Tuesday, 27 May 2014

Phone Hacking: A lucrative, but largely hidden history

I'm giving a talk at Defcon London DC4420 tonight. I decided to talk about the history of some stuff that is not really well known about outside of the mobile industry and a few embedded systems hacking circles.

For years, the mobile industry and its suppliers have fought an ongoing battle with people hacking mobile devices. This mainly started out with greyhat crackers from the car radio scene supplying tools to 'reset' your car radio PIN code (I'm not sure whether really driven by thieves or end users?).

This matured into SIMlock and IMEI hacking on handsets at the end of the 1990s, driven by very cheap pre-pay handsets. By the way, I was never a big fan of SIMlock, as it just increased targeting of the devices and it just wasn't that sensible as at the time we didn't have the hardware available in the industry to protect it properly. Mobile phone theft (and re-enablement) was another driver.

Ordinary users were sufficiently motivated to want to pay to remove their SIMlocks and a cottage industry built up to serve it, supplied by tools from some very clever hackers and groups. This made some people very, very rich.

As skills have grown on both sides, the war between industry and the hacking community has grown increasingly sophisticated and tactical. Today it is mostly being played out within the rooting and jailbreaking community, but it looks like so-called 'kill switch' and anti-theft mechanisms will be a new motivator.

Anyway, I hope you find this taster presentation to the subject interesting!


Tuesday, 20 May 2014

How could voicemail insecurity affect your Facebook, Google or Yahoo! account?



It is nearly three years since the News of the World voicemail hacking scandal erupted (a case that's in court right now). The blog and article I wrote at the time are still the most popular posts I've written. I was involved in drafting a set of guidelines for network operators which was published very soon after.

I was therefore quite surprised when a friend sent me the following link which explains how web application security researcher Shubham Shah managed to use voicemail vulnerabilities within network operators to exploit two-factor authentication (2FA) for some pretty major services (e.g. Google, Yahoo!, LinkedIn and so on). The way that 2FA is sometimes set up is that it will call your mobile number. Obviously an automated system isn't usually set up to determine if you actually answered the call, so the code can go through to voicemail. And that's how the attack goal is achieved. If the attacker can get into your voicemail account via a vulnerability in procedures or via CLI (Calling Line Identity) spoofing (i.e. faking your phone number), then they can get access to the rest of your life. Sounds simple and it is.
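As an added illustration (not code from this post or from any of the services named), here is a small Python model of the call flow described above next to one possible mitigation: the code is only read out after the callee presses a randomly chosen key. The class, function names and prompts are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class VoiceOtpCall:
    """One outbound 2FA call; the code is spoken only after a live keypress."""
    code: str = field(default_factory=lambda: f"{secrets.randbelow(10**6):06d}")
    challenge_digit: str = field(default_factory=lambda: str(secrets.randbelow(10)))
    spoken: list = field(default_factory=list)  # what the callee, or a mailbox, hears
    code_released: bool = False

    def on_answer(self):
        # Fires for a person and for a voicemail greeting alike:
        # "call connected" says nothing about who is listening.
        self.spoken.append(f"To hear your code, press {self.challenge_digit}.")

    def on_dtmf(self, digit: str):
        # A mailbox recording the call sends no keypress, so it never gets the code.
        if not self.code_released and hmac.compare_digest(digit, self.challenge_digit):
            self.code_released = True
            self.spoken.append(f"Your code is {self.code}.")

    def on_hangup(self):
        if not self.code_released:
            self.code = None  # an unconfirmed call must not leave a usable code behind

def naive_call() -> list:
    """Behaviour described in the post: speak the code as soon as the call connects."""
    return [f"Your code is {secrets.randbelow(10**6):06d}."]

def simulate(callee_presses) -> VoiceOtpCall:
    """Run one call; callee_presses(prompted_digit) returns a key or None."""
    call = VoiceOtpCall()
    call.on_answer()
    digit = callee_presses(call.challenge_digit)
    if digit is not None:
        call.on_dtmf(digit)
    call.on_hangup()
    return call

def recording_contains_code(heard) -> bool:
    return any(line.startswith("Your code is") for line in heard)

if __name__ == "__main__":
    print("naive flow, voicemail:", recording_contains_code(naive_call()))
    print("keypress flow, voicemail:", recording_contains_code(simulate(lambda d: None).spoken))
    print("keypress flow, human:", recording_contains_code(simulate(lambda d: d).spoken))
```
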

Monday, 10 February 2014

Security and Privacy Events at Mobile World Congress 2014

Here's a list of the main security and privacy related events at Barcelona (some of which I'll be speaking at). You'll need a specific pass to get into some of them and that is shown next to the event.

Sunday 23rd February

1) Copper Horse Mobile Security Dinner
21:00 - Secret Location in Barcelona

Monday 24th February

1) Mobile Security Forum presented by AVG
12:15-14:30 - Hall 8.0 - Theatre District - Theatre F
2) Mobile Security Forum presented by FingerQ
14:30-16:45 - Hall 8.0 - Theatre District - Theatre F

Tuesday 25th February

1) Secure all the things! - the changing future of mobile identity, web, policy and governance
10:00-12:00 (09:15 for networking) UKTI / ICT KTN seminar - in the main conference area, CC1 Room 1.2
2) GSMA Personal Data Seminar (with the FIDO Alliance)
11:00-14:30 Room CC 1.1
3) Global Mobile Awards 2014 - Category 6d - Best Mobile Identity, Safeguard & Security Products/Solutions [Gold passes only]
14:30-16:30 - Hall 4, Auditorium 1

Wednesday 26th February

1) Cyber Security Workshop: The Role of the Mobile Network Operator in Cyber Security [Ministerial Programme Access only]
15:30-16:30 - Ministerial Programme, Hall 4, Auditorium B

Thursday 27th February

1) Privacy - Mobile and Privacy - Transparency, choice and control: building trust in mobile
11:00-13:00 - GSMA Seminar Theatre 2 - CC1.1


Of course plenty of the other presentations have security aspects - all the Connected Home, mHealth and Internet of Things talks to mention but a few! Also, if you'd like to meet me, you'll see me at a few of these events or you can email to make an appointment out there.

Please feel free to let me know in the comments if I've missed any.

Wednesday, 5 February 2014

Copper Horse Mobile Security Dinner - Mobile World Congress 2014

Another year and we're back again. This year's Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world's leading minds in mobile security present, it's the hottest ticket for Sunday night. Contact us if you'd like to attend, there's a limited number of places. As always, we split the bill at the end.

This is far too early for the dinner and in the wrong location...

Saturday, 4 January 2014

Mobile World Congress 2014 - Planning to Eat...

Happy New Year everyone! That must mean that the entire mobile industry has to start going into overdrive for Mobile World Congress in February in Barcelona. Over at LinkedIn, there is a pretty useful thread for discussing what kind of tips and suggestions you'd give first time attendees to MWC.

Parties aside, my best personal advice for Mobile World Congress is actually about eating. Having been to Barcelona for every MWC since it moved there, I've worked out what is best for me and really what is not good at all for me. I've described it to some people as doing a year's worth of meetings in one week. It is pretty intense - you definitely work hard and play hard. In my experience, you walk about a million miles (maybe just slightly less), drink far too much alcohol and go to bed way too late for a couple of hours sleep before doing it all again the next day, all without eating much more than a couple of bites of tapas and maybe a Jamon baguette. The biggest thing that has at least helped me sleep better and feel better is to address the food problem head-on.

Not sure how healthy this sandwich is Mr. Messi...

Here's my addition to the thread:

One thing that I'd add, make sure you eat properly and healthily. It is a crazy week of early mornings, late nights and lots of walking. Also, if you're like most of the attendees and therefore not 'entirely' tee-total, you may need to soak up some of that booze ;-)

It can be difficult to get food during a really hectic week and what food is on-site is usually limited. Mostly jamon / Spanish tortilla baguettes, crisps and maybe some fairly rank salads (unless you can eat in the Gold pass areas). The queues at lunchtimes are mental, so if you are going to grab something, try and get it early on and stick it in your bag for later if you can.

Don't expect to be eating well at any of the parties unless you can get by on a couple of cocktail snacks and a bit of Paella. 

As someone who needs food to keep me going, I generally try to eat as follows each day: 

* a healthy, large breakfast with some fruit 
* get some early coffee on-site 
* make time for lunch - I now resist the temptation to skip it and fill it with a meeting 
* eat something substantial if I can early on in the evening that isn't just tapas at a party 

Hope this helps!

I'd be interested in any other thoughts people have on how to eat properly at MWC. Anyway, with that slight detour I have to get back to judging entries for the GMAs and preparing our own Copper Horse trip out there!

Thursday, 5 December 2013

Shiny Expensive Things: The Global Problem of Mobile Phone Theft

I was kindly invited down to Bournemouth University the other day by Shamal Faily, to give a talk as part of their Cyber Seminar series. I decided to talk about a quite hot topic which I'm very familiar with, mobile phone theft. The slides are updated from an earlier talk, but cover some of the political involvement in 2012/13 and some information on recent industry action and what should happen next.

Wednesday, 6 November 2013

Global Mobile Awards 2014



I'll once again be judging in the Global Mobile Awards "Best Mobile Identity, Safeguard & Security Products/Solutions" category this year. The deadline for entry submissions is Friday, the 29th of November 2013 at 5pm (GMT). The shortlist will be announced in January 2014 and the awards will be presented at Mobile World Congress.

If you're planning to enter, there'll be a live Q&A on the awards on Friday, November the 8th. Follow the GSMA's twitter account @GSMA and the hashtag #GMA14 for more details!

If you want to show off your organisation's success and innovation in the world of telecoms, please enter at the awards page: www.globalmobileawards.com

Good luck!