{"id":1021,"date":"2009-03-05T13:56:32","date_gmt":"2009-03-05T21:56:32","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=1021"},"modified":"2009-03-05T13:56:32","modified_gmt":"2009-03-05T21:56:32","slug":"security-review-portable-computing","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/05\/security-review-portable-computing\/","title":{"rendered":"Security Review: Portable Computing"},"content":{"rendered":"

Portable computing continues to increase in diversity and use.\u00a0 <\/span>While a few years ago the number of average people that carried a laptop around with them were relatively few, increases in the capabilities of cell phones as well as the rise of the netbooks are resulting in a society where any given person walking around on the street is likely to be carrying a portable computing device on them with the capability to store sensitive documents and browse the web.\u00a0 <\/span>This means that it\u2019s more and more likely that the average person has with them a device that is designed to make it convenient for them to access their bank accounts and sensitive personal documents.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

While this is certainly a very broad area to analyze, there are some specific areas that pose a security threat to these devices that haven\u2019t really applied to using one\u2019s desktop at home or work.\u00a0 <\/span>Two of these areas will be analyzed below.\u00a0 <\/span>First is that because these devices are so portable, they are susceptible to both accidental loss (left it behind on the table in the coffee shop, in a booth at a restaurant, etc) as well as physical theft by both pickpockets and muggers.\u00a0 <\/span>Second, as these devices are used out in the open they are susceptible to \u201cover the shoulder\u201d attacks, including everything from physically watching the screen or keystrokes from a distance to recording the pitch or timing of keystrokes to acquire personal information.\u00a0 <\/span>A third area is the security of the wireless communications of these devices, but I will not analyze that aspect here.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

One important security goal of these devices should be \u201csecure by default\u201d.\u00a0 <\/span>These are devices that are used by the average person with limited technical or security knowledge, and home users lack the corporate IT department to ensure that security practices are being followed\/implemented.\u00a0 <\/span>Thus unless the default settings and usability scenarios implement security, the devices will be left vulnerable.\u00a0 <\/span>The main assert of these devices is secure information contained on the device or inputted through the device.\u00a0 <\/span>This includes sensitive documents physically stored on the device, as well as cached credentials to login to various webpages and user history.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

One adversary\/threat, as has been mentioned, is anyone who is willing to attempt to physically steal the device to gain access to it\u2019s information, for whatever reason.\u00a0 <\/span>Thus the threat is an adversary having physical, unrestricted access to the device.\u00a0 <\/span>Another threat is an adversary that will only collect information from a distance, and thus information displayed on screen in a public setting or input in a public setting can be vulnerable to discovery.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

The weakness I am considering have already been mentioned.\u00a0 <\/span>They are the weakness of small size and portability (through obviously this is simultaneously a strength for the purpose of these devices) as well as the weakness of insecure input and output in public settings (the input is visible to more than just the user, and the screen is visible to more than just the user).<\/span><\/p>\n

\u00a0<\/span><\/p>\n

While many possible defenses could be thought of, they all have the difficulty of decreasing convenience for a device that is designed to be convenient.\u00a0 <\/span>One such defense could be automatic encryption of the entire persistent storage of the device, with a password required every time one wanted to use the device.\u00a0 <\/span>This would not only slow down performance of the device once logged on, but would also generally irritate most users if they had to input a password every time they wanted to use their portable device.\u00a0 <\/span>A more feasible approach would probably be to have some way for the device to detect who it\u2019s being used by (biometrics, a separate RFID chip carried by the user, etc), but each of these options carry with them their own pros and cons.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Another defense that could be considered is polarized screens for portable devices, such that the viewable angle for the screen is limited to nearly straight-on.\u00a0 <\/span>This again increases security, but the reduction in image quality and other effects of this may be undesirable to the user.\u00a0 <\/span>Other options for increasing the security of both input devices and output displays in public settings seems to be an area that could benefit from further research.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

The risks associated with these devices will continue to increase as they become more and more a part of every day life for the average member of society.\u00a0 <\/span>The more these devices enable a user to access, the more valuable they will be to an adversary.\u00a0 <\/span>As this technology continues to evolve, maintaining security and privacy on a device used in public should be a constant consideration.\u00a0 <\/span>To conclude, portable computing devices provide a wide range of possibilities and convenience.\u00a0 <\/span>These devices will continue to become both more powerful and more widely used as time goes on.\u00a0 <\/span>As this happens, the security of these devices, especially in the presence of average non-technical users, will become more and more of an issue.\u00a0 <\/span>Thought must be given to maintaining the security of powerful, private devices used in public settings.<\/span><\/p>\n

\u00a0<\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Portable computing continues to increase in diversity and use.\u00a0 While a few years ago the number of average people that carried a laptop around with them were relatively few, increases in the capabilities of cell phones as well as the … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":116,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1021","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1021","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/116"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=1021"}],"version-history":[{"count":2,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1021\/revisions"}],"predecessor-version":[{"id":1023,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1021\/revisions\/1023"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=1021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=1021"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=1021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}