Sunday, 1 March 2015

Cyber Security in the Mobile World: MWC Lunchtime Seminar Series

I've been running a cyber session on behalf of UKTI and BIS for the past few years. The event has been an increasing draw as a hub for security and privacy discussion at Mobile World Congress. We have an absolutely stellar line-up this year, across three days of lunchtime sessions and I'm really looking forward to MCing! If you're around at MWC, come along to the UKTI stand in Hall 7 (7C40) at the times below.

#MWC15

Cyber Security in the Mobile World: MWC Lunchtime Seminar Series

In the fourth year of our MWC Cyber Security in the Mobile World event, the topic remains at the top of the headlines. 2014 saw a large number of attacks which were both news-grabbing and serious. Are things getting better or are they going to get worse?

Securing the Internet of Things
Mon 2nd March
12:00 to 12:40
Location: Hall 7, UKTI stand 7C40

The Internet of Things (IoT) has exploded in the last year. Many machine-to-machine (M2M) and IoT devices being purchased by consumers and being implemented within technology from cars to chemical plants, are we adequately prepared to handle the increased cyber risk?

Introduction:

Richard Parris, Intercede: Introduction to the Cyber Growth Partnership

Keynote speakers:

Richard Parris, Intercede: The Role of SMEs in Securing IoT
Marc Canel, Vice President of Security, ARM: Hardware security in IoT
Svetlana Grant, GSMA: End to End IoT Security

Mobile Cyber Security for Businesses
Tues 3rd March
12:45 to 13:25
Location: Hall 7, UKTI stand 7C40

The Prime Minister recently said that 8 of 10 large businesses in Britain have had some sort of cyber attack against them. With a big increase in the number of mobile devices, how can businesses defend themselves, their data and their employees? What cyber standards are being developed and what enterprise security mechanisms are being put into the devices themselves?

4 person keynote panel, moderated by David Rogers:

ETSI, Adrian Scrase, CTO
Samsung, KNOX, Rick Segal, VP KNOX Group
Good Technologies, Phil Barnett, Head of EMEA
Adaptive Mobile, Ciaran Bradley


Innovation in Cyber Security: Secure by Default
Wed 4th March
11:40 to 12:20
Location: Hall 7, UKTI stand 7C40

Our speakers will get straight to the point by giving 3 minute lightning talks on a variety of innovations in cyber security.

1. Symantec, IoT Security, Brian Witten
2. W3C, Web Cryptography, Dominique Hazaƫl-Massieux
3. NCC Group, Innovative Security Assessment Techniques, Andy Davis
4. Plextek, Automotive Security, Paul Martin, CTO
5. SQR Systems, End-to-End Security for Mobile Networks, Nithin Thomas, CEO
6. CSIT, Queens University, Belfast, Philip Mills & David Crozier
7. Trustonic, Your Place or Mine? Trust in Mobile Devices, Jon Geater, CTO
8. NquiringMinds, Picosec: Secure Internet of Things, Nick Allott, CEO
9. Blackphone, Blackphone update, Phil Zimmermann
10. GSMA, The Future of Mobile Privacy, Pat Walshe

Friday, 13 February 2015

Security and Privacy Events at Mobile World Congress 2015



We’ve listed out some interesting Security and Privacy events from 2015’s Mobile World Congress in Barcelona. This year sees a general shift in topic focus to Software Defined Networking (SDN), Network Function Virtualisation (NFV) and Internet of Things (IoT). Security still isn’t a ‘core’ part of MWC – it doesn’t have a dedicated zone for example on-site, but as it pervades most topics, it gets mentioned at least once in every session!

