2 posts tagged “security”
This is article 1 of a short series about mobile illusions.
For many of us a mobile phone has become a very personal device, with modern phones having extended communication and media features. They take pictures and videos, and send and receive e-mail and SMS. There is support for IM and geo-tagging, and they grant access to your social internet network via Twitter, Facebook, Hyves, YouTube etc. Imagine losing such a phone, either by theft or forgetfulness. Imagine it falling into the wrong hands.
A private phone
Your phone contains a full register of all your friends' addresses and phone numbers, and your intimate SMSes, e-mails, IM logs, tweets and personal notes. Not to mention buddy tracking on Google Maps and similar. The satnav in YOUR phone can guide any thief quickly and easily to their houses while they are not there. Not to mention stalking, pestering and/or simply 'fungames' from social misfits. It often has location-tagged photos, saying where and when they were taken and showing exactly where there are expensive things to nick. None of this information is protected or encrypted on nearly any phone.
A secure PC
There exists a responsibility to keep personal information of your friends and family safe, which is a reason my laptop and PC run full-disk encryption at home. You can steal my hardware, but that damage is insured. Sure, high-tech hackers may break through my firewall(s) and hack into my PCs. But it takes skill and more effort (read: cash and time) than it is worth to them. Besides, my financial administration runs from a junk-free dedicated OS installed on a secure USB stick. My PC is powered off and boots directly from the USB stick. Fat chance that it is hacked during those few minutes a week it is online for bank transactions, and I install no unsigned software from unknown sources.
A secure Phone?
But what about my mobile phone? Hardly any of the big phone manufacturers makes any noise about security as a feature. Silently, Nokia's latest E-series market introductions (e.g. E71, E75, E55) now offer standard out-of-the-box support for device locking, remote device locking (also via SMS) and device and memory card encryption. This might become even more important with the introduction of financial transaction technology like NFC. More and more possibilities are being introduced to make payments via your mobile phone. Viruses have already been found that send SMS or make calls to make some cash off your phone. Luckily, little success has been booked so far with these schemes and for now it seems safe. Still, Symbian security has already been broken. So it seems only a matter of time until the s^$%t hits the fan. Your smartphone is a MIMD (mobile internet & media device) and as such is often fed all kinds of nasty web pages, scripts, media and software from an unknown origin. Should you really install software from an unknown source (even if signed) on a device that is meant to store private data and that can do financial transactions?
With mobiles getting pocket computer aspirations, mobile security should get beefed up as well. Think about secure and reliable encryption of private data, and the ability to run insecure and unsigned software and games in a sandbox, separated and shielded from the part that does the private and financial things.
Security options
With the increasing technological options to make payments and money transactions via a mobile phone this becomes more and more essential. Some of these issues have been addressed by some features of some mobile phone manufacturers and some mobile OS manufacturers. Software signing and security certificates already exist, though memory encryption as a default option exists only for a few phones. Third-party developer options exist but are hardly useful or accessible for an average Joe intending personal use. Only Java seems to have some security model for selecting access to different phone data and functions (phonebook, internet, SMS, calling etc.).
Phone and future
Most mobile phone related manufacturers simply consider security an issue of "If we don't mention it, it does not exist". In other words, play dumb. This sadly never works. Security is a big issue, and it should be resolved now by the large manufacturers and mobile OS designers (Symbian.org, Windows Mobile, Android). They should be scoring points from us now instead of losing them later on. Apple streamlined the graphical user interface, putting touch on the consumer's map. Time to streamline security features, I should say.
Nokia is already taking a step in the right direction, but sadly not far enough and only for some devices. Why design an N97 to be the ultimate social connector and then forget about privacy? How important are a touchscreen and 5 instead of 3.2 MPixel photos compared to reliability and security? How much value do you put on the knowledge that after your phone is lost or stolen your house will not be ransacked while you have an appointment with the dentist, and that you will not find your kids' pictures back on some crazy's website?
Think about it the next time you shop for a new phone!
This is a quick note on how to secure the private data on your phone. Most people are unaware of the security features of their phone. The phone does provide some reasonable security features. The description here is for the N95, but most S60 3rd edition phones should have the same possibilities.
The N95 in its default version allows you to set a lock code on your phone (Tools/Settings/General/Security). If you do, it asks for the code at power-on, just after the SIM code is asked. You can also set an autolock time: if the phone has been unused for a certain set time it locks itself and requests the proper lock code. The lock code of the N95 cannot be circumvented unless one reflashes or hard resets (which requires the lock code) the phone. And reflashing or a hard reset will erase the phone memory, clearing all personal data.
So what about the microSD memory card? That's where most of us store our pictures, movies and documents. Well, you can set a password on that one too (Tools/Memory). It makes the microSD card unreadable through a card reader on the PC. You can still read and write to the card if you connect the N95 to the PC. But in a card reader it tells you there is no disk etc. If you put a password-protected card in your phone it will say it is broken and that it can't read it. But then if you set the password in the phone via Tools/Memory it will be able to read the card correctly. And you can always clear the password via Tools/Memory (proper password required to unlock first) and behold, the microSD card becomes readable on the PC again. The card encryption is hardware implemented in the microSD card and not the phone. Thus no CPU capacity is wasted on the encryption.
The symmetric Cryptomeria cipher used for microSD cards has a key of only 56 bits, but it is still uncracked to date. In any case it is more than sufficient to keep nosy people from reading your card data. The phone memorizes the lock code, so there is no need to re-enter the code, not even after a reboot following a power-off. Which is why a lock code on your phone makes sense. Particularly sensitive information can be compressed. Zip will do, but a good Huffman encoder is better. This will increase the entropy of the data and makes decoding in general a lot harder. Or one can use a separate encryption program that encodes your passwords with hardier encryption. But for my home videos and pictures I am content with the security level.
My phone's lock time is set to 4 hours. This is a different lock time than the automatic keyboard lock. Any thief will have to sleep some time and I am only bothered once a day to type it in ;-) And I would love to see him go to a service center with my phone and get brought to justice ;-)
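An added example, not part of the original post: a short Python check of the compression and entropy point made above. It measures the byte entropy of some records before and after compression, and whether a key is needed to reverse the compression. It uses Python's zlib module (Deflate, the LZ77 plus Huffman method that Zip uses); the sample records are constructed for illustration.

```python
import math
import zlib
from collections import Counter


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def compare(plain: bytes) -> dict:
    """Compress `plain` and report entropy before/after plus reversibility."""
    packed = zlib.compress(plain, 9)
    return {
        "plain_entropy": byte_entropy(plain),
        "packed_entropy": byte_entropy(packed),
        "size_ratio": len(packed) / len(plain),
        # Decompression takes no key or password: anyone holding the
        # compressed bytes gets the original back.
        "recovered_without_key": zlib.decompress(packed) == plain,
    }


# Constructed sample: 1000 fake "site user password" records.
SAMPLE = "\n".join(
    f"site{i}.example user{i} password-{i * 7919 % 10007}" for i in range(1000)
).encode()

if __name__ == "__main__":
    for name, value in compare(SAMPLE).items():
        print(f"{name}: {value}")
```

The per-byte entropy does rise after compression, but the last field shows that the data is recovered without any secret, so confidentiality for such records has to come from the separate encryption program mentioned above.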
Share and enjoy,
Snoyt