The document discusses security issues related to cell phones and provides recommendations. As people store more personal data on cell phones, the number of vulnerabilities increases. An attacker who gains physical access can completely compromise a phone. The document advises treating your phone as untrustworthy and outlines threats such as law enforcement, signal interception, lost/stolen phones, and malware. It recommends using encryption, a strong screen lock, and open source security tools to improve phone security. Rooting your phone can help security but may also decrease it. The overall message is to be paranoid about phone security.

1. Your Cell Phone is
Covered in Spiders
An overview of the cell phone
security landscape
Cooper Quintin
@cooperq
cooper@radicaldesigns.org

2. We are becoming increasingly dependent
on mobile devices
●
We are storing more and more data on them
●
Pictures
●
Videos
●
Contacts
●
Email
●
Social Graphs
●
Location History
●
Etc

3. ●
As the amount of data increases
●
The complexity increases
●
The desirability increases
●
The number of vulnerabilities increases

4. And there are a lot of
vulnerabilities!

5. Things to Keep in Mind
If an attacker gains physical access phone can
and will be completely compromised.
Also, you should assume that your phone will
be compromised at some point.
Generally, you will be safest if you just take the
attitude that YOU SHOULD NOT TRUST YOUR
PHONE

6. Security is a Journey Not a Destination
The more hurdles that you put up, the harder you
make it for an attacker.
Time to compromise > Determination of attacker
Don't get demoralized! There are many things you
can do to improve your security.

7. Threat Model
●Random attacks
●
Malicious apps
●
Stolen / Lost phone
●Targeted attacker
●
Law Enforcement
●
Corporate Espionage
●
Personal Enemies
●Signal Interception
●Your Phone Company

8. Burner Phones
●
No encryption
●
Trivial for Forensic Investigators
●
Closed Source
●
Usually no Screen Lock

9. iPhone
The Bad
●
Closed source
●
Very little in the way of security apps
●
Default screen lock is a four digit number
●
Privacy tools that aren't free or open source
The Good
●
There is a stronger screen lock that can be enabled
●
A couple of decent privacy apps
●
Less Malware

10. BlackBerry
● BEST USED IN COMBINATION WITH BES
● Otherwise about as good as any other smartphone
● BBM and Pin to Pin messaging NOT SECURE
– Not encrypted, just 'scrambled'
– RIM can read all of your messages if a govt demands
● Your data is only as secure as the company is trustworthy
● RIM admitted to providing backdoors to govt. in India and
has helped UK and middle east govts.
● Less Malware
● Without BES, Security on Blackberry is not so good.

11. Android
●
IMO The best phone for security
●
Open source
●
Lots of security tools
●
Lots of encryption tools
●
Full Disk Encryption
●
Good security options
●
Guardian Project
●
Your data is in the hands of google
●
How much do you trust google?

12. Lets Talk About Threat Models
Again

13. Law Enforcement Investigators are Looking
for:
●
Subscriber & Equipment Identifiers
●
Contacts
●
Appointment Calendar
●
SMS, Text Messages, Instant Messages, Email
●
Call Logs
●
Photos, Audio and Video
●
Documents
●
Location Data

14. Forensic Methods
● Recovering screen lock
● Recovery Mode
● Cellbrite and UFED
● JTAG

15. Solutions
●
Have a strong screen lock and a short timeout
●
Don't tell them your password
●
Encryption (Text Secure, LUKS, Device encryption)

16. Signal Interception
Threats
●
Fake Cellular Towers / Drones
●
USRP/GNU Radio
●
Snooping as a Service
●
Cellular companies will provide wiretaps without even
a warrant
●
Insecure apps like BBM and whatsapp
Solutions
●
Encrypted Calls (PrivateGSM, Redphone,
SilentCircle )
●
Encrypted Text on Android (Textsecure)
●
Talk in Person (This is the Most Secure)

17. Lost and Stolen Phones
●
Phone Finding and Remote Wipe
●
Android: Lookout, Prey
●
BlackBerry Protect
●
Find My Iphone
●
Strong Screen lock
●
Will not stop a sophisticated attacker
●
Report to The Provider?
●
They probably don't give a damn.

18. Malware
Vendor and Espionage malware
●
This stuff is extremely sophisticated
●
FinFisher
●
CarrierIQ
●
Voodo carrierIQ
Standard, untargeted malware
●
Personal Data Theft
●
Premium SMS
●
The usual suspects (spyware, trojans, phishing)
●
Facebook, Angry Birds?

19. Malware Solutions
● Be careful what you install!
● Don't install apps from untrusted sources
● Don't run updates when on insecure networks
● Anti Virus won't save you!
● Don't assume that because you have an iPhone or
Blackberry that you are immune to malware
● Use the same precautions as you would on any
computer.

20. Other Attacks
● NFC
● QR Phishing
● Baseband Attacks

21. Disk Encryption
●
Exists on Android
●
Exists on Blackberry if you have BES
●
Does not exist on iPhone
●
Vulnerable to many different attacks
●
You should NOT rely solely on disk encryption.

22. Call Encryption
● SecureGSM
● Android: Redphone, OSTN

23. To Root or Not to Root
(AKA Jailbreaking)
Rooting your phone is the process of gaining super
administrator control over your phone.
This means you can do
ANYTHING YOU WANT
To your phone.
Including mess it up in fantastic ways!

24. To Root or Not to Root
The Good
● Custom Firmware
● Better Security Tools
● Remove Spyware
● More Cool Apps
● Performance
Improvements
● Tinkering is Fun!
The Bad
● Can significantly
decrease security
● You can permanently
break your phone
● Will Void Your
Warranty

25. In Conclusion...
●
It's healthy to be paranoid about your phone
●
Don't loose your phone!
●
Trust what you install (Open Source)
●
Root and install custom firmware
●
Use a stronger screen lock
●
Audit your phone
●
Encrypt Everything!

26. Thank You!
Cooper Quintin
cooper@radicaldesigns.org
Twitter: @cooperq
Jabber: cooperq@jabber.ccc.de
OTR: 9B3470B9 B1F10651 B5840FEB 026D6CF7 2D949F6F
PGP: 75FB9347 FA4B22A0 5068080B D0EA7B6F F0AFE2CA