Perimeter
12/15/2011
07:48 AM
Don Bailey
Commentary

For Your Mobile Only

Imagine a modern-day plot for a James Bond movie and how mobile would make his task a whole lot easier

As I sit only a few meters away from the famed Seychelles villa where Ian Fleming penned the Bond book "For Your Eyes Only," I have to chuckle to myself. If only Ian knew what the world would be like almost 50 years later.

While the short stories are quite different, the movie has Bond retrieving a lost transmitter capable of issuing ballistic missile attacks before the KGB can get their hands on it. In modern times, the plot might be vastly different. Rather than a ridiculous transmitter, I wouldn't be surprised to find Bond seducing and sniping his way toward an Apple or Android smartphone. If he had friends like many of us in information security have today, then he might not even need to leave his beautiful Seychelles seaside villa to exact compromise of the targeted control device. After all, cellular technology penetrates almost every corner of the globe today, and the tiny island chain in the Indian Ocean is certainly no exception.

And we do control so much today with our phones, don't we? Checking email and video chatting with friends and family seem almost old hat, even on our mobile phones. This is especially true when applications can be installed on our phones that remotely start our vehicles' engines and unlock their doors. We can turn on and off the lights in our house with a simple swipe of a pixelized button. We can deposit checks through our mobile phones without ever having to submit the physical check to a bank. Even the doors on our homes and offices can be unlocked through security systems accessed via our mobile phone.

Things get even stranger when we consider the use of a phone as an access token. Google Auth and Duo Security help us log in securely to virtual private networks, servers, and other systems. The new NFC technology even assists in automating and validating payment processing.

These are exciting, new technologies. We have no reason to step back and assert that these advances are horrible leviathans creeping about the ether, poised to strike. These are novel ways of interconnecting our world and making it more convenient for us to live our lives. That's definitely a good thing. The danger comes from our eagerness to deploy these technologies too quickly, and not acknowledging the mobile device for what it is: a nexus.

Digital communication was largely isolated to short distances in the consumer space. WiFi networks, Bluetooth, Zigbee, and most other consumer RF technologies we use for communications are rather restricted by distance. Yet these protocols all connect to the most important devices in our personal and business environments: our computers. WiFi connects home offices and corporate networks to meeting rooms and living rooms, where intellectual property and personal financial records are stored. Bluetooth integrates our printers and audio devices, and can synchronize data with laptops, desktops, or mobile devices. Zigbee enables the connection of control systems to sensors and components that govern our physical environment. You would have to be physically close to these environments to penetrate or circumvent their security controls.

In today's world, cellular devices are constantly connected to the Internet and can be accessed globally. Additionally, more and more mobile devices are being outfitted with 802.11, Bluetooth, RFID/NFC, and even Zigbee capability. If a mobile phone can be compromised over the globally connected cellular link, then attackers can potentially pivot network access from the cellular environment to isolated proximity-based environments, such as the aforementioned. Imagine a single vulnerability in a globally deployed mobile platform that allowed an attacker administrative remote access to the phone's command shell. Now imagine the potential abuses. Eavesdropping? Credential theft? Network pivoting? How about compromise of adjacent mobile devices, such as mobile phones, connected to the same WiFi network? There are endless possibilities because the technology is now globally reachable.

Not only are mobile devices a nexus of information, they're a nexus for connectivity. These devices know where we are, who we're talking to, what we require to live, how much money we can spend, and where to route our most important information through. Mobile devices are the keys to the kingdom, not some large, antiquated metal box blinking red as it transmits ballistic missile instructions to submarines. The mobile phone is a torpedo all on its own, and in a way, we are all James Bond. We can all look over the shoulder of our friends as they unlock their Androids with a finger swipe, and we can all submit prank posts to Facebook when those same friends leave their phones on the table as they grab another beer.

But we could be doing quite a bit worse. We can steal cars, money, and potentially even identities. How can we as consumers and administrators protect ourselves and our enterprise environments? Well, that's what we're looking forward to discussing in this blog. Not only will we analyze novel threats to personal and enterprise security, we'll discuss simple yet robust solutions that allow for agility in mobile environments. After all, Bond would be nothing without his speed and dexterity. Oh ... and, of course, the gadgets. You know Bond wishes he owned an UberTooth.

Don A. Bailey is a senior security consultant with iSEC Partners
