Conspiracy theorist ready your tin hats!
I’ve taken to listening to podcast instead of music while running and heard some interesting news that encouraged me to rush back to my computer this morning and do some research.
History: Most of you will remember the Firestone tire recall from 1990 where more than 100 deaths were attributed to tire separation which was due to over inflation of the tire. In response to this, the Clinton Administration passed the TREAD act. One of the key provisions of this act was that all cars sold after Sept 1 2007 have installed TPMS (Tire Pressure Monitoring Systems) which would give the driver near real time information on the status of tire pressure. The information is fed back to your cars ECU (“computer”) which would presumably know the optimum pressure for your factory tires and warn you of over/under inflation.
If you don’t know how these work, these are small devices which are stuck to the inside of your rim with a small RF sensor that is run by a small watch battery (see image at right). The information is not real time, it is sent periodically (60-90 second intervals) to your cars computer. However your computer is always “listening” for input from these devices.
The news around this is that researchers from Rutgers University have published a press release that they are going to discuss the dangers of spoofing these devices in order to gain access to the computer possibly able to cause issues for the driver or the vehicles control systems. The crux of the issue is that these devices have short (relatively) 32 bit IDs with no encryption between the tag (sensor) and the control unit. According to the researchers the protocol is also quite simple and easy to spoof. They will (presumably) demonstrate this week how they can send/receive signals from these units up to 40 meters away.
So let’s put a privacy spin on this (ready your tin hats!).
- The sensors have a broadcast range of roughly 40 meters
- The IDs are easily spoof able (and easily identified)
- There isn’t any encryption
- The protocol is simple
- Broadcasts occur in timed increments (60-90 seconds)
So do you want to follow me? You could. Building a single sensor that would read the ID from one (or all) of my TPMS would be quite simple. Place it in a location where I’m going 1.5 MPH or less (rough math using 40 meter coverage and a 60 second window) and you have a reasonable chance of being able to authenticate my presence, or at least my car’s presence, at that location. Granted you or I have a small issue here, the ability to do this on any scale that would be effective. If you wanted to cover a large area or a large number of people, this would be quite an undertaking. But if you are a government and control the local infrastructure of a municipality, you have quite an opportunity here.
In presentations I give on security, I have become accustomed to a pattern of presenting the information. Step one, pose questions or situations that allow your audience to immediately identify with you or the subject. Step two, provide case studies or scenarios that provide examples to support the subject. Step three, give the audience some actionable items.
This article is all about supporting step three. If I’ve done a good job of getting a person to identify with the subject and provided a reasonable explanation of the information, the reader/listener usually focuses in on the action items.
In this case, I wanted to provided supporting information to the Does My Cell Phone Have a Virus article. Also this seems very timely with the recent loss of the next generation iPhone at The Gourmet Haus Staudt in Redwood City, California. While I’m certain Apple has many more policies for device management, nevermind the policies around having a prerelease device, if Gray Powell had simply followed the first recommendation below, things would be much different…
But I digress… Most all the offline questions I have received from my last article have had a common theme:
- I did this, did I get a virus?
- My insert_model_phone_name_here is acting funny what do I do?
- I installed this app, is it legit?
Trying to address issues at that level and point is the “whack-a-mole” approach you want to avoid. You want to put preventative measures in place so that these concerns should be minimized.
You will find a number of lists like this on the Internet, but this is my take on steps to take to safeguard your information on your mobile device:
- Loss is your biggest risk, don’t lose your phone. Your cell phone can have the equivalent information as your birth certificate, bank statements, and diary all in one location. Maintaining physical control of the device is the best thing you can do to avoid losing your information.
- Make sure you use a password (or PIN if that’s what your phone supports) to lock out the device. This is the single biggest thing that users complain about the inconvenience of. If anyone were to pick up your device, do not leave it wide open for anyone to read. Protect it.
- If your device offers encryption of the device and any removable media, use it. If you lose a device, the average person who picks it up will not likely have the ability to pull memory chips and decrypt your information. Make it difficult for someone to get the data.
- Just because you can download hundreds of applications, does not mean you should. Be aware that many free applications are made to get personal information from you (again see my other post on this). Others may actually be malicious.
- When downloading applications, be especially careful of banking applications. Only download them from trusted sources. If you can download directly from the bank, that is your best option. If you download from an app store, read the reviews and make sure you are one of the first 10 people to download something.
- Only use Bluetooth if you absolutely require it. If you use Bluetooth, enable a PIN for pairing devices and do not leave your device discoverable.
- If your device supports WiFi, only connect to secure and trusted networks. A network called “FreeWiFi” usually is not the best option.
- Limit the amount of data you store on your phone. If you are working on things like tax documents or have personal information on the device, only leave it on the phone while you need it. Limiting the amount of data on the device limits your risk if the device is lost or stolen.
- From a financial liability standpoint, inquire about cell phone insurance from your provider. In a day where cell phones can initially cost $300 and cost $500 to $600 to replace, it may be worth the couple of dollars a month insurance to be able to replace it.
- If your provider offers the ability to remotely manage or wipe a mobile device, know how this works and be prepared to use it in case your device is lost. If you remove all the data, you can limit your loss to just the device itself.
- Inquire with your provider and check with device manufacturer for device patches and upgrades. Much like your PC, smartphone software is updated on an ongoing basis to fix functionality and increase security.
- If your device supports third party security applications (usually Windows Mobile, Symbian, or Palm devices) look to manufacturers like Symantec and McAfee for firewall, anti-virus and SPAM prevention software.
Some of these are configurations you can do on your phone while the others are things you need to know to modify your behavior while using your phone. If you follow these steps, chances are you should be okay. In the rare case you loose your phone (ahem… next generation iPhone in a bar) and it happens to get picked up by an extremely technical user who can tear it down (Gizmodo) know that all bets may be off. But for the average person, you’re going to be okay.