Dr. Hamilton Turner of Silent Circle discusses real-world case studies of mobile security compromises and the current ecosystem of 2/3/4G mobile security with a focus on LTE. Silent Circle is a secure mobility provider of the world-class Silent Phone product. Dr. Turner holds a degree in mobile privacy and security and has 10 years of experience building and securing mobile devices as CTO of multiple companies.
Bringing Government and Enterprise Security Controls to the Android Endpoint – Hamilton Turner
Why are endpoint security controls on Android devices so lacking when compared to their laptop counterparts? What are the technical challenges to securing Android, and what should you be aware of before signing onto an MDM platform claiming to add security to your business devices?
Symantec Mobile Security Whitepaper June 2011 – Symantec
Symantec Corp. announced the publication of "A Window Into Mobile Device Security: Examining the security approaches employed in Apple’s iOS and Google’s Android." This whitepaper conducts an in-depth, technical evaluation of the two predominant mobile platforms, Apple’s iOS and Google’s Android, in an effort to help corporations understand the security risks of deploying these devices in the enterprise.
C0c0n 2011 mobile security presentation v1.2 – Santosh Satam
Mobile phone security has been a hot topic for debate in recent times. The top mobile manufacturers seem to claim that their mobiles and applications are secure, but recent news on mobile hacking and malware suggests otherwise.
One of the key challenges in mobile security is the diverse platforms and multitude of operating systems (both open and proprietary) in the market. This makes it almost impossible to devise a generic catch-all strategy for mobile application security. Every platform, whether iOS, Android, BlackBerry, Windows Mobile or Symbian, is unique and requires specialized treatment.
In this talk, we will demystify mobile and related application security. We will understand the architectures of various mobile operating systems and the native security support provided by the manufacturers and operating system vendors. Then we will look at how hackers have come up with different techniques and tools to break mobile security, and what mobile companies are doing to mitigate these attacks.
Finally, we will look at secure practices for mobile deployment in the enterprise using policy files and other technology solutions. We will also outline best practices for business users and road warriors on how to ensure your company data is protected while still enjoying the flexibility provided by mobile phones.
Mobile Security for Smartphones and Tablets – Vince Verbeke
Are security concerns for mobile devices, like smartphones and tablets, real? Or, are claims of exponential growth in malware simply FUD? We will explore the major mobile operating systems and security concerns with each. This session will provide tips that can be shared to help your users protect their personal info and data when viewed from a mobile device. Information on mobile security programs will be shared, as well, including a look at whether free or commercial offerings provide better protection.
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence – NowSecure
How do you balance UX and security for mobile banking apps? Check out the slides originally presented on May 2 sharing FFIEC guidance and a study of vulnerabilities in 30 mobile banking apps (15 iOS and 15 Android) from 15 financial institutions.
The amount of data collected by mobile devices and apps is shocking, and vulnerable mobile apps expose that data to compromise. In our static and dynamic analysis of hundreds of thousands of mobile apps, we found that 25 percent of them harbor at least one high-risk vulnerability such as collecting/transmitting location data, credentials, and more in cleartext. Mobile data may only be as secure as the weakest app on someone’s device. Mobile app developers need to protect the users of their apps by building high quality, secure apps. This presentation covers the most common mobile app vulnerabilities (including a real-world demonstration), how to identify those vulnerabilities, and what to do to remediate them.
Slides from NowSecure Senior Solutions Engineer Jon Porter's talk at the OWASP Denver Chapter's July 2017 meeting.
Intense overview of most mobile security related issues
From Clust Education talk on Security Summit in Milan (Italy):
https://www.securitysummit.it/eventi/view/82
Mobile Security: The 5 Questions Modern Organizations Are Asking – Lookout
The modern organization has recognized the need to embrace mobile devices in the workplace, but this increase in mobile devices brings important security implications.
2012 State of Mobile Survey Global Key Findings – Symantec
Symantec’s 2012 State of Mobility Survey revealed a global tipping point in mobility adoption. The survey highlighted an uptake in mobile applications across organizations, with 71 percent of enterprises at least discussing deploying custom mobile applications and one-third currently implementing or having already implemented custom mobile applications.
This presentation covers the challenges and potential risks each device connected to a corporate network creates. It provides some of the recommended security approaches an organisation should comply with and the processes they should follow.
Vetting Mobile Apps for Corporate Use: Security Essentials – NowSecure
What does a sensible approach to approving and denying Android and iOS apps for use by staff look like? It starts with accurate, up-to-date security assessment data. NowSecure VP of Customer Success and Services Katie Strzempka covers how to take a data-driven approach to evaluating mobile apps for use at your organization.
Security Updates Matter: Exploitation for Beginners – EnergySec
Abstract: This is a presentation explaining the purposes behind why security updates should be installed on systems and why it matters to protect the bulk electric system. Many people don’t understand the full purpose of installing security updates and this presentation walks through the reasons at a very high level so that everyone can understand.
Tips and Tricks for Building Secure Mobile Apps – TechWell
Mobile application development is now a mission-critical component of IT organizations and a big part of the software industry’s landscape. Due to the security threats associated with mobile devices, it is critical we build our apps—from the ground up—to be secure and trustworthy. However, many application developers and testers do not understand how to build and test secure mobile applications. Jeffery Payne discusses the risks associated with mobile platforms/applications and describes proven practices for ensuring the safety of your mobile applications. Jeffery delves into the unique nuances of mobile platforms and how these differences impact the security approach when you are developing and testing mobile applications. Topics include session management, data encryption, securing legacy code, and platform security models. Learn what to watch out for when you start developing your next mobile app and take away tips and tricks for effectively securing and testing existing apps.
IoT Security. The impact of the Internet of Things is everywhere, from your bedroom to the office. Everyone should be aware of IoT security in order to use it without hassle or security risk.
Why should you take an IoT security training course?
Learn about the risks of unsecured enterprise and home IoT devices connecting to the Internet and being able to share the information they generate.
IoT security training covers these topics:
Device and platform vulnerabilities,
Authentication and authorization,
Web interface and software,
Transport encryption,
Management issues,
Privacy and security enhancements and other IoT issues
IoT and security risks:
The most serious IoT security risks involve software. Software attacks can exploit entire systems, steal information, alter data, deny service and compromise or damage devices.
Phishing is one example; attackers also use malware, such as viruses, worms and Trojans, to damage or delete data, steal information, monitor users and disrupt key system functions.
Learn about:
IoT Principles
Principles of IoT Security
IoT Attack Areas
IoT Vulnerabilities
IoT Firmware Analysis
IoT Software Weaknesses
IoT Security Verification, Validation
Assessing IoT devices attack surfaces
Evaluation of IoT device firmware analysis, attack surface, vulnerabilities and exploiting the vulnerabilities
Visit tonex.com for IoT security training course and workshop details.
https://www.tonex.com/training-courses/iot-security-training-iot-security-awareness/
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ... – Cellebrite
Attorneys are often shocked at how much deeply probative evidence, both live and deleted, can be data mined from today’s smart phones and tablets. With the surging adoption of mobile apps for communications, commerce, navigation, and other capabilities, new issues with data security and privacy are developing. This session will explore new evidence modalities, relevance, admissibility, and topical issues with mobile apps that impact investigations and litigation.
In a world ever more connected to the internet, security should be paramount. However, to keep pace with new trends and technologies, companies and individuals overlook the importance of security and the risks this poses.
In this presentation we discuss the Internet of Things (IoT) and the concept of Bring Your Own Device (BYOD), and the security challenges and risks they can pose to companies, systems, and ultimately to the mainframe.
Trends in Mobile Device Data and Artifacts – Cellebrite
Data and artifacts from mobile devices reside in so many places that no single approach can yield everything. This session will review some of the latest observations on where artifacts and critical pieces of data can reside on the device, as well as the available tools and methodologies to extract and decode them.
Research presentation for IoT/M2M security
- Paper: Distributed Capability-based Access Control for the Internet of Things
- Security solution in open source IoT platform (OM2M, AllJoyn)
HIPAA, Privacy, Security, and Good Business – Stephen Cobb
HIPAA's implications for privacy and security practices in American businesses, addressed in March of 2001 at the Employers' Summit on Health Care, by Stephen Cobb, CISSP. Uploaded in 2014 for the historical record.
IoT Security Imperative: Stop your Fridge from Sending you Spam – Amit Rohatgi
We've all heard the continuing news about, or been victims of, hacked passwords, data breaches, identity theft and lost privacy, because of our heavy reliance on Internet connectivity. Our digital world necessitates ever-improving security. But now we're on the cusp of a major revolution where our appliances, cars, clothes and the very fabric of our lives (no pun intended) are also connected. Software and silicon designers must take active design measures to protect user data. In this talk, Amit Rohatgi, president of the prpl Foundation, will outline the market and technical challenges as well as the essential measures in the design phase for securing our ever-more-connected digital world. He will also discuss why open source is appropriately suited for addressing these challenges and how the prpl Foundation is tackling this from the ground up.
Security Fundamentals for IoT Devices: Creating the Internet of Secure Things – Design World
In this webinar we will discuss the state of security for IoT devices, the threats that exist for IoT devices and the challenges of building secure IoT devices. We will also discuss the technologies available to ensure your IoT device is secure.
Security Requirements in IoT Architecture – Vrince Vimal
Security Requirements in IoT Architecture - Security in Enabling Technologies - Security Concerns in IoT Applications. Security Architecture in the Internet of Things - Security Requirements in IoT - Insufficient Authentication/Authorization - Insecure Access Control - Threats to Access Control, Privacy, and Availability - Attacks Specific to IoT. Vulnerabilities – Secrecy and Secret-Key Capacity - Authentication/Authorization for Smart Devices - Transport Encryption
Presentation by Larry Clinton, President of the Internet Security Alliance (ISA) to the 66th Annual Fowler Seminar on Oct 12 2012 titled Evolution of the Cyber Threat - A Unified Systems Approach.
Intense and wide workshop on major voice encryption technologies for private, business, military, public safety and internet.
Strong review of wiretapping technical and political context.
IT Security and Wire Fraud Awareness Slide Deck – Don Gulling
A presentation on IT security, wire fraud and trends in information technology. The information is focused on making the audience aware of the new threats, how to protect against them, and what measures you can take to keep your critical information secure.
How to Secure Your iOS Device and Keep Client Data Safe – Rocket Matter, LLC
There’s a lot more to mobile security than enabling the password on your iPhone or iPad.
Unfortunately, very few small law firms have the proper measures in place to protect their confidential client data. If needed, could you convince a Board of Ethics that you had done your due diligence to protect your client’s data?
Strong iOS security starts with becoming familiar with the most common threats to compromising firm data on your iPhone or iPad. While many assume they are not at risk since they are not a ‘big’ law firm, the opposite is true.
Can You Steal From Me Now? Mobile and BYOD Security Risks – Michael Davis
Presentation I gave at BriForum 2012 where I discuss Mobile Security Risks, BYOD and mobile privacy issues. Lastly, I wrap up with a discussion of Document Rights Management and mobile.
The Mobile Security Risks as adapted and updated from the Veracode Top 10 Mobile Security issues (With permission from Chris Wysopal)
The New Frontiers in Information Security – Vineet Sood
With new dimensions being introduced at work every year, this presentation to top CIOs in India showcases changing trends in information security:
Trend 1 – Keeping the Bad Guys Out
Trend 2 – Letting the Good Guys In
Trend 3 – Keeping Good things In
2. About Silent Circle
Launched in 2012 by security industry experts
Phil Zimmermann – co-founder of PGP
Jon Callas – co-founder of PGP Corporation & CSO, Apple
Mike Janke – SEAL Team 6
HQ in Columbia, MD
Committed to Secure, Private Communications
Silent Phone – Enterprise-managed secure talk, text, file sharing
Silent World – Global coverage + traditional telephone numbers
GoSilent – Portable Next-Gen Firewall + VPN
Financial, Utilities, Logistics, Legal, Healthcare, Government, IoT
3. Cybersecurity Risks in the Mobile Environment
Real-world financial case studies
The forgotten risks of using smartphones as phones
Practical steps to protect the organization
Presentation by Dr. Hamilton Turner, CTO
10+ years of mobile security experience
4. Stories From the Silent Circle
Four real Silent Circle customer cases
All financial or investment firms
Most based in NY
Events span 2015 to 2018
5. Case 1: Intercepting Board Calls To Short Stock
• Very large public fin. services company
• Mid 2015, preparing to announce quarterly loss
• Board meeting scheduled in Manhattan office
• Multiple pre-meeting phone calls to strategize
• Targeted by well-known organized crime
• Rogue cell towers were installed near NYC office
• Calls & SMS were intercepted
• From many levels e.g. C-level, assistants, others
• Stock shorted, criminals gained 30M
• FBI caught & convicted criminals
6. Case 2: Widespread Intelligence Gathering
• Early 2017, NYC Police detect Russian mafia activity focused on multiple financial services companies
• Brooklyn-based criminals were tapping cell phones
• Both phones and network towers were targeted
• Numerous companies included – dragnet approach
• Concluded goal - intelligence gathering with intent to damage reputation
• Attacks were not detected or reacted to in real time
• Main conclusion came after criminals stole significant data
7. Case 3: M&A Espionage
• Large investment bank
• Late 2017 – detected compromise of CEO & COO devices
• Traditional voice communications were recommended
• 3rd party apps were intercepting voice
• IA determined multiple M&A opportunities were affected
• Including multiple that were not closed successfully
• IA response included recommendation for secure voice telecommunications
8. Case 4: On-device Call Interception
• Ongoing
• American-based multinational financial services
• Early 2018
• Malicious application on-device
• App intercepts outbound calls and switches the telephone number to fraudsters
• App intercepts inbound fraudster call and shows bank logo
9. Understanding the Mobile Ecosystem
• The three pillars of secure mobile
• Mobile Device
• Hardware, OS, Security APIs
• Applications
• Securing Distribution & Execution, Prevent Forgery & Misleading Actions, App Management
• Network
• Call interception, call monitoring, message interception, monitoring
• Disproportionate focus on two pillars – securing the network is hard!
10. What about the network?
“As early as 1996, members of Congress experienced calls being illegally intercepted, however no technological solution to this problem has been systematically deployed and it remains to this day.”
“In the United States, there are no regulations requiring carriers to run encryption or provide privacy protections to users on their networks”
“The caller ID display is unauthenticated and can be made to display any data, including fraudulent information.”
“[mobile devices] remain fully functional when running on non-encrypted networks; no notification is provided to the user when operating in this mode.”
April 2017, Dept. of Homeland Security, Study on Mobile Device Security
11. What about the network?
“LTE standards do not provide confidentiality protection for user traffic as the default configuration”
“integrity protection for user traffic is explicitly prohibited”
“…security capabilities provided by LTE are markedly more robust [than previous]…yet [LTE systems] coexist with previous cellular infrastructure.”
“Current mobile devices do not provide the option for a user to know if their [device’s] connection is encrypted...”
December 2017, NIST SP 800-187, Guide to LTE Security
[1] Jian A. Zhang, Peng Cheng, Andrew R. Weily, Y. Jay Guo. 2014. Towards 5th Generation Cellular Mobile Networks. Australian Journal of Telecommunications and the Digital Economy, Vol 2, No 2, Article 34. http://doi.org/10.18080/ajtde.v2n2.34. Published by Telecommunications Association Inc. ABN 34 732 327 053. https://telsoc.org
12. Is Old News still News?
• To security professionals, telecommunication risk is nothing new[1]!
• Why hasn’t this situation changed (drastically)?
• Thousands of companies in hundreds of countries
• Tens of technologies
• ~4.7 billion deployed phones
• 2G/3G fallback is consistent – GSM is still prevalent
• Making cellular networks at scale is very hard work
• CVEs may not exist – pentesting can be illegal!
[1] April 2016, NISTIR 8071. Jeffrey Cichonski (NIST), Joshua Franklin (NIST), Michael Bartock (NIST). LTE Architecture Overview and Security Analysis
http://theinternetofthings.report/Resources/Whitepapers/8965b6c5-40e0-448b-950a-a3adc428144b_The%20Global%20State%20of%202G,%203G,%204G,%20and%205G.pdf
13. Is Old News still News?
• Why has this situation changed, drastically?
• Access to low-cost radio hardware
• In 2014
• “Baseband attacks are considered extremely difficult”[1]
• “system costs as much as $400,000”[2]
• In 2016, GSM IMSI Catcher for $1400[3]
• In 2018, “The cost of the hardware is about €1,250…”[4]
• Ettus USRP, HackRF, BladeRF, etc
• Prevalence of readily-available software
• OpenBTS, OpenBSC, OpenLTE
• Proactive nation-state attackers[5] put backhaul & core at greater risk
[1] https://www.welivesecurity.com/2014/08/28/android-security-2/
[2] https://resources.infosecinstitute.com/stingray-technology-government-tracks-cellular-devices/
[3] https://securityaffairs.co/wordpress/41513/hacking/low-cost-imsi-catcher-lte.html
[4] https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/
[5] https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/
14. “Call me on the phone, I don’t want to write this down”
• Voice communications are frequently less secure than Wi-Fi
• But fewer CVEs – pentesting can be illegal
• Also…the logs are only in the hands of MNOs/malicious entities
• Passive monitoring of un/poorly-encrypted air-traffic
• From ground or space!
• Calls or messages, device tracking
• Rogue towers
• Active intercept
• Downgrade, de-auth attacks
• Backhaul / Core network attacks
• No end-to-end security of user data
• User data can be sniffed from core network
• Malicious attacks on carrier
• Malicious carrier
15. But isn’t LTE more secure?
• GSM is still the most common global connection
• Smart jamming 3G/UMTS and 4G/LTE triggers fallback to 2G/GSM
• Regardless of LTE, the device is not secure due to fallback
• Rogue base stations are still very real
• LTE has poor support for user data security
• No user data encryption by default
• Disallows user data integrity
• No notice to user about non control connection
• No regulations about backhaul/core network
• Prior evidence of nation-state interest here
• Lack of confidentiality – sniff SMS/call traffic
• Physical access is always a weakness
• Geographic deployment of PKI onto towers
• Femtocell-based key theft
• No clear mandate forcing secure backhaul
[Figure: Global LTE Availability, Feb 2017. Source: https://opensignal.com/reports/2018/02/state-of-lte]
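As an added example (not code from the deck or from Silent Circle), here is the defender-side check that slide 15's points about 2G fallback and rogue base stations call for: a heuristic detector run over a constructed serving-cell log that flags an idle-mode drop from a strong LTE cell straight to GSM, cells absent from a site allow-list, a non-home PLMN, and an area-code change on an unchanged cell id. Field names, thresholds, the allow-list and the log are this example's own assumptions.

```python
"""Heuristic detection of forced 2G fallback and unfamiliar serving cells.

Added example, not code from the Silent Circle deck or product. It assumes the
device can log its serving cell (RAT, MCC/MNC, area code, cell id, signal) and
whether a call was in progress; the field names, thresholds and the constructed
log below are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

CellKey = Tuple[str, str, int, int]  # (mcc, mnc, area code, cell id)


@dataclass(frozen=True)
class CellObservation:
    ts: int          # constructed timestamp, seconds
    rat: str         # "LTE", "UMTS" or "GSM"
    mcc: str
    mnc: str
    area: int        # TAC for LTE, LAC for GSM/UMTS
    cell_id: int
    signal_dbm: int  # RSRP (LTE) or RSSI (GSM/UMTS) as reported by the modem
    in_call: bool    # circuit-switched fallback makes LTE->2G/3G normal in a call

    @property
    def key(self) -> CellKey:
        return (self.mcc, self.mnc, self.area, self.cell_id)


# Assumption: an LTE cell stronger than this should not hand an idle phone to GSM.
STRONG_LTE_DBM = -95


def detect_anomalies(observations: Iterable[CellObservation],
                     known_cells: Set[CellKey],
                     home_plmn: Tuple[str, str]) -> List[str]:
    """Return alerts for a time-ordered list of serving-cell observations.

    All four rules are heuristics; each can fire on legitimate network events,
    so treat the output as a trigger for investigation, not proof of an attack.
      1. Idle-mode downgrade from a strong LTE cell straight to GSM
         (the 2G fallback that smart jamming and rogue base stations rely on).
      2. Serving cell not in the allow-list of cells seen at this location.
      3. Serving PLMN (MCC/MNC) differs from the home operator.
      4. Area code changes while the cell id stays the same on the same RAT.
    """
    alerts: List[str] = []
    prev: Optional[CellObservation] = None
    for obs in observations:
        if (obs.mcc, obs.mnc) != home_plmn:
            alerts.append(f"{obs.ts}: serving PLMN {obs.mcc}-{obs.mnc} is not home PLMN")
        if obs.key not in known_cells:
            alerts.append(f"{obs.ts}: unknown {obs.rat} cell {obs.key} at {obs.signal_dbm} dBm")
        if prev is not None:
            # Rule 1: ignore transitions that happen during a call (CSFB is expected).
            if (prev.rat == "LTE" and obs.rat == "GSM"
                    and not obs.in_call and not prev.in_call
                    and prev.signal_dbm > STRONG_LTE_DBM):
                alerts.append(f"{obs.ts}: idle downgrade LTE ({prev.signal_dbm} dBm) -> GSM")
            # Rule 4: same physical cell id reappearing under a different area code.
            if (prev.rat == obs.rat and prev.cell_id == obs.cell_id
                    and prev.area != obs.area):
                alerts.append(f"{obs.ts}: area code changed {prev.area} -> {obs.area} "
                              f"on same cell id {obs.cell_id}")
        prev = obs
    return alerts


# Constructed sample: an office allow-list for a fictitious home operator and a
# log in which a strong, unfamiliar GSM cell suddenly replaces a healthy LTE cell.
HOME_PLMN = ("310", "260")
KNOWN_CELLS: Set[CellKey] = {
    ("310", "260", 1201, 55001),
    ("310", "260", 1201, 55002),
}
SAMPLE_LOG = [
    CellObservation(1000, "LTE", "310", "260", 1201, 55001, -81, False),
    CellObservation(1060, "LTE", "310", "260", 1201, 55002, -84, False),
    CellObservation(1120, "GSM", "310", "260", 1201, 77777, -61, False),
    CellObservation(1180, "GSM", "310", "260", 9999, 77777, -59, False),
]


def run_sample() -> List[str]:
    """Run the detector over the constructed log; returns four alerts."""
    return detect_anomalies(SAMPLE_LOG, KNOWN_CELLS, HOME_PLMN)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Real modems expose only part of this (Android's CellInfo reports RAT, PLMN, area and cell id but gives no ciphering indicator), so the allow-list has to be built from baseline observations at each site before the rules carry any weight.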
16. What should an enterprise do to protect itself?
• Select ‘secure communication’ tools for your organization
• Multiple over-the-top options
• Many are easy to use
• Silent Phone supports management, PSTN integration, etc
• Review your sensitive communication policy
• NIST SP 800-171 - Compliance impossible with LTE-based cellular networks
• ISO 27001 – Does not address cellular well, but A.9.2.3 is difficult
• Short answer – recommend a ‘sensitive calling’ app
• Train your employees
• Traditional voice calls are insecure
• Traditional calls are being attacked
• Use a ‘secure communication’ tool
Steve Davis | Silent Circle
Silent Phone: stephendavis
Office: 646.681.6841
Mobile: 908.285.4525
Editor's Notes
For the first two pillars, you will find tens of companies, and Gartner quadrants. For the network….not so much ;-)
To be fair, global rollout of LTE is fairly high – 450+ networks before 2015
If you’re saying that to skirt compliance, let me remind you that the folks who would get a record of your conversation are exactly the type of individuals interested in your decision to skirt compliance