Endpoint Security and Smartphones
Some time back, the FBI was heard to say in public that draw-your-passpattern security, as seen on Android smartphones and tablets, was too much for them, at least as long as you kept your screen clean of skin oil. :-)

Whether or not that's true, there are apparently ways to attack even that, using just the sensors on the platform. Specifically, the accelerometers (which are actually usually just angle sensors):

http://www.schneier.com/blog/archives/2013/02/guessing_smart.html

If you're responsible for security, BTW (and if you're on NANOG, you probably are), Bruce Schneier should be on your daily bookmark list... even if you think he's full of crap.

Cheers,
-- jra
--
Jay R. Ashworth    Baylink    jra@baylink.com
Designer    The Things I Think    RFC 2100
Ashworth & Associates    http://baylink.pitas.com    2000 Land Rover DII
St Petersburg FL USA    #natog    +1 727 647 1274

Kind of seems to me that if I am deep enough in your mobile device to get your accelerometer data, I probably can get access to your stored data in the device. The only reason I think I would want your passcode would be to physically steal your device and then try to use it.

This is one of those attacks that is probably possible but not practical. Interesting blog however.

Steven Naslund

-----Original Message-----
From: Jay Ashworth [mailto:jra@baylink.com]
Sent: Tuesday, February 19, 2013 9:20 AM
To: NANOG
Subject: Endpoint Security and Smartphones

Some time back, the FBI was heard to say in public that draw-your-passpattern security, as seen on Android smartphones and tablets, was too much for them, at least as long as you kept your screen clean of skin oil. :-)

Whether or not that's true, there are apparently ways to attack even that, using just the sensors on the platform. Specifically, the accelerometers (which are actually usually just angle sensors):

http://www.schneier.com/blog/archives/2013/02/guessing_smart.html

If you're responsible for security, BTW (and if you're on NANOG, you probably are), Bruce Schneier should be on your daily bookmark list... even if you think he's full of crap.

Cheers,
-- jra

Normal apps can usually get the accelerometer data without breaking device security.

So you download the newest cool free Mine Birds or whatnot, and its server upload traffic eventually includes guesses at your passcode along with your game status...

George William Herbert
Sent from my iPhone

On Feb 19, 2013, at 8:07 AM, "Naslund, Steve" <SNaslund@medline.com> wrote:
Kind of seems to me that if I am deep enough in your mobile device to get your accelerometer data, I probably can get access to your stored data in the device. The only reason I think I would want your passcode would be to physically steal your device and then try to use it.
This is one of those attacks that is probably possible but not practical. Interesting blog however.
Steven Naslund

I get that part. I guess I am just trying to figure out why having your passcode is such an advantage. I guess if you really want to physically steal (or temporarily "borrow") my phone and get into it, that would be useful. I would be much more concerned about remote exploits because I have always assumed that if you physically have the device, you are going to get into it. All I count on my passcode for is to prevent me from butt dialing.

I think the real value here would be if it were used as more of a general purpose key stroke grabber that could tell me remotely what you are doing with your phone. Problem with that is that the accuracy would have to be much better for that purpose.

Steven Naslund

-----Original Message-----
From: George Herbert [mailto:george.herbert@gmail.com]
Sent: Tuesday, February 19, 2013 10:47 AM
To: Naslund, Steve
Cc: NANOG; George Herbert
Subject: Re: Endpoint Security and Smartphones

Normal apps can usually get the accelerometer data without breaking device security.

So you download the newest cool free Mine Birds or whatnot, and its server upload traffic eventually includes guesses at your passcode along with your game status...

George William Herbert
Sent from my iPhone

participants (3)
- George Herbert
- Jay Ashworth
- Naslund, Steve