Wednesday, September 28, 2011

Comments on tablet/smartphone security

My friends - and competitors - at - has published a report on tablet security (Warning: Norwegian!), evaluating 3 different tablets. Conclusion? iPad2 as the winner with the best out-of-the-box security features. While I do agree on the conclusion, Norwegian media has given this report a lot of coverage that I need to comment on. "Out-of-the-box" security, or default security parameters, are *rarely* to be considered "good enough" in most cases.

Watchcom did an analysis of iPad2 (iOS 4.3.5), Acer Iconia Tab A500 (Android 3.0.1) and the BlackBerry PlayBook (OS 1.0.7), looking at security features such as:

  1. Security
    • Authentication
    • Encryption & communication
    • Blocking various features
    • Secure sync of critical applications
  2. Administration
    • Administration and policy
  3. Application security
    • Application security
    • Security extensions
  4. Security evaluations and certifications 
I think their PDF files with evaluation criteria and point scale system (1-3) should be fairly easy to understand, even when written in Norwegian.

As for my comments; I am both surprised of the media not asking any obvious and critical questions to this evaluation, as well as Watchcom seemingly not saying anything about the limitations surrounding their evaluation.

A few comments from me, that organisations should consider before making their decision & purchase:

1. iPad (iOS) security
Using the Elcomsoft iOS Forensic Toolkit, any 4-digit PIN on an iPad (or iPhone) can be bruteforced within <1 hour. Default security parameters in iOS and Microsoft Activesync requires a 4-digit PIN, while there are options available for requiring longer PINs and/or complex passwords.

While a 4-digit PIN will protect your data from the casual prying eyes (random theft/loss of your device), an organized and targeted attack will most likely succeed with a rather low cost compared to the data possibly stored on the device. I'll leave it to you to do the risk analysis including the value of your on-device stored data such as MS Exchange calendar including telephone conference numbers and codes, meeting attachments (word, excel, powerpoint, pdf files) and more. 

With Apple and iOS so obviously in the lead above all else, there's no doubt they will draw even more attention to their security - or lack of it - in the very near future. From my perspective they really don't have that much of a reputation so far on discussing, disclosing and admitting security bugs and weaknesses found. Usually not a good sign to me, but I won't to the full open vs responsible vs closed disclosure discussion here.

2. Remote device management security
Remote wipe, as well as a wide range of other security features will actually require the tablet to connect to a wlan or gsm/3g connection in order to "phone home" and receive instructions such as "the device has been lost or stolen. Please wipe the entire contents of the device and set it back to its factory default". 

While a GSM/3G jammer is illegal to operate here in Norway, it can still be obtained for pocket money from other countries. This will effectively block such communication, prohibiting any remote wipe command to ever reach the device. All this of course, in cases where the attacker can't simply remove the SIM card from the device of course. :-)

A simple "faraday cage" will additionally block any wlan connections, easily allowing an attacker to gain more time to successfully break the security of the device in order to gain information access. Evaluating your employees ability to actually report lost or stolen devices will be of high importance, as the timeframe needed for a successful compromise of your device could be as little as <= 1 hour. (This is something I will blog and talk about more in the near future.)

3. The gaping password hole left by Microsoft Activesync
Yes, I know I am a fanatic on passwords. I took the red pill a long time ago on this, and it keeps expanding. When you configure Activesync on your smartphone or tablet, the default configuration is to use a SSL (https) connection to a website providing Outlook Web Access (OWA). Default login here is username and password from the internal Active Directory, with password policy being whatever you have configured in your domain. Again; the default is nowhere good enough in this situation as well.

While many discussions have been raised on the security of the sync & storage of activesync data (contacts, calendar, mail), I haven't seem much talk regarding that fact of such a configuration opening up 1-factor password guessing (or pure bruteforcing) against OWA. As I have said before, like many others like me that are "excessively" interested in passwords, allowing for 1-factor access to internal systems from the Internet is generally not a good idea any longer. In fact, many security policies of large organisations disallow it.

From an attackers perspective; why waste time tracking down your CEO in order to steal or "borrow" his or hers tablet for a few hours, when finding the username and guessing the password of the CEO directly towards https://webmail.some.domain can be even faster and easier?

(Yes Watchcom, I already know that you provide solutions for VPN access and 2-factor authentication to secure this stuff. I have yet to see any evidence of acceptable usability on this :-) )

4. Android vs Android security
Watchcom has tested the Acer Iconia Tab A500 with Android 3.0.1. Fair enough. 

I've got a Samsung Galaxy S II smartphone, featuring on-device hardware encryption of both internal storage as well as my inserted memory card. According to Samsung's commercial, it supports more Activesync policies than any other product on the market (or something like that). Working on verifying that, but at least it seems to be working. The same applies to the Galaxy Tab tablets, as well as other tablets now available in the stores. 

I would say that Watchcom should consider updating their report ASAP with at least one or more Android based tablets from other vendors, say Samsung and the Lenovo Thinkpad, where the Thinkpad is specifically targeted at corporate business use.

As for the media: did you ask anyone to comment or question the findings from Watchcom? I'd sure as h**l appreciate it if you continue doing that every time you quote me on anything, thank you. :-)


  1. Per, I tried to fit this in 140 chars but have apparently failed. Sorry for that.

    Evaluation criteria isn't quite clear for me. Maybe because I do not speak Norwegian, maybe because the report is not clear enough in the first place. Google translate suggests that the evaluation is based on whether particular feature is implemented, partially implemented, or not implemented. I really do hope that Google translate skipped something relating to the quality of that implementation. Guys, you're doing security evaluation, not reviewing Angry Birds!

    The conclusion is fair and predictable, though. However, it always amazes me how come an iPad 2 can be a best tablet for corporate users when it is nearly the only one not supporting S/MIME :).

    It is also quite amusing to see "encryption evaluation" based merely on what gets encrypted. With crypto the devil is in the details, so that approach is not reliable enough. Consider, for example, encrypted backups. Both iPad and PlayBook can encrypt backups. The difference is that iPad will encrypt data on the device while PlayBook will not – it will send plaintext to the desktop application and the application will handle the encryption. While the end result is the same – backup is encrypted – the difference in approaches is huge and must be reflected in fair evaluations.

    The certification is also a nice thing. PlayBook is certified according to FIPS 140-2. Sort of. What actually certified is software "BlackBerry Tablet Cryptographic Kernel". Certification confirms that it correctly implements cryptographic algorithms. Well, this FIPS 140-2 certificate doesn't stop RIM from encrypting backups using variant of Rijndael cipher that does not conform to AES (and isn't a FIPS-approved algorithm, by the way). It also does not stop them from storing WLAN password in cleartext in backups. I think this list can grow pretty big.

    Android is a different world. I have zero experience there. One thing I am certain is that there is no such thing as "Android security". This doesn't mean that Android is insecure or otherwise bad; it just means that there are so many vendors and devices running Android that abstract "Android security" doesn't work. Different devices require separate evaluation.

    Bottom line? I do not see any particular value in evaluations like this if environment and goals are not set clearly.

  2. Quoting @iamleeg from Twitter:
    "X is more secure than Y" means little, "is X suitable for this purpose?" is the real question.

    We can discuss the technicalities forever of course, but his comment just summarized it all before we really got started.

    Unfortunately one might say, the media loves those simple "which is the best, X or Y" comparisons. They're everywhere. For better or worse.

  3. I’m impressed!! Really informative blog post here my friend I just wanted to comment & say keep up the quality work.


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.