Perimeter
12/15/2011
07:48 AM
Don Bailey
Don Bailey
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

For Your Mobile Only

Imagine a modern-day plot for a James Bond movie and how mobile would make his task a whole lot easier

As I sit only a few meters away from the famed Seychelles villa where Ian Fleming penned the Bond book "For Your Eyes Only," I have to chuckle to myself. If only Ian knew what the world would be like almost 50 years later.

While the short stories are quite different, the movie has Bond retrieving a lost transmitter capable of issuing ballistic missile attacks before the KGB can get their hands on it. In modern times, the plot might be vastly different. Rather than a ridiculous transmitter, I wouldn't be surprised to find Bond seducing and sniping his way toward an Apple or Android smartphone. If he had friends like many of us in information security have today, then he might not even need to leave his beautiful Seychelles seaside villa to exact compromise of the targeted control device. After all, cellular technology penetrates almost every corner of the globe today, and the tiny island chain in the Indian Ocean is certainly no exception.

And we do control so much today with our phone, don't we? Checking email and video chatting with friends and family seems almost old hat, even on our mobile phones. This is especially true when applications can be installed on our phones that remotely start our vehicles' engines and unlock its doors. We can turn on and off the lights in our house with a simple swipe of a pixelized button. We can deposit checks through our mobile phones without ever having to submit the physical check to a bank. Even the doors on our homes and offices can be unlocked through security systems accessed via our mobile phone.

Things get even stranger when we consider the use of a phone as an access token. Google Auth and Duo Security help us log in securely to virtual private networks, servers, and other systems. The new NFC technology even assists in automating and validating payment processing.

These are exciting, new technologies. We have no reason to step back and assert that these advances are horrible leviathans creeping about the ether, poised to strike. These are novel ways of interconnecting our world and making it more convenient for us to live our lives. That's definitely a good thing. The danger comes from our eagerness to deploy these technologies too quickly, and not acknowledging the mobile device for what it is: a nexus.

Digital communication was largely isolated to short distances in the consumer space. WiFi networks, Bluetooth, Zigbee, and most other consumer RF technologies we use for communications are rather restricted by distance. Yet these protocols all connect to the most important devices in our personal and business environments: our computers. WiFi connects home offices and corporate networks to meeting rooms and living rooms, where intellectual property and personal financial records are stored. Bluetooth integrates our printers and audio devices, and can synchronize data with laptops, desktops, or mobile devices. Zigbee enables the connection of control systems to sensors and components that govern our physical environment. You would have to be in physically close to these environments to penetrate or circumvent their security controls.

In today's world, cellular devices are constantly connected to the Internet and can be accessed globally. Additionally, more and more mobile devices are being outfitted with 802.11, Bluetooth, RFID/NFC, and even Zigbee capability. If a mobile phone can be compromised over the globally connected cellular link, then attackers can potentially pivot network access from the cellular environment to isolated proximity-based environments, such as the aforementioned. Imagine a single vulnerability in a globally deployed mobile platform that allowed an attacker administrative remote access to the phone's command shell. Now imagine the potential abuses. Eavesdropping? Credential theft? Network pivoting? How about compromise of adjacent mobile devices, such as mobile phones, connected to the same WiFi network? There are endless possibilities because the technology is now globally reachable.

Not only are mobile devices a nexus of information, they're a nexus for connectivity. These devices know where we are, who we're talking to, what we require to live, how much money we can spend, and where to route our most important information through. Mobile devices are the keys to the kingdom, not some large, antiquated metal box blinking red as it transmits ballistic missile instructions to submarines. The mobile phone is a torpedo all on its own, and in a way, we are all James Bond. We can all look over the shoulder of our friends as they unlock their Androids with a finger swipe, and we can all submit prank posts to Facebook when those same friends leave their phones on the table as they grab another beer.

But we could be doing quite a bit worse. We can steal cars, money, and potentially even identities. How can we as consumers and administrators protect ourselves and our enterprise environments? Well, that's what we're looking forward to discussing in this blog. Not only will we analyze novel threats to personal and enterprise security, we'll discuss simple yet robust solutions that allow for agility in mobile environments. After all, Bond would be nothing without his speed and dexterity. Oh ... and, of course, the gadgets. You know Bond wishes he owned an UberTooth.

Don A. Bailey is a senior security consultant with iSEC Partners

Don A. Bailey is a pioneer in security for mobile technology, the Internet of Things, and embedded systems. He has a long history of ground-breaking research, protecting mobile users from worldwide tracking systems, securing automobiles from remote attack, and mitigating ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.