Probing mobile (cell) networks

Mobile networks have many disparate types of devices.  You can probably guess what some of them are, or even go to the provider’s store or kiosk and get a list.  But there are going to be more devices out there.  So why not scan the IP addresses on your subnet?

Well, the access points for mobile networks generally don’t allow promiscuous access.  So you may have to go to ARIN and other lists in order to start getting some ranges to check.  You can also check access logs of a Website to find visitors with mobile devices.  (Of course, there is always the NATting that the providers do, not to mention DHCP, and the fact that most mobile devices don’t run servers or services.)

Collin Mulliner, of the Berlin Institute of Technology, did manage to find a fair amount of interesting stuff.  Windows Mobile tended to be a useful source of open ports and services (usually open FTP services on mobile devices).  He also found a number of specialized devices that were identifiable from their responses to probes.  Some of the most interesting were mobile access points: connecting to the mobile networks and then providing local wifi for computers.  Others were HTTP servers for surveillance cameras.  (Others were GPS tracking devices which, oddly, had no security against “guest” login  🙂 )  (Some were smart meters.  With smart meters rolling out here in BC, let’s hope they are more secure …)

Possibly of concern was the large number of jailbroken iOS devices.  Many of them still had the default “alpine” password.  (If you hack your own device, you’d better be prepared to secure it.)  This could form the basis of a fair sized worm and/or botnet.  Then again, iOS users aren’t alone here.  An awful lot of people seem to think nothing of creating mobile devices and hooking them up to mobile networks with very little in the way of security.

Smartphone vulnerabilities

Scott Kelly, platform architect at Netflix, gets to look at a lot of devices.  In depth.  He’s got some interesting things to say about smartphones.  (At CanSecWest.)

First of all, with a computer, you are the “tenant.”  You own the machine, and you can modify it any way you want.

On a smartphone, you are not the only tenant, and, in fact, you are the second tenant.  The provider is the first.  And where you may want to modify and customize it, the provider may not want you to.  They’d like to lock you in.  At the very least, they want to maintain some control because you are constantly on their network.

Now, you can root or jailbreak your phone.  Basically, that means hacking your phone.  Whether you do that or not, it does mean that your device is hackable.

(Incidentally, the system architectures for smartphones can be hugely complex.)

Sometimes you can simply replace the firmware.  Providers try to prevent that, sometimes looking at a secure boot system.  This is usually the same as the “trusted computing” (digital signatures that verify back to a key that is embedded in the hardware) or “trusted execution” (operation restriction) systems.  (Both types were used way back in AV days of old.)  Sometimes the providers ask manufacturers to lock the bootloader.  Attackers can get around this, sometimes letting a check succeed and then doing a swap, or attacking write protection, or messing with the verification process as it is occurring.  However, you can usually find easier implementation errors.  Sometimes providers/vendors use symmetric encryption: once a key is known, every device of that model is accessible.  You can also look at the attack surface, and with the complex architectures in smartphones the surface is enormous.
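To make the shared-key point concrete, here is an added sketch (mine, not from the talk) comparing a model-wide symmetric key with per-device derived keys.  HMAC-SHA256 stands in for whatever symmetric scheme a vendor might use, and every key, device name and image below is constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; not real keys, device IDs or firmware.
MODEL_KEY = b"constructed-model-wide-key"
VENDOR_MASTER = b"constructed-vendor-master-secret"
DEVICES = ["device-A", "device-B", "device-C"]


def tag(key: bytes, image: bytes) -> bytes:
    """MAC over a firmware image, used as a symmetric 'signature'."""
    return hmac.new(key, image, hashlib.sha256).digest()


def device_key(device_id: str) -> bytes:
    """Per-device key derived from a secret only the vendor holds
    (key diversification; an assumed mitigation, not from the talk)."""
    return hmac.new(VENDOR_MASTER, device_id.encode(), hashlib.sha256).digest()


def accepts(key: bytes, image: bytes, image_tag: bytes) -> bool:
    """Boot-time check a device performs with the key stored on it."""
    return hmac.compare_digest(tag(key, image), image_tag)


def exposure(leaked_from: str, diversified: bool) -> list[str]:
    """Devices that accept an image tagged with the key held by one device."""
    image = b"unofficial image (constructed)"
    leaked = device_key(leaked_from) if diversified else MODEL_KEY
    image_tag = tag(leaked, image)
    accepted = []
    for dev in DEVICES:
        stored = device_key(dev) if diversified else MODEL_KEY
        if accepts(stored, image, image_tag):
            accepted.append(dev)
    return accepted


if __name__ == "__main__":
    print("model-wide key :", exposure("device-A", diversified=False))
    print("per-device keys:", exposure("device-A", diversified=True))
```

With the digital-signature approach mentioned earlier in the paragraph, the device holds only a public key, so there is no signing secret on it to extract at all.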

Vendors and providers are working towards trusted modules and trustzones in mobile devices.  Sometimes this is virtual, sometimes it actually involves hardware.  (Personally, I saw attempts at this in the history of malware.  Hardware tended to have inherent advantages, but every system I saw had some vulnerability somewhere.)

Patching has been a problem with mobile devices.  Again, the providers are going to be seen as responsible for ongoing operation.  Any problems are going to be seen as their fault.  Therefore, they really have to be sure that any patch they create is absolutely bulletproof.  It can’t create any problems.  So there is always going to be a long window for any exploit that is found.  And there are going to be vulnerabilities to exploit in a system this complex.  Providers and vendors are going to keep trying to lock systems.

(Again, personally, I suspect that hacks will keep on occurring, and that the locking systems will turn out to be less secure than the designers think.)

Scott is definitely a good speaker, and his slides and flow are decent.  However, most of the material he has presented is fairly generic.  CanSecWest audiences have come to expect revelations of real attacks.

Paper safe

I first saw this, appropriately enough, on Improbable Research.  It’s appropriate, because, when you see it, first it makes you laugh.  Then it makes you think.

This guy has created a paper safe.  Yeah, you got that right.  A safe, made out of paper.  No, not special paper: plain, ordinary paper, the kind you have in your recycling bin.  He’s even posted a video on YouTube showing how it works.

Right, so everyone’s going to have a good laugh, yes?  Paper isn’t going to provide any protection, right?  It’s a useless oddity, of interest only to those with an interest in origami, and more free time on their hands than any security professional is likely to get.

Except, then you start thinking about it (if you are any kind of security pro).  First off, it’s a nice illustration of at least one form of combination lock.  And then you realize that the lock is going to be useless unless it’s obscured.  So that brings up the topic of whether security-by-obscurity does have a function sometimes.

Then you start thinking that maybe it isn’t great as a preventive control, but it sure works as a detective control.  Yeah, it’s easy to smash and get out whatever was in there.  But it’ll sure be obvious if you do.

So that brings up different types of controls, and the reasons you might want different controls in different situations, and whether some perfectly adequate controls may be a) overkill, or b) useless under certain conditions.

It’s not just a cute toy.  It’s pretty educational, too.  No, I’m not going to keep my money in it.  But it makes you think …

New computers – Kindle – Ebooks and education

Recently I was discussing the use of technology in education, when an odd (to me) question came up.  It was about the use of ebooks.  That wasn’t really high on my radar on the tech-in-ed landscape.  When I started (good grief, more than 30 years ago) the use of computers for textbooks was a vague, blue-sky idea that a guy named Vannevar Bush had once talked about.  (Actually, he was talking about a desk, rather than a book.)

Recently, of course, there has been a lot of discussion about ebooks.  School boards have been looking into cost savings.  Major tech corporations and publishing conglomerates are getting on the bandwagon.  So, her interest was natural.

Specifically, she wanted to know:

> Perhaps you talk to me a bit about why (from a non-environmental
> standpoint) it’s important for students to use digital e-books?
> Is there a learning curve when it comes to learning from an ebook
> rather than a textbook? Is there a shorter attention span?
> What about eye strain?
> How would this affect the structure of learning?

This I could do, having been given a Kindle for Christmas this year.  I have just finished doing my first review for the series, using an ebook on the device.  Definite tradeoffs: it was easier to grab quotes, much harder to make notes, easier to search, and a right royal pain to try and flip back and forth to check notes, index, etc.  Also a complete pain to check references in other works.

In terms of education, and using study materials in school, it was easier to grab quotes — which would make copying and plagiarism easy and very tempting.  That’s a bad thing.  It is much harder to make notes, and makes study, or writing your own paper, more difficult.  Again, given that the purpose of many assignments is to get students to practice creating their own writing, this is a bad thing.

On the other hand, it’s easier to search, and that’s good for studying.

But it’s a right royal pain to try and flip back and forth to check notes (most books don’t have footnotes any longer; they are now endnotes, at the back of the book), the index, appendices, and other material in the book.  It is also a complete pain to check references in other works: definitely bad for studying and learning.

In terms of it being “important” for students to use ebooks: as a former public school teacher I don’t think it is.  The only reasons would be cost, and getting up to date materials.  Frankly, the quality of almost all school texts is absolutely appalling, so having the latest version of tripe isn’t all that important.  So, that just leaves cost.

There is a learning curve to using an e-reader, but a fairly small one.  No, I take that back.  Actual reading isn’t that hard, but you do have to learn something about filing, arranging, and accessing material on the device, particularly in a school/learning situation.

The small screen size is a bit annoying, although you generally can increase the font size.  (The book I just finished reviewing was in PDF, and the options for font size for that are very much less.)  Generally I didn’t find much eye strain, although I’m used to reading small print, but in low light it was pretty awful.

In terms of learning structure, there could be some advantages.  As a teacher, I could create notes and send them to the devices of all the students: it would help that they could not say they didn’t have the assignment  🙂