Sunday 1st March 
1) Copper Horse Mobile Security Dinner
21:00 - Secret Location in Barcelona

Monday 2nd March
1) UKTI Cyber Security in the Mobile World lunchtime series: Securing the Internet of Things
12:00 - 12:40, Hall 7, Stand 7C40

14:00 - 15:30 Hall 4, Auditorium 3

3) Security and IdM on WebRTC
15:00 - 14:00 Spanish Pavilion (Congress Square)

3) Ensuring User-Centred Privacy in a Connected World
16:00 - 17:30 Hall 4, Auditorium 3


Tuesday 3rd March 
1) GSMA Seminar Series at Mobile World Congress: Mobile Connect – Restoring trust in online services by implementing identity solutions that offer convenience and privacy for consumers and enterprises 
09:00 – 12:00 Theatre 1 CC1.1

2) Mobile Security Forum presented by AVG 
11:45 - 14:00 - Hall 8.0 - Theatre District -Theatre D

 3) UKTI Cyber Security in the Mobile World lunchtime series: Mobile Cyber Security for Businesses 12:45 - 13:25 Hall 7, Stand 7C40

4) Mobile, Mobility and Cyber Security
17:00 – 21:00 Happy Rock Bar and Grill, 373-385 Gran Via de les Corts Catalanes 08015

5) Wireless and Internet Security B2B Matchmaking Event 
18:30 – 22:00 CTTI Carrer Salvador Espriu, 45-51 08908 L'Hospitalet de Llobregat

Wednesday 4th March 
1) UKTI Cyber Security in the Mobile World lunchtime series: Innovation in Cyber Security: Secure by Default 
11:40 to 12:20 Hall 7, Stand 7C40

2) The Explosion of Imaging 
14:00 – 15:00 Hall 4, Auditorium 5

3) The New Security Challenges: Perspectives from Service Providers
16:30 – 17:30 Hall 4, Auditorium 4

Thursday 5th March 
1) Everything is Connected: Enabling IoT
11:30 – 13:00 Hall 4, Auditorium 2

If you’d like a meet up with the Copper Horse team to talk mobile security, IoT or drones, please drop us an email or tweet us @copperhorseuk. We’ll also be demonstrating our progress on securing IoT in the Picosec project on the NQuiringMinds stand in Hall 7: 7C70.

 Picosec Project


 Feel free to leave a comment with information on any presentations or events we may have missed and we’ll look to add them.

Note: update 13/02/15 to correct Monday time order and add Quobis event.

Thursday, 2 October 2014

Master of the House? Who Controls the Home in the Internet of Things?

I had an interesting conversation with an American friend recently about how the AT&T Digital Life product had helped him take control of the temperature in his house.... from his wife!

I've experienced air conditioning wars at a company I used to work at - the thermostat was at the end of the office near the door. At various points, certain people would go and turn it up to full heat, whilst others would go and turn it fully down to cold. It was a mess. In the end facilities resolved it by taking control away entirely and nobody was happy.

Whilst slightly amusing, it does raise interesting questions for the future home internet-of-things (IoT) solutions.

Is the administrator or 'Master' of the house IoT system de facto the most tech-savvy person in the house? Statistics on technical career choices would dictate that is probably usually a man. Does that put women in an unfair or weak position when it comes to privacy?
What rights do other family members have to privacy and control?
What about visitors?

Rental Homes and Holiday Lets

What about rented homes? In the future home automation, monitoring and other IoT solutions are likely to be built in to new homes. What rights do people who are leasing homes have when it comes to ensuring that the Landlord cannot monitor or control such a system?

Abusive and Controlling Relationships

What happens in cases of domestic violence, controlling behaviour and abuse? Spyware applications are often used by jealous partners so there is nothing to say that such people wouldn't also use IoT technology as part of their controlling behaviour.

The Good Side

On the flip-side, there are plenty of examples of cameras being used by home owners which have caught thieves, discovered abuse by child minders and by carers for the elderly. For some vulnerable people, door cameras have been helpful to deter and detect cold callers who would take financial advantage of them.

These new social realities are happening now. Whilst home IoT solutions are generally fantastic, for some people, even being at home may become a problem.

Tuesday, 27 May 2014

Phone Hacking: A lucrative, but largely hidden history

I'm giving a talk at Defcon London DC4420 tonight. I decided to talk about the history of some stuff that is not really well known about outside of the mobile industry and a few embedded systems hacking circles.

For years, the mobile industry and its suppliers have fought an ongoing battle with people hacking mobile devices. This mainly started out with greyhat crackers from the car radio scene supplying tools to 'reset' your car radio PIN code (I'm not sure whether really driven by thieves or end users?).

