Confraria Security & IT - Mobile Security


My talk on 23 June at Confraria Security & IT

  1. pocket security, your mobile - by Vitor Domingos, all-around mercenary
  2. Vitor Domingos, [email_address], http://vitordomingos.com
     - cloud computing & security consultant
     - thenextweb editor
     - mobilemonday PT founder
     - videocaster
     - ex failed entrepreneur
     - ex ITIJ / MJ, ex CGD, ex forumB2B, ex Maxitel, ex Jazztel
  6. Phones ...
     - 15 years of pure insecurity and few exploits
     - mobile is the most personal and private item we own
     - phones are now computers, the personal kind
     - they even run full operating systems
  7. What's in ...
     - phone calls
     - address book
     - emails
     - SMS
     - MMS
     - browser history
     - pictures and some documents
     - calendar
     - GPS tracking data
     - shop details
     - credit card info
     - other sync evilness
  8. TRUST
     - we trust the carrier
     - we trust the manufacturer
     - we trust the users
     - we trust the phone
     - we trust the software
     - we trust we're safe because it's not connected, or because it's in our pocket
  10. Mobile Security Levels
     - Level 1 - Manufacturer
     - Level 2 - Carrier
     - Level 3 - User
     - Level 4 - Application
     - Level 5 - Enterprise (?)
  11. Patching hell ...
     - Problem #1 - if you have a smartphone you have probably upgraded the base software at some point; if not, you're still running what came with it
     - Problem #2 - patching is hard (OTA is neat, but few use it)
     - Problem #3 - no enterprise patching; IT says it's a carrier / user problem, not theirs
  12. Windows Mobile
     - digital application signing
     - limited access to the filesystem
     - permission requests
     - device encryption (enterprise)
     - PIN protection (enterprise)
     - profiles (enterprise)
     - no granular permissions
  14. iPhone
     - OS X security model
     - App Store
     - no enterprise security provisioning
  16. Android / Symbian
     - sandbox
     - tight control on application permissions
     - digital signature
     - no enterprise security provisioning
  18. Security Community
     - TSTF.net
     - Mseclab
     - Tam Hanna
     - GSM Association Security Group
  19. Password Security
     - try to put a really hard password on your phone
     - normally it's only a 4-digit PIN
     - normally, if one is used at all, it's simple, because typing anything on a phone is hard
     - try K#$"%'º`^!"231Gj
     - two-factor authentication (?)
  21. GSM Cracked
     - A5/1 rainbow-table cracking software (reflextor.com/trac/a51)
     - GSM interception software (airprobe.org)
     - software-defined radio (gnuradio.org)
     - cheap radio hardware (ettus.com/products)
  23. 2010
     - UMTS cracked (on paper): the sandwich attack on KASUMI / A5/3
     - MMS remote exploit
     - iPhone SMS remote exploit
     - Bluetooth spamming and attacks (bluesnarfing, bluebugging)
     - $18 Bluetooth sniffer
     - interception of the Bluetooth audio flow to a headset
     - over-the-air wiretapping
     - ... and what about Flash? :)
  26. Look at the screen
     - what are you running?
     - what is it doing?
     - is it using network access? why?
     - do you know what it's doing to the filesystem? to memory? to your data?
     - where is your data?
     - is it using secure protocols?
     - where's the backup?
  29. Future (risks?)
     - Near Field Communication - 2008: hacking NFC phones, URI spoofing, NDEF worm; 2010: Nokia announces that all its new smartphones will be NFC-ready
     - mobile JavaScript in the browser (2000 called and they want to block JavaScript all over again)
     - phone SSL, VPN
     - location-based something - Gowalla / Foursquare problems
  30. Future (risks?)
     - spyware disguised as apps (Cydia, the jailbroken-iPhone app store)
     - virus / worm / botnet - iPhone; Vodafone shipping Android phones with malware-infected memory cards
     - TinyURL / shortened-link problems (?)
     - social phishing from fake call centers
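The "GSM Cracked" slide names the A5/1 rainbow-table tooling without saying what makes the cipher such an easy target. The following is an added example, written for this page and not part of the talk or of any of the projects it lists: a Python implementation of the A5/1 keystream generator, following the published description of the cipher (three LFSRs of 19, 22 and 23 bits, majority clocking, 64-bit key plus 22-bit frame number) and the bit-ordering conventions of the widely circulated a5.c reference code. The key and frame number used below are that reference code's test vector; the `recover_keystream` helper and its sample inputs are constructed here to show the one step an interceptor needs before consulting a table.

```python
"""A5/1 keystream generator, the GSM stream cipher the reflextor tables attack.

Illustrative implementation added to this page, not code from the talk.
Register lengths, taps, clocking bits and key/frame loading order follow the
published description of A5/1; the LSB-first key bit order and MSB-first
packing of the output match the a5.c reference code.
"""

# (length, feedback taps, clocking bit) for each register; bit 0 is the LSB.
REGISTERS = (
    (19, (13, 16, 17, 18), 8),   # R1
    (22, (20, 21), 10),          # R2
    (23, (7, 20, 21, 22), 10),   # R3
)


def _step(reg, length, taps):
    """Clock one LFSR: shift left by one and feed the XOR of the taps into bit 0."""
    feedback = 0
    for t in taps:
        feedback ^= (reg >> t) & 1
    return ((reg << 1) | feedback) & ((1 << length) - 1)


class A51:
    """Keystream generator for one 64-bit session key and one 22-bit frame number."""

    def __init__(self, key, frame):
        if len(key) != 8:
            raise ValueError("A5/1 takes a 64-bit (8-byte) key")
        if not 0 <= frame < (1 << 22):
            raise ValueError("frame number must fit in 22 bits")
        self.regs = [0, 0, 0]
        # Key loading: clock all three registers, then XOR the key bit into bit 0 of each.
        for i in range(64):
            self._clock_all()
            bit = (key[i // 8] >> (i % 8)) & 1
            self.regs = [r ^ bit for r in self.regs]
        # The frame number (the per-burst IV) is loaded the same way.
        for i in range(22):
            self._clock_all()
            bit = (frame >> i) & 1
            self.regs = [r ^ bit for r in self.regs]
        # 100 majority-clocked mixing steps whose output is discarded.
        for _ in range(100):
            self._clock_majority()

    def _clock_all(self):
        self.regs = [_step(r, n, taps) for r, (n, taps, _) in zip(self.regs, REGISTERS)]

    def _clock_majority(self):
        """Irregular clocking: a register steps only if its clocking bit agrees with the majority."""
        mids = [(r >> mid) & 1 for r, (_, _, mid) in zip(self.regs, REGISTERS)]
        majority = 1 if sum(mids) >= 2 else 0
        self.regs = [_step(r, n, taps) if m == majority else r
                     for r, m, (n, taps, _) in zip(self.regs, mids, REGISTERS)]

    def _output_bit(self):
        bit = 0
        for r, (n, _, _) in zip(self.regs, REGISTERS):
            bit ^= (r >> (n - 1)) & 1   # XOR of the three most significant bits
        return bit

    def keystream(self, nbits=114):
        """Produce nbits of keystream, packed MSB-first into bytes."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock_majority()
            out[i // 8] |= self._output_bit() << (7 - i % 8)
        return bytes(out)


def burst_keystreams(key, frame):
    """The two 114-bit keystreams GSM derives per frame: (downlink, uplink)."""
    gen = A51(key, frame)
    return gen.keystream(114), gen.keystream(114)


def recover_keystream(ciphertext, known_plaintext):
    """Interceptor's step before a table lookup: a burst whose content is
    predictable (padded signalling, for example) gives the raw keystream as
    ciphertext XOR plaintext. The 64-bit state behind that keystream is what
    the time-memory trade-off tables invert."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


# Test vector shipped with the a5.c reference implementation.
TEST_KEY = bytes([0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF])
TEST_FRAME = 0x134

if __name__ == "__main__":
    down, up = burst_keystreams(TEST_KEY, TEST_FRAME)
    print("downlink:", down.hex())
    print("uplink:  ", up.hex())
```

Two things to notice when running it: the entire secret state is the 64 bits of the three registers, and every frame restarts the generator from the same key with only the 22-bit frame counter changing, so any burst with guessable content leaks keystream that can be matched against precomputed state tables. Those two properties, not an implementation bug, are what the tools on the slide exploit.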
