{"id":504,"date":"2009-01-23T17:33:40","date_gmt":"2009-01-24T01:33:40","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=504"},"modified":"2009-01-23T17:33:40","modified_gmt":"2009-01-24T01:33:40","slug":"obamas-blackberry-security-review","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/23\/obamas-blackberry-security-review\/","title":{"rendered":"Obama&#8217;s Blackberry Security Review"},"content":{"rendered":"<p>It looks like, after much debate, Obama will be allowed to continue to use a smart phone (From most articles I have read, it seems unclear whether the phone will still be the Blackberry he seemed to like so much, or if it will be a NSA approved smart phone, or a combination of the two).\u00a0 Much of the debate centered around whether a Blackberry could be made secure enough for the President&#8217;s day to day use.\u00a0 For example, Obama would not want a highly sensitive conversation with the Secretary of Defense to be heard by anyone trying to listen in.\u00a0 Smart phones can also deal with email and the internet in general, which opens up the possibility of an exploit coming from there.\u00a0 Smart phones also have GPS receivers, and are in essentially constant contact with cell towers, both providing methods to track the phone.<!--more--><\/p>\n<h2>Assets<\/h2>\n<ul>\n<li>Obama needs to ensure that any sensitive voice communications using his smart phone are unintelligible to anyone that intercepts them.\u00a0 Voice communications should also not be spoofable.\u00a0 For example, if Obama were to say &#8220;launch the rocket&#8221; in reference to the testing of some new rocket from NASA, we would not want someone to replay that message to someone in the military that is ready to launch a rocket propelled missile somewhere.\u00a0 (I realize this is a very contrived and difficult to pull off example, but I imagine there are people out there who could think of a more realistic and doable exploit for this)<\/li>\n<li>The smart phone itself needs to be secure.\u00a0 By this I mean that it should not be possible for an attacker to gain remote access to the smart phone.\u00a0 If the attacker is able to do this, then they can easily access location information, as well as any key information used to encrypt communications.<\/li>\n<\/ul>\n<h2>Potential Adversaries<\/h2>\n<ul>\n<li> The most obvious adversary would be terrorists wanting to learn high level secrets or impersonate the president.<\/li>\n<li>Another threat could be malicious governmental officials wanting to hurt Obama&#8217;s reputation, or maybe just wanting to sell the information for great financial gain.<\/li>\n<\/ul>\n<h2>Potential Weaknesses<\/h2>\n<ul>\n<li> Probably the biggest weakness will be Obama himself.\u00a0 As smart phones are able to access the internet, he could plausibly be tricked into downloading and installing malware giving the attacker access to his phone.\u00a0 It is also plausible that Obama could accidentally leave the phone somewhere where anyone could pick it up and access it.<\/li>\n<li>Another potential weakness is in making sure sensitive communications are authenticated as being from Obama.\u00a0 For example, we would not want anyone thinking Obama said that we should &#8220;attack Iran&#8221;.<\/li>\n<\/ul>\n<h2>Potential Defenses<\/h2>\n<ul>\n<li> The secret service and the NSA should definitely make sure Obama is informed of all the security risks of downloading and installing arbitrary software.\u00a0 Also, since they only have to check one person&#8217;s activities, they could have a dedicated team inspecting everything Obama wants to download, ensuring he does not install malicious software.\u00a0 This may be a bit overkill, but would go a long way to making the use of a smart phone more secure.\u00a0 As for Obama forgetting a smart phone somewhere, it is likely that his aides and the secret service will be told to always make sure he does not leave it.\u00a0 With more people thinking about it, it will be much less likely that Obama will forget his smart phone somewhere.<\/li>\n<li>To protect against spoofing communications from Obama, they would need to make use of a MAC, notably one that included sequence ids.\u00a0 It would be important to include the sequence ids to prevent the possibility of replay attacks.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>As we can see, there is a large amount of risk inherent in Obama using a smart phone as president.\u00a0 These risks can range from national security breaches to crippling Obama&#8217;s reputation as President.\u00a0 As such, a very high level of security is necessary to make these risks acceptable.\u00a0 An article at <a href=\"http:\/\/abcnews.go.com\/Technology\/Story?id=6712260&amp;page=1\">http:\/\/abcnews.go.com\/Technology\/Story?id=6712260&amp;page=1<\/a> gives an overview of some of the high level security concerns and how they were dealt with.\u00a0 It doesn&#8217;t sound like any actual methods have been disclosed, rather the article cites guesses by experts.\u00a0 One such guess is that they will &#8220;stay ahead of potential hackers by changing codes, methods and, potentially devices, with high frequency.&#8221;\u00a0 While changing codes and devices could be beneficial (If one device is unknowingly infected, changing will effectively mitigate this), changing of methods is not always good for security.\u00a0 Creating robust security methods is very hard to do, so if they were to change frequently, there is a good chance most of them would have flaws.\u00a0 On a similar note, obfuscating the security system in general (as they seem to be doing), is usually considered bad practice, as there is a limited number of eyes vetting it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It looks like, after much debate, Obama will be allowed to continue to use a smart phone (From most articles I have read, it seems unclear whether the phone will still be the Blackberry he seemed to like so much, &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/23\/obamas-blackberry-security-review\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":109,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,5],"tags":[],"class_list":["post-504","post","type-post","status-publish","format-standard","hentry","category-miscellaneous","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/109"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=504"}],"version-history":[{"count":5,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/504\/revisions"}],"predecessor-version":[{"id":509,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/504\/revisions\/509"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}