Wednesday, October 19, 2016

Security: Smartphones v PC: Deja vu

My officemate's smartphone was stolen.  By the time she got online via her laptop (because she was nowhere near home), the remote lock or wipe couldn't find her phone.  It had been stolen and wiped.

Smartphone security paranoia popped up again in conversation when a friend looked over my shoulder and saw how ridiculously long it took me to type my password.  He quipped:

"You know that's not secure."
I said, "I've encrypted the phone."
"Oh, I can get around that," he said.
"You mean the USB connection and an Android debugger?  Yes, I suppose you could eventually brute force it, but that will take a while.  By then, I'll have remotely wiped the phone."

My hope was to avoid a debate about the fundamental problems of IT security, and to share my belief that a simple risk/reward exercise (weighing the annoyance of securing a device against its usability) should result in enough security to give hackers at least a big headache, if not outright despair.  My belief about consumer electronics security is this: hackers with a specific vendetta against YOU personally, someone wanting to ruin your life, will invest considerable effort in tearing down layers of security, whereas hackers at large, looking for maximum reward with minimum effort by targeting smartphones, PCs and so on en masse, will skip over consumers with decent layers of security.  In other words, most folks have more to fear from their closest friends and family, who already have access to private or personal information about them anyway, than from anonymous hackers who only know them as an IP address, but only IF they've dotted their i's and crossed their t's.

So smartphone security should address two kinds of attacker access:
  1. local / physical access
  2. remote access


Assume an ex stalks you online, goes undercover as a repairman to get access to the building you work in, watches you at work to learn when you occasionally leave your smartphone on your desk, and nabs the phone while you're in the bathroom.  Now your ex has local / physical access to your smartphone.  Only a few common security "states" exist for any smartphone:
  • unlocked screen
  • locked screen
  • connected phone
  • disconnected phone


The interesting thing about this list of smartphone states is that it applies to computers generally, especially the old PC of yesteryear.  Desktops, laptops, smartphones and other consumer devices share many security traits, and that commonality means the basic security concerns of computing in general apply to smartphones in particular.  For a PC from 20 years ago, the corresponding list of defenses was:

  • screensaver with password
  • disconnected PC (no LAN)
  • encrypted disk

20 years ago, it was silly to leave a computer screen unlocked, and trivial to get data off a computer whose disks were not encrypted once someone, like your ex, had physical access to it.  The same applies to smartphones today.

My friend's theory was that a hacker just plugs in a USB cable to bypass a smartphone password.  That hole has largely been closed: Android phones have had local storage encryption since 2011 (Android 3.0), and iPhones since 2009 (the iPhone 3GS), so both major platforms finally caught up to RIM's BlackBerry (which had been encrypting handsets since [insert date]).  Two caveats a practitioner would add.  First, encryption at rest only protects a phone that is powered off or has not yet been unlocked since boot; once the phone is running and has been unlocked, the key sits in memory, which is why the locked-screen state and the encrypted-disk state in the list above are separate defenses.  Second, the USB attack itself needs Android debugging switched on, and since Android 4.2.2 a new computer must be authorized from the unlocked phone before adb will talk to it; with debugging off, the cable by itself gets an attacker nothing.  (One technical point: Android does not encrypt removable storage by default.  An SD card used as portable storage stays in the clear; only Android 6.0's "adoptable storage", which formats the card as internal storage, encrypts it.  BlackBerry's later OSes did encrypt removable media.  Another digression: BlackBerry handsets were so highly regarded for their security that some governments, India being the best-known case, moved to ban their services or set their intelligence agencies against BlackBerry's encrypted communications.)
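As an added illustration, not code from the original post, here is a constructed Python model of the "brute force the encrypted phone" scenario from the conversation above: an attacker who has copied the encrypted flash derives a candidate disk key from each lock-screen guess and checks it offline, with no lockout or wipe to stop them.  The key derivation, the check block, the salt, the iteration count and the attacker's guess rate are all assumptions chosen for illustration, not Android's real implementation.  It shows why a 4-digit PIN falls in seconds while a 12-character passphrase does not, which is the whole argument for typing a ridiculously long password.  One caveat: since Android 5.0 the disk key is also bound to a hardware-backed key on devices that have one, so this purely offline search no longer applies there and the guess rate is limited by the device itself.

```python
"""Toy model of 'brute force the encrypted phone over USB'.

Constructed for illustration only: not Android's real key derivation.  An
attacker holding a copy of the encrypted flash can test lock-screen guesses
offline by deriving a key from each guess and checking whether it "decrypts"
a block whose content is known.
"""
import hashlib
import hmac
import itertools
import string

# Kept deliberately low so the PIN demo finishes in about a second.  Real
# devices use far higher work factors (and, since Android 5.0, hardware-bound
# keys), which is exactly what makes offline guessing expensive.
ITERATIONS = 100
# Stand-in for a sector whose plaintext the attacker can recognise (assumed).
CHECK_BLOCK = b"constructed known-plaintext sector"


def derive_key(credential: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit disk key from the lock credential (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, iterations, dklen=32)


def key_check(key: bytes) -> bytes:
    """HMAC over the known block stands in for 'does this key decrypt the header?'."""
    return hmac.new(key, CHECK_BLOCK, hashlib.sha256).digest()


def make_verifier(credential: str, salt: bytes) -> bytes:
    """What the thief can read off the stolen phone: a value that confirms a correct key."""
    return key_check(derive_key(credential, salt))


def guess_is_correct(guess: str, salt: bytes, verifier: bytes) -> bool:
    """One offline guess: derive, check, compare in constant time."""
    return hmac.compare_digest(key_check(derive_key(guess, salt)), verifier)


def brute_force_pin(salt: bytes, verifier: bytes, digits: int = 4):
    """Try every numeric PIN of the given length, in order.

    Returns (pin, guesses_made); (None, total) if no PIN matched.
    """
    guesses = 0
    for combo in itertools.product(string.digits, repeat=digits):
        guesses += 1
        pin = "".join(combo)
        if guess_is_correct(pin, salt, verifier):
            return pin, guesses
    return None, guesses


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def worst_case_years(space: int, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace at a given offline guess rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


def compare_credentials(guesses_per_second: float = 1e6) -> dict:
    """PIN versus passphrase under the same assumed attacker speed.

    guesses_per_second is an assumption for a well-equipped attacker at a
    realistic KDF cost, not a measurement.  The PIN and salt are constructed.
    """
    salt = b"constructed-salt"
    pin, guesses = brute_force_pin(salt, make_verifier("7294", salt))
    alnum = len(string.ascii_letters + string.digits)  # 62 symbols
    return {
        "pin_recovered": pin,
        "pin_guesses": guesses,
        "pin_worst_case_years": worst_case_years(keyspace(4, 10), guesses_per_second),
        "passphrase_worst_case_years": worst_case_years(keyspace(12, alnum), guesses_per_second),
    }


if __name__ == "__main__":
    for name, value in compare_credentials().items():
        print(f"{name}: {value}")
```

The PIN search succeeds after a few thousand guesses because nothing rate-limits an attacker who has the image in hand; the 12-character passphrase, at the same assumed rate, takes on the order of a hundred million years.  Raising the KDF cost or binding the key to hardware shrinks the attacker's guess rate, but only a long secret makes the keyspace itself the problem.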

Seeing the same risk profiles repeat through history, technologists offering newer yet similar security solutions, and consumers falling into the same pitfalls, I ask myself: have we learned anything as consumers of technology?
