About “Alexandra Instituttet A/S”
• Non-profit, application-oriented research institution with a focus on IT
• GTS – Godkendt Teknologisk Service Institut (an approved technological service institute)
• 100+ employees
[Figure: R&D (researchers, providers, users) and commercial activities (development, consultancy, ideation, networks, dissemination), linked by “generating” and “inspiration” arrows]
The Security Lab
Security Lab focuses on developing solutions and concepts that enable secure utilization of current and future IT and internet-based solutions. We focus on four leading technological trends:
• Smartphone security
• SCADA systems and Smart Grid security
• Pervasive Computing
• Cloud Computing
• Mutual Computing
• Privacy
Common to these trends is that the associated IT security issues cannot be dealt with using conventional security solutions. This is further complicated by two parallel developments: a soaring growth in cybercrime, which exposes both citizens and companies to an increasing number of threats, and Digital Natives.
To address these issues, Security Lab develops innovative concepts and solutions based on a number of core competences: Secure Multiparty Computation, authentication and privacy-enhancing technologies (PETs), usable security, secure communication, security architecture and business understanding.
Our daily work focuses on concrete research and development projects. Furthermore, we provide a number of ad hoc services, such as presentations, courses and technical advice on IT security.
Related subjects: we also contribute expertise to other fields of activity at the Alexandra Institute, where focus is on tracking, tagging and positioning, mobile applications, interaction, healthcare IT, and software.
SMARTPHONE OS
4G LTE NETWORK
What is so special about Smartphone software?
• Rich web clients and browsers that can provide PC-like browsing capabilities
• Fully fledged email clients (supporting SMTP/POP/IMAP/ActiveSync)
• Advanced internet-based application support (VoIP services, instant messengers, social networking)
• Advanced PC syncing capabilities (contacts/calendar entries/organizer)
• Multiple applications (multitasking): support for running multiple applications simultaneously
• GPS navigation applications: support for custom GPS navigation applications (e.g. Google Maps, Garmin, etc.)
• 3rd party applications can access all the hardware features of the phone (this has led to the development of so many creative and innovative applications)
WHO ARE YOUR RIVALS?
Bluetooth
BlueSniper rifle
The BlueSniper rifle for capturing data from Bluetooth-enabled phones is constructed from a Choate Ruger Mini-14 stock, a 14 dBi semi-directional Yagi antenna, a standard rifle scope, electrical tape, zip ties and cardboard.
Bluetooth attacks
Bluejacking
• is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones
Bluesnarfing
• is the unauthorized access of information from a wireless device through a Bluetooth
Wi-Fi
Wireless network
Camera & Video
Silent Monitoring
• Follow your location
• Activate your camera
• Listen to your calls
• Follow your calling list
MOBILE SECURITY
• Isolation
• Traditional access control
• Encryption
• Application provenance
• Permissions-based access control
IPHONE
Traditional Access control
iPhone, iPad
Application Provenance
Developers
• Register
• Pay fee
• Digitally signed
App store
• 1-2 weeks
• Signed
Corporations
• Clean track record
• Signed by the corporation
Pulled out from App Store*
* Both applications are back on the App Store after updating their privacy policy.
Aurora Feint – Jul 2008
• Sent contact emails in the clear
• 20 million downloads
MogoRoad – Sep 2009
• Sent phone number in the clear
• Customers got commercial calls
Storm8 Lawsuit
Create your own Trusted Certificate
Lost iPhone? – Lost Passwords!
iPhone Isolation (Sandboxing)
Restricts applications' access to OS resources: a list of deny/allow rules enforced at kernel level.
/usr/share/sandbox/SandboxTemplate.sb
(version 1)
(deny default)
; Sandbox violations get logged to syslog via kernel logging.
(debug deny)
(allow sysctl-read)
; Mount / umount commands
(deny file-write-mount file-write-umount)
; System is read only
(allow file-read*)
(deny file-write*)
; Private areas
(deny! file-write* (regex "^/private/var/mobile/Applications/.*$"))
(deny! file-read* (regex "^/private/var/mobile/Applications/.*$"))
iPhone Isolation (Sandboxing)
• Communicate to any computer over the wireless Internet.
• Access the device’s address book, including mailing addresses, notes associated with each contact, etc.
• Access the device’s calendar entries.
• Access the device’s unique identifier (a proprietary ID issued to each device by Apple).
• Access the device’s phone number (this may be disabled via a simple configuration change by the user).
• Access the device’s music/video files and its photo gallery.
• Access the recent Safari search history.
• Access items in the device’s auto-completion history.
• Access recently viewed items in the YouTube application.
• Access the Wi-Fi connection logs.
• Access the device’s microphone and video camera.
Permissions-based Access Control
• To access location data from the device’s global positioning system
• To receive remote notification alerts from the Internet
• To initiate an outgoing phone call
• To send an outgoing SMS or email message
iPhone Security Issues Timeline
Source: Apple iOS Privacy – Nicolas Seriot
Jailbreak
Source: http://en.wikipedia.org/wiki/IOS_jailbreaking
Root Exploit through PDF Handling
http://arstechnica.com/apple/news/2010/08/web-based-jailbreak-relies-on-unpatched-mobile-safari-flaw.ars
iPhone Security Breach
libtiff
libtiff – July 2007
• Multiple buffer overflows discovered by Tavis Ormandy, exploited by Rik Farrow
• Patched in iPhone OS 1.1.2
Ikee and Dutch 5 € ransom worms
Dutch 5 € ransom
SMS FUZZING
Analytics
CARRIER IQ
SIRI
SIRI – Apple Terms and Conditions
Android
Android Exploits
TRADITIONAL ACCESS CONTROL
List of apps
SD card
Launch application
Application Provenance
Permissions-based Access Control
Encryption
Who is winning?
Source: A Window Into Mobile Device Security – Carey Nachenberg, Symantec