CSE 543 - Computer Security Lecture 26 - Mobile phone security - - PowerPoint PPT Presentation



SLIDE 1

CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

CSE 543 - Computer Security

Lecture 26 - Mobile phone security December 11, 2007

URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/


SLIDE 2

Mobile Phones

  • Networked device capable of making phone calls
  • But it could do so much more!
  • Messaging (text messaging and email)
  • Entertainment (web and games)
  • Safety (mobile communicator)
  • Personal computing token (hey, let's improve security too!)
  • Q: What is the difference between a mobile phone and a personal computer?


SLIDE 3

Mobile Phone Security

  • In some ways, mobile phones and their infrastructure are potentially more difficult to control
  • Networking: every way imaginable
  • Systems: security not a major focus
  • Applications: all kinds
  • Personal: seen as more personal, so the tendency is to depend on it for more, rather than less, security


SLIDE 4

Networking

  • Multiple ways to communicate
  • Then connect to multiple networks
  • And communicate different types of data
  • Wireless radio (e.g., CDMA): transmits voice, data, multimedia data
  • SMS/MMS: text and multimedia messages
  • WAP: Wireless Application Protocol
  • SS7: the signalling network that calls eventually reach once they enter the phone network
  • IP: vendors moving to IP networks
  • Bluetooth: short distance networking
  • Communicate with neighboring devices


SLIDE 5

Bluetooth

  • A standard for building very small personal area networks (PANs)
  • Connects just about everything you can name: PDAs, phones, keyboards, mice, your car
  • Very short range network: 1 meter, 10 meters, 100 meters (rare)
  • Advertised as the solution to "too many cables"
  • Authentication

– "pairing" uses pass-phrase style authentication to establish a relationship, and the resulting link key is often stored indefinitely (problem? every device you ever paired with keeps a key that still works)


SLIDE 6

Bluetooth

  • Devices "pair" to establish a communication channel
  • A pair is associated with a PIN selected by the users; legacy pairing derives the link key from that PIN plus device addresses and nonces that are sent in the clear
  • A 4-digit PIN would be a problem (an eavesdropper can try all 10,000 offline), but...
  • There are so many other problems
  • BlueSnarf: pull known files (e.g., the phone book) from a remote phone over OBEX, without pairing
  • BlueBug: execute commands on the victim (AT commands over an unadvertised serial channel)
  • BlueSmack: "Ping of death" (oversized L2CAP echo requests)
  • Long distance attacks: directional antennas reach well beyond the nominal 10 m range
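Added example (not from the lecture) showing why a short PIN is a problem: a passive sniffer who records one legacy pairing sees the device addresses, IN_RAND, AU_RAND and the response SRES, and can test every candidate PIN offline. Bluetooth's real E22/E21/E1 functions are SAFER+ based; this code replaces them with a SHA-256 stand-in that keeps the same data flow (the PIN is the only secret input), and the captured exchange below is constructed, not a real trace.

```python
import hashlib
from typing import Optional

# Stand-in for Bluetooth's E22/E21/E1 key functions (the real ones use SAFER+).
# Not the genuine algorithms: only the "PIN is the sole secret" data flow matters here.
def _f(tag: bytes, *parts: bytes) -> bytes:
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()[:16]

def legacy_pairing(pin: bytes, bd_addr_a: bytes, bd_addr_b: bytes,
                   in_rand: bytes, au_rand: bytes) -> bytes:
    """Return the 4-byte authentication response SRES that device B sends.

    Mirrors the structure of legacy (pre-2.1) pairing:
      Kinit    = E22(PIN, BD_ADDR_B, IN_RAND)       initialisation key
      link_key = E21(...) combined from both sides  (simplified to one call)
      SRES     = E1(link_key, BD_ADDR_B, AU_RAND)   challenge response
    Every input except the PIN crosses the air in the clear.
    """
    kinit = _f(b"E22", pin, bd_addr_b, in_rand)
    link_key = _f(b"E21", kinit, bd_addr_a, bd_addr_b)
    return _f(b"E1", link_key, bd_addr_b, au_rand)[:4]

def crack_pin(capture: dict, max_digits: int = 4) -> Optional[bytes]:
    """Offline brute force over all numeric PINs of 1..max_digits digits,
    using only the values a sniffer sees during the pairing exchange."""
    for n_digits in range(1, max_digits + 1):
        for n in range(10 ** n_digits):
            pin = str(n).zfill(n_digits).encode()
            sres = legacy_pairing(pin, capture["bd_addr_a"], capture["bd_addr_b"],
                                  capture["in_rand"], capture["au_rand"])
            if sres == capture["sres"]:
                return pin
    return None

def search_space(digits: int) -> int:
    """Number of candidate PINs of exactly `digits` decimal digits."""
    return 10 ** digits

# Constructed sample: a sniffed pairing between two made-up addresses.
ADDR_A = bytes.fromhex("001122334455")
ADDR_B = bytes.fromhex("66778899aabb")
IN_RAND = bytes(range(16))
AU_RAND = bytes(range(16, 32))
SECRET_PIN = b"4321"   # chosen by the users, never transmitted

CAPTURE = {
    "bd_addr_a": ADDR_A, "bd_addr_b": ADDR_B,
    "in_rand": IN_RAND, "au_rand": AU_RAND,
    "sres": legacy_pairing(SECRET_PIN, ADDR_A, ADDR_B, IN_RAND, AU_RAND),
}

if __name__ == "__main__":
    print("recovered PIN:", crack_pin(CAPTURE))
    print("4-digit space:", search_space(4), "16-digit space:", search_space(16))
```

The search finishes in well under a second for four digits; the same loop over the 16-digit maximum the specification allows would need 10^16 trials, which is why PIN length, not the key derivation, decides whether a recorded pairing can be broken.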


SLIDE 7

WAP (Wireless Application Protocol)

  • A set of protocols for implementing applications over thin (read: wireless) pipes
  • Short version: a set of protocols to implement the web over wireless links as delivered to resource-limited devices

– reduce overhead and flabby content (image-rich HTML)
– support limited presentation and content formats

  • Wireless Markup Language (XML-based language)

– reduce the footprint of the rendering engine (browser)

  • Security: WTLS

– SSL/TLS-style protocol -- public keys, key negotiation, etc.
– Caveat: WTLS runs between the handset and the WAP gateway, which decrypts and re-encrypts with TLS toward the origin server, so the gateway sees plaintext (the "WAP gap")

  • Success in Japan, little elsewhere (currently)


SLIDE 8

Systems

  • Common operating systems
  • Symbian (85% of market), Windows Mobile, and now Linux
  • Symbian protection model (three trust tiers)

– Installer
– Symbian-signed programs
– Everything else (e.g., games)

  • "Everything else" is limited in what it may write, but can read most anything
  • Thus, some phone models using Symbian disallow "everything else" entirely


SLIDE 9

Applications

  • Typical application problems

– Buffer overflows
– User as administrator (the user installs an MMS attachment carrying a virus)
– New vectors (e.g., download and install a file received over Bluetooth)

  • But more trust permitted to Symbian applications

– Contacts database
– Pairing database
– Phone identity

  • Also, more vectors for propagation (contacts, paired devices, and messaging are all reachable by a compromised application)


SLIDE 10

Personal

  • But, people have found that since everyone carries a mobile phone, it would be useful to add security function to it
  • User authentication support

– Generate one-time passwords
– Face authentication

  • Secure web authentication

– Keep cookies on the cell phone

  • Seeing is believing (use the phone's camera to read a barcode from the device being authenticated)
  • Use the cell phone for an authorization system
  • Q: Should we trust phones? The phone is now both the token and a target of everything on the previous slides
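Added example (not from the lecture) of the "generate one-time passwords" item: an RFC 4226 HOTP generator standing in for the phone, and a server-side verifier with a look-ahead window. The shared secret is the standard's published test key; the server's per-user state is an in-memory dictionary assumed for illustration.

```python
import hashlib
import hmac

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class PhoneToken:
    """The phone's side: holds the seed and bumps a counter for every code shown."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class OtpServer:
    """The server's side: per-user seed and the next counter it will accept.

    A look-ahead window tolerates codes the phone generated but never submitted;
    the counter only moves forward, so an accepted code cannot be replayed.
    """
    def __init__(self, window: int = 5):
        self.window = window
        self.users: dict[str, tuple[bytes, int]] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = (secret, 0)

    def verify(self, user: str, code: str) -> bool:
        secret, counter = self.users[user]
        for c in range(counter, counter + self.window):
            if hmac.compare_digest(hotp(secret, c), code):
                self.users[user] = (secret, c + 1)   # resync past the used counter
                return True
        return False

# Shared secret from RFC 4226 Appendix D (a published test vector, not a real seed).
TEST_SECRET = b"12345678901234567890"

def demo() -> dict:
    """Run one enrolment and return the outcomes of four login attempts."""
    phone = PhoneToken(TEST_SECRET)
    server = OtpServer(window=5)
    server.enroll("alice", TEST_SECRET)
    first = phone.next_code()
    accepted = server.verify("alice", first)
    replayed = server.verify("alice", first)        # same code again: must fail
    phone.next_code()                               # user generated but never typed this one
    skipped = server.verify("alice", phone.next_code())  # window resyncs past the gap
    return {"accepted": accepted, "replayed": replayed, "skipped": skipped}

if __name__ == "__main__":
    print(hotp(TEST_SECRET, 0), hotp(TEST_SECRET, 1), hotp(TEST_SECRET, 2))
    print(demo())
```

The seed lives on the handset, so the slide's closing question applies directly: any application able to read the phone's storage (the "everything else" tier on the Systems slide can read most anything) can read the seed and mint codes.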


SLIDE 11

Take Away

  • Mobile phones are flexible computing devices
  • But, security has not yet been a focus
