Security Review: Portable Computing

By dravir at 1:56 pm on March 5, 2009 | 4 Comments

Portable computing continues to increase in diversity and use.  While a few years ago the number of average people who carried a laptop around with them was relatively small, increases in the capabilities of cell phones as well as the rise of the netbook are resulting in a society where any given person walking down the street is likely to be carrying a portable computing device with the capability to store sensitive documents and browse the web.  This means that it’s more and more likely that the average person has with them a device designed to make it convenient to access their bank accounts and sensitive personal documents.

While this is certainly a very broad area to analyze, there are some specific areas that pose a security threat to these devices that haven’t really applied to using one’s desktop at home or work.  Two of these areas will be analyzed below.  First, because these devices are so portable, they are susceptible to both accidental loss (left behind on the table in the coffee shop, in a booth at a restaurant, etc.) as well as physical theft by both pickpockets and muggers.  Second, as these devices are used out in the open they are susceptible to “over the shoulder” attacks, including everything from physically watching the screen or keystrokes from a distance to recording the pitch or timing of keystrokes to acquire personal information.  A third area is the security of the wireless communications of these devices, but I will not analyze that aspect here.

 

One important security goal of these devices should be “secure by default”.  These are devices used by the average person with limited technical or security knowledge, and home users lack the corporate IT department that ensures security practices are being followed and implemented.  Thus, unless the default settings and usability scenarios implement security, the devices will be left vulnerable.  The main asset of these devices is the sensitive information contained on the device or entered through the device.  This includes sensitive documents physically stored on the device, as well as cached credentials for logging in to various webpages and the user’s browsing history.

One adversary/threat, as has been mentioned, is anyone who is willing to physically steal the device to gain access to its information, for whatever reason.  Thus the threat is an adversary having physical, unrestricted access to the device.  Another threat is an adversary that will only collect information from a distance; information displayed on screen or entered in a public setting can thus be vulnerable to discovery.

 

The weaknesses I am considering have already been mentioned.  They are the weakness of small size and portability (though obviously this is simultaneously a strength for the purpose of these devices) as well as the weakness of insecure input and output in public settings (the input is visible to more than just the user, and the screen is visible to more than just the user).

While many possible defenses could be thought of, they all have the difficulty of decreasing convenience for a device that is designed to be convenient.  One such defense could be automatic encryption of the entire persistent storage of the device, with a password required every time one wanted to use the device.  This would not only slow down performance of the device once logged on, but would also generally irritate most users if they had to input a password every time they wanted to use their portable device.  A more feasible approach would probably be to have some way for the device to detect who it’s being used by (biometrics, a separate RFID chip carried by the user, etc.), but each of these options carries its own pros and cons.

 

Another defense that could be considered is polarized screens for portable devices, such that the viewable angle for the screen is limited to nearly straight-on.  This again increases security, but the reduction in image quality and other effects of this may be undesirable to the user.  Other options for increasing the security of both input devices and output displays in public settings seem to be an area that could benefit from further research.

The risks associated with these devices will continue to increase as they become more and more a part of everyday life for the average member of society.  The more these devices enable a user to access, the more valuable they will be to an adversary.  As this technology continues to evolve, maintaining security and privacy on a device used in public should be a constant consideration.  To conclude, portable computing devices provide a wide range of possibilities and convenience.  These devices will continue to become both more powerful and more widely used as time goes on.  As this happens, the security of these devices, especially in the hands of average non-technical users, will become more and more of an issue.  Thought must be given to maintaining the security of powerful, private devices used in public settings.


4 Comments

  • 1

    Comment by Kevin Wallace

    March 5, 2009 @ 6:03 pm

    It will be interesting to see the security dynamic that emerges here next year as CSE wants to give every student a netbook.

  • 2

    Comment by devynp

    March 6, 2009 @ 6:22 pm

    It’s amazing how portable computing devices, such as laptops or cellphones, allow people to be in contact with other people 24/7. More people find the need to have smartphones because of their handy size. But most people don’t realize that phones are less stable than computers. They don’t have stable operating systems and contain a lot of patches, so they can be attacked more easily.

  • 3

    Comment by Matt

    March 6, 2009 @ 8:02 pm

    There’s no silver bullet here. Even ingenious engineering will not be enough to prevent someone from simply forgetting a portable device in a coffee shop. And while encryption and polarized screens could potentially mitigate “shoulder surfing” and theft, they would not eliminate them completely (a determined attacker with physical access to a machine is capable of almost anything). And the usability cost would be higher even than Vista’s UAC, which draws a lot of ridicule already.
    A better solution would be improved education about computer security. The specifics of encryption and security protocols wouldn’t be necessary — influencing practices like situational awareness to keep track of your items and who is around you can succeed even where clever security schemes can fail, since simple awareness can circumvent most crimes of opportunity anyway. The basic principles of guarding your mobile device could, in my opinion, be as simple as practices like locking your door at night or keeping in well lit areas when walking around at night. The biggest barrier to raising security awareness is presenting it as complicated and obfuscated, which will immediately put most of the population off of implementing a few simple practices.

  • 4

    Comment by alexmeng

    March 13, 2009 @ 7:06 am

    Something I have always wondered about portable security is that even if there is application security and protocol security, what about securing the authentication of the user using the portable device? I’ve noticed that for laptops many people are used to setting a password. But I have also seen that with smartphones, for example, many people don’t set passcodes to use them, making it easy for someone to possibly steal from and impersonate them until the authorities are notified.

    This becomes a bigger concern when people begin to integrate smartphones into their daily lives, storing their e-mail, contacts, website information, and active web sessions to sensitive websites.

    Without securing the authentication of the user using the portable device, the security in protocols or applications may be irrelevant. Therefore, as security increases in portable computing communications, so should user knowledge in securing their physical portable device!
