Making Carriers Shoulder Smartphone Security 57
alphadogg writes "Georgia Tech researchers have received a $450,000 NSF grant to boost security of iPhones, BlackBerries and other smartphones and the wireless networks on which they run. And it's those networks where the researchers are really zeroing in. The researchers are looking into ways wireless carriers such as AT&T and Verizon can detect malware on devices and clean up the devices before they do further damage. 'While a single user might realize that a phone is behaving differently, that person probably won't know why,' says Patrick Traynor, assistant professor at Georgia Tech’s School of Computer Science. 'But a cell phone provider may see a thousand devices behaving in the same way and have the ability to do something about it.' Georgia Tech is going to build out a cellular network test bed to try out its remote repair techniques."
Anyone else have a bad feeling about this? (Score:5, Insightful)
Last time a company had access to the contents of a device (Amazon -> Kindle), they caused a really big uproar.
Contract addendums (Score:2, Insightful)
Next, they'll add into their contracts: 'Costumer does not own their phone. We reserve the right to make whatever changes to the device we deem acceptable. Any and all changes made that cause injury or loss of use of the device are not cause for release from this contract.'
Re:Anyone else have a bad feeling about this? (Score:5, Insightful)
Yeah, it seems like it has to be a fine line. Like what gets defined as "malware"? Anything that uses more bandwidth than the carrier likes?
It reminds me slightly of broadband providers blocking port 25 in order to prevent spam. I don't mind that as a concept, but if so they should be willing to open it on request without too much of a hassle. Charging an extra $15 a month to open it seems like they're not really trying to cut down on spam, but rather trying to milk their customers by charging for things that really should come free with access.
Bitpipe (Score:5, Insightful)
In the corporate space however there are device management solutions available for Windows Mobile, Blackberry and Symbian that have seldom been rolled out at carrier level. These can lock down devices so that malware cannot be installed, and unauthorized applications removed. I cannot see that working as a consumer proposition, it really doesn't work well at the corporate level either. importantly these solutions are all at the IP layer (dumb bitpipe) and don't care how the device connects to the management server. ActiveSync, WiFi, cellular connection (and yes, via SMS too) will all trigger a wiped device or an app uninstall.
Nothing to do with telcos. Move along.
Why is the NSF? (Score:5, Insightful)
Spending money to facilitate better service for these private businesses who have not only made billions from customers, but took billions of tax dollars and screwed us as citizens.
NSF should not be paying a cent for this. The issues need to become prominent enough for the customers to demand better products from the oligopoly of telcos.
Re:Why is the NSF? (Score:3, Insightful)
Spending money to facilitate better service for these private businesses who have not only made billions from customers, but took billions of tax dollars and screwed us as citizens.
NSF should not be paying a cent for this. The issues need to become prominent enough for the customers to demand better products from the oligopoly of telcos.
I'm usually quite on board with the government not paying money to help businesses further their own causes, but there are exceptions to every rule.
This should be seen as acceptable, just like it's seen as acceptable for the government to pay for the NHSTA to crash cars to test them. Those tests are given back to the manufacturers to make... wait for it... better cars. Sure it helps the manufacturers, but more importantly it helps the consumer, or more important to the governments cause, the citizenry.
No government can safely doll out money and not expect it to get back into the pockets of big business somewhere down stream in commerce. To think so is asinine (and I'm not suggesting that's what your suggesting). But there has to be exceptions, and this one, I think falls under such exceptions.
My Phone, No Touch! (Score:1, Insightful)
I hate to be an obnoxious twit, but I REALLY don't like the idea of a carrier messing with my phone, even for the sake of carrier network stability. I would rather have the phone's carrier network access locked down so all IP traffic is stopped and all non-emergency voice calls get redirected to a call center who can inform me that my phone behaves like a virus laden whore. When and if I want to modify my phone OS and applications is my call. At least for GSM, the SIM card is by design an easily transferable token confering network access and an authentication token. Whomever holds this token is authorized as far as the system is concerned.
While putting a stop to virus outbreaks may be altruistic, fundamentally allowing such functionality is dangerious. That recent incident of carrier spyware being slipped into a fake blackberry update (in Dubai?) illustrates this, and that's probably only the tip of the iceberg. Only until very recently, consumers have put up with carriers getting root access to their phones.
Fuck that noise.
If I need an OS update, I get it from the phone manufacturer. If I need mobile antivirus, I get that from a vendor. The carriers are still living in the fantasyland that they are not a provider of dumb bandwidth pipes and can bleed their customers dry for things from bluetooth activation to single character charges in SMS.
If anything, this is the reason why a real opensource phone like OpenMoko was necessary.
Re:Anyone else have a bad feeling about this? (Score:3, Insightful)
I am leery of giving unfettered regulatory power to a gatekeeper that has obvious financial interests to act in a manner that conflicts with my own:
No, I dont run spam botnets, nor do I write malware; however, what about people that write SSH proxies to bypass walled garden policies on their devices? If the verbiage of the "agreement" about malware is poorly written, this useful software could (and likely would) be classified as "Malware", and systematically removed from connected devices.
I would settle for the following scenario though:
$Telco detects that I have $Malware installed on $Device. They call me on either my landline or my cell, and inform me of the infection-- THEN-- OFFER to remove it for me.
Depending on my decision, they remove it remotely, or they don't remove it.
This way, the control of what is running on my phone is still ultimately MY decision as the consumer, and is not the authority of an outside and financially motivated regulator.
Re:Not a big issue... (Score:4, Insightful)
Because Apple checks all programs for the iPhone, no bad programming can ever get through.
You in the market for a bridge in the Brooklyn area?
Mobile devices are the same as your computer! (Score:2, Insightful)
Seriously, how many people think it's a good idea to let your ISP into your computer. Controlling it, installing/removing software, etc. Nobody would stand for that.
Mobile devices are not that different. They are still your personal computer and nobody should be screwing with it unless you explicitly allow it.
Now the phone company is certainly within their rights to degrade or isolate malfunctioning devices on their network but they better be doing that at the network level and not actually touch your device. They also better not completely disconnect a device just because it's malfunctioning. People's lives can depend on a phone working. In the case of a virus infected or otherwise malfunctioning device they could isolate its functionality on the network so that it can only be used with certain critical functions.