t3st3r at mail.ru
Fri Aug 10 21:57:15 CEST 2007
Shakthi Kannan wrote:
> This is w.r.t. having a login manager for OpenMoko.
> I am not sure how other PDA phones implement login access, but, in the
> Nokia 6210 classic, even without the SIM card, it simply allows access
> to the phone, organizer applications, and data. So, if the phone is
> lost, valuable information will be stolen, which is something
> end-users don't like.
So far, virtually no phones protect USER data well enough. Actually, proprietary phones are doing some job at protecting their firmware from hacking and have pretty powerful protection in the operator-locking part, etc. And, er, virtually no protection of user data. While locks, etc. are encrypted and heavily checksummed/signed, the user's data are stored as is. So anyone with physical access to the phone can quite easily dump your private data if they really want to. Basically this can be done just over wires. At the very most ("uncooperative" boot loader, etc.), they have to use JTAG or desolder the flash IC. Not a great deal for pros. So, once you have lost the phone you have no reason to feel your data are too secure. They are not secure.
And the user's "phone code" is often implemented in a very lame manner - usually it is trivial to remove it or dump its value. So, no, if you lost your phone, the phone code will rather cause it to be removed and the phone never returned to you, while fair people will be effectively prevented from contacting you. So this can even work against the phone owner.
I can see two different approaches here.
1) You care about your data and do not care too much about whether the phone is returned to you.
The real way to protect all user data from unauthorized use in a quite powerful manner is to use file system encryption. This will make all things protected: phone book, calendar, notes and all your files. This costs though. The filesystem will be slower and, due to heavy CPU use, the battery will exhaust faster. Everything has its price, privacy too.
If someone is willing to implement this ever, there is a funny hint, just invented by me: a long password is a pain in the ass to type at boot time, and a short password is easy to bruteforce. So, you can store the long encryption key in the SIM as a phone number and name in the SIM address book. Access to the SIM is protected by a short PIN which is hard to brute-force since you only have 3 attempts to go and the SIM is a pretty secure thing :). So the user has to enter just a short PIN, but this will cause the powerful encryption key to become accessible from the SIM's address book. And those who do not know the PIN will not have access to this key since SIM cards refuse address book access without entering the proper PIN code, IIRC.
This can make data pretty secure. But... evil persons will just erase all this and reload a "factory" flash image so they can use the phone. Good persons will be prevented from contacting you to some degree since the phone gives no access to the address book. The idea of displaying your contact info on the boot splash/password request screen can help though.
2) You do care about the phone's return and do not care too much about unauthorised data access.
Then another approach can be good: the phone should allow all access to all data as usual, any SIM should be OK, etc. The recommended setting is no PIN and no phone code. But it should silently send its coordinates to, let's say, an e-mail to your mailbox or SMSes to a "friendly" number (your second phone number or a friend, etc.). SMSes will also expose the bad guy's phone number to you (your friend, etc.). So, bad guys can use the phone and access all your data, but it will silently track them a bit so you can get your phone back easily. Actually there should be no restrictions in data access or features. Otherwise the phone will be reflashed by evil people and the tracking will be stopped, so your chances to find your phone will become pretty low (IMEI tracking is proven to be quite ineffective since not each and every operator on the planet does this and they cooperate poorly enough). Well, this will leave all or some data accessible to bad guys, in exchange for tracking their location and the new SIM's phone number.
I see no effective way to combine these 2 different goals. One prevents access to data, but this will force bad guys to do a full reflashing, killing your (unusable) data but getting a working (usable) phone. The other approach makes the guys believe the phone does not defend itself and is not secured, while it really silently tracks the evildoers.
> I read this page:
> I put together a few points on the login manager:
> I am not sure if I have missed any user scenarios.
> Thoughts/suggestions/feedback appreciated. Just replace .pdf with .odt
> in the above to get the OpenOffice document.
> If login access has already been addressed in OpenMoko, please let me
> know. I hope this is clarified before mass market.
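The SIM-phonebook key idea from approach 1 above, as an added example that is not the poster's code: a constructed model of a PIN-gated SIM with a three-attempt lockout, the 128-bit filesystem key split into digit-only phonebook "numbers" (the 20-digit field limit and the FSKEY name prefix are assumptions), and a stored key-check value so the phone can tell a wrong key from a wrong PIN without revealing the key.

```python
import hmac
import hashlib

MAX_DIGITS = 20  # assumed digit capacity of one SIM phonebook number field (constructed value)


class SimCard:
    """Constructed model of a PIN-gated SIM phonebook: three wrong PINs block the card."""
    def __init__(self, pin, entries):
        self._pin = pin
        self._entries = dict(entries)
        self.attempts_left = 3
        self.blocked = False

    def read_phonebook(self, pin):
        if self.blocked:
            raise PermissionError("SIM blocked, PUK required")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.attempts_left -= 1
            self.blocked = self.attempts_left == 0
            raise PermissionError("wrong PIN")
        self.attempts_left = 3  # a correct PIN resets the counter, as on a real SIM
        return dict(self._entries)


def key_to_entries(key, prefix="FSKEY"):
    """Split a 128-bit key into digit-only 'phone numbers'; the name field carries the chunk index."""
    digits = str(int.from_bytes(key, "big")).zfill(39)  # 2**128 needs at most 39 decimal digits
    chunks = [digits[i:i + MAX_DIGITS] for i in range(0, len(digits), MAX_DIGITS)]
    return {f"{prefix}{n}": chunk for n, chunk in enumerate(chunks)}


def entries_to_key(entries, prefix="FSKEY"):
    """Reassemble the key from the phonebook, ignoring ordinary contacts stored alongside it."""
    chunks = sorted((name, number) for name, number in entries.items() if name.startswith(prefix))
    return int("".join(number for _, number in chunks)).to_bytes(16, "big")


def key_check_value(key):
    """Value the phone keeps unencrypted so it can recognise the right key without storing it."""
    return hmac.new(key, b"fs-key-check", hashlib.sha256).hexdigest()


def unlock_filesystem(sim, pin, expected_kcv):
    """Return the filesystem key, or a status string saying why it could not be recovered."""
    try:
        key = entries_to_key(sim.read_phonebook(pin))
    except PermissionError as exc:
        return str(exc)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        return "recovered key does not match this filesystem"
    return key
```

The key never leaves the SIM until the short PIN is accepted, and the lockout after three wrong PINs is what makes the short PIN acceptable as the only thing the user types at boot.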