From the "why won't wireless show me an MITM" department, Risks advises of these new threats to consider for your secure phone app:
"Andre Kramer" ... Thu, 18 Aug 2005 11:31:28 +0100
The Cambridge Evening News reported yesterday ("Phone Pirates in seek and steal mission" 17th August 2005) that several laptop computers have been stolen from car boots (automobile trunks for US readers) in Cambridge (UK). The article claimed that "Bluetooth" was used to detect the laptops' presence. While the thefts appear related, the claimed modus operandi seems unlikely as short range wireless would be inactive unless the laptops were powered on (to be fair, the article also mentioned "other electronics"). The risk: thinking your devices are safe in the car boot when they don't have wireless.
Makes sense. Closing the top of a laptop may not have closed off Bluetooth. Or, it might be easy to construct something that otherwise sniffs laptops in power saving mode. Lead-lined laptop bags, anyone?
And, taking the shine off the cell/mobile phone as the ultimate in secure platforms, consider just how much of a peeping tom your telco is:
Cellphone carriers can listen in through your phone?
Posted Aug 5, 2005, 10:20 AM ET by Ryan Block
We’re always a little wary of that very blurry line between protection of the general public and infringements on basic civil liberties, but it would appear that according to the Financial Times by way of the Guardian, at least one UK cellphone carrier not only has the power (and mandate) to remotely install software over the air to users’ handsets that would allow for the kind of monitoring we thought only perverts and paranoiacs had access to: picking up audio from the phone’s mic when the device isn’t on a call. While we don’t think the backlash on this one has really gotten underway yet, and though we do hate to rock a cliché, we can’t help but be reminded of that classic Benjamin Franklin quote, “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” What’s worse, a cellphone carrier and The Man are gonna take it from us without our permission on the sly?
Now, the big issue here is whether a telco (or any other party) can download a program to sniff out your keys. For this reason, the favoured platform is a PDA, with one and only one program on it, and no comms 'cept those we said. Anything else is a compromise, but that's ok, for those markets that can deal with the risks.
These can be considered to be an addendum to last week's wireless threats, but alas, still no MITMs recorded.
Posted by iang at August 29, 2005 06:51 PM