ITS 4050 - Internet and Web Security


Chapter 12, Securing Mobile Communications

This lesson presents some material from chapter 12. Objectives important to this lesson:

  1. Endpoint devices
  2. Wireless networks
  3. Communications commonly used by endpoint devices
  4. Risks, threats, and vulnerabilities
  5. OWASP mobile risks
  6. Best practices

Concepts:
Chapter 12

An endpoint device is any device that is at the end of a network branch. It is typically a device that serves the purposes of a user, not those of a system administrator, although we could make the case that any device with an IP address can be at the end of a branch. Endpoint devices can be any devices that attach to a network and can read data from that network. As the text reminds us, this category includes smart devices, cell phones, and tablets as well as laptops, printers, and more conventional computers. This chapter deals with mobile endpoint devices, and begins with a few remarks about cell phones.

I was reminded by an ad a few years ago that the first cell phone call was made on April 3, 1973, currently 48 years ago. The text mentions some history about early cell phones, which will make them seem quite old to modern readers. It may be useful to consider the diagrams at the bottom of pages 300 and 301. The first shows a schematic of a 3G network: a cell phone had the capacity to transfer voice signals or data signals over separate channels, but the data service varied greatly by carrier, plan, and location. The 4G system simplified the situation by pushing voice and data over the same IP connection to a cell tower, passing that data over a data network, and then forking to either an Internet based path to a data device or a PSTN (Public Switched Telephone Network) path to a telephone.

Page 303 presents a table of security concerns about 3G and 4G service. Confusingly, we are told that 3G does not encrypt packets on the data channel, but that IPSec is supported on it. I believe the author means that the technology supports it, but the carrier does not have to implement it. The same table tells us that security is better on 4G networks, but we should still be wary of trusting security whose implementation we know nothing about, as consumers usually do.

In case you are wondering, here is a link to an article on CNET, published 4/5/2019, about a test of 5G service that was just implemented in Chicago. The bottom line is that the reporter thought the service wasn't ready for prime time yet. If that doesn't mean anything to the younger readers, it means that it was a new technology, suffering from bugs, not performing up to the advertising hype that was generated for it. This is how technology often is when there are new developments. In the two years between then and now (2021), concerns still exist. This article, from March of 2021, addresses current ideas. The major lessons are that we should provide all the security we can for our customers, and that the carrier networks cannot guarantee security.

The next section of the chapter discusses several services that may be expected to operate on endpoint devices. The devices in question seem to be smart devices.

  • Voice service - Cell phones are expected to offer voice service, but non-phone devices may offer voice services through Skype or Facebook. The text seems mostly relieved that we are no longer in the days of unencrypted analog signals. At that time, eavesdropping was easy with frequency scanners. The text seems confident that encrypted signals are trustworthy in modern systems.
  • Internet browsing - The phrase "Internet browsing" covers a lot of risky activity, from shopping to bill payment and anything else that affects your money and credit. The text is concerned about using HTTP (clear text transmission) rather than the encrypted HTTPS. It is also concerned about virus protection for each device you use to access web pages for any reason. Cyberspace is often unfriendly. You need protection for your devices.
  • E-mail - The text proposes that people expect access to email, both business and personal, on any device they have handy. Until you are compromised by an email attack, you are unlikely to be a believer in the basic protections that have already been mentioned. It's a computer: protect it.
  • Instant messaging and text messaging - The text lists these as two services, but most people consider them to be the same, which may be why people are often surprised by the length of time a text message may take to be delivered. Instant messaging often uses a proprietary account and/or software. SMS messaging is typically compatible from one vendor to another, so it does not matter who your carrier is, or who your friend's carrier is.
    The first problem associated with messaging is that antivirus programs typically do not protect texts. On the other hand, an attack through a text is often from a file the text asks you to download and open, and a good antivirus program should catch that.
    The second problem is not technological. It is that people continue to text and drive, causing car crashes. How about this? Let's decide to do one thing at a time. Drive, text, eat, talk to your friends, whatever: pick one, and don't mess up the other things you were about to do badly.
  • Multimedia messaging - MMS service allows the addition of graphic, video, and audio files to messages. This is handy for sending someone a quick photo. Note the table on page 309 that examines each of these services in regard to four vulnerabilities. This service is vulnerable to all four. Tell your corporate customers not to use it? Good luck.

Regarding that table on page 309, note that all the listed services have vulnerabilities. Voice seems the safest; web browsing seems the most dangerous.

Pages 310 through 320 discuss ten risk articles published by OWASP. Taking a look at their site on the Internet, I see that the list in our text appears to match the OWASP list for 2014. So the text is not recent data. For what it's worth, these risks apply to mobile and non-mobile devices. This link will take you to a page comparing the OWASP Top Ten list for 2017 to the one for 2021.

The chapter ends with some general suggestions for better security. Most have been covered already in the chapter. Browse through this section. Let's discuss any ideas that seem valuable to you.

This is the video I started in class from Linus Sebastian:


This is a video, also from Linus, that is a bit more on point for a different part of the lesson:


 

Assignments

  1. Continue the reading assignments for the course.
  2. This week you have a discussion about 5G, a lab, and a part of your project.
  3. Complete and submit outstanding assignments.