Cell phone security lite

  1. Your Cell Phone is Covered in Spiders
     An overview of the cell phone security landscape
     Cooper Quintin
     @cooperq
     cooper@radicaldesigns.org
  2. We are becoming increasingly dependent on mobile devices
     ● We are storing more and more data on them
     ● Pictures
     ● Videos
     ● Contacts
     ● Email
     ● Social Graphs
     ● Location History
     ● Etc.
  3. ● As the amount of data increases
     ● The complexity increases
     ● The desirability increases
     ● The number of vulnerabilities increases
  4. And there are a lot of vulnerabilities!
  5. Things to Keep in Mind
     If an attacker gains physical access, the phone can and will be completely compromised.
     Also, you should assume that your phone will be compromised at some point.
     Generally, you will be safest if you just take the attitude that YOU SHOULD NOT TRUST YOUR PHONE
  6. Security is a Journey Not a Destination
     The more hurdles that you put up, the harder you make it for an attacker.
     Time to compromise > Determination of attacker
     Don't get demoralized! There are many things you can do to improve your security.
  7. Threat Model
     ● Random attacks
     ● Malicious apps
     ● Stolen / Lost phone
     ● Targeted attacker
     ● Law Enforcement
     ● Corporate Espionage
     ● Personal Enemies
     ● Signal Interception
     ● Your Phone Company
  8. Burner Phones
     ● No encryption
     ● Trivial for Forensic Investigators
     ● Closed Source
     ● Usually no Screen Lock
  9. iPhone
     The Bad
     ● Closed source
     ● Very little in the way of security apps
     ● Default screen lock is a four digit number
     ● Privacy tools that aren't free or open source
     The Good
     ● There is a stronger screen lock that can be enabled
     ● A couple of decent privacy apps
     ● Less Malware
  10. BlackBerry
     ● BEST USED IN COMBINATION WITH BES
     ● Otherwise about as good as any other smartphone
     ● BBM and Pin to Pin messaging NOT SECURE
       – Not encrypted, just scrambled
       – RIM can read all of your messages if a govt. demands
     ● Your data is only as secure as the company is trustworthy
     ● RIM admitted to providing backdoors to govt. in India and has helped UK and Middle East govts.
     ● Less Malware
     ● Without BES, security on BlackBerry is not so good.
  11. Android
     ● IMO the best phone for security
     ● Open source
     ● Lots of security tools
     ● Lots of encryption tools
     ● Full Disk Encryption
     ● Good security options
     ● Guardian Project
     ● Your data is in the hands of Google
     ● How much do you trust Google?
  12. Let's Talk About Threat Models Again
  13. Law Enforcement Investigators are Looking for:
     ● Subscriber & Equipment Identifiers
     ● Contacts
     ● Appointment Calendar
     ● SMS, Text Messages, Instant Messages, Email
     ● Call Logs
     ● Photos, Audio and Video
     ● Documents
     ● Location Data
  14. Forensic Methods
     ● Recovering screen lock
     ● Recovery Mode
     ● Cellebrite and UFED
     ● JTAG
  15. Solutions
     ● Have a strong screen lock and a short timeout
     ● Don't tell them your password
     ● Encryption (TextSecure, LUKS, Device encryption)
  16. Signal Interception
     Threats
     ● Fake Cellular Towers / Drones
     ● USRP/GNU Radio
     ● Snooping as a Service
     ● Cellular companies will provide wiretaps without even a warrant
     ● Insecure apps like BBM and WhatsApp
     Solutions
     ● Encrypted Calls (PrivateGSM, RedPhone, SilentCircle)
     ● Encrypted Text on Android (TextSecure)
     ● Talk in Person (This is the Most Secure)
  17. Lost and Stolen Phones
     ● Phone Finding and Remote Wipe
     ● Android: Lookout, Prey
     ● BlackBerry Protect
     ● Find My iPhone
     ● Strong Screen lock
     ● Will not stop a sophisticated attacker
     ● Report to The Provider?
     ● They probably don't give a damn.
  18. Malware
     Vendor and Espionage malware
     ● This stuff is extremely sophisticated
     ● FinFisher
     ● CarrierIQ
     ● Voodoo CarrierIQ
     Standard, untargeted malware
     ● Personal Data Theft
     ● Premium SMS
     ● The usual suspects (spyware, trojans, phishing)
     ● Facebook, Angry Birds?
  19. Malware Solutions
     ● Be careful what you install!
     ● Don't install apps from untrusted sources
     ● Don't run updates when on insecure networks
     ● Anti Virus won't save you!
     ● Don't assume that because you have an iPhone or BlackBerry that you are immune to malware
     ● Use the same precautions as you would on any computer.
  20. Other Attacks
     ● NFC
     ● QR Phishing
     ● Baseband Attacks
  21. Disk Encryption
     ● Exists on Android
     ● Exists on BlackBerry if you have BES
     ● Does not exist on iPhone
     ● Vulnerable to many different attacks
     ● You should NOT rely solely on disk encryption.
  22. Call Encryption
     ● SecureGSM
     ● Android: RedPhone, OSTN
  23. To Root or Not to Root (AKA Jailbreaking)
     Rooting your phone is the process of gaining super administrator control over your phone.
     This means you can do ANYTHING YOU WANT to your phone.
     Including mess it up in fantastic ways!
  24. To Root or Not to Root
     The Good
     ● Custom Firmware
     ● Better Security Tools
     ● Remove Spyware
     ● More Cool Apps
     ● Performance Improvements
     ● Tinkering is Fun!
     The Bad
     ● Can significantly decrease security
     ● You can permanently break your phone
     ● Will Void Your Warranty
  25. In Conclusion...
     ● It's healthy to be paranoid about your phone
     ● Don't lose your phone!
     ● Trust what you install (Open Source)
     ● Root and install custom firmware
     ● Use a stronger screen lock
     ● Audit your phone
     ● Encrypt Everything!
  26. Thank You!
     Cooper Quintin
     cooper@radicaldesigns.org
     Twitter: @cooperq
     Jabber: cooperq@jabber.ccc.de
     OTR: 9B3470B9 B1F10651 B5840FEB 026D6CF7 2D949F6F
     PGP: 75FB9347 FA4B22A0 5068080B D0EA7B6F F0AFE2CA
