for digital privacy is ongoing and is being largely waged on the smartphone in your pocket. Yes, some of that battle also extends onto the cloud, but the phone is the nexus and the key focal point both for augmentation of your daily lifestyle and for corporations to trade off services in return for greater levels of insight into you and access to your personal data and metadata.

Corporations understand the value of you and your data and have also understood that people want to have greater control over the privacy and access to this data. Accordingly we have seen a wave of new management tools to improve transparency – while some of this was originally driven by legislation and regulations it does now seem that industry has understood that consumers have become increasingly educated on their rights. And thus it has become correspondingly important for industry to be seen to be operating in a transparent and pro-consumer manner when handling our personal data and related privacy issues.

After all it is access to, and analysis of that data is what will separate winners from losers in the online economy. This is why you have recently seen most of the major technology corporations facing up to the US Department of Justice on the side of the consumer’s right to privacy!


Whether it’s Facebook or Google or the other companies, that basic principle that users should be able to see and control information about them that they themselves have revealed to the companies is not baked into how the companies work. But it’s bigger than privacy. Privacy is about what you’re willing to reveal about yourself.

– Eli Pariser 

(Interview with Time Magazine May 16, 2011)


Smartphone as a Target

The key problem here is that as the value of the data that is generated by your phone continues to increase it starts to become an attractive target for cybercriminals. Not just your individual phone, naturally, but the sum of data drawn from very large groups of identical devices provides an extremely tempting target. And these devices are vulnerable!

The reality is that the point-to-point security that secures your phone, your personal data and protects your privacy is based on HTTPS and SSH technologies that date from the 1994-95 period [13], [14]. In fact is it known that the US National Security Agency already has capabilities to break live SSH channels and access the encrypted data [15]. How far behind are the larger cyber-crime consortia?

Yes, the veneer of security protecting your data, your communications, your profile, metadata and presence on social networks is based on encryption technologies that are several decades old. If new, disruptive technologies arrive offering the capability to break these older schemes in real-time, where then is your shield of privacy?

 

Bibliography

[1]      N. Dhanjani, “New Age Application Attacks Against Apple’s iOS (and Countermeasures),” Black Hat Eur., 2011 [Online]. Available: http://media.blackhat.com/bh-eu-11/Nitesh_Dhanjani/BlackHat_EU_2011_Dhanjani_Attacks_Against_Apples_iOS-WP.pdf. [Accessed: 03-Apr-2016]

[2]      T. Wang, K. Lu, L. Lu, S. Chung, and W. Lee, “Jekyll on iOS: When Benign Apps Become Evil.,” Usenix Secur., 2013 [Online]. Available: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang-updated-8-23-13.pdf. [Accessed: 03-Apr-2016]

[3]      I. Mohamed and D. Patel, “Android vs iOS Security: A Comparative Study,” Inf. Technol. …, 2015 [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7113562. [Accessed: 03-Apr-2016]

[4]      O. Adebayo and N. Aziz, “The Trend of Mobile Malwares and Effective Detection Techniques,” Crit. Socio-Technical Issues …, 2015 [Online]. Available: https://books.google.com/books?hl=en&lr=&id=zNnHCgAAQBAJ&oi=fnd&pg=PA219&dq=iphone+private+key+vulnerability&ots=OlQUV8okTm&sig=dbg47fz2KchG1ruyI0mwmolC0xw. [Accessed: 03-Apr-2016]

[5]      Z. Durumeric and J. Kasten, “The matter of heartbleed,” Proc. …, 2014 [Online]. Available: http://dl.acm.org/citation.cfm?id=2663755. [Accessed: 03-Apr-2016]

[6]      J. Wang, M. Zhao, Z. Qiang, D. Wu, and P. Liu, “Risk assessment of buffer ‘heartbleed’ over-read vulnerabilities (practical experience report),” 45th Annu. IEEE/IFIP …, 2015 [Online]. Available: https://s2.ist.psu.edu/paper/dsn2015-paper323-rev-final-Jun-W.pdf. [Accessed: 03-Apr-2016]

[7]      D. Yadron, “After Heartbleed bug, a race to plug Internet hole,” Wall Str. J, 2014 [Online]. Available: http://www.sonatype.com/system/resources/W1siZiIsIjIwMTQvMDUvMTkvMTcvMjcvMzgvNTQzL1dTSl9DbGlwXzRfOS5wZGYiXV0/WSJ_Clip 4-9.pdf. [Accessed: 03-Apr-2016]

