My Security Thoughts – Your Cell Phone

Melvin: I know that I am old. I remember when you had to be at home for someone to reach you by phone. I remember when you paid for everything with either cash or check, well you had credit cards but it was mostly cash or checks. Oh yeah airline tickets were paper. For that matter all of your documents were paper.

Now thanks to advances in technology we can put all of that on your cell phone. Yes every piece of identifying documentation can go on your phone. All of your financial transactions can be done via your phone within the next 5 years. Think of it the police pull you over for speeding you bring up your license and registration on the phone and hand it to them to scan into the system. They may even be able to bill you right there on the spot and you pay with a tap on the screen.

You can even unlock your doors at home with your phone. Soon all cars will be able to be unlocked and started via your phone. I am sure that I have left things out that can be done with your phone besides make calls, search the web, and post selfies. Which leads to why am I discussing cell phones on this forum.

I feel that these phones are one of the greatest threats to personal security. The phones are growing to be the center of our lives. They will soon contain every aspect of our digital lives. It is a wave that will turn into a tsunami of unstoppable ingress into everyone’s lives.

Now there are some that might say that the average wallet of an American contained their lives. Not only might there be a driver’s license but you could also find a social security card, health insurance card, credit cards, ATM cards, and possibly phone numbers.

As a side note, are there any out there like me that cannot remember phone numbers now that we have the contact lists on our phones. I search by name and never see the phone number. Does that mean that the smart phone is making me dumber? Probably.

Okay back to the discussion, even with the wallet and lets not discuss a woman’s purse, I still feel that there is more stored on a smart phone then can ever be placed into a similar physical space carried on one’s person.

Thoughts?

 

Brian: You are correct on a number of issues – first, I can’t remember anyone’s phone number, or birthday, or E-mail – all of that is in the phone – heck, it’s to the point that I don’t recognize the number unless the phone tells me who it is that is calling – I have better things to dedicate those neurons to. I figure whomever is calling will leave a message, and I’ll listen in – if I can… And answer if it’s someone I want to talk to. One of the advantages of the old answering machines on an old land-line, well that and the fact that they worked without electricity (they used something like 6 volts over the old copper wire) – now that everything is a packet – my land line sends via Ethernet – so if power is out, the hub is down, or overloaded. Phone is useless when power is out today… Remember 9/11 and all of the busy-signals? Expect that to be the norm in any emergency these days… Unless you have a satellite phone – then you may be able to reach someone that is outside of the area affected… But your cell will be as useful as a rock.

I remember being in a cave (Carlsbad) and some idiot in the group pulled out his cell phone to call his wife… Are people really that dumb? Um, you’re underground, I think the area was like 164 feet underground, your cell phone can barely go through the walls of your house, and you want to call your wife? Although these days they probably have an access point that goes over the wire up to the surface – but they didn’t back then… Of course, I was the guy on the tour that wore a glow in the dark tee-shirt, so when they tried to show was “real darkness” looks like, I could see people and they were all looking at ME… Then I looked down and saw my little bats glowing on my shirt… D’uh…

Anyway, as far as security – encrypt, encrypt, encrypt… (And I mean that literally, if you can – multiple encryption methods.) I’ve taken to running hashes on passphrases so if someone tries to force me to reveal the password, I can honestly say that I don’t know the password. True – I know what will yield a hash. And while the law can force you to yield a password, they cannot force you to take an action, or reveal a procedure. (That’s to protect you from being forced to commit a crime, then be charged for it, so if you have to call a program to generate a hash from the passphrase – that you then cut and paste the 128 character string generated to decrypt your drive, you cannot be forced to tell them that process – and if your hash is then simply ROT-64 encoded, hey – it’s not your fault they can’t get that pass-phrase to work.) Anyway… My passphrases all a miss-spelled phrase, including numbers, and keyboard positions so I may know the pattern, but not the keys. So I literally cannot “write down” the pass-phrase doesn’t matter how much I want to I can’t do it. Now that’s a bit much for a cell phone – but we’re getting close to needing something like that… Scan your fingerprint, scan your IRIS, and it’s in standby so you have to enter a swipe-pattern…

