This lesson presents some material from chapter 12.
Objectives important to this lesson:
Endpoint devices
Wireless networks
Communications commonly used by endpoint devices
Risks, threats, and vulnerabilities
OWASP mobile risks
Best practices
Concepts:
Chapter 12
An endpoint device is any device that is at the end of a network
branch. It is typically a device that serves the purposes of a
user, not those of a system administrator, although we could make
the case that any device with an IP address can be at the end of a
branch. Endpoint devices can be any devices that attach to a
network and can read data from that network. As the text reminds
us, this category includes smart devices, cell phones, and tablets
as well as laptops, printers, and more conventional computers.
This chapter deals with mobile endpoint devices, and begins with a
few remarks about cell phones.
I was reminded by an ad a few years ago that the first cell phone
call was made on April 3, 1973, currently 48 years ago. The text
mentions some history about early cell phones, which will make
them seem quite old to modern readers. It may be useful to
consider the diagrams at the bottom of pages 300 and 301. The
first shows a schematic of a 3G network: a cell phone had the
capacity to transfer voice signals or data signals over separate
channels, but the data service varied greatly by carrier, plan,
and location. The 4G system simplified the situation by pushing
voice and data over the same IP connection to a cell tower,
passing that data over a data network, and then forking to either
an Internet-based path to a data device or a PSTN (Public Switched
Telephone Network) path to a telephone.
Page 303 presents a table of security concerns about 3G and 4G
service. Confusingly, we are told that 3G does not encrypt packets
on the data channel, but that IPSec is supported on it. I believe
the author means that the technology supports it, but the carrier
does not have to implement it. The same table tells us that
security is better on 4G networks, but we should still be wary of
trusting security whose implementation we know nothing about, as
consumers usually do.
In case you are wondering, here is a link to an article on CNET, published 4/5/2019
about a test of 5G service that was just implemented in Chicago.
The bottom line is that the reporter thought the service wasn't
ready for prime time yet. If that doesn't mean anything to the
younger readers, it means that it was a new technology, suffering
from bugs, not performing up to the advertising hype that was
generated for it. This is how technology often is when there are
new developments. In the two years between then and now (2021),
concerns still exist. This article, from March of 2021, addresses
current ideas.
The major lessons are that we should provide all the security we
can for our customers, and that the carrier networks cannot
guarantee security.
The next section of the chapter discusses several services that
may be expected to operate on endpoint devices. The devices in
question seem to be smart devices.
Voice service - Cell phones are expected to offer voice
service, but non-phone devices may offer voice services through
Skype or Facebook. The text seems mostly relieved that we are no
longer in the days of unencrypted analog signals. At that time,
eavesdropping was easy with frequency scanners. The text seems
confident that encrypted signals are trustworthy in modern
systems.
Internet browsing - The phrase "Internet browsing"
covers a lot of risky activity, from shopping to bill payment
and anything else that affects your money and credit. The text
is concerned about using HTTP (clear text transmission) rather
than the encrypted HTTPS. It is also concerned about virus
protection for each device you use to access web pages for any
reason. Cyberspace is often unfriendly. You need protection for
your devices.
E-mail - The text proposes that people expect access to
email, both business and personal, on any device they have
handy. Until you are compromised by an email attack, you are
unlikely to be a believer in the basic protections that have
already been mentioned. It's a computer: protect it.
Instant messaging and text messaging - The text
lists these as two services, but most people consider them to be
the same, which may be why people are often surprised by the
length of time a text message may take to be delivered. Instant
messaging often uses a proprietary account and/or software. SMS
messaging is typically compatible from one vendor to another, so
it does not matter who your carrier is, or who your friend's
carrier is.
The first problem associated with messaging is that antivirus
programs typically do not protect texts. On
the other hand, an attack through a text is often from a file
the text asks you to download and open, and a good antivirus
program should catch that.
The second problem is not technological. It is that people
continue to text and drive, causing car crashes. How about this?
Let's decide to do one thing at a time. Drive, text, eat, talk
to your friends, whatever: pick one, and don't mess up
the other things you were about to do badly.
Multimedia messaging - MMS service
allows the addition of graphic, video, and audio files to
messages. This is handy for sending someone a quick photo. Note
the table on page 309 that examines each of these services in
regard to four vulnerabilities. This service is vulnerable to all
four. Tell your corporate customers not to use it? Good
luck.
Regarding that table on page 309, note that all the listed
services have vulnerabilities. Voice seems the safest; web
browsing seems the most dangerous.
Pages 310 through 320 discuss ten risk articles published by
OWASP. Taking a look at their site on the Internet, I see that
the list in our text appears to match the OWASP list for 2014. So
the text is not recent data. For what it's worth, these risks
apply to mobile and non-mobile devices. This link will take you to
a page comparing the OWASP Top Ten list for
2017 to the one for 2021.
The chapter ends with some general suggestions for better
security. Most have been covered already in the chapter. Browse
through this section. Let's discuss any ideas that seem valuable
to you.
This is the video I started in class from Linus Sebastian:
This is a video, also from Linus, that is a bit more on point for
a different part of the lesson:
Assignments
Continue the reading assignments for the course.
This week you have a discussion about 5G, a lab, and a
part of your project.