The complexity of trust
Nov 15th, 2013 by Jesper Kråkhede
All those with a smartphone, raise your hands! I'm one of them, and I thought I had a rather good grasp of smartphone security, the dos and don'ts and so on, but apparently I was mistaken. Did you know there is a second operating system running on your smartphone (the baseband, which runs the cellular radio) that has a large number of bugs and vulnerabilities, little to no patch management, and was written in the 1990s, when security was 'optional'?
I just read an article in which this second OS is described, along with a number of ways to exploit it. It is not within reach of the ordinary hacker, but setting up a fraudulent base station is possible, and with one they have total control of your smartphone.
So when you looked into your smartphone security, you thought you were covered once you had installed anti-malware, encrypted your files, and used HTTPS for web browsing and for fetching your mail. Everything was covered, and then suddenly a new threat emerges, one that has been there since the 90s and that no one ever told you about.
Is this something to worry about? Every risk is worth worrying about, but as long as you are not communicating trade secrets, proposals, matters of national security, or other material that could interest someone else, you are home free. It certainly brings trust into the equation, though. You trust the phone manufacturer to produce a secure phone, or at least to patch it to an acceptable level, but do you demand the same of your base station supplier? When you define your Trusted Computing Base, take real care to include those that your trustees trust: trust is transitive, so a component you never chose to rely on is still in your TCB if something you do rely on depends on it.
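To make that last point concrete, here is a small added example (my own illustration, not from the article I read) that models trust as a graph and computes the effective TCB as everything reachable from the user. The component names and the edges between them are constructed for the sake of the example and do not describe any particular phone or vendor; the assumption that the application OS depends on the baseband, and the baseband on the network it attaches to, is the premise of the article summarised above.

```python
# Added example: the effective Trusted Computing Base as a transitive closure.
# Component names and edges are constructed for illustration only; they are
# not a description of any real handset, vendor or operator.

from collections import deque

# Each key trusts (depends on the correct behaviour of) every entry in its list.
# The user picks four things to rely on, but each of them rests on the
# application OS, which in turn rests on the baseband and, through it, on
# whatever base station the phone happens to attach to.
TRUST_EDGES = {
    "user": ["application OS", "anti-malware", "disk encryption", "https"],
    "application OS": ["baseband firmware", "phone vendor"],
    "anti-malware": ["application OS"],
    "disk encryption": ["application OS"],
    "https": ["application OS", "certificate authorities"],
    "baseband firmware": ["baseband vendor", "cellular network"],
    "cellular network": ["base station operator"],
}


def effective_tcb(graph, root):
    """Every component `root` trusts, directly or transitively (BFS closure)."""
    seen = set()
    queue = deque(graph.get(root, []))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def hidden_trust(graph, root):
    """Members of the effective TCB that `root` never chose to trust directly."""
    direct = set(graph.get(root, []))
    return effective_tcb(graph, root) - direct


def undermined_by(graph, root, compromised):
    """Which of `root`'s direct trust decisions fall if `compromised` is hostile.

    A direct trustee is undermined when it is the compromised component itself
    or when the compromised component is somewhere in its own effective TCB.
    """
    return sorted(
        d
        for d in graph.get(root, [])
        if d == compromised or compromised in effective_tcb(graph, d)
    )


if __name__ == "__main__":
    print("effective TCB:", sorted(effective_tcb(TRUST_EDGES, "user")))
    print("never chosen: ", sorted(hidden_trust(TRUST_EDGES, "user")))
    print("rogue base station undermines:",
          undermined_by(TRUST_EDGES, "user", "base station operator"))
```

Running it shows that the four controls the user consciously chose all sit downstream of the base station operator, so a fraudulent base station undermines every one of them, while a rogue certificate authority only undermines HTTPS. Drawing the graph before deciding what is "covered" is the cheap way to find the trustees you did not know you had.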