The Smartphone – Security, or Vulnerability? (#3)

Privacy & Smartphones #3

It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public. 

-Clay Shirky, (Internet scholar and professor at N.Y.U) 


Most of us communicate on a daily basis using e-mail. Ironically e-mail represents an unsecured mode of communications that can be easily intercepted and/or spoofed but very few of us worry about this. And it does not happen very often. Did you ever wonder why not?

Well the economic value of the vast majority of e-mails to a 3rd party is negligible. More importantly the nature of the social and business activities that are mainly conducted over e-mail do not make it worthwhile to try and eavesdrop and analyze the vast volumes of ‘noise’ that we send to each other[1]. And the complexity of such interaction make it resource intensive to build convincing models that can understand evolving sequences of messages and could generate ‘fake messages’ of economic value to be generated.

However when data is agglomerated in a single location it becomes more attractive to professional cyber-criminals. There are regular news stories in the last few years of major data breaches on centralized facilities. These occur because there is a sufficient concentration of data to have significant value. In turn this attracts the attention of professional groups who bring sufficient resources to bear on the problem of compromising the data facility.

Eggs in a Basket … ?

The user’s going to pick dancing pigs over security every time.

-Bruce Schneier

http://www.cnet.com/news/q-a-schneier-warns-of-marketers-and-dancing-pigs/


Now consider your smartphone. It isn’t a centralized facility, but each phone has very powerful capabilities for collection of personal data of many different kinds. On its own, representing a single consumer, it isn’t particularly valuable – unless you have a specific interest in a particular individual. But suppose you can crack one model of phone [1]–[4] – well a scaling of resources would enable you to crack, in theory, all similar models.

And much of today’s secure encryption protocols are based on relatively old cryptographic techniques.

This was brought home a couple of years ago by the heart-bleed bug [5] which exposed vulnerabilities in the SSH algorithms (https://en.wikipedia.org/wiki/Secure_Shell) which underlie secure networking protocols such as HTTPS (https://en.wikipedia.org/wiki/HTTPS ) and TLS (https://en.wikipedia.org/wiki/Transport_Layer_Security). There has been much subsequent research into related risks and vulnerabilities in industry-standard encryption techniques for secure network channels [6]–[12].

Concluding Thoughts …

We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times; where there are no secrets from government.

-William Orville Douglas 

Osborn v. United States, 385 U.S. 341 (1966)


So what can we conclude from these discussions?

That Battle in your Pocket

Well the battle for digital privacy is ongoing and is being largely waged on the smartphone in your pocket. Yes, some of that battle also extends onto the cloud, but the phone is the nexus and the key focal point both for augmentation of your daily lifestyle and for corporations to trade off services in return for greater levels of insight into you and access to your personal data and metadata.

Corporations understand the value of you and your data and have also understood that people want to have greater control over the privacy and access to this data. Accordingly we have seen a wave of new management tools to improve transparency – while some of this was originally driven by legislation and regulations it does now seem that industry has understood that consumers have become increasingly educated on their rights. And thus it has become correspondingly important for industry to be seen to be operating in a transparent and pro-consumer manner when handling our personal data and related privacy issues.

After all it is access to, and analysis of that data is what will separate winners from losers in the online economy. This is why you have recently seen most of the major technology corporations facing up to the US Department of Justice on the side of the consumer’s right to privacy!


Whether it’s Facebook or Google or the other companies, that basic principle that users should be able to see and control information about them that they themselves have revealed to the companies is not baked into how the companies work. But it’s bigger than privacy. Privacy is about what you’re willing to reveal about yourself.

– Eli Pariser 

(Interview with Time Magazine May 16, 2011)


Smartphone as a Target

The key problem here is that as the value of the data that is generated by your phone continues to increase it starts to become an attractive target for cybercriminals. Not just your individual phone, naturally, but the sum of data drawn from very large groups of identical devices provides an extremely tempting target. And these devices are vulnerable!

The reality is that the point-to-point security that secures your phone, your personal data and protects your privacy is based on HTTPS and SSH technologies that date from the 1994-95 period [13], [14]. In fact is it known that the US National Security Agency already has capabilities to break live SSH channels and access the encrypted data [15]. How far behind are the larger cyber-crime consortia?

Yes, the veneer of security protecting your data, your communications, your profile, metadata and presence on social networks is based on encryption technologies that are several decades old. If new, disruptive technologies arrive offering the capability to break these older schemes in real-time, where then is your shield of privacy?

