The only secure mobile is one that is switched off with battery removed - Charles Brookson, GSMA/ETSI at #NetworkSecurity
Interesting comments, questions, etc. - #1
• Professor Ed Candy, Technology Strategist, 3 Group: Diversity in devices is great. It allows no collective threats to be posed, due to the diversity of makes, models, OSs, apps, etc. Firewalls in the networks are good too, but too many of them can slow the network down. In the beginning, when '3' UK rolled out 3G, 14 seconds were being lost due to them.
• Charles Brookson mentioned that he turns off 3G and uses GSM/GPRS to save battery life.
• Apps should store data on the cloud and not on the device, so if the device is lost or compromised the user data is not lost to third parties.
• Users should be made aware of the background functions and services on the device, and also of the threat/safety level of these.
Interesting comments, questions, etc. - #2
• The operators can provide more security, but it costs them to do this. They have to work out a way to pass this on to the users.
• Very little malware on Google Play. Risk is very low. Android malware hits countries where 3rd party app stores are the norm.
• Consumer education is key. Good not to be complacent about malware, but it is generally unnecessary to have mobile antivirus.
• The mobile network should not be the only technology for critical access. There should be other means as well.
• A5/3 (security algorithm for GSM/GPRS) was standardised in 2001 and is more secure than the previous algorithms, but was not widely available till quite late because it was not IOT (inter-operability) tested and mandated by operators.
Day 1 began with a Panel Discussion moderated by Charles Brookson from GSMA, with some of the points I have already mentioned earlier.
David Rogers from Copper Horse spoke on Incident Management for Mobile Malware and on Responsible Disclosure. He also distributed a leaflet prepared for the UK police regarding phone security. More details on that here.
Eric Gauthier, Head of Technical Fraud and Revenue Assurance, Orange gave an Introduction on LTE and how Security was handled all the way from 0G (pre-cellular) to 4G/LTE.
Talal Faroug, Quality Assurance Manager, MTN, SUDAN gave a talk on Understanding the Business Case for Network Security. His main focus was on SIM Box Fraud.
Telecom Concepts Blog has a nice write-up on this topic here - http://telecomconcepts.wordpress.com/2010/02/01/simbox-fraud-detection-and-billing/
Another useful write-up on this topic here.
See also GSMA press release: Raids on SIM box/GSM gateway fraudsters save mobile operators millions
Feride Cetin, Group Strategy & Innovation Security & Intelligence, Swisscom focussed her presentation on some of the initiatives taken by Swisscom on Apps Security and Rating.
There were some good examples of how developers manage to ignore basic security guidelines while making excellent apps. The result is that they have to go back and fix the issues at a much later stage, and at the same time get a lot of negative publicity that can sometimes be harmful for the business.
5 Rating Criteria to understand how apps behave: Permission, Privacy, Data Traffic, Data Storage and Man in the Middle
David Rogers from Copper Horse Solutions Limited chaired the second day proceedings. I think his main message is as shown in the slide above and is self-explanatory.
PS: In case you are not from the UK, the above picture refers to the beef (horsemeat) scandal.
Dr. Christoph Peylo, VP Deutsche Telekom Innovation Laboratories started the day with an interesting presentation on "Remote Control and Device Security: How Cyber-Attacks Can Impact M2M".
The talk was so interesting that I should put up the slides or a more detailed presentation on this topic sometime later.
Christoph showing http://www.sicherheitstacho.eu - Real time cyber-attacks.
Gert Pauwels, M2M Marketing Director, Mobistar spoke on the operator Orange's position on M2M. The key takeaway was the GMA Certification Program as shown in the slide above.
Carlos Olea, Network Security Manager, Telefonica International focussed on DDoS (distributed denial-of-service), how Telefonica handled the Spamhaus and other DDoS attacks, and what they have learnt from this.
Adrian Drury, Lead analyst, Ovum spoke about RTB. I don't remember him mentioning what RTB is, but my understanding is that it stands for Real Time Bidding - http://en.wikipedia.org/wiki/Real-time_bidding
Raj Samani, Vice President, EMEA CTO, McAfee spoke about how connected devices have changed our lifestyle and the security issues that we are facing in this connected world.
Raj had some very interesting bits that he mentioned, but the slides let him down a bit. Here are some that were mentioned on Twitter during the event:
• In Germany, the smart meters' polling interval was reduced to 2 sec and it can tell the name of the movie being watched. This is because each movie has its own unique energy consumption pattern.
• Privacy is a big issue for smart meters. Easy to analyse usage; what is being used and when.
• In the USA, in some new buildings, connected devices are even being put in the bricks to track humidity, etc.
• Everyone has a price when it comes to giving up private data.
• A power grid in the US said that they face 10K cyber attacks per month, as per @Raj_Samani.
Jon Howes, Technology Director, Beecham Research spoke on "M2M Solution Security". A whitepaper on this topic is also available on their website here.
Reinder Wolthuis, Project Manager Information Security, TNO spoke on "M2M Security" and gave us the results of the ETIS M2M security survey.
Personally I am a bit surprised that M2M devices would move to UMTS. The biggest issue for M2M devices using UMTS is the battery power consumption. It's better to stay on GSM/GPRS if the amount of data transfer is low, or move to LTE if the amount of data transfer required is high.
"Dutch research found that network operators worry about physical tampering but don't do anything about it"
The final talk of the day was by Ravishankar Borgaonkar, Researcher, Deutsche Telekom on the topic of "Small Cells in Hostile Environment". I have covered earlier presentations by Ravi on the blog here and here. One of the issues highlighted above, and by others as well, is that a security feature may be asked for by the operator but may not be supplied by the vendor.
Additional Reading
• Small Cells and the City - My presentation from Small Cells Global Congress 2012
• Rel-11/12 3GPP Security Update - 3GPP
• Present and future Standards for mobile internet and smart phone information security - ETSI
• Evolution of 3GPP Security
• Femto Hacking in UMTS and LTE