Perimeter
12/15/2011
07:48 AM
Don Bailey
Don Bailey
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

For Your Mobile Only

Imagine a modern-day plot for a James Bond movie and how mobile would make his task a whole lot easier

As I sit only a few meters away from the famed Seychelles villa where Ian Fleming penned the Bond book "For Your Eyes Only," I have to chuckle to myself. If only Ian knew what the world would be like almost 50 years later.

While the short stories are quite different, the movie has Bond retrieving a lost transmitter capable of issuing ballistic missile attacks before the KGB can get their hands on it. In modern times, the plot might be vastly different. Rather than a ridiculous transmitter, I wouldn't be surprised to find Bond seducing and sniping his way toward an Apple or Android smartphone. If he had friends like many of us in information security have today, then he might not even need to leave his beautiful Seychelles seaside villa to exact compromise of the targeted control device. After all, cellular technology penetrates almost every corner of the globe today, and the tiny island chain in the Indian Ocean is certainly no exception.

And we do control so much today with our phone, don't we? Checking email and video chatting with friends and family seems almost old hat, even on our mobile phones. This is especially true when applications can be installed on our phones that remotely start our vehicles' engines and unlock its doors. We can turn on and off the lights in our house with a simple swipe of a pixelized button. We can deposit checks through our mobile phones without ever having to submit the physical check to a bank. Even the doors on our homes and offices can be unlocked through security systems accessed via our mobile phone.

Things get even stranger when we consider the use of a phone as an access token. Google Auth and Duo Security help us log in securely to virtual private networks, servers, and other systems. The new NFC technology even assists in automating and validating payment processing.

These are exciting, new technologies. We have no reason to step back and assert that these advances are horrible leviathans creeping about the ether, poised to strike. These are novel ways of interconnecting our world and making it more convenient for us to live our lives. That's definitely a good thing. The danger comes from our eagerness to deploy these technologies too quickly, and not acknowledging the mobile device for what it is: a nexus.

Digital communication was largely isolated to short distances in the consumer space. WiFi networks, Bluetooth, Zigbee, and most other consumer RF technologies we use for communications are rather restricted by distance. Yet these protocols all connect to the most important devices in our personal and business environments: our computers. WiFi connects home offices and corporate networks to meeting rooms and living rooms, where intellectual property and personal financial records are stored. Bluetooth integrates our printers and audio devices, and can synchronize data with laptops, desktops, or mobile devices. Zigbee enables the connection of control systems to sensors and components that govern our physical environment. You would have to be in physically close to these environments to penetrate or circumvent their security controls.

In today's world, cellular devices are constantly connected to the Internet and can be accessed globally. Additionally, more and more mobile devices are being outfitted with 802.11, Bluetooth, RFID/NFC, and even Zigbee capability. If a mobile phone can be compromised over the globally connected cellular link, then attackers can potentially pivot network access from the cellular environment to isolated proximity-based environments, such as the aforementioned. Imagine a single vulnerability in a globally deployed mobile platform that allowed an attacker administrative remote access to the phone's command shell. Now imagine the potential abuses. Eavesdropping? Credential theft? Network pivoting? How about compromise of adjacent mobile devices, such as mobile phones, connected to the same WiFi network? There are endless possibilities because the technology is now globally reachable.

Not only are mobile devices a nexus of information, they're a nexus for connectivity. These devices know where we are, who we're talking to, what we require to live, how much money we can spend, and where to route our most important information through. Mobile devices are the keys to the kingdom, not some large, antiquated metal box blinking red as it transmits ballistic missile instructions to submarines. The mobile phone is a torpedo all on its own, and in a way, we are all James Bond. We can all look over the shoulder of our friends as they unlock their Androids with a finger swipe, and we can all submit prank posts to Facebook when those same friends leave their phones on the table as they grab another beer.

But we could be doing quite a bit worse. We can steal cars, money, and potentially even identities. How can we as consumers and administrators protect ourselves and our enterprise environments? Well, that's what we're looking forward to discussing in this blog. Not only will we analyze novel threats to personal and enterprise security, we'll discuss simple yet robust solutions that allow for agility in mobile environments. After all, Bond would be nothing without his speed and dexterity. Oh ... and, of course, the gadgets. You know Bond wishes he owned an UberTooth.

Don A. Bailey is a senior security consultant with iSEC Partners

Don A. Bailey is a pioneer in security for mobile technology, the Internet of Things, and embedded systems. He has a long history of ground-breaking research, protecting mobile users from worldwide tracking systems, securing automobiles from remote attack, and mitigating ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.