Monday, April 5, 2010

Big Brother watching you or mobile phone security issues

Lets talk about mobile phone security. You are well qualified security specialist and never install suspicious application on you handset, so, you think you are secure? Have you heard about OMA-DM technology?
OMA-DM stands from Open Mobile Alliance Device Management. Within the Open Mobile Alliance Device Management the standard for firmware handset updates is known as the Firmware Update Management Object (FUMO) This standard permits Firmware Over the Air (FOTA) technology. How it works - here you can find short description. But it was only first step of implementing such technology on the market.
The second step is SCOMO - Software Component Management Object standard that permits Software Component Over the Air (SCOTA) technology. This technology was created for more granular and flexible management of each software components. With SCOTA, one or more piece of software could be changed without requiring update whole handset firmware. SCOTA is a best way to create phones' application stores, so, consumers can have access to the latest applications, without needing to replace devices.
The most interesting thing that all these technologies use http/https over IP and xml data format.
Sound cool, does it? But lets turn on our paranoia:
1. These technologies allow vendors, mobile or value added service providers (but not only them) to install or delete any application or data on your mobile phone.
2. This technology uses centralized management model , so, from the one management Center it's possible to legally control a huge botnet of mobile phones.
3. This technology could allow (or it could be already used) government to spy on citizens.
4. These system components could be penetrated by some "bad guys" and used for stealing your data or spying on you.

Talking about OMA-DM overall security conception - I' ve found only OMA Device Management Security Candidate Version 1.2 document. According to it OMA-DM protocol use to level of authentication: on transport layer (recommended to use TLS 1.0, SSL 3.0 ) and on application layer (OMA-DM use MD5 !).
Some useful information for Windows based smartphones you can find on msdn web site:

How many phones support these technologies? There are two types of OMA-DM support: OMA-DM ready terminals (soft client already build-in) and terminals that need OMA-DM client to be installed by user to enable OMA-DM support. Some useful but a bit old information you can find here .

Big Brother is watching you! Stay secured!

2 comments:

  1. интересно, используется ли где-то на практике - не слышал об этом?

    ReplyDelete
  2. Знаю, что точно да. Но где конкретно еще не нашел

    ReplyDelete