My talk on 23 June at Confraria Security & IT

1. pocket security, your mobile by Vitor Domingos all-around mercenary

2. Vitor Domingos [email_address] http://vitordomingos.com - cloud computing & security consultant - thenextweb editor - mobilemonday PT founder - videocaster - ex failed entrepreneur - ex ITIJ / MJ - ex CGD - ex forumB2B - ex Maxitel - ex Jazztel

6. Phones ... - 15 years of pure unsecurity and few exploits - mobile is the most personal and private item we own - phones are now computers, the personal kind - they even run full operating systems

7. What's in ... - phone calls; - addressbook; - emails; - sms; - mms; - browser history; - pictures and some documents; - calendar; - gps tracking data; - shop details; - credit card info; - other sync evilness

8. TRUST - we trust the carrier - we trust the manufacturer - we trust the users - we trust the the phone - we trust the software - we trust we're safe cause it's not connected or it's in our pocket

10. Mobile Security Levels - Level 1 - Manufacturer - Level 2 - Carrier - Level 3 - User - Level 4 - Application - Level 5 - Enterprise (?)

11. Patching hell ... Problem #1 - if you got a smartphone, then probably you have somewhat upgraded your base software, if not, you're still using what came with it Problem #2 - difficult to patch (OTA is neat, but not used by many) Problem #3 - no enterprise patch; IT people say it's a carrier / user problem and not their own

12. Windows Mobile - digital application signing - limited access to the filesystem - permission requests - device encryption (enterprise) - pin protection (enterprise) - profiles (enterprise) - no granular permission

14. iPhone - OSX Security Model - Appstore - No enterprise security provisioning

16. Android / Symbian - Sandbox - Tight control on application permissions - Digital signature - No enterprise security provisioning

18. Security Community - TSTF.net - Mseclab - Tam Hanna - GSM Association Security Group

19. Password Security - Try to put a real hard password on your phone - Normally it's only 4 digit numbers - Normally if used; it's simple cause it's real hard to input something on the phone - Try K#$"%'º`^!"231Gj - Two factor authentication (?)

21. GSM Cracked - A51 Rainbowtable cracking software (reflextor.com/trac/a51) - GSM interception software (airprobe.org) - Software defined radio (gnuradio.org) - Cheap radion software (ettus.com/products)

23. 2010 - UTMS cracked (on paper) - Sandwich attack - MMS Remote Exploit - iPhone SMS Remote Exploit - Bluetooth Spamming and Attacks (bluesnarfing, bluebug, bluebugging) -$18 bluetooth sniffer - Bluetooth audio flow to headset interception - Over the air wire tapping - ... and what about flash ? :)

26. Look at the screen - what are you running ? - what is it doing ? - are you using network access ? why ? - do you know that it's doing to the filesystem ? to the memory ? to your data ? - where is your data ? - is it using secure protocols ? - where's the backup ?

29. Future (risks?) - Near Field Communications 2008: hacking NFC phones, URI spoofing, NDEF worm; 2010: Nokia announces that all phones are NFC ready - Mobile javascript in the browser (2000 called and their want to block javascript all again) - Phone SSL, VPN - Location Based something - gowalla//forsquare problems

30. Future (risks?) - Spyware disguised as apps (cydia iphone appstore) - Virus/Worm/Botnet - iphone; vodafone memory card spyware bug on android phones - Tinyurl problems (?) - Social phishing from fake call centers