panel on secure mobile computing at hotmobile2006

Can We Achieve Secure Mobile Computing Anytime Soon?

Jason I. Hong

WMCSA2006

April 7 2006

My Position

No Secure Mobile Computing Soon

• Lots of important info on mobile devices• Usability issues• Cultural issues• Economic issues

Lots of important info on mobile devices

This was just March 2006

Lots of important info on mobile devices

• More and more devices out there• More and more valuable data and services on

devices– M-Commerce with mobile phones– Browser history and passwords– Unlock doors to home– Paris Hilton photos!!!!

• Observation: More and more incentives for theft– Steal and resell on EBay– Steal and punch through corporate firewalls– Mobile spyware (tracks location, already starting)

Usability Issues

• ~20% of WiFi access points returned– People couldn’t figure out how to make it work

• My guess: ~80% of unsecured WiFi access points– When you are mobile, risk of eavesdroppers

– Computer security too hard to understand, too hard to setup

Usability Issues

• Phishing really really works– Exact numbers hard to find, but LOTS of people fall for them

• Semantic gap between us and everyday users– SSL, certificates, encryption, man-in-the-middle attacks

– But simple phishing is stunningly effective

• Observation: need security models that are invisible (managed by others) or extremely easy to understand

“Civilization advances by extending the number of operations we can perform without thinking about them.” - Alfred North Whitehead

Cultural Issues

• Browser Cookies– Originally meant for maintaining state

– Now a pervasive means for tracking people online

– Embedded in every browser, hard to change

• Observation: Security hard issue to wrap brain around– Hard to assess risk of low-probability event in future

– Adds to cost of development for uncertain benefit

– Thus, often done as an afterthought (ie too late)

Economic Issues

Economic Issues

• Estimated cost of phishing in US is ~$5 billion• Solutions already exist

– Two-factor authentication– Email authentication

• But:– Non-computer scams ~$200 billion– Estimated cost of implementation > $5 billion

• Observation: Many solutions are out there, but: – Need to align needs of various parties (politics)– Need incentives (cost-benefit, law)

• Observation: Scammers getting more sophisticated– Market for scammers (setup + steal, mules, bookkeeping)– “Build it, and scammers will also come”

No Secure Mobile Computing Soon

• Lots of important info on mobile devices• Usability issues• Cultural issues• Economic issues

IEEE Computer, Dec 2005“Minimizing Security Risks in Ubicomp Systems”Invisible Computing Column

Cultural Issues 1

• Algorithm for handling important societal issues in the United States

Wait for disaster to Happen

If (disaster == true) {

willSomeonePleaseThinkOfTheChildren()

legislate() || overreact()

}

Repeat

• Observation: Slow and suboptimal