This matured into SIMlock and IMEI hacking on handsets at the end of the 1990s, driven by very cheap pre-pay handsets. By the way, I was never a big fan of SIMlock, as it just increased targeting of the devices and it just wasn't that sensible as the time we didn't have the hardware available in the industry to protect it properly. Mobile phone theft (and re-enablement) was another driver.

Ordinary users were sufficiently motivated to want to pay to remove their SIMlocks and a cottage industry built up to serve it, supplied by tools from some very clever hackers and groups. This made some people very, very rich.

As skills have grown on both sides, the war between industry and the hacking community has grown increasingly sophisticated and tactical. Today it is mostly being played out within the rooting and jailbreaking community, but it looks like so-called 'kill switch' and anti-theft mechanisms will be a new motivator.

Anyway, I hope you find this taster presentation to the subject interesting!


Tuesday, 20 May 2014

How could voicemail insecurity affect your Facebook, Google or Yahoo! account?



It is nearly three years since the News of the World voicemail hacking scandal erupted (a case that's in court right now). The blog and article I wrote at the time are still the most popular posts I've written. I was involved in drafting a set of guidelines for network operators which was published very soon after.

I was therefore quite surprised when a friend sent me the following link which explains how web application security researcher Shubham Shah managed to use voicemail vulnerabilities within network operators to exploit two-factor authentication (2FA) for some pretty major services (e.g. Google, Yahoo!, LinkedIn and so on). The way that 2FA is setup sometimes is that it will call your mobile number. Obviously an automated system isn't usually setup to determine if you actually answered the call, so the code can go through to voicemail. And that's how the attack goal is achieved. If the attacker can get into your voicemail account via a vulnerability in procedures or via CLI (Calling Line Identity) spoofing (i.e. faking your phone number), then they can get access to the rest of your life. Sounds simple and it is.

Monday, 10 February 2014

Security and Privacy Events at Mobile World Congress 2014

Here's a list of the main security and privacy related events at Barcelona (some of which I'll be speaking at). You'll need a specific pass to get into some of them and that is shown next to the event.

Sunday 23rd February

1) Copper Horse Mobile Security Dinner
21:00 - Secret Location in Barcelona

Monday 24th February

1) Mobile Security Forum presented by AVG
12:15-14:30 - Hall 8.0 - Theatre District -Theatre F
2) Mobile Security Forum presented by FingerQ
14:30-16:45 - Hall 8.0 - Theatre District -Theatre F

Tuesday 25th February

1) Secure all the things! - the changing future of mobile identity, web, policy and governance
10:00-12:00 (09:15 for networking) UKTI / ICT KTN seminar - in the main conference area, CC1 Room 1.2
2) GSMA Personal Data Seminar (with the FIDO Alliance)
11:00-14:30 Room CC 1.1
3) Global Mobile Awards 2014 - Category 6d - Best Mobile Identity, Safeguard & Security Products/Solutions [Gold passes only]
14:30-16:30 - Hall 4, Auditorium 1

Wednesday 26th February

1) Cyber Security Workshop: The Role of the Mobile Network Operator in Cyber Security [Ministerial Programme Access only]
15:30–16:30 - Minsterial Programme, Hall 4, Auditorium B

Thursday 27th February

1) Privacy - Mobile and Privacy - Transparency, choice and control: building trust in mobile
11:00-13:00 - GSMA Seminar Theatre 2 - CC1.1


Of course plenty of the other presentations have security aspects - all the Connected Home, mHealth and Intenet of Things talks to mention but a few! Also, if you'd like to meet me, you'll see me at a few of these events or you can email to make an appointment out there.

Please feel free to let me know in the comments if I've missed any.

Wednesday, 5 February 2014

Copper Horse Mobile Security Dinner - Mobile World Congress 2014

Another year and we're back again. This year's Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world's leading minds in mobile security present, it's the hottest ticket for Sunday night. Contact us if you'd like to attend, there's a limited number of places. As always, we split the bill at the end.

This is far too early for the dinner and in the wrong location...