12/15/2011
07:48 AM
Don Bailey

For Your Mobile Only

Imagine a modern-day plot for a James Bond movie and how mobile would make his task a whole lot easier

As I sit only a few meters away from the famed Seychelles villa where Ian Fleming penned the Bond book "For Your Eyes Only," I have to chuckle to myself. If only Ian knew what the world would be like almost 50 years later.

While the short stories are quite different, the movie has Bond retrieving a lost transmitter capable of issuing ballistic missile attacks before the KGB can get their hands on it. In modern times, the plot might be vastly different. Rather than a ridiculous transmitter, I wouldn't be surprised to find Bond seducing and sniping his way toward an Apple or Android smartphone. If he had friends like many of us in information security have today, then he might not even need to leave his beautiful Seychelles seaside villa to exact compromise of the targeted control device. After all, cellular technology penetrates almost every corner of the globe today, and the tiny island chain in the Indian Ocean is certainly no exception.

And we do control so much today with our phones, don't we? Checking email and video chatting with friends and family seems almost old hat, even on our mobile phones. This is especially true when applications can be installed on our phones that remotely start our vehicles' engines and unlock their doors. We can turn on and off the lights in our house with a simple swipe of a pixelized button. We can deposit checks through our mobile phones without ever having to submit the physical check to a bank. Even the doors on our homes and offices can be unlocked through security systems accessed via our mobile phone.

Things get even stranger when we consider the use of a phone as an access token. Google Auth and Duo Security help us log in securely to virtual private networks, servers, and other systems. The new NFC technology even assists in automating and validating payment processing.

These are exciting, new technologies. We have no reason to step back and assert that these advances are horrible leviathans creeping about the ether, poised to strike. These are novel ways of interconnecting our world and making it more convenient for us to live our lives. That's definitely a good thing. The danger comes from our eagerness to deploy these technologies too quickly, and not acknowledging the mobile device for what it is: a nexus.

Digital communication was largely isolated to short distances in the consumer space. WiFi networks, Bluetooth, Zigbee, and most other consumer RF technologies we use for communications are rather restricted by distance. Yet these protocols all connect to the most important devices in our personal and business environments: our computers. WiFi connects home offices and corporate networks to meeting rooms and living rooms, where intellectual property and personal financial records are stored. Bluetooth integrates our printers and audio devices, and can synchronize data with laptops, desktops, or mobile devices. Zigbee enables the connection of control systems to sensors and components that govern our physical environment. You would have to be physically close to these environments to penetrate or circumvent their security controls.

In today's world, cellular devices are constantly connected to the Internet and can be accessed globally. Additionally, more and more mobile devices are being outfitted with 802.11, Bluetooth, RFID/NFC, and even Zigbee capability. If a mobile phone can be compromised over the globally connected cellular link, then attackers can potentially pivot network access from the cellular environment to isolated proximity-based environments, such as the aforementioned. Imagine a single vulnerability in a globally deployed mobile platform that allowed an attacker administrative remote access to the phone's command shell. Now imagine the potential abuses. Eavesdropping? Credential theft? Network pivoting? How about compromise of adjacent mobile devices, such as mobile phones, connected to the same WiFi network? There are endless possibilities because the technology is now globally reachable.

Not only are mobile devices a nexus of information, they're a nexus for connectivity. These devices know where we are, who we're talking to, what we require to live, how much money we can spend, and where to route our most important information through. Mobile devices are the keys to the kingdom, not some large, antiquated metal box blinking red as it transmits ballistic missile instructions to submarines. The mobile phone is a torpedo all on its own, and in a way, we are all James Bond. We can all look over the shoulder of our friends as they unlock their Androids with a finger swipe, and we can all submit prank posts to Facebook when those same friends leave their phones on the table as they grab another beer.

But we could be doing quite a bit worse. We can steal cars, money, and potentially even identities. How can we as consumers and administrators protect ourselves and our enterprise environments? Well, that's what we're looking forward to discussing in this blog. Not only will we analyze novel threats to personal and enterprise security, we'll discuss simple yet robust solutions that allow for agility in mobile environments. After all, Bond would be nothing without his speed and dexterity. Oh ... and, of course, the gadgets. You know Bond wishes he owned an UberTooth.

Don A. Bailey is a senior security consultant with iSEC Partners
