Securing
Mobile Critical
Communications
TELSY
Company profile
Our history
Since 1971 Telsy, a company of the TIM group, has been a trusted security partner
for tailored ICT solutions and services.
Telsy has been placed under the Government's Golden Power because of
its importance to our national security.
We support the strengthening of national security and resilience
by sharing our experience and providing effective systems
for government customers and for commercial organisations
that require the protection of critical business systems.
World Population
• 7.75 Billion
• Italy: 60.5 Million
Internet Users
• 4.54 Billion (59% of population)
• 4.18 Billion mobile Internet users (92% of Internet users)
• Italy: 50 Million (82% of population)
• Italy: 45.6 Million mobile Internet users (92% of Internet users)
Mobile Connections
• 7.95 Billion (103% of population)
• 5.19 Billion unique users
• Italy: 80 Million (133% of population)
• Italy: 50 Million unique users
Social Network Users
• 3.8 Billion (49% of population)
• 3.75 Billion using a mobile phone (99% of social network users)
• Italy: 35 Million (58% of population)
• Italy: 34.7 Million using a mobile phone (99% of social network users)
Source: WeAreSocial and Statista
ATTACK
SURFACE
Source: Eurostat, WeAreSocial and Statista
99% of all mobile subscribers used an IM app or a social network over the past year
52% of the total day time is spent working (EU)
Such a vast volume of messages carries almost every type of information, including business and work-related content
Facebook alone controls almost 50% of the mobile messaging market
SECURITY
CONCERNS
Source: Google Trends, CNN, CNBC, Facebook, MITRE
Chart (not reproduced here): WhatsApp security concerns (Google Trends, in blue) plotted against NSO Group Pegasus spyware news over the past five years.
CVE-2019-3568 (CVSS base score 9.8, critical): a buffer overflow in WhatsApp's VoIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number. Exploitation needed no interaction from the victim: the target did not have to answer the call.
On October 30 2019, WhatsApp's parent company Facebook confirmed that this flaw had been exploited to deliver Pegasus against journalists, activists, lawyers and senior government officials.
GLOBAL
SURVEILLANCE
• PRISM 2007 – 2013
• Global surveillance platform for VoIP, IM and data
• The main US vendors and telcos all took part in it
• MYSTIC 2009 – 2014
• Surveillance system able to record and store all the phone calls of an entire country for 30 days
• XKeyscore 2008 – 2013
• Global surveillance system for Internet traffic, email, ...
• Built on "implants" in network equipment
• BULLRUN ???? – 2013
• Intentional software and cryptographic backdoors inserted into cryptography standards
• Dual_EC_DRBG case: standardised by NIST in SP 800-90 in 2006 and only withdrawn in 2014 (its weakness had already been presented at the CRYPTO 2007 rump session)
“A Trojan is really, really big. You can’t say that was a mistake. It’s a massive piece of code collecting keystrokes. But changing a bit-one to a bit-two is probably going to be undetected. It is a low conspiracy, highly deniable way of getting a backdoor. So there’s a benefit to getting it into the library and into the product.”
Bruce Schneier (Wired 2013)
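The Dual_EC_DRBG case is easier to see in code. What follows is an added example written for this page, not code from Telsy, NIST or any product: it implements the generator as SP 800-90A describes it, plants the trapdoor relation P = e*Q that the standard never rules out, and recovers the internal state from two outputs. The secret `d`, the function and parameter names, the seed and the truncation width are constructed for the example, and the curve is secp256k1 rather than the P-256 the standard used, because its constants are short and the relation is the same on any curve. The standard drops the top 16 bits of each output, which costs the attacker a 2^16 search; the example drops 4 to keep the run short.

```python
"""Dual_EC_DRBG trapdoor, demonstrated end to end (constructed example).

Dual_EC_DRBG keeps a secret state s and two public curve points P and Q.
Every call does:
    r   = x(s*P)                               # intermediate scalar
    s   = x(r*P)                               # next state
    out = x(r*Q) with the top bits dropped     # bits handed to the caller
If whoever fixed the constants knows e with P = e*Q, one output is enough
to rebuild R = r*Q, compute e*R = r*P and read the next state, after which
every future output is predictable.  This file plays both the generator
and the holder of the trapdoor.
"""
from __future__ import annotations

import secrets

# secp256k1: y^2 = x^3 + 7 over GF(P_MOD); G generates a group of prime order N.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity


def add(p1, p2):
    """Affine point addition (handles doubling and the point at infinity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k: int, pt):
    """Double-and-add scalar multiplication k*pt."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def lift_x(x: int):
    """A point with this x-coordinate, or None.  P_MOD = 3 mod 4, so one pow() gives the root."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def make_params(d: int):
    """P is the public generator; Q = d*G is derived from the secret d (constructed).
    Then P = e*Q with e = d^-1 mod N: e is the trapdoor the constants' author keeps."""
    P, Q = G, mul(d, G)
    return P, Q, pow(d, -1, N)


class DualEC:
    """The generator as the standard defines it, with a configurable truncation."""

    def __init__(self, seed: int, P, Q, trunc_bits: int):
        self.s, self.P, self.Q = seed % N, P, Q
        self.mask = (1 << (256 - trunc_bits)) - 1

    def next_output(self) -> int:
        r = mul(self.s, self.P)[0]
        self.s = mul(r, self.P)[0]
        return mul(r, self.Q)[0] & self.mask


def recover_state(out1: int, out2: int, e: int, P, Q, trunc_bits: int):
    """Attacker side: from two consecutive outputs and the trapdoor e,
    return the generator state that followed out1 (None if no candidate fits)."""
    kept = 256 - trunc_bits
    mask = (1 << kept) - 1
    for top in range(1 << trunc_bits):          # guess the dropped bits
        x = (top << kept) | out1
        if x >= P_MOD:
            continue
        R = lift_x(x)                           # R = r*Q up to sign; sign does not affect x(e*R)
        if R is None:
            continue
        s_next = mul(e, R)[0]                   # e*R = r*(e*Q) = r*P, whose x is the next state
        r2 = mul(s_next, P)[0]                  # confirm the candidate against out2
        if mul(r2, Q)[0] & mask == out2:
            return s_next
    return None


TRAPDOOR_D = 0x1337C0DEDEADBEEFFEEDFACECAFEBABE  # constructed "standard author" secret


def demo(seed: int | None = None, trunc_bits: int = 4) -> dict:
    """Run the generator, recover its state from two outputs, predict the third."""
    P, Q, e = make_params(TRAPDOOR_D)
    if seed is None:
        seed = secrets.randbelow(N - 1) + 1
    drbg = DualEC(seed, P, Q, trunc_bits)
    out1 = drbg.next_output()
    true_state = drbg.s                         # what the attacker must recover
    out2 = drbg.next_output()
    recovered = recover_state(out1, out2, e, P, Q, trunc_bits)
    if recovered is None:
        raise RuntimeError("state recovery failed")
    clone = DualEC(recovered, P, Q, trunc_bits)
    clone.next_output()                         # reproduces out2
    return {"true_state": true_state, "recovered_state": recovered,
            "predicted": clone.next_output(), "actual": drbg.next_output()}


if __name__ == "__main__":
    result = demo()
    print("state recovered:", result["recovered_state"] == result["true_state"])
    print("next output predicted:", result["predicted"] == result["actual"])
```

The attacker never touches the seed: the whole secret is in the relation between P and Q, which is exactly what Schneier's "changing a bit-one to a bit-two" points at. Generating Q from a verifiably random, nothing-up-my-sleeve procedure, or letting each deployment pick its own Q, removes the trapdoor; the published constants did neither.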
DEFENSE IN DEPTH
«How can you defend a physical installation
from a large number of unknown threats?»
Use what military doctrine calls "Defense in Depth"
Idea
• Build multiple, independent countermeasures
• Defend extended attack surfaces with concentric defenses that progressively reduce exposure
DEFENSE IN DEPTH
Infrastructural Level
HW Level
Device Level
Endpoint Level
Application Level
Infrastructural Level
• Full control over the communication infrastructure
• Channel protection (high performance encryptors, 10Gb/s)
• Cyber Security Systems (Threat Intelligence Platform)
HW Level
• Assured supply chain
• Use of Common Criteria EAL5+ certified technology for the protection of sensitive parameters
Device Level
• Partnership with Samsung to build a unique, hardened mobile device based on the Galaxy S10
Endpoint Level
• Endpoint protection built with domestic (Italian) technology
• A unique feature in the mobile market
Application Level
• Secure Unified Communication application using quantum-resistant techniques
TSM S10
Use of the embedded Secure Element (eSE) to enhance phone security
Hardening
Hardening approach
• Custom Android firmware, built through the Telsy / Samsung partnership, to finely control access to the phone's critical devices
• Pluggable cryptography: customers have full control over the keys and algorithms used
• Hardware lockdown to restrict the use of some devices (e.g. the microphone) and reduce the attack surface
• Complete control of data using the Telsy infrastructure
Keys and critical security parameters are stored on an additional hardware security token in microSD form (CC EAL5+ evaluated). Note that an EAL level states the depth of the evaluation against the token's own Security Target; it is not a claim about the phone as a whole.