 

Bibliography

[1]      N. Dhanjani, “New Age Application Attacks Against Apple’s iOS (and Countermeasures),” Black Hat Eur., 2011 [Online]. Available: http://media.blackhat.com/bh-eu-11/Nitesh_Dhanjani/BlackHat_EU_2011_Dhanjani_Attacks_Against_Apples_iOS-WP.pdf. [Accessed: 03-Apr-2016]

[2]      T. Wang, K. Lu, L. Lu, S. Chung, and W. Lee, “Jekyll on iOS: When Benign Apps Become Evil.,” Usenix Secur., 2013 [Online]. Available: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang-updated-8-23-13.pdf. [Accessed: 03-Apr-2016]

[3]      I. Mohamed and D. Patel, “Android vs iOS Security: A Comparative Study,” Inf. Technol. …, 2015 [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7113562. [Accessed: 03-Apr-2016]

[4]      O. Adebayo and N. Aziz, “The Trend of Mobile Malwares and Effective Detection Techniques,” Crit. Socio-Technical Issues …, 2015 [Online]. Available: https://books.google.com/books?hl=en&lr=&id=zNnHCgAAQBAJ&oi=fnd&pg=PA219&dq=iphone+private+key+vulnerability&ots=OlQUV8okTm&sig=dbg47fz2KchG1ruyI0mwmolC0xw. [Accessed: 03-Apr-2016]

[5]      Z. Durumeric and J. Kasten, “The matter of heartbleed,” Proc. …, 2014 [Online]. Available: http://dl.acm.org/citation.cfm?id=2663755. [Accessed: 03-Apr-2016]

[6]      J. Wang, M. Zhao, Z. Qiang, D. Wu, and P. Liu, “Risk assessment of buffer ‘heartbleed’ over-read vulnerabilities (practical experience report),” 45th Annu. IEEE/IFIP …, 2015 [Online]. Available: https://s2.ist.psu.edu/paper/dsn2015-paper323-rev-final-Jun-W.pdf. [Accessed: 03-Apr-2016]

[7]      D. Yadron, “After Heartbleed bug, a race to plug Internet hole,” Wall Str. J, 2014 [Online]. Available: http://www.sonatype.com/system/resources/W1siZiIsIjIwMTQvMDUvMTkvMTcvMjcvMzgvNTQzL1dTSl9DbGlwXzRfOS5wZGYiXV0/WSJ_Clip 4-9.pdf. [Accessed: 03-Apr-2016]

[8]      G. Hill, “Evading Network Based Intrusion Detection Systems,” 2015 [Online]. Available: http://www.gregoryhill.co.uk/files/IDS Evasion.pdf. [Accessed: 03-Apr-2016]

[9]      D. Adrian and K. Bhargavan, “Imperfect forward secrecy: How Diffie-Hellman fails in practice,” Proc. …, 2015 [Online]. Available: http://dl.acm.org/citation.cfm?id=2813707. [Accessed: 03-Apr-2016]

[10]    B. Delamore and R. Ko, “A Global, Empirical Analysis of the Shellshock Vulnerability in Web Applications,” Trust. 2015 IEEE, 2015 [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7345401. [Accessed: 03-Apr-2016]

[11]    C. D’Orazio and K. Choo, “A generic process to identify vulnerabilities and design weaknesses in iOS healthcare apps,” Syst. Sci. (HICSS), 2015 48th …, 2015 [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7070435. [Accessed: 03-Apr-2016]

[12]    B. Fogel, “A Survey of Web Vulnerabilities,” 2015 [Online]. Available: https://etd.auburn.edu/handle/10415/4569. [Accessed: 03-Apr-2016]

[13]    J. Clark and P. van Oorschot, “SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements,” Secur. Priv. (SP), 2013 …, 2013 [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6547130. [Accessed: 03-Apr-2016]

[14]    F. Callegati, W. Cerroni, and M. Ramilli, “Man-in-the-Middle Attack to the HTTPS Protocol,” IEEE Secur. Priv., 2009 [Online]. Available: http://dl.acm.org/citation.cfm?id=1512329. [Accessed: 03-Apr-2016]

[15]    “Inside the NSA’s War on Internet Security – SPIEGEL ONLINE.” [Online]. Available: http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html. [Accessed: 03-Apr-2016]

 

[1] There are significant exceptions, but we are mainly interested in consumer requirements, rather than those of business, enterprise or even national security.

Leave a Reply