Smartphones Security
CS 691
Sujeeth Narayan

Agenda
Part 1 - Introduction to Smartphones
Part 2 - Security Issues
Part 3 - Unified Framework
Part 4 - New Authentication Method
Part 5 - Conclusion

Motivation
• A developing technology industry
• Security is unstable in mobile phones
• Easy to test

Part 1: Introduction to Smartphones

What are Smartphones?
• Includes:
  • Vocal communications – GSM, GPRS
  • Web browsing
  • eMail
  • Organizer functions
  • Multimedia capabilities
    • Media player
    • Audio, video recorder
    • Camera

Smartphones Internals
• Capabilities:
  • Personal Information Management
  • Synchronize using protocols such as ActiveSync, IntelliSync
  • Connect using Bluetooth, IrDA or GPRS
• Operating Systems:
  • Windows Mobile™ - Audiovox SMT 5600
  • Symbian (Linux) – Motorola A760

OS Architecture

Risks related to Inherent Characteristics
• Based on the operating system – bugs, security holes
• Data security – a PIN exists but is not applied to data

Risks related to Users
• Easy to synchronize data with a personal computer
• Not enough data security
Mobile usage survey by Pointsec Mobile Technologies

Risks related to Networks
• Bluetooth:
  • Short-range wireless connections
  • Has a security specification, but it is not used by many users
  • Setting the Bluetooth service in discoverable mode
• Possible attacks:
  • BTBrowser scans for nearby Bluetooth devices and browses directories
  • Buffer overflow attacks in some response messages
• Bluejacking:
  • Putting a message in place of one's device name
  • Sending it with a pairing request
  • With a prompting message, the victim presses a key
  • The victim would then allow the attacker to access files

Risks related to Networks
• GPRS (General Packet Radio Service):
  • Works on radio waves
  • Works with Internet connectivity
• Possible attacks:
  • Attacks from the Internet – eMails, messenger messages
  • Compromised backbone of the GGSN – Gateway GPRS Support Node

Enterprises Security Policy
• Banning use of personal smartphones
  • Unrealistic
  • Impossible to physically control
• Should define:
  • Synchronization
  • Use of devices in public places (deactivate Bluetooth)
  • Information exchange between device and enterprise system

USF - Unified Security Framework
Driven by:
NIST – National Institute of Standards and Technology
CSRC – Computer Security Resource Center
Published in June 2004
http://csrc.nist.gov/mobilesecurity/Publications/PP-UNIsecFramework-fin.pdf

USF - Addresses Issues
• User Authentication –
  • The first line of defense for an unattended, lost, or stolen device.
  • Multiple modes of authentication increase the work factor for an attacker.
• Content Encryption –
  • The second line of defense for protecting sensitive information.
• Policy Controls –
  • Policy rules, enforced for all programs regardless of associated privileges, protect critical components from modification, and limit access to security-related information.

Part 4: New Authentication Method

Picture Password: A Visual Login Technique for Mobile Devices
Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick Ayers, Ryan Swanstrom
http://csrc.nist.gov/publications/nistir/nistir-7030.pdf

Method:
• Extracting the selection of images
• Matrix formation of images
• Associated value for each image
• Generate equivalent password
• Extracting the characteristics of image ???

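The steps on this slide, worked through as an added example (not code from the slides or from the cited NIST report): each cell of an image matrix has an associated value, the ordered selection is concatenated into the equivalent password, and only a salted hash of it is stored. The 5x6 grid, the alphabet, the minimum length, the function names and the use of PBKDF2 are assumptions of this example.

```python
import hashlib
import hmac
import math
import os

# Assumptions of this example (not from the slides): a 5x6 thumbnail matrix,
# one symbol per image, PBKDF2-HMAC-SHA256 for storage.
ROWS, COLS = 5, 6
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123"  # 30 values, one per image
ITERATIONS = 100_000
MIN_SELECTIONS = 4

def image_value(row, col):
    """Associated value for the image at (row, col) in the matrix."""
    if not (0 <= row < ROWS and 0 <= col < COLS):
        raise ValueError(f"selection ({row}, {col}) is outside the matrix")
    return ALPHABET[row * COLS + col]

def equivalent_password(selections):
    """Concatenate the values of the selected images, in selection order."""
    if len(selections) < MIN_SELECTIONS:
        raise ValueError("too few images selected")
    return "".join(image_value(r, c) for r, c in selections)

def enroll(selections, salt=None):
    """Return (salt, hash); the picture sequence itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    password = equivalent_password(selections).encode()
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

def verify(selections, salt, stored_hash):
    """Check a login attempt; malformed input counts as a failed attempt."""
    try:
        _, candidate = enroll(selections, salt)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_hash)

def search_space_bits(length):
    """Upper bound on the entropy of a sequence of `length` images."""
    return length * math.log2(ROWS * COLS)

if __name__ == "__main__":
    chosen = [(0, 0), (1, 2), (4, 5), (2, 3)]  # constructed sample selection
    salt, stored = enroll(chosen)
    print(equivalent_password(chosen), verify(chosen, salt, stored))
    print(f"{search_space_bits(len(chosen)):.1f} bits at most")
```

The entropy bound shows why the sequence length matters: four images from a 30-cell matrix give under 20 bits, so the stored hash needs a slow key-derivation function and the device needs attempt limiting.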
Part 5: Conclusion

Conclusion
• Smartphones are complex in architecture and design
• Network protocols are complex to implement
• Technology is growing, and more weaknesses will possibly be discovered
• Organizations should consider these devices in policy making

References
http://csrc.nist.gov/mobiledevices/projects.html
http://www.wirelessdev.net
http://www.smartphonethoughts.com
http://www.AirScanner.com - Mobile Firewall and Antivirus
http://www.PointSec.com - Mobile Security Software

Questions?