Endpoint Security and Smartphones

Some time back, the FBI was heard to say in public that draw-your-passpattern
security, as seen on Android smartphones and tablets, was too much for them,
at least as long as you kept your screen clean of skin oil. :-)

Whether or not that's true, there are apparently ways to attack even that,
using just the sensors on the platform. Specifically, the accelerometers
(which are actually usually just angle sensors):

  http://www.schneier.com/blog/archives/2013/02/guessing_smart.html

If you're responsible for security, BTW (and if you're on NANOG, you
probably are), Bruce Schneier should be on your daily bookmark list...
even if you think he's full of crap.

Cheers,
-- jra

Kind of seems to me that if I am deep enough in your mobile device to get your accelerometer data, I probably can get access to your stored data in the device. The only reason I think I would want your passcode would be to physically steal your device and then try to use it.

This is one of those attacks that is probably possible but not practical. Interesting blog, however.

Steven Naslund

My knowledge of mobile device security is pretty limited. I am just trying to wrap my head around the value of your passcode. I suppose it would be good to know if I could get covert access to the device itself so I could see what is on it. I would, however, have to get some malicious code on the device to get the passcode, so it would seem to be easier to put malicious code on your device that sends me whatever I need the passcode to access in the first place. I guess one of my thoughts on computer security in general is that if someone gets physical access to the device, it is history. I would not count on the passcode to be very protective because it would seem that there would be some kind of way around it through the hardware vendor; maybe not, but someone would have to convince me that a backdoor does not exist.

Steven Naslund

Normal apps can usually get the accelerometer data without breaking device security.

So you download the newest cool free Mine Birds or whatnot, and its server upload traffic eventually includes guesses at your passcode along with your game status...

George William Herbert

I get that part. I guess I am just trying to figure out why having your
passcode is such an advantage. I guess if you really want to physically
steal (or temporarily "borrow") my phone and get into it, that would be
useful. I would be much more concerned about remote exploits because I
have always assumed that if you physically have the device, you are
going to get into it. All I count on my passcode for is to prevent me
from butt dialing.

I think the real value here would be if it were used as more of a
general purpose keystroke grabber that could tell me remotely what you
are doing with your phone. Problem with that is that the accuracy would
have to be much better for that purpose.

Steven Naslund

Well, I guess it all goes back to my original assumption that unless you control physical access to the device there really is no security. Unless someone can prove to me that the passcode is a part of a cryptographically secure system (which is unlikely given the key length of the passcode) that guards the entire file system of the device, then it is nothing more than a lock to keep kids out and prevent butt dialing. This is no different than losing physical control of your laptop computer or desktop machine. Unless you have implemented some of the most draconian security measures including full file system encryption with a removable key store (like a smartcard or such), loss of the physical device is game over in most cases.

I think this attack might have value if aimed at a single individual target with a high value reason for needing access to the phone (think CIA going after a high value target). To write an app that randomly grabs passcodes from the general public is a lot less useful because the passcode does nothing for me without the physical device. I still cannot figure out what the practical value of this is other than to demonstrate that having all of these sensors on your person is a security threat.

Steve