Making Carriers Shoulder Smartphone Security

alphadogg writes "Georgia Tech researchers have received a $450,000 NSF grant to boost security of iPhones, BlackBerries and other smartphones and the wireless networks on which they run. And it's those networks where the researchers are really zeroing in. The researchers are looking into ways wireless carriers such as AT&T and Verizon can detect malware on devices and clean up the devices before they do further damage. 'While a single user might realize that a phone is behaving differently, that person probably won't know why,' says Patrick Traynor, assistant professor at Georgia Tech’s School of Computer Science. 'But a cell phone provider may see a thousand devices behaving in the same way and have the ability to do something about it.' Georgia Tech is going to build out a cellular network test bed to try out its remote repair techniques."

Anyone else have a bad feeling about this?

[rolfwind]

The researchers are looking into ways wireless carriers such as AT&T and Verizon can detect malware on devices and clean up the devices before they do further damage.

Last time a company had access to the contents of a device (Amazon -> Kindle), they caused a really big uproar.

Re:

[XPeter]

T-Mobile -> Sidekick is another failed example.

Re:Anyone else have a bad feeling about this?

[nine-times]

Yeah, it seems like it has to be a fine line. Like what gets defined as "malware"? Anything that uses more bandwidth than the carrier likes?

It reminds me slightly of broadband providers blocking port 25 in order to prevent spam. I don't mind that as a concept, but if so they should be willing to open it on request without too much of a hassle. Charging an extra $15 a month to open it seems like they're not really trying to cut down on spam, but rather trying to milk their customers by charging for things that really should come free with access.

Re:

[Hurricane78]

It's obvious: If it limits the money-making, it must go.

Programs, freedoms, family life.
All your friends and then your wife.
Leisure, pauses, sleep and fun.

And the redemptory gun.

Re:

[Anonymous Coward]

I am leery of giving unfettered regulatory power to a gatekeeper that has obvious financial interests to act in a manner that conflicts with my own:

No, I dont run spam botnets, nor do I write malware; however, what about people that write SSH proxies to bypass walled garden policies on their devices? If the verbiage of the "agreement" about malware is poorly written, this useful software could (and likely would) be classified as "Malware", and systematically removed from connected devices.

I would settle fo

Re:

[linhux]

Mind you, they don't necessarily need access to the device internals to detect that it's running malware. There are products for ISP's that detect traffic patterns that indicate an infected computer, and then isolate the computer in question in a sandbox network where all HTTP requests go to a support page with cleanup tools and links to anti-virus vendors. I guess you can employ a similar strategy for wireless networks.

(My employer used to have such a product, I think it's still in use in some Finnish broa

Re:

[pnblake]

Agreed. There better be a way to shut it off too. I'm not really afraid of the whole big brother thing, rather I don't want anything inhibiting my ability to run apps that I want to run. That is why I switched to a blackberry from an iphone. I loved the iphone (except for the keyboard) but the appstore was full of shit that had to be approved. With the blackberry I can install/develop whatever I want and not worry about it getting approved before it can be run on the device.

Contract addendums

[Anonymous Coward]

Next, they'll add into their contracts: 'Costumer does not own their phone. We reserve the right to make whatever changes to the device we deem acceptable. Any and all changes made that cause injury or loss of use of the device are not cause for release from this contract.'

Re:Contract addendums

[peragrin]

you forgot all contacts entered into this phone are open to our marketing department. all photos taken can be used by the carrier for advertisements. all calls made will be recored to insure "quality" control

Re:

[Bill, Shooter of Bul]

You assume otherwise? That's why my phone is a phone [sparkfun.com]. Good luck contact/photo sucking off of that.

signs your smartphone's been p0wned

[girlintraining]

Upon turning on your phone, it demands a cookie.

Your phone tells you it needs antivirus installed.

Hold music is replaced by a twisted AI that sings about cake and says it's okay if you want to leave (a message). ...

Re:

[bertoelcon]

Hold music is replaced by a twisted AI that sings about cake and says it's okay if you want to leave (a message). ...

But GLaDOS makes a great answering machine. She is a good way to filter out the messages I didn't need, but I haven't had any voicemails in a month so maybe I should make sure she's working.

