Earlier this year, we submitted a bug to Google for the Google Authenticator app on Android. Basically, the bug we submitted is that the secret key (the private code that when combined with an accurate source of time creates the one-time-use codes for use with Google’s open-sourced two factor authentication) is stored in the clear on Android devices. Google’s response was that this was behaving by design, and that not the system controls around the filesystem are sufficient to protect this information. We humbly disagree. Rooted devices get around these system controls that protect these secret keys. So would any malware that performed a privilege escalation exploit. And most importantly, backups of the phone (using a tool such as Titanium Backup) contains these secret[…]

Last week at the RSA Conference I had the opportunity to attend the “Mobile Security Battle Royale“, featuring a great panel of experts on mobile phone security. Moderated by Zach Lanier, the panel featured Tiago Assumpção and Collin Mulliner paired off against Charlie Miller and Dino Dai Zovi (co-authors of iOS Hacker’s Handbook).  As many great panels typically do, this panel featured no slides and no set talking points. Instead, Zach asked the panel some great questions to just get the ball rolling, and the panel started firing off great quotes left and right. I got busy live-tweeting the session and got (and re-tweeted) a few great quotes from many of the panel members which I have embedded below. One of the recurring themes was “which is[…]

Recently I had the chance to test out a clever little device called the hiddn Crypto Adapter. Made by Norway-based High Density Devices, the adapter looks somewhat like a miniature desk calculator with a USB port instead of a display, but its simple appearance belies some powerful functionality: transparent, real-time encryption of USB drives with two-factor authentication. The adapter essentially acts as a proxy between your computer and a USB drive, meaning it needs no software, has no operating system requirement, and works with everything from a flash memory stick to an external hard drive. All communication with the USB device is encrypted on the fly using 256-bit AES via a certified FIPS 140-2 Level 3 crypto module, but the[…]

Another iPhone killer is here. DROID. Whether you’re a fan of either product, or you’re still thumbing away on your Blackberry or WinMo device, there’s one thing to be said. There are plenty of apps now. A couple years ago it was a pretty daunting task to get any sort of application on your device that wasn’t already on your carrier’s supported list. WinMo users have been the only real open crowd here as every version of Windows Mobile has supported most of the older apps since the Windows CE days. But with the rise of more and more applications comes the rise of the risks associated with these applications.

Questions about the trustworthiness of electronic voting machines have been in the news a lot over the last few years. Plenty of people acknowledge the potential for abuse of these machines, and discussions of how they can be used to swing elections are pretty common. A trait that these discussions share are hypothetical scenarios or instances where an attacker would need to have some kind of esoteric/insider knowledge about the hardware and/or software running the machine to mount an effective attack. However, I recently came across a video detailing a real attack against a real voting machine, carried out by real engineers, using real tools and data, and showing very real results. The Sequoia AVC Advantage, a pretty old piece[…]

A recent study on lost laptops by Dell and the Ponenom Institute show how important data protection and encryption are, especially for portable devices. Here are some of the findings. 12,000 laptops are lost in US airports each week. 65-70% are never reclaimed. 53% carried sensitive corporate information. Guess how many of those machines were protected with encryption. You can read the entire report [pdf] and find out on page 7.