[8]      G. Hill, “Evading Network Based Intrusion Detection Systems,” 2015 [Online]. Available: http://www.gregoryhill.co.uk/files/IDS Evasion.pdf. [Accessed: 03-Apr-2016]

[9]      D. Adrian and K. Bhargavan, “Imperfect forward secrecy: How Diffie-Hellman fails in practice,” Proc. …, 2015 [Online]. Available: http://dl.acm.org/citation.cfm?id=2813707. [Accessed: 03-Apr-2016]

[10]    B. Delamore and R. Ko, “A Global, Empirical Analysis of the Shellshock Vulnerability in Web Applications,” Trust. 2015 IEEE, 2015 [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7345401. [Accessed: 03-Apr-2016]

[11]    C. D’Orazio and K. Choo, “A generic process to identify vulnerabilities and design weaknesses in iOS healthcare apps,” Syst. Sci. (HICSS), 2015 48th …, 2015 [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7070435. [Accessed: 03-Apr-2016]

[12]    B. Fogel, “A Survey of Web Vulnerabilities,” 2015 [Online]. Available: https://etd.auburn.edu/handle/10415/4569. [Accessed: 03-Apr-2016]

[13]    J. Clark and P. van Oorschot, “SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements,” Secur. Priv. (SP), 2013 …, 2013 [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6547130. [Accessed: 03-Apr-2016]

[14]    F. Callegati, W. Cerroni, and M. Ramilli, “Man-in-the-Middle Attack to the HTTPS Protocol,” IEEE Secur. Priv., 2009 [Online]. Available: http://dl.acm.org/citation.cfm?id=1512329. [Accessed: 03-Apr-2016]

[15]    “Inside the NSA’s War on Internet Security – SPIEGEL ONLINE.” [Online]. Available: http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html. [Accessed: 03-Apr-2016]

 

[1] There are significant exceptions, but we are mainly interested in consumer requirements, rather than those of business, enterprise or even national security.

The Smartphone – A Nexus for Personal Privacy (#2)

Privacy & Smartphones #2

Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.   

-John Perry Barlow 

(cofounder, Electronic Freedom Foundation)


We could say that because the smartphone has become so central to our daily lives that it is also at the heart of personal privacy. And as even more compelling and pervasive services and tools are developed on smartphones and continue simplify and augment our daily lives so will more and more of our personal and private life become entangled with these devices.

It seems impossible to avoid this conclusion.

On the positive side the larger corporations appear to have realized that the majority of consumers do still value their privacy. Users are now offered tools and controls to manage and adjust their ‘privacy’ settings. These developments are driven partly by legislation, partly by an increasing user awareness of privacy, but also to a large degree by self-interest.

Large corporations are well aware of the value of keeping their customers ‘close’ and if customers want privacy and security then they will deliver on these promises.

Secure Channels …

The companies that do the best job on managing a user’s privacy will be the companies that ultimately are the most successful.

-Fred Wilson

(Venture Capitalist and Co-Founder of Union Square Ventures, July 2015)


The same corporatons have also begun to take point-to-point security seriously and many core services now offer two-factor authentication. Not surprisingly your smartphone is the second factor and a text message with a numeric code is the typical means to confirm your identity. And once logged onto their service all communication and data transfers are protected by state-of-art point-to-point encryption.

This approach has begun to lead to tensions between the larger tech corporations and government agencies. As I am writing, there is an ongoing legal battle between the US Dept of Justice and a certain corproation from Cupertino who refuses to assist in ‘cracking’ one of their devices. The CEO is taking this stand even though the device was used by a terrorist who caused the deaths of a significant number of US citizens. And quite a few other large tech corporations agree and have filed an amicus brief in support.

This is a scenario that would have been unthinkable a couple of decades ago; even 10 years ago it would have been unlikely that a corporation would stand up to such a government request and puts its customers and their rights before US national security. And even less likely that a cluster of equally large corporations would stand behind it.

To Protect your Privacy … ?

When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.

– David Brin

(Science Fiction Writer and Author of The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom? (1998) ISBN 0-7382-0144-8


But from a corporation’s perspective privacy is primarily a shield between their customers and other 3rd parties. They are happy to protect the curstomer’s privacy, but the philosophy is to shield it against incursion by other competitors. Often, in return for this security blanket you have to sign away certain rights and ownership of your valuable personal data.

