12/15/2011
07:48 AM
Don Bailey

For Your Mobile Only

Imagine a modern-day plot for a James Bond movie and how mobile would make his task a whole lot easier

As I sit only a few meters away from the famed Seychelles villa where Ian Fleming penned the Bond book "For Your Eyes Only," I have to chuckle to myself. If only Ian knew what the world would be like almost 50 years later.

While the short stories are quite different, the movie has Bond retrieving a lost transmitter capable of issuing ballistic missile attacks before the KGB can get their hands on it. In modern times, the plot might be vastly different. Rather than a ridiculous transmitter, I wouldn't be surprised to find Bond seducing and sniping his way toward an Apple or Android smartphone. If he had friends like many of us in information security have today, then he might not even need to leave his beautiful Seychelles seaside villa to exact compromise of the targeted control device. After all, cellular technology penetrates almost every corner of the globe today, and the tiny island chain in the Indian Ocean is certainly no exception.

And we do control so much today with our phones, don't we? Checking email and video chatting with friends and family seems almost old hat, even on our mobile phones. This is especially true when applications can be installed on our phones that remotely start our vehicles' engines and unlock their doors. We can turn on and off the lights in our house with a simple swipe of a pixelized button. We can deposit checks through our mobile phones without ever having to submit the physical check to a bank. Even the doors on our homes and offices can be unlocked through security systems accessed via our mobile phone.

Things get even stranger when we consider the use of a phone as an access token. Google Auth and Duo Security help us log in securely to virtual private networks, servers, and other systems. The new NFC technology even assists in automating and validating payment processing.

These are exciting, new technologies. We have no reason to step back and assert that these advances are horrible leviathans creeping about the ether, poised to strike. These are novel ways of interconnecting our world and making it more convenient for us to live our lives. That's definitely a good thing. The danger comes from our eagerness to deploy these technologies too quickly, and not acknowledging the mobile device for what it is: a nexus.

Digital communication was largely isolated to short distances in the consumer space. WiFi networks, Bluetooth, Zigbee, and most other consumer RF technologies we use for communications are rather restricted by distance. Yet these protocols all connect to the most important devices in our personal and business environments: our computers. WiFi connects home offices and corporate networks to meeting rooms and living rooms, where intellectual property and personal financial records are stored. Bluetooth integrates our printers and audio devices, and can synchronize data with laptops, desktops, or mobile devices. Zigbee enables the connection of control systems to sensors and components that govern our physical environment. You would have to be physically close to these environments to penetrate or circumvent their security controls.

In today's world, cellular devices are constantly connected to the Internet and can be accessed globally. Additionally, more and more mobile devices are being outfitted with 802.11, Bluetooth, RFID/NFC, and even Zigbee capability. If a mobile phone can be compromised over the globally connected cellular link, then attackers can potentially pivot network access from the cellular environment to isolated proximity-based environments, such as the aforementioned. Imagine a single vulnerability in a globally deployed mobile platform that allowed an attacker administrative remote access to the phone's command shell. Now imagine the potential abuses. Eavesdropping? Credential theft? Network pivoting? How about compromise of adjacent mobile devices, such as mobile phones, connected to the same WiFi network? There are endless possibilities because the technology is now globally reachable.

Not only are mobile devices a nexus of information, they're a nexus for connectivity. These devices know where we are, who we're talking to, what we require to live, how much money we can spend, and where to route our most important information through. Mobile devices are the keys to the kingdom, not some large, antiquated metal box blinking red as it transmits ballistic missile instructions to submarines. The mobile phone is a torpedo all on its own, and in a way, we are all James Bond. We can all look over the shoulder of our friends as they unlock their Androids with a finger swipe, and we can all submit prank posts to Facebook when those same friends leave their phones on the table as they grab another beer.

But we could be doing quite a bit worse. We can steal cars, money, and potentially even identities. How can we as consumers and administrators protect ourselves and our enterprise environments? Well, that's what we're looking forward to discussing in this blog. Not only will we analyze novel threats to personal and enterprise security, we'll discuss simple yet robust solutions that allow for agility in mobile environments. After all, Bond would be nothing without his speed and dexterity. Oh ... and, of course, the gadgets. You know Bond wishes he owned an UberTooth.

Don A. Bailey is a senior security consultant with iSEC Partners.

Don A. Bailey is a pioneer in security for mobile technology, the Internet of Things, and embedded systems. He has a long history of ground-breaking research, protecting mobile users from worldwide tracking systems, securing automobiles from remote attack, and mitigating ...
