Ok, so I’m a very weird guy, I can see that. Mobile phones can be very handy, I can see that too. Combining those things it turns out that mobile phones are still pretty useless to me personally. That fact, I concede, is strange. I participate in less than a dozen actual telephone conversations a year even when including the hardwired telephone sitting in front of me on my desk at work. I cannot remember a telephone call that would not have been better served in an email. Many of my telephone calls involve waiting on hold for dozens of minutes. Today, the fundamental advantage of telephones isn’t the frequency-clipped disembodied voice you can hear, it is that the rudeness and imposition of interrupting someone are usually overlooked. But not by me.

Ok, so unless you just like hearing the sound of other people’s voices nattering away while you’re in the grocery store, and I understand there are many such people, the whole 19th century telephony thing is not extremely compelling. But what about all the other great stuff? Throwing enraged birds into pigs? Everyone loves that, right? Nobody knows how to use a paper map any more so it’s not like it’s even optional, right? Everyone wants to know what their friends' lunch looked like and gleefully stalks Pintergramerbook to find out, right? I could go on and on, but, folks, I’m sorry, I’m as aware of the benefits of technology as anyone and I do not find smartphones compelling. Sorry.

I can confidently surmise that I had my Sharp Zaurus SL 6000 before you had a smart phone. That brilliant pocket computer highlights exactly why I find modern small computers so uninteresting. On the Zaurus I could easily open a terminal. It ran a proper Linux kernel and I had full root permissions. I could run a Python interpreter in the normal Linux way. I could install any Linux software, Vim for example, and write my own. I could tape it to my Roomba and steer with it over wifi SSH. I felt like I was in control. But Android revoked almost all of that control. Don’t talk to me about the nightmare of warranty-voiding freakish rooting hacks. The necessity of such tricks is exactly the problem.


Now we come to the elephant in the room. What happens to security when you use a networked system which is controllable by clever hacks and back door tricks, but impossible to control by authorized users using ordinary methods? It sucks. When I look at almost any security measure taken by the computing systems that I feel are safe enough to use, they are almost all invalid with modern phone operating systems. For example, why do package maintainers provide MD5 hashes of packages? So you can verify that what you downloaded is what the maintainer released (the bare hash proves the bytes are intact; the signature over the hash, or the TLS channel you fetched it from, is what ties it to a source you trust). With Android, you can’t verify anything of the kind, and you have no idea who is a trusted source. Or take a simple thing like user accounts. These are designed to restrict privileges so that if some software is acting in bad faith, it can be contained. Android has a disgustingly perverse privilege model that just mocks proper security. The only thing that user accounts seem to restrict with Android is the device’s legitimate owner.

Blah, blah, blah. Ok, ok. There are zillions of Windows users out there who obviously don’t care about terrible security and bizarre conflict-of-interest turf wars in their computers. Fine, fine. What is blowing my mind in the smartphone era are the Linux people. The acquiescence of the people who should know better is what really freaks me out.

The first iPhone I ever saw was being proudly shown off by a sysnet (systems and networking) professor, a guy who studies computer security at the highest level for a living. I remember the thought I had at the time which remains the same to this day, "Hmmm…and you’re ok with that?"

Distrust and caution are the parents of security.

— Benjamin Franklin

Security is hard. In the Linux world at least 50% of knowing roughly what you’re doing involves various security measures. With the advent of smartphones it seems like everyone took the opportunity to make a clean break with the truly onerous task of secure computing. By relinquishing control, even technical people seemed relieved to relinquish responsibility too. Another quick example — I asked the head computer security analyst at my university (largest employer in the 8th largest city in the USA) what he thought about phone security. His answer was, essentially, it’s bad. Very bad. Ridiculous bad. Sure. Whatever. So what does he do about it? Well, nothing special really. He mostly just assumes it’s insecure and behaves accordingly (lucky for him he’s a professional at that). And yet, he believes that his smartphone was responsible for his Amazon account being hacked (and if anyone should know that, it is he). How did that then change his behavior? Amazingly, not much! This is typical! People who know better stop caring for some reason. I don’t understand this. I haven’t been able to stop worrying and love this bomb. I have never been interested in using a computer as a computer that I can’t control with the full force of computer science. I don’t care what magic services it provides. If I don’t have at least theoretical control and it knows who I am, it creeps me out and I want nothing to do with it.

Obviously I have a lot to say about modern telephones, but at the same time, I don’t. I wish I could point to the smoking gun and say, ah, here is why you shouldn’t use this. But I am not an expert in these systems which are designed to prevent me from properly understanding them. I just know what I appreciate and trust about the Linux systems I do use, and I can’t see any similarity to the way smartphones are controlled. For the same reasons I (and people like Richard Stallman) have boycotted Microsoft operating systems for almost 20 years now, I can’t accept Android. I feel vindicated that my 1999 assertion that the Linux kernel could be made usable by normal people was true, but at this point Android is worse than Windows. (Do I even need to point out that iOS is worse than Android?)

Ok, I don’t like telephones. I don’t like proprietary operating systems that exclude you from control, destroy your privacy, and prey on you at every opportunity. With all that baggage, in comes a new topic that is of particular importance to fancy computer people taking care with security: multi-factor authentication. Abbreviated as MFA or 2FA, this basically is about using your phone to add another layer of security to unrelated services. I think you can guess by now how I feel about that. I’m not impressed. I’m horrified.

But again, I’m not the head of some nation state’s hacking agency. Although I take a serious and diligent interest in security concepts, I don’t make a career of studying the dark corners of proprietary software. When I step out of the light of the non-proprietary, free software world, I am overwhelmed and terrified.

This post is just a starting point, a way to dump my rough misgivings along with some links to why someone might feel this way. Make of it what you will.

Phone Insecurity

  • An amazing article in the NYT about Chinese surveillance of your phone. "Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages."

  • Cheating at poker… damn, that’s scary.

  • App proves Rowhammer can be exploited to root Android phones – and there’s little Google can do to fully kill it

  • The real vector is bad apps. "For years, most Android malware has spread by social engineering campaigns that trick a user into installing a malicious app posing as something useful and benign." MFA still safe? Maybe for a "phone" that does nothing but serve as an MFA fob. Note that the article is actually saying the problem is substantially worse than that because now malware can be contracted from concomitant ads you wanted nothing to do with.

  • UPDATE 2017-07-06: Incredible hardware attacks from repair shops.

MFA With Phones Is Bad

  • Can we agree that whoever has complete control over your device can completely subvert MFA? Please?

  • Given the history of large companies' security (Sony, LinkedIn, Home Depot, etc), if you give your phone number out to companies the odds are high that it will end up in the hands of criminals.

  • What happens if your phone is lost, stolen, out of batteries, left at home, etc. — MFA using that phone is worse than useless. MFA always suffers from the problem of what to do if the various components fail.

  • Why is a mobile phone considered an additional factor for multi-factor authentication, but email is not? This is absurd. For some of us anyway.

  • Is it multi-factor when someone uses their phone to access a service and then receives the MFA token on the same phone?

  • In my AWS attack they had me before I ever would have had a chance to register MFA. In theory, they’d have had my phone as well, compromising all other MFA schemes.

  • NIST is No Longer Recommending Two-Factor Authentication Using SMS. NIST Recommends SMS Two-Factor Authentication Deprecation.

  • Krebs talking about a phone based MFA scam.

  • Social Security security apparently requires an insecure telephone. And rescinded!

  • This bizarre article argues for phone 2FA but do carefully check out the utterly insane contradictory section "Faking Two-Factor Authentication".

  • Dedicated MFA authentication devices seem like a reasonable idea. Using another computer, one which is likely to be insecure, does not.

  • UPDATE 2017-05-15: Because of SS7 attacks 2FA Is Screwed. No kidding?

  • UPDATE 2017-06-21: Password reset problems with phones.
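The first bullet above (whoever controls the device controls the second factor) is easy to make concrete with the most common app-based scheme, TOTP (RFC 6238). The whole "factor" is one HMAC key, the seed, that the authenticator app stores on the phone. Anyone who copies that seed off the device generates exactly the codes the phone does, for any time in the future, without touching the phone again. The following is an added illustration, not code from the original post; the seed is the RFC 6238 test-vector key "12345678901234567890" in the base32 form an otpauth provisioning QR code would carry, and the function names are mine.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example seed: the RFC 6238 test-vector key "12345678901234567890",
# base32-encoded the way an otpauth:// provisioning string carries it.
ENROLLED_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def decode_seed(seed_b32: str) -> bytes:
    """Turn the provisioning-string seed into the raw HMAC key the app stores."""
    return base64.b32decode(seed_b32, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(key, unix_time // STEP_SECONDS, digits)


def server_verify(key: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """What the relying service does: accept the code for the current step, +/- skew."""
    now = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(key, c), submitted)
        for c in range(now - skew_steps, now + skew_steps + 1)
    )


def cloned_codes(stolen_seed_b32: str, start_time: int, count: int) -> list:
    """Attacker side: with the seed copied off the device, precompute the code for
    each of the next `count` 30-second windows. No further access to the phone is needed."""
    key = decode_seed(stolen_seed_b32)
    return [totp(key, start_time + i * STEP_SECONDS) for i in range(count)]


def phone_and_clone_agree(unix_time: int) -> bool:
    """The legitimate app and the clone produce the identical second factor,
    and the service accepts the clone's code."""
    key = decode_seed(ENROLLED_SEED_B32)
    legit = totp(key, unix_time)
    clone = cloned_codes(ENROLLED_SEED_B32, unix_time, 1)[0]
    return legit == clone and server_verify(key, clone, unix_time)


if __name__ == "__main__":
    key = decode_seed(ENROLLED_SEED_B32)
    print("phone shows :", totp(key, 59))
    print("clone shows :", cloned_codes(ENROLLED_SEED_B32, 59, 1)[0])
    print("service accepts clone:", phone_and_clone_agree(59))
```

Note that nothing here requires the attacker to intercept a code in transit, which is why SMS-vs-app arguments miss the point raised in the first bullet: an app on a fully compromised phone (root via a bad app, a Rowhammer-style exploit, or a repair-shop part) can read the seed directly, and a "dedicated fob" is only better to the extent that its seed cannot be read out the same way.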

Cell Network Attacks

SIM Card Attacks

Client OS/App Vulnerabilities/Malware

In this paper, we will demonstrate how to quietly mount practical, context-aware clickjacking attacks, perform (unconstrained) keystroke recording, steal user’s credentials, security PINs, and two factor authentication tokens, and silently install a God-mode app with all permissions enabled.

We note that this behaviour seems to appear to be a deliberate decision by Google, and not an oversight. To the best of our understanding, Google’s rationale behind this decision is that an explicit security prompt would interfere too much with the user experience, especially because it is requested by apps used by hundreds of millions of users.

…none of the users actually managed to understand what happened even after we told them the app they played with was malicious…

…the majority of presented attacks are possible due to inherent design issues… Thus, it is challenging to develop and deploy security patches as they would require modifications of several core Android components.

My Absurd Telephone

  • Providers and vendors sell tweaked versions of Android that may not properly implement security updates. My phone’s Android version is from 2011 though the phone says it’s up to date. What could go wrong?

  • "Settings → About Phone → System updates → Update Android" → "Your system is currently up to date."

  • "Settings → About Phone → Android Version" → "2.2.2"

  • The futex attack affects Android versions 4.0 through 4.3. So, with 2.2.2, am I immune? Ha.

  • Linux is currently on kernel version 4.9. Here’s my "up-to-date" phone’s Linux kernel.

$ cat /proc/version
Linux version 2.6.32.9 (jinyoung.chon@Sprint14) (gcc version 4.4.1
(Sourcery G++ Lite 2009q3-67) ) #1 Mon Mar 7 11:55:10 KST 2011
  • The last 2.6.32.9 kernel was packaged on 23-Feb-2010 15:43. This means that when the vendor compiled this Linux kernel for their Android system, it was already a year old.
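Reading that banner by eye is fine once; checking a drawer of "up to date" devices is not. The following added example (my own code, not from the original post) parses the /proc/version line above, compares the kernel release against a minimum, and computes how stale the vendor build already was on the day it was compiled. The sample banner is the page's own output joined back onto one line; the upstream release date of 2.6.32.9 is the one the text states and is assumed correct here.

```python
import re
from datetime import date, datetime

# Constructed sample: the kernel banner quoted on the page, on one line as /proc/version prints it.
SAMPLE_PROC_VERSION = (
    "Linux version 2.6.32.9 (jinyoung.chon@Sprint14) "
    "(gcc version 4.4.1 (Sourcery G++ Lite 2009q3-67) ) "
    "#1 Mon Mar 7 11:55:10 KST 2011"
)

# Upstream release date of the stable tarball, as stated in the text (assumed correct).
UPSTREAM_RELEASE = {"2.6.32.9": date(2010, 2, 23)}

# "Linux version <release> (<builder>) (<compiler>) #<build> <date>"
_BANNER = re.compile(r"^Linux version (\S+) \(([^)]*)\) \((.*)\) #(\d+) (.+)$")


def version_tuple(release: str) -> tuple:
    """'2.6.32.9' -> (2, 6, 32, 9); local suffixes after '-' are ignored."""
    return tuple(int(p) for p in release.split("-")[0].split("."))


def older_than(release: str, minimum: str) -> bool:
    """True when `release` sorts before `minimum`, e.g. older_than('2.6.32.9', '3.0')."""
    return version_tuple(release) < version_tuple(minimum)


def parse_proc_version(banner: str) -> dict:
    """Split a /proc/version banner into its fields, including the build timestamp."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError("unrecognised /proc/version banner")
    release, builder, compiler, build_no, stamp = m.groups()
    tokens = stamp.split()
    if len(tokens) == 6:            # "Mon Mar 7 11:55:10 KST 2011": drop the zone name
        del tokens[4]
    built = datetime.strptime(" ".join(tokens), "%a %b %d %H:%M:%S %Y")
    return {
        "release": release,
        "version": version_tuple(release),
        "builder": builder,
        "compiler": compiler.strip(),
        "build_number": int(build_no),
        "built": built,
    }


def staleness_days(info: dict):
    """Days between upstream's release of this exact version and the vendor's build.
    None when the release date is not known to this script."""
    upstream = UPSTREAM_RELEASE.get(info["release"])
    if upstream is None:
        return None
    return (info["built"].date() - upstream).days


if __name__ == "__main__":
    info = parse_proc_version(SAMPLE_PROC_VERSION)
    print("kernel     :", info["release"], "built", info["built"].date(), "by", info["builder"])
    print("older than 3.0:", older_than(info["release"], "3.0"))
    print("already stale at build time by", staleness_days(info), "days")
```

On a real device the input is simply `open("/proc/version").read()`; the upstream release table would need to be filled from kernel.org's archive listings rather than the single entry carried here.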

UPDATE 2017-04-04 - Google Project Zero tells us what to expect when you rely on proprietary drivers in Android devices. Remote attacks over wifi.