Thursday, February 6, 2014

The War for Your Mobile Pwn

Photo: Security Researcher Kyle Willhoit, Courtesy of NBCNEWS
[Updated on, February 7, 2014]

It's possible the news report may not be accurate.  Robert Graham of Errata Security posts his opinions,
 "That NBC story 100% fraudulent".  I'm interested to see if other researchers provide their opinion.

Mark Nunnikhoven (Twitter @marknca) and Kyle Willhoit (Twitter @lowcalspam) security researchers at Trend Micro (Twitter @TrendMicro) comment on the news segment in two blog posts, "Remember the Audience" and "Details Behind the NBC Honeypots: Part 2".

[Original Post, January 28, 2014]
[Original Post, February 6, 2014]

NBCNEWS reporter Richard Engel (Twitter @RichardEngel) describes the security situation on the ground in Sochi for those traveling to the 2014 Olympic events.  Engel working with security researcher Kyle Willhoit, executed a series of security experiments designed to measure the length of time it takes hackers to compromise decoy laptops and phones loaded with fake information.  You won’t like the results, there are broad security implications for all mobile device users.  If you have not watched the NBCNEWS Nightly News segment, (video) "Hacked Within Minutes: Sochi Visitors Face Internet Minefield", you should take a look.

During the segment Engel describes their security experiments and concludes, "malicious software hijacked our phone, before we even finished our coffee".  The point is that popular mobile devices are easily penetrated and exploited for personal gain by computer hackers in Sochi.  The security problem is attributed to local Sochi factors like, proliferation of skilled computer hackers, inadequate investment in law enforcement, and a strong criminal underworld.

 "Malicious software hijacked our phone, before we even finished our coffee."[Richard Engel, NBCNEWS]

I appreciated the news segment but the problem with mobile security is not unique to Sochi.  If your phone can be hacked in Sochi - it can be hacked anywhere.  The skill of hackers, investments in law enforcement, and number of criminals should be irrelevant factors.  Technology has been around for years to ensure secure communications between distant endpoints.  Strong security begins on your mobile device and is a manufacturing design choice.

When swimming in known shark infested waters, we don’t wait to see sharks before we jump into the protective shark cage.  In the same sense, the Internet infrastructure is a known hostile environment.  If mobile security problems are less obvious in the United States than Sochi it's not a positive indicator of a strong security posture.  Highlighting security weaknesses in Sochi serves to elevate public awareness to lack of shark cages along with a critical dependency of no sharks for maintaining confidence in mobile security posture.

--Milton

Share It!