Why Mobile Security is not Like Traditional Security
![Page 1: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/1.jpg)
Why Mobile Security is not Like Traditional Security
Markus Jakobsson, PayPal
Part 1: I convince you there is a problem
Part 2: I argue that solutions are possible
![Page 2: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/2.jpg)
We do have a problem
Lack of crypto
Social (ab)use
Power limitations
Limited user interfaces
Our own inertia
![Page 3: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/3.jpg)
Imagine: 30 mins after leaving home…
![Page 4: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/4.jpg)
Some UI problems
Your password must have at least one digit and at least one special character, and …
Please enter the name of your maternal grandma’s best friend’s first pet
![Page 5: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/5.jpg)
Password Entry Pain
(Chart, scale 1 to 5: short battery life, slow Web connection, lack of coverage, poor voice quality, small screen size, difficulty customizing settings, difficulty entering passwords)
![Page 6: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/6.jpg)
Password Entry Pain
(Chart: cumulative distribution, annotated “x 2.5”)
![Page 7: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/7.jpg)
Translation to reality-speak
“People hate passwords”
“Accept PINs; cache credentials; add remember-me features. Worry about the consequences when they surface.”
![Page 8: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/8.jpg)
Another reaction
“Mobile malware is here”
“Right now, use signatures for mobile, too. Worry about the consequences when they surface.”
![Page 9: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/9.jpg)
How it should be
“Develop secure and less annoying authentication/anti-virus methods.”
![Page 10: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/10.jpg)
So let’s look at what to do!
Part 1: Power
![Page 11: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/11.jpg)
Let’s talk about power!
• Software-based attestation: Verify no active malware before running sensitive routine
• This way, only occasional verification
(Diagram: connection request → “Ok?” → Verify → “Ok!”)
Some more details at www.fatskunk.com + contact me
![Page 12: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/12.jpg)
(Diagram, continuing the previous slide: a connection request triggers Verify before each sensitive routine: connection, malware scan (flash), vote cast, storage decryption, login process)
![Page 13: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/13.jpg)
How?
(Diagram, built up over slides 13 to 19: monolith kernel, cache, RAM)
1. Swap out all programs (malware may refuse)
2. Overwrite all “free” RAM with pseudo-random content (malware refuses again)
3. Compute keyed digest of all RAM (access order unknown a priori)
External verifier provides this
External verifier will time this (and check result of computation)
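The three steps above, as an added simulation that is not part of the slides or of the FatSkunk product: free RAM is refilled from a verifier-supplied seed, a keyed digest walks the pages in a seed-derived order, and the verifier checks both the digest value and the elapsed time. Page and RAM sizes, the kernel image, the seed format and the deadline are constructed toy values.

```python
import hashlib
import hmac
import random
import time

PAGE_SIZE = 32    # constructed toy sizes, not real handset values
RAM_PAGES = 64
# Constructed known-good "monolith kernel": 8 fixed pages the verifier knows.
KERNEL_IMAGE = [bytes([i]) * PAGE_SIZE for i in range(8)]

def fill_ram(seed, resident_malware=None):
    """Steps 1-2 on the handset: the kernel stays, every other page is
    overwritten with verifier-seeded pseudo-random bytes. resident_malware
    maps a page index to bytes a process refuses to swap out (simulated)."""
    prng = random.Random(seed)
    ram = list(KERNEL_IMAGE)
    for page in range(len(KERNEL_IMAGE), RAM_PAGES):
        filler = bytes(prng.getrandbits(8) for _ in range(PAGE_SIZE))
        if resident_malware and page in resident_malware:
            filler = resident_malware[page]   # page keeps the malware bytes
        ram.append(filler)
    return ram

def keyed_digest(ram, seed):
    """Step 3: HMAC over every page, visited in an order derived from the
    seed, so the handset cannot precompute or reorder the work."""
    order = list(range(len(ram)))
    random.Random(seed + b"/order").shuffle(order)
    mac = hmac.new(seed, digestmod=hashlib.sha256)
    for page in order:
        mac.update(ram[page])
    return mac.digest()

def verify(reported_digest, elapsed, seed, deadline=0.5):
    """Verifier: recompute the digest from the known-good kernel plus the
    filler it seeded; a real deadline is calibrated on legitimate hardware."""
    expected = keyed_digest(fill_ram(seed), seed)
    return hmac.compare_digest(expected, reported_digest) and elapsed <= deadline

def attest(seed, resident_malware=None):
    """One challenge/response round; returns the verifier's verdict."""
    start = time.perf_counter()
    digest = keyed_digest(fill_ram(seed, resident_malware), seed)
    return verify(digest, time.perf_counter() - start, seed)

if __name__ == "__main__":
    challenge = b"constructed-seed-01"
    print("clean handset:", attest(challenge))
    print("malware resident:", attest(challenge, {20: b"\xcc" * PAGE_SIZE}))
```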
![Page 20: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/20.jpg)
Part 2: UIs
![Page 21: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/21.jpg)
Smaller Keyboard: Slower = Less Secure
![Page 22: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/22.jpg)
Why Not Use Error Correction?
![Page 23: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/23.jpg)
A “Fastword”: Several Dictionary Words (Three, For Example)
Enter fastword:
Paper & very crude demo at www.fastword.me
![Page 24: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/24.jpg)
Fastwords: How Secure?
(Chart: cumulative distribution; series: Password average (18 bits), 2 out of 3 Fastword, 3 out of 3 Fastword)
![Page 25: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/25.jpg)
Fastwords: How Fast?
(cumulative distribution)
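Error-corrected entry and the 2-of-3 versus 3-of-3 trade-off from the preceding slides, as an added illustration that is not the Fastword scheme's own code: a mistyped word is snapped to the dictionary word one edit away, a fastword is accepted when at least k of its words match by position, and the last function estimates what that tolerance costs in guessing bits. The toy dictionary, positional matching and single-edit correction are assumptions.

```python
import math

# Constructed toy dictionary; a real word list has thousands of entries.
DICTIONARY = ["blue", "cloud", "frog", "lamp", "moon", "paper", "river", "stone"]

def within_one_edit(a, b):
    """True when b is a with exactly one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(short) and j < len(long_):
        if short[i] == long_[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True
            j += 1
    return True

def normalize(word, dictionary=DICTIONARY):
    """Snap a mistyped word to the first dictionary word one edit away;
    words that match nothing are kept as typed."""
    word = word.lower()
    if word in dictionary:
        return word
    for cand in dictionary:
        if within_one_edit(word, cand):
            return cand
    return word

def check_fastword(typed, stored, min_match=3):
    """Accept when at least min_match positions match after correction:
    3 of 3 is strict, 2 of 3 is the tolerant variant charted above."""
    corrected = [normalize(w) for w in typed.split()]
    if len(corrected) != len(stored):
        return False
    return sum(t == s for t, s in zip(corrected, stored)) >= min_match

def guessing_bits(n_words, length=3, min_match=3):
    """Online-guessing strength in bits: one guess covers every fastword
    that differs from it in at most length - min_match positions."""
    covered = sum(math.comb(length, d) * (n_words - 1) ** d
                  for d in range(length - min_match + 1))
    return math.log2(n_words ** length / covered)
```

With the eight-word toy dictionary the tolerant check costs about 4.5 of 9 bits; the same formula with a realistic dictionary size shows how much the tolerance actually gives up.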
![Page 26: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/26.jpg)
Part 3: our inertia
![Page 27: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/27.jpg)
Some issues we all know about (but choose to ignore)
• Pushing back on weak credentials
• Dealing with special cases (such as resets)
• Discouraging credential reuse
• Getting to the bottom with 419, phishing, etc.
• Privacy issues – sometimes at odds with security
(Of course, these are not pure mobile problems, but I believe that they will be aggravated as the world turns mobile.)
![Page 28: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/28.jpg)
The problem of weak credentials
Q. What is the greatest problem?
A. Identifying when it happens.
Relevant paper at www.fastword.me
![Page 29: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/29.jpg)
Resets
Easy to guess or data mine, yet hard to remember?
– What was the brand/color of your first car?
– What is your mother’s maiden name?
– What address did you grow up at?
– What is the brand of your refrigerator?
– What is your favorite restaurant?
Hard to use on a handset?
And a big one: Slow registration!
![Page 30: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/30.jpg)
Avoiding credential reuse
Q. Why do people reuse passwords?
A. Because they can!
Relevant paper at visual-blue-moon-authentication.com
![Page 31: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/31.jpg)
Limiting phishing
A phishing attack is successful when:
1. Phisher spoofs trusted site, and
2. User reaction to (1) results in leak of credential.
![Page 32: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/32.jpg)
Privacy intrusion or not?
Keyboard biometrics? Calling behavior? Location?
Face recognition?
![Page 33: Why Mobile Security is not Like Traditional Security](https://reader036.vdocument.in/reader036/viewer/2022062302/56816376550346895dd45538/html5/thumbnails/33.jpg)
Disclaimer
• These are my opinions. Not PayPal’s.
• I own some of these things. I am not impartial.
• Some of this is published. Other stuff is not.
Contact me for more information.
More information at www.markus-jakobsson.com
www.mobile-blue-moon-authentication.com
www.fatskunk.com
www.fastword.me