A couple of interesting research papers from Stanford University.  I may decide to cover these in more detail in the future but for now I provide the links.

Mobile Device Identification via Sensor Fingerprinting
This research is significant because a mobile device can be uniquely fingerprinted, much like the HTML5 canvas attack.  As with the canvas attack, it bypasses any cookie policies or device hardware policies for reading mobile IMEI numbers, etc.  Users can be tracked without their knowledge or consent.

Gyrophone: Recognizing Speech From Gyroscope Signals
This research describes using the gyroscope on mobile devices as a microphone to listen to sounds or conversations in the vicinity of the phone.  This is interesting since any privileges assigned to the microphone are not applicable to the gyroscope.

With canvas fingerprinting, and the new weaknesses discovered by Stanford, there is a trend where device sensors are used in ways outside their design parameters.  If you're a hardware manufacturer, threat modeling your hardware devices with your engineering teams is probably a great exercise.

A few ideas to stimulate some thought: it may be possible to determine if a mobile device is being held by the capacitive properties of the human body on microwave transmitter power.  Exfiltrating data from mobile devices by modulating GSM, Wi-Fi, or Bluetooth to transmit over other harmonics.  Listening to conversations by picking up background IR modulated on reflected glass in the room over mobile IR sensors.  Using the capacitive touch-sensitive keypads in new and creative ways?  We have already seen ad hoc audio computer mesh networks transmitting ultrasonics over PC microphones and speakers.  It’s likely this can be done using mobile devices as well.  Imagine bots running on your mobile devices transmitting data to other bots over ad hoc audio mesh networks – creepy.  Even more creepy, many of these device hacks are not detectable by carrier network security controls.  The value of this research is not so much in the research itself but the new approaches it stimulates.  Guaranteed we will see more research using device sensors in new and creative ways we previously didn’t imagine possible.

–Milton

Figure 1: security infographic

Here is the raw public data behind the infographic for those interested.  Keep in mind the information comes from the National Vulnerability Database (NVD) and CVEDetails, which is an information aggregator of NVD.  You may find these public resources interesting for your own projects or persuasive presentations on security.

(1) CVEDetails (NVD) Vulnerability
Provides the aggregated yearly information.
http://cvedetails.com/browse-by-date.php

(2) Better or Worse?
Source for the quote.
2013 IC3 Annual Report, http://www.ic3.gov/media/annualreport/2013_IC3Report.pdf

(3) IC3 Complaints
Graph data for the number of complaints.
2013 IC3 Annual Report, http://www.ic3.gov/media/annualreport/2013_IC3Report.pdf

(4) Trust is Dead?
“…$180 billion or a 25% hit to overall IT service provider revenues [by 2016].”   James Staten – Forrester
http://blogs.forrester.com/james_staten/13-08-14-the_cost_of_prism_will_be_larger_than_itif_projects
* Hat tip to writer Kashmir Hill from Forbes for the web link to James's article.
http://www.forbes.com/sites/kashmirhill/2013/09/10/how-the-nsa-revelations-are-hurting-businesses/

(5) Vulnerability Mixer
http://cvedetails.com/vulnerabilities-by-types.php

(6) Year with the most reported vulnerabilities to date?
2006
http://www.cvedetails.com/browse-by-date.php

(7) Most vulnerable product ever?
Java and Flash not in the top 10
http://www.cvedetails.com/top-50-products.php

(8) Most vulnerable web browser?
Internet Explorer, not even close
http://www.cvedetails.com/top-50-products.php

–Milton