Because what corporations really want is to learn about our habits and behaviours. By knowing more about us as individuals, by identifying our patterns of behaviour and consumption, by learning about our individual likes and dislikes they can build and offer even more compelling products and services.

It is the aggregate data of many, many users that reveals trends and patterns that can lead to new insights and confer subtle business advantage to those who curate your personal life.

Naturally it is all presented as a series of choices for us to make as individuals, but often the trade-off will be too good to refuse. The danger, over time, is a gradual but persistent erosion of personal privacy. But perhaps more importantly this trend is leading to a concentration of personal data with our smartphones as the nexus point.

And, I’ve made this point on many occasions in the past – the data from a single person isn’t very valuable on its own, but when this is repeated across hundreds of millions, even billions of users then it becomes a very attractive target.

Today the smartphone is the emerging battlefield for personal privacy. It is not the only front on which our privacy is challenged, but it is undoubtedly the most important one. And while today we see large corporations stand up against the government and insist on the integrity of their security protocols it is clear that things could change quicky driven through legislative changes, or indeed new disruptive technologies.

 

 

 

The Age of the Smartphone (#1)

Privacy & Smartphones #1

This is the first of a set of 3 short articles looking at the role of smartphones in personal privacy. These blogs are modified from my main editorial in the July 2016 issue IEEE Consumer Electronics Magazine.

As editor of the IEEE Consumer Electronics Magazine for the past 5 years I get to see and review quite a few topical and contemporary articles on various aspects of consumer electronic devices. In the last 2-3 years there is a growing stream of articles with a focus on the security of personal data and communications, and on more broadly scoped topics such as privacy, trust and variatious forms of ‘veillance’.

There is no doubt that we live in an age of persistent connectedness and are increasingly empowered as individuals to generate large volumes of digital data. This can range from simple text messages and e-mails, to photographs, videos clips and a broad range of metadata ranging from our location throughout the day to the web pages we browse, the online stores we visit, the travel arrangements we make, the financial transactions we initiate and the social networks we participate in.

Getting Intimate …

Increasingly our smartphone is the go-to portal for much of these activities. It has become our portal to the Internet and the hub of an increasingly connected digital lifestyle. And all the data passing through this portal has become the key to commercial success for many of today’s larger corporations. Handling and managing that data gives them direct and often near-exclusive access to you, the consumer.

It is an intimate one-on-one relationship that corporations have longed for but could not achieve in the past. Television was the first generation of electronic technology that allowed them to reach out to consumers. It was better than newspapers as the visual impact enabled a stronger level of intimacy, but still the relationship was with demographic groups rather than individuals.

Then the personal computer arrived, but it wasn’t possible to get a foothold on these devices which were too ‘serious’ for people to use for leisure activities. But the World-Wide-Web started to change all that, providing a more visual and interactive mechanism to link computer users to networked information and services. And as the Web evolved it became more visual and more interactive reaching the point were it has started to displace traditional TV.

Augmented Lifestyles …

Still, a computer is fixed to a desktop so you have to sit down and dedicate some time to spend with it. And typically it sits on a desk in a home office rather than in your living room. The real breakthrough could only start with the arrival of the smartphone.

Smartphones are used for a continuously expanding array of applications, from Internet browsing to e-mailing, to gaming, to banking, to shopping, and managing travel arrangements – airfares, car rental, etc.. In combination with new network services they are replacing traditional taxi services, short-let accommodation and even your local gym with more flexible and available ‘network sourced’ alternatives. And for many of us they have become the primary tool to record and document our personal lives in pictures and video – a connected gateway that you carry with you all day long. .

The ‘smarter’ and more capable these devices become, the more they infiltrate our daily activities and blend themselves into our personal lives.

The ability of a smart-phone to augment our daily lives has already effected substantial changes in social behavior and enhanced our lives in many ways. It enables us to make better use of slack-time during the daily commute or while waiting at the airport or for everyone to arrive and settle before a meeting. And it provides a portable gateway to growing range of networked services and technologies from shopping to making travel arrangmenets, to managing our growing collections of personal images & videos.

Very few of us could envisage a life without our phone, yet these devices are still less than a decade old!

Like it or not we have entered the age of the smartphone.