What Keeps Me Up @ Night and what should keep you up as well is a short series on different tech items that worry me as we march to the future. The first topic will be on mobile devices.
This is Part II of the mobile theme. Please read part I so that you can follow my thoughts on this topic. Now in part I, I talked about the trend of placing large amounts of PII, financial, and other data on mobile devices.
In Part II, I am going to talk about user access to these devices. I break mobile devices into three categories: a) mobile phones (cell phones), b) tablets, and c) netbooks/laptops with cellular connectivity. Access to these devices is typically through a username and a password/passcode. The exceptions to this rule are usually categories a and b.
The exceptions take the form of not having a username and only using the password/passcode. Why do these exceptions exist? One reason is that the devices in these two categories typically have only one user, so there is no need for a username from the OEM's perspective. OEM stands for original equipment manufacturer.
Now for cell phones, after you lock the device you need to enter a 4 digit PIN (personal identification number), also known as a passcode, to get back in. This is not a password. Passwords can contain letters, numbers, and/or special characters. Passwords tend to be stronger, read more secure, than passcodes/PINs.
Thus the security control for cell phones and most tablets is a 4 digit PIN. This is what is protecting the user's data, your data. Now some cell phones and tablets will turn the device into a brick (lock it down so it is unusable) or erase the data if someone enters the wrong PIN/passcode a certain number of times. This means that some devices will shut down if someone enters the wrong 4 digits 4 or more times. The number of attempts allowed is usually determined by the owner.
One of the problems is that most people who own these devices do not know about this feature. They either don't enable it, or they forget their code, are locked out of their device, and must reset it to factory settings and start all over again.
The other problem is that the 4 digit PIN is not that secure. Some people will use numbers that are easy to remember, say their address, their birthdate, or even 1111. Yes, 1111 has been used by some individuals. Scary, right? The 4 digit PIN is also susceptible to shoulder surfing.
Shoulder surfing is the art of looking over someone's shoulder as they enter information. It has been used to get individuals' PINs at ATMs. Experienced shoulder surfers can watch the position and movement of the person's fingers to determine which numbers were entered at an ATM. The same method can be used to determine the PIN of a mobile device.
There are other ways to determine the 4 digit code besides shoulder surfing. Another method is to look at which keys were used to enter the PIN. The attacker (the person trying to get to your data) may not know the correct order in which the numbers were entered, but knowing which numbers were used decreases the number of combinations that need to be tested.
Now most tablets and netbooks/laptops allow you to use a true password rather than a simple PIN. This provides greater security than a PIN. As stated earlier, a password may contain letters, numbers, and even special characters. Passwords are usually longer than 4 characters. The longer the password, and the more variety in the characters used, the stronger the password.
From Wikipedia: "Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability."
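As an added example (not part of the original post), the following Python puts numbers on two of the points above: how much an observer's knowledge of which keys were pressed shrinks the 4 digit PIN search space, and how a PIN compares with a password under the Wikipedia measure just quoted (average trials, and entropy from length and character set). The weak-PIN patterns, the birth-year range, and the 8-character/62-symbol password used for comparison are assumptions I constructed for illustration.

```python
import math
from itertools import product

def pin_keyspace(length=4, digits=10):
    """Total PINs of the given length: 10**4 == 10000 for a 4-digit PIN."""
    return digits ** length

def pins_consistent_with_keys(known_keys, length=4):
    """PINs an observer must still try after learning which keys were pressed
    (finger positions, smudges) but not their order. Every observed key must
    appear at least once; with 4 distinct keys that leaves 4! == 24 candidates."""
    keys = set(known_keys)
    return sum(1 for p in product(sorted(keys), repeat=length) if set(p) == keys)

def entropy_bits(length, charset_size):
    """Entropy of a uniformly random secret: length * log2(charset_size)."""
    return length * math.log2(charset_size)

def expected_guesses(keyspace):
    """Average trials to hit a uniformly random secret (the Wikipedia measure)."""
    return (keyspace + 1) / 2

def guess_success_before_lockout(keyspace, attempts_allowed):
    """Chance that random guessing succeeds before the wrong-PIN wipe/lock triggers."""
    return min(attempts_allowed, keyspace) / keyspace

def is_weak_pin(pin):
    """Flag the easy-to-remember patterns the post warns about (assumed heuristic):
    one repeated digit, a straight run like 1234/4321, or a plausible birth year."""
    if len(pin) != 4 or not pin.isdigit():
        return True  # not a valid 4-digit PIN at all
    d = [int(c) for c in pin]
    steps = {b - a for a, b in zip(d, d[1:])}
    if steps in ({0}, {1}, {-1}):
        return True
    return 1900 <= int(pin) <= 2029  # constructed birth-year range

def compare(observed_keys="1379", pw_len=8, pw_charset=62, attempts_allowed=10):
    """4-digit PIN vs. an 8-character mixed-case+digit password (constructed values)."""
    return {
        "pin_keyspace": pin_keyspace(),
        "pin_expected_guesses": expected_guesses(pin_keyspace()),
        "pin_candidates_after_keys_observed": pins_consistent_with_keys(observed_keys),
        "pin_bits": round(entropy_bits(4, 10), 2),
        "password_bits": round(entropy_bits(pw_len, pw_charset), 2),
        "pin_guess_success_before_lockout": guess_success_before_lockout(pin_keyspace(), attempts_allowed),
    }
```

Calling `compare()` shows the 10000-PIN space collapsing to 24 candidates once the four keys are known, and a 4 digit PIN at about 13 bits against roughly 48 bits for the constructed 8-character password; the lockout figure shows why the wipe-after-N-attempts feature matters even when the PIN itself is weak.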
There is still one thing missing, and that is the username. Netbooks/laptops typically make use of usernames in the login process. The username, if implemented correctly, is associated with one and only one user, and each username has one and only one password associated with it.
If the mobile device makes use of usernames and passwords, then the device has close to adequate access control. This is usually strong access control for the average user. But as discussed above, most mobile devices do not employ usernames and passwords; instead they rely on the 4 digit PIN.
I hope this keeps you up at night thinking about how much information is stored on the mobile device and how little security protects access to that data. I will discuss other aspects of the mobile device in Part III.