
Smartphone security - can you hack back to the PC?


Posted

I'm doing a project on Smartphone security. Not the handset itself, but more on how secure the device is when in the cradle connected to the PC and the internet, i.e. is it possible to tunnel through the connection to the internet and gain access to the PC?

I've searched the internet for ages and drawn a blank. Does anyone have any info, or can anyone point me in the right direction?

Thanks - Tony

Posted

Would mean hacking into Orange's GPRS system, I would think, although each phone does have an IP address so it might be possible.

It's not like you would be able to get a virus onto the phone unless (at the minute) the virus is compiled for the ARM processor and the user has unlocked the phone (and still the phone will be locked for communicating through GPRS, but a serial output is possible).

So in my opinion it would be very very very hard if not impossible (how would you get the IP address of the phone? The connection is stupidly slow, so how useful would it be?)

8)

Posted

Thanks for your reply. I had pretty much the same thoughts:

a) pretty damn hard

b) speed would make it a near waste of time

c) by the time you had hijacked the session they would have probably quit the session.

The reason I ask is that I do IT Security for a job and the firm I work at wants to ban the use of these phones in the office based on the principle that:

"OK, we don't know of any published hacks breaking through the connection and we know it's damn slow, so it's an unknown and we just won't allow it"

Pretty daft point of view in my opinion. So I'm now busy ramping up a business case for the bankers and looking to come back with a low rating on the usual CIA risk categories so that we can push this through as approved.

I'll keep the thread open for a while, see if I can get any other input, but I'm coming up with blanks everywhere.

:lol:

Posted

Well, it would require a skilled attacker and obviously something specific to target one victim, but it doesn't sound impossible:

* An exploit in Pocket Internet Explorer allows the execution of malicious code (which doesn't look too far-fetched seeing the security record of its desktop version)

* The malicious code exploits something else (let's say a buffer overflow in ActiveSync) to execute another piece of code on the PC

Proving this cannot be done is not really easy ... of course there's a very low probability it could happen but if the firm really wants to ban Smartphones from their offices, they can use the famous "prove you have no WMD" strategy without problems :lol:

Guest Kallisti
Posted

OK, essentially this WOULD be a security risk, but a very outside one.

If you were to connect up to the net via a dialup through an ISP that gave out public IP addresses, or worse (in a security sense), fixed IP, then the SPV would represent a route AROUND any firewalls that your corporate network had.

Now, I'm not aware of any remote holes that would make that a problem, and a portscan would probably reveal no open ports on the phone. However, a user could simply run a bit of software on the phone to give access and you'd be away. Using ActiveSync it'd be trivial to write software that gave remote access to the host PC.

So, no, out of the box it represents no risk, but yes, it represents a means of bypassing security by a malicious user (or a very very dumb one).

Posted

Thanks chaps - arisme/kallisti

I guess I have to look at every avenue on this one. We have some very clever developers (ex MS bods) that know everything known to man. We banned access to web mail sites. So these guys then exploited SSH and tunnelled through our firewalls back to their own machines! Incredible really.

I'm in favour of allowing the use of smartphones etc. In fact pretty much everything pocket mobile except those with 802.1x attached in one shape or another. The 802.1x device has to be disabled (we scan the buildings regularly, so easy to detect).

What I may do is steer the focus away from the security of the connection and get them to focus more on the device and the data it could hold, i.e. synching mail with attachments - i.e. usually confidential, highly business-damaging emails

i.e. encrypting or enforcing passwords on any device that wants to be connected.

I have looked to see if we can get the SDK on ActiveSync so that we take the syncing mail part out of the options selectable.

Then we only have to contend with Contacts and Diary - which isn't so sensitive to us.

Guest Kallisti
Posted

I'll assume you don't have USB ports (or maybe a group policy against them?), floppy drives etc. then? Because short of a body search, there's little way of stopping data from leaving your premises!

Posted

Believe it or not, we assumed that under Win2K and XP the ports were disabled. After a little research - they're not! So we plugged in a 256meg memory device and off we went. Oops!

I think that rather than police the devices or their form of connectivity, I'm looking at formulating a policy stating that "data is not allowed to be transferred etc. and that doing so is in breach of such and such and could lead up to and including dismissal."

We can't police everything, nor encrypt or protect every device. So just lay down the principles that if caught - not good for them.

I was reading a lot of stuff on the net and it's a very common problem ;(