Anyway – treat your phone like you do your IRS software – I’m assuming that you have all of that data multiply encrypted as well. And if you have a phone for your family, you should be establishing encrypted communication tunnels. If it’s good for the military – it’s good for you… I’ve always lived by the phrase, “just because you’re paranoid, doesn’t mean someone isn’t out to get you”… Heck, I have Tor on my phone, and recently added a VPN… Yes, it’s slow – so I’ll use the VPN most of the time, but some searches, I want to keep to myself – that is what Tor is for.. That’s why I have USB sticks that boot up computer systems at home – no traces… Yeah, you can do forensics all you want – good luck with that… The only down side to all of the above is I had a drive die that wasn’t being backed up – couldn’t even get one of the latest forensic tools to see the partition on the drive… Can’t read something that you can’t see…

I’ve been looking for tools like peer-block for my phone – the CPU is fast enough to monitor comms, so there should be tools to do it…

 

Melvin: I agree with you that encryption is the key. You have no other option to protect your data on your electronic device. I just assume that if they want to get into my gear then they probably can with enough time and effort. I also assume that strong encryption will protect my data.

Now I don’t believe that they can force you to reveal your password. I believe that you cannot self incriminate. You can be forced to use your finger to unlock your phone if you enable that feature. I, myself, do not have that feature enabled.

I know that I am not as hardcore as Brian but I have started using a VPN application even when at home. It also gives me a certain level of comfort to use my laptop at Starbucks. Though I still will not do any online shopping or banking.

This conversation has made me think of other things that people are using their phones to accomplish. One of those is the use of the phone as a key. Drone Mobile and Viper are two vendors that have products that will allow you to unlock, start, and track your vehicle. Tesla has an app for iPhone that allows remote start. It just seems to me that if you lose your phone or it is stolen your car, data, and electronic wallet could be lost to you.

Sad part is how many people know their master passwords so that they can start to get back to normal. How many people backup their phones so that they can restore to a new phone?

I am seeing an avoidable trend of using the smart phone to control or store every aspect of a person’s life. What will be the outcome when people ‘s phones are compromised? I don’t even want to guess.

 

Tony: Hmm, I would separate personal security into two categories – 1) physical security and 2) information security.

Arguably, phones do not do hurt are physical security in any way. My wallet is still more important than my phone to the average criminal. In fact, I would be safer if the criminal knew I only had a phone and no wallet; that way the reward or payoff would be much less certain for the criminal…no immediate cash or credit card payoff. The phone provides a much greater physical barrier to information than my wallet…access barriers are a big deterrent to the criminal element. +1 phones

Information security is a much bigger issue and certainly not limited to phones, but I agree, it is hard to argue against the information security risk presented by phones, they contain a lot of information. Basically, it is the price you pay for having all your data at your finger-tips…there is no *free* lunch. However, I think the risk is greatly mitigated by biometric access, lock screens and other mechanisms like that. I mean, who does not password protect their phone these days? What phone OS does not provide a remote security-wipe feature? This is common stuff and it will probably get better with features that track your location or your biometrics (i.e., how far is the phone from your Fitbit?) I envision lots of cool stuff in the future with respect to securing access to the phone. Bottomline, it is pretty good now and going to get much better in the future. +1 phones

Ok, I cannot help but laugh a little about smartphones making people dumber. Well, if access to information makes you dumber than…yeah I guess it does. The whole notion of attaching a number to a person is a bit wonky anyway. The goal is to communicate with the other person…not to remember numbers? The phone just provides access to a variety of mechanisms to communicate with the other person. The “number” is a detail that should not be so prominent/important. Plus, numbers just do not scale well and is definitely a very limited abstraction for “communication”. I mean c’mon…Captain Kirk probably does not know Spock’s or Scotty’s number…oh…wait…1-ENT-ERP-RISE!

Comments?

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.