Oh gawd, she's using my phone as a sonic weapon against me. HEEEEEEELLLLLLLL

LOST CARRIER

Re:signs your smartphone's been p0wned

[highbulp]

Upon turning on your phone, it demands a cookie.

And if you give your phone a cookie, it's going to ask for a glass of milk. One thing will lead to another, and soon it will want your social security number.

Re:

[lamapper]

And if you give your phone a cookie, it's going to ask for a glass of milk. One thing will lead to another, and soon it will want your social security number.

Then it will want your first born's social security number,

Oh great

[the_Bionic_lemming]

So they are going to deploy the ability to remotely update the users device. Because the bad guys will never figure out how the company does it. I can see it now. An entire carriers smart cell line bricked by a remote exploit that updates phones.

Re:

[Mike1024]

So they are going to deploy the ability to remotely update the users device. Because the bad guys will never figure out how the company does it. I can see it now. An entire carriers smart cell line bricked by a remote exploit that updates phones.

People often say things like this here on Slashdot, but automatic update tools like Debian's apt-get and Microsoft's Windows Update have never been hacked and used to distribute virus-ridden updates*. My Ubuntu netbook has never been "bricked by a remote exploit" even though it's open source, so be bad guys know exactly how the update mechanism works.

In other words, we have the technology to make secure remote update software. Technology like public/private key cryptography to digitally sign updates, and on

Re:

[CRiMSON]

I personally can't wait for everyone smartphone in North America to just one damn stop working lol.

I think it would be fucking hilarious.

Rather not...

[Anonymous Coward]

I'd really rather not allow a company access to "clean up" my devices. While this might be good in certain corporate or university based environments where all the equipment is owned by a central group, is isn't a good idea for public cellular networks where individuals own the phones. That is, unless we go to a phone lease system instead of purchase. I should really shutup before I give the networks more ideas on how to screw us over...

Bitpipe

[BodeNGE]

Wireless Internet Providers are just that, ISP's. They should have the same level of monitoring and control of the sites I surf and the applications I run as a terrestrial ISP, ie NONE. I can see that they would welcome this move, it helps them disguise the fact that they have become dumb bitpipes and are losing money on value added services.

In the corporate space however there are device management solutions available for Windows Mobile, Blackberry and Symbian that have seldom been rolled out at carrier level. These can lock down devices so that malware cannot be installed, and unauthorized applications removed. I cannot see that working as a consumer proposition, it really doesn't work well at the corporate level either. importantly these solutions are all at the IP layer (dumb bitpipe) and don't care how the device connects to the management server. ActiveSync, WiFi, cellular connection (and yes, via SMS too) will all trigger a wiped device or an app uninstall.

Nothing to do with telcos. Move along.

Re:

[sacrilicious]

Agreed. And the headline that slashdot tacked on to this article: "Making Carriers Shoulder Smartphone Security"... "MAKING" them "SHOULDER" it like it's some kind of burden?? wow, you'd think the editors of /. were in bed with the cell industry, doing their NewSpeak PR for them. A more accurate headline would be "Cell carriers delighted to portray naked power grab as good for users".

Re:

[TubeSteak]

Wireless Internet Providers are just that, ISP's. They should have the same level of monitoring and control of the sites I surf and the applications I run as a terrestrial ISP, ie NONE.

The difference between wired and wireless is that one is a shared & finite resource.
Your suggestion, that they both get treated the same way, ignores reality.

The worst thing a wired internet connection can do is max its own bandwidth.
One mobile device behaving badly can bring an area's network to a standstill.

Re:

[hitmark]

only way i can see that happen is if the attack can reach the rafio firmware...

Why is the NSF?

[joocemann]

Spending money to facilitate better service for these private businesses who have not only made billions from customers, but took billions of tax dollars and screwed us as citizens.

NSF should not be paying a cent for this. The issues need to become prominent enough for the customers to demand better products from the oligopoly of telcos.

Re:

[OctoberSky]

Spending money to facilitate better service for these private businesses who have not only made billions from customers, but took billions of tax dollars and screwed us as citizens.

