Mobile and Internet of Things (IOT) security
Questions/salient issues/things we want to know
- Use phone for two-factor authentication (Google Authenticator)
- What does increased surveillance mean for our mobile devices?
- How do we balance our use of phones as vectors of surveillance vs phone as tool for security (how do we decide when to use our phones at home?)
- Can we transfer data from phones through peer to peer networks in a way that is HIPAA compliant?
- How can consumers lock down IoT devices?
- Strategies for minimizing threat of devices that are already compromised?
- How similar are IoT devices to phones and are there standards emerging in the field? (Answer: there are similarities and differences.)
What is a mobile device?
- 2 complete operating systems--one for calls/data (baseband processor) and one that operates the apps. The calls/data one is even less secure than the other.
- Phones and IoT devices have in common: GPS, gyroscope, sensors, a new set of issues that come from data being collected all the time.
- How cell networks work: Phone connects to towers, which each have own radius. Towers connect to each other. Difft infrastructures (4G, LTE, etc) Towers connect to a center. Then back out to other towers and out to the receiving device. Towers connect to each other in the same way but in and out of the centers is different from that. Signals between the phone and the tower are easy to intercept/attack. (Stingrays eg)
- Baseband processor is what sends and receives this data as described above.
- Phones are hard to secure because you don't own/control the hardware, firmware, software. As a user you don't see anything that the baseband processor does. It is possible to send messages from the cell tower to the baseband processor to make it do things like turn the microphone one.
- Two methods to get your location info from a phone: GPS, which you can turn off via permissions; triangulating your location from what towers are receiving a signal from your phone. This is the tech that allows you to make calls/get texts/data, so there is no way to obfuscate your location if you want to use the calling or text functionality.
- The phone also records what tower is communicating with it.
- Who has access to this location info?
- If the govt already knows what you are doing or doesn't care/it doesn't create a risk, this location info leakage may not matter to you.
- Law enforcement can get access to where you are, who you are talking to, how long etc.
- This info is accessed by a cellular company or law enforcement stingray usage.
- Using VPN on your phone does not obfuscate location info
- Disagreement in the room about how secure mobile devices can be
- iOS and Android have different permissioning systems--iOS is more granular
Mobile security practices we in the room use
- Not using fingerprint sensor b/c law enforcement has fingerprints--using passcodes instead.
- Regular software updates (if you can--Android you are dependent on your provider to supply the update)
- Minimizing information kept on the phone
- Not backing up to iCloud
- Devices talk in insecure ways to cloud servers and the storage is often not secure.
- Devices have hard coded passwords that can't be changed by users and they can be remote accessed and then used for DDoS attacks. There is a list of devices at shodan.io.
- There are some compliance guidelines coming down the pike in the US for IoT devices. The ability to update is one of them.
- Newer iOS devices--it is hard to get into your phone without tremendous sophistication. BUT iCloud is vulnerable to subpoena bc the data on iCloud Apple has the encryption keys.
- This went by so fast, there is so much more to cover! Maybe more sessions.