Nortel Voice Security

The official Nortel news blog

Hacking The Sky — The Woahphones Are Coming!

Jeff Lewis from my team joins us with an interesting post on the Woahphone. Lawrence

The idea of open source software running on a phone certainly is not new. Windows Mobile Smart Phones have had this capability since inception. Anyone can write software to run on them, the software development kit is free, and there is plenty of source code around to draw upon. But the operating system (OS) code itself remains closed source. So what would happen if you opened it up and let everyone see under the hood? Well, if Google Android, OpenMoko, Qtopia and other such Linux-based projects are successful, we are going to find out. These projects, and others like them, promise varying degrees of openness in the operating system for mobile phones, which is in stark contrast to other systems like the iPhone, BlackBerry, and Windows Mobile based devices. The million dollar question is this: as far as Voice Security is concerned, is an open source operating system on a handset a good idea?

If history has anything to say about it, open source operating systems seem to be more secure than closed source ones. Maybe that is because undifferentiated access to the inner workings of an operating system makes it less of an attractive target for wrongdoers. Or maybe it is because the number of eyes on the code helps to improve its security posture. Maybe it has nothing to do with the open source vs. closed source debate at all, and what really makes a target out of an OS is the way a company conducts its business. As such, the question remains, “Will Google’s Android be as popular a target as the Windows family is, or will it be on par with other open source operating systems?” The jury is still out. However, looking at the open source nature of a mobile phone OS is not the entire picture. There is something else that can change the security landscape significantly.

Google is positioning Android to usher in a new age of connectivity in handsets. Wired Magazine has an interesting article about what Android is trying to accomplish, and one thing that stands out is the idea that “Coders were told that their applications would have constant access to the Net” (page 4). So this is interesting on at least two fronts: a mobile phone with a totally open source operating system and a constant connection to the Internet. Is that even a phone anymore? Seems to me that’s more of a mobile computer with voice capabilities, or a “woahphone”: a Wireless Opensource Always on Handset. To be clear, Android is not actually a phone; it is the OS. Any device running it would then be the woahphone. Although I found no specific evidence of OpenMoko and Qtopia being positioned as woahphones, there is certainly no reason they could not be, since they already satisfy the open source requirement.

The security implications of a woahphone like Android are quite interesting. If anyone can study and alter the OS, the SDK is freely available, and the internet connection is always on, are we about to see a new generation of “woahware” such as mobile viruses, botnets, trojans, worms, malware, adware, scanners, sniffers, spoofers and who knows what else? That is just on the data side. What about toll fraud, eavesdropping, vishing, SPIT and the rest of the usual voice security concerns? Are we about to witness a new wing of the security industry open for business, or are we about to see the most secure mobile platform that has ever existed? The answer will partly lie in their (Google’s) security strategies, and partly in their success. Android’s security model actually looks a lot like Bitfrost from the OLPC Foundation. Both are based on a sound “least privilege” model, and that is a very good thing.

Looking at Google’s past success in the search engine space, it is easy to imagine that they will be similarly successful with Android and thereby reach critical mass with its deployment. This same critical mass and success also stands to make Android a lucrative target for attackers. In short, the more successful a product is, the bigger a target it is. According to Gartner, the number of PCs in use right now has just surpassed 1 billion globally, and we all know what the security situation is like there. By comparison, the number of mobile phones is nearly triple that at 2.6 billion, and the number of smart phones sold in 2008 alone is approaching 200 million, one fifth the total number of PCs in use. Clearly, it will not take long at these rates for smartphones, and possibly even woahphones, to outnumber PCs. Given these statistics, and that more and more people are using their phones to bank, invest, shop and conduct other such financial transactions, where might attackers focus their efforts? Looking at the law of averages, the picture becomes pretty clear.

In preparation, Google seems to be doing the right things. They have set up a vulnerability disclosure process, which is based on a responsible disclosure philosophy. They have also published some details on their security model, and started a forum for discussion, although it appears to have gotten off to somewhat of a slow start. At the time of writing this blog post, none of the questions posted there had been responded to, including my own.

To be fair, they have not officially launched Android yet, so I would expect the discussion groups to become a little more lively as we approach release day. I am more than a little disappointed they have not published any whitepapers or architectures on how the security model works, or at least if they have, they are not on their website at the time this post was written. Security professionals need time to look into the security behind the launch of these devices so they may better prepare their infrastructure, perform threat and risk assessments, and implement changes if required. If a vulnerability is discovered in the OS, what will the mechanism of patch deployment be? Can it impact the voice infrastructure? Traditionally, if a mobile phone had a vulnerability, it stayed there. Carriers are usually quite reluctant to release updates for their clients’ handsets. Will Android change this through its always connected paradigm? Will it even be up to the carrier anymore? We’ll have to wait and see.

Moving forward, I will continue to watch this fascinating endeavor as it evolves, and dig a little deeper into the Android security model and its potential implications (if any) on Voice Security. The concepts of woahphones and woahware may be new, but malware is not. Given the level of openness of these operating systems, and the “always connected” paradigm, there will certainly be interesting times ahead. I prefer to be prepared.

Jeff Lewis, CEH
Security Architect
Nortel