NSF should not be paying a cent for this. The issues need to become prominent enough for the customers to demand better products from the oligopoly of telcos.

I'm usually quite on board with the government not paying money to help businesses further their own causes, but there are exceptions to every rule.

This should be seen as acceptable, just like it's seen as acceptable for the government to pay for the NHSTA to crash cars to test them. Those tests are given back to the manufacturers to make... wait for it... better cars. Sure it helps the manufacturers, but more importantly it helps the consumer, or more important to the governments cause, the citizenry.

No go

Re:

[Paco103]

There's a huge difference here though. Nobody is going to die if a cellphone performs horribly in a security test (ruling out side effects such as not being able to call 911). Also, testing the phones does not require them to be destroyed, unlike testing a car. Understandably, auto manufacturers are not interested in crashing thousands of cars, and those tests have to be standardized to have an fair comparison between the different brands.

There's also a line between what they're attempting to do. With a

Re:

[joocemann]

I can agree with that.

Akin to what Paco103 said, though, these phones aren't a necessity to human life, and the backdoors they're looking at are also inherently a security issue.

Personally, I don't agree with the money, but you've reasoned me enough to not disagree with the notion of others thinking it is being appropriated well enough. They can think that and I can agree that they are being reasonable enough.

Re:

[CodeBuster]

But there has to be exceptions, and this one, I think falls under such exceptions.

If your fancy-pants smartphone gets p0wned nobody gets killed. If you want a reliable emergency phone there are cheaper basic alternatives. Think about this whenever you think about the government spending money: if the government is going to spend money it first must take it from somebody else by force (taxes aren't optional...and yes inflation is a tax too). That is an extremely disagreeable process which should be reserved only for the greatest collective needs of society. This should include the branc

Re:

[CodeBuster]

NSF should not be paying a cent for this.

That is absolutely correct. Why should public money go to yet another private company? Is Apple going to give the US Treasury a cut of the profits from future iPhone sales (not likely)? The whole bailout mentality is such bullshit; what ever happened to taking responsibility for one's own successes and failures? Another 200,000 ordinary Americans lost their jobs last month, joining millions already on the unemployment rolls. The taxpayer is drowning in red ink, our kids will curse us when they are old enoug

Re:

[lamapper]

Why should public money go to yet another private company?...bailout mentality is such bullshit... These damn NSF bureaucrats should spend a month or two working a real job for ordinary working class wages; maybe then they would better appreciate the real value of the money they so frivolously spend.

I could not agree more, with your quotes and especially the last couple of lines. The fact that the Republicans dug Americans a very DEEP financial hole is enough of a reason never to see them ever elected to office again as they put party politics ahead of the citizens they take an oath to serve and protect. Hypocrisy. And do not get me started on lying to start unnecessary wars killing Americans, makes me sick. Profanes the sacrifice that many in my family have made serving in our US military. As far

Froth much?

[chihowa]

NSF should not be paying a cent for this.

That is absolutely correct. Why should public money go to yet another private company?

Where did you read that the NSF was giving money to a private company? This is a research grant that is being paid to faculty at a university to fund research on how to make smartphones more secure. This is spelled out in the first sentence of the summary.

Seriously, sometimes the game of rabid-emotional-frenzy telephone that goes on here is a little much.

Re:

[CodeBuster]

Improving the products of private companies benefits primarily the private companies because any additional profits from increased sales accrue to the owners and not taxpayers. Investments in technology can be done quite adequately by the private sector. IMHO, unless the technologies in question have a clear public use, as part of other necessary functions of government, research and development should be left to the private sector and private money.

Non-sufficient funds

[JaZz0r]

And to think that each time I get an NSF check, *I* have to pay.

Re:

[JustOK]

I thought it was Not Safe For

Not a big issue...

[Darkness404]

There is hardly any malware for mobile platforms out in the wild. I don't see how security is a huge issue. Sure, some may point to the jailbroken iPhone worms but that is because they were running SSH with a default password! I'm surprised it took this long, whats next having the government sniff our Facebooks in the name of "security" because a few people with the password of "password" were hacked? This is opening a can of worms we should leave unopened.

Re:

[arminw]

...There is hardly any malware for mobile platforms....

