RE: Endpoint Security and Smartphones

["Naslund, Steve" <SNaslund () medline com>]

Well, I guess it all goes back to my original assumption that unless you control physical access to the device there 
really is no security.  Unless someone can prove to me that the pass code is a part of a cryptographically secure 
system (which is unlikely given the key length of the passcode) that guards the entire file system of the device, then 
it is nothing more than a lock to keep kids out and prevent butt dialing.  This is no different than losing physical 
control of your laptop computer or desktop machine.  Unless you have implemented some of the most draconian security 
measures including full file system encryption with a removable key store (like a smartcard or such), loss of the 
physical device is game over in most cases.

I think this attack might have value if aimed at a single individual target with a high value reason for needing access 
to the phone (think CIA going after a high value target).  To write an app that randomly grabs pass codes from the 
general public is a lot less useful because the pass code does nothing for me without the physical device.  I still 
cannot figure out the practical value of this is other than demonstrate that having all of these sensors on your person 
is a security threat.

Steve

-----Original Message-----
From: Jay Ashworth [mailto:jra () baylink com] 
Sent: Tuesday, February 19, 2013 10:41 AM
To: Naslund, Steve
Subject: Re: Endpoint Security and Smartphones

----- Original Message -----
> From: "Steve Naslund" <SNaslund () medline com>

> My knowledge on mobile device security is pretty limited. I am just 
> trying to wrap my head around the value of your passcode. I suppose it 
> would be good to know if I could get covert access to the device 
> itself so I could see what is on it. I would however have to get some 
> malicious code on the device to get the passcode so it would seem to 
> be easier to put malicious code on your device that sends me whatever 
> I need the passcode to access in the first place. I guess one of my 
> thoughts on computer security in general is that if someone gets 
> physical access to the device, it is history. I would not count on the 
> passcode to be very protective because it would seem that there would 
> be some kind of way around it through the hardware vendor, maybe not 
> but someone would have to convince me that a backdoor does not exist.

Well, certainly it's stored on there, but the received wisdom is that it is somewhere where apps not granted superuser 
by the user can't reach it, so a "normal" trojan couldn't get to it.

It is, of course, in the FBI's best interest to lie about whether they can break this sort of security...

But in fact, the point of the pass-swipe is that no, physical access is not enough -- as long as you're not the 
"disassemble the device and put the flash memory on a scanning-tunnelling microscope" class of attacker; there probably 
really are uses for this attack.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274