That is because there is a huge variety of mutually incompatible devices. Manufacturers of phones also tend to design security in, rather than an afterthought, such as happened with Windows. When a device is hacked, such as jail broken iPhone's, the built in security from the manufacturer is nullified. Even though millions of iPhones have been sold, none of them, except for the jail broken ones have any problems with rogue software. Because Apple checks

Re:Not a big issue...

[bertoelcon]

Because Apple checks all programs for the iPhone, no bad programming can ever get through.

You in the market for a bridge in the Brooklyn area?

Re:

[L4t3r4lu5]

Are there many tigers around your neighbourhood? *grin*

Re:

[socsoc]

no bad programming can ever get through

You realize that Apple doesn't vet the programming and there have been approved apps that later got revoked or the ire of the community for being shady?

Re:

[Darkness404]

No. The fact that your iPhone is jailbroken or not doesn't make it any less secure. The fact was it had SSH running with a default password. Having SSH running is of course a huge flag that says "Connect to me!", having the default password means that anyone can connect to it. Its not the difference between it being jailbroken that it is insecure its the stupidity of having SSH running with a default password.

Re:

[mdwh2]

Most mobile platforms adopted a common standard - there are something like 2 billion Java smartphones out there. I can download an app from anywhere, and run it on my Motorola with no hassles.

Unfortunately Apple have decided to go with an incompatible phone, but that's only about 1% of the market anyway, so hopefully we won't return to the bad old days of the 80s where there were millions of platforms all incompatible with each other.

Re:

[arminw]

....but that's only about 1% of the market....

Last time I looked, there were about 18 million happy owners of the iPhone, about 17% of the total smartphone market. Most users don't care if there's a mouse running around inside the phone making it do its thing, but what matters is that it is easy to use and works reasonably well. They could care less about Java or any other technical details. That's just for us Slashdot users to talk about. There is nothing standard about phones from other manufacturers tha

how about stop useing network locks & custom s

[Joe The Dragon]

how about stop useing network locks & custom software this more like the same carp that you get on new pc's.

My Phone, No Touch!

[Anonymous Coward]

I hate to be an obnoxious twit, but I REALLY don't like the idea of a carrier messing with my phone, even for the sake of carrier network stability. I would rather have the phone's carrier network access locked down so all IP traffic is stopped and all non-emergency voice calls get redirected to a call center who can inform me that my phone behaves like a virus laden whore. When and if I want to modify my phone OS and applications is my call. At least for GSM, the SIM card is by design an easily transferabl

Uuum what??

[Hurricane78]

Are we cattle or what?

"Ohh, I don't know what's... happening to me."
"Ohh, it all happens... automatically."
"Ohh, you keep me well and safe."
"Ohh, you rule all of my life."

"You are just... too kind my masters."

Mobile devices are the same as your computer!

[Anonymous Coward]

Seriously, how many people think it's a good idea to let your ISP into your computer. Controlling it, installing/removing software, etc. Nobody would stand for that.

Mobile devices are not that different. They are still your personal computer and nobody should be screwing with it unless you explicitly allow it.

Now the phone company is certainly within their rights to degrade or isolate malfunctioning devices on their network but they better be doing that at the network level and not actually touch your de

Re:

[RMH101]

Agreed. A lot of FUD gets spouted about network stability, but what we should bear in mind is that the comms part of your phone - e.g. the GSM radio - isn't hackable by the OS. It's effectively addressed a little like a hardware modem - being passed specific AT commands. A rogue app isn't going to be able to bring down a cell tower - unless it's by something low tech like just making an awful lot of calls. I'd expect the network to be able to notice a specific handset that does anything that might inter

Do govs really want Smartphone security?

[AHuxley]

What would the NSA's, CIA's, DIA's, GCHQ's ect do if the public started running heavy encryption in their pockets?
Part of the charm is tracking, easy to tap, seeing who you phone and getting a voice print.
Some computer company could upset this balance of total information awareness that is the phone.
Costas Tsalikidis, the Greek telco whistleblower who was found hanged.
Adamo Bove head of security at Telecom Italia who exposed the CIA renditions via cell phones ‘fell’ to his death.
Or http://w [wired.com]