1. Introduction - wiki.cis.unisa.edu.au file · Web viewFrom the year 2010 onwards, the...


Table of Contents

1. Introduction
1.1 Introduction
1.2 Rise of smartphone
1.3 Risk of smartphone
1.3 Introducing remote wipe
2. Research Question
2.1 Theoretical attack on ADM
2.2 Formulating research questions
3. Research Scope
4. Literature Review
4.1 Discussion on patents
4.2 Number of overwrites
4.4 Flash translation layer
4.5 File system
4.6 Summary
Legal Authorities
References


Security Aspect of Remote Wiping in Android

Table of Figures

Figure 1: Remote wiping process in ADM
Figure 2: ADM web interface
Figure 3: ADM app interface
Figure 4: Erase device prompt
Figure 5: Web traffic between web browser and Google's web server
Figure 6: Capturing banking instruction in CSRF
Figure 7: Asking victim to execute the instruction
Figure 8: Web traffic between Smartphone and Internet


1. Introduction

1.1 Introduction

From the year 2010 onwards, the world has witnessed tremendous growth in smartphone sales and adoption. According to an International Data Corporation report (International Data Corporation 2014), in 2013 the worldwide market reached a milestone when vendors shipped over a billion smartphones. That is an increase of 38.4 percent on 2012's 725.3 million shipments and more than double the 494.4 million smartphones shipped in 2011. This in turn has further increased the penetration rate of smartphones among the worldwide population.

1.2 Rise of smartphone

The contemporary smartphone industry is rooted in the feature phone industry that preceded it and that is still somewhat vibrant in many countries (Head 2013). The shift from the earlier mobile devices, known as “feature phones” due to mostly being a sum of their features, to devices labelled as “smartphones” with more cross-functional usability has been gradual and relatively seamless. A feature phone is generally understood to be a mobile device that does not run one of the four most popular smartphone operating systems (OS) (Smith 2012, p. 2): iOS, Android, BlackBerry, and Windows Phone. As technology advances, the mobile device industry will nevertheless keep shifting more and more towards these so-called smartphones. This can be observed in the fact that global annual smartphone sales surpassed sales of feature phones for the first time in 2013.

Many have observed that the smartphone industry started to grow rapidly after the release of Apple's iPhone in 2007 (Paik & Zhu 2013, p. 10; Müller et al. 2013, p. 1). The term “smartphone” was allegedly coined around 1997 (Müller et al. 2013, p. 1), and the first mobile device that could be considered a smartphone shipped in 1999 (Raento, Oulasvirta & Eagle 2009, p. 429), while the first smartphone to begin penetrating the mobile device market was arguably the Nokia 6600, introduced in 2003, which sold 2 million units in four months (Nuttall, cited in Raento, Oulasvirta & Eagle 2009, p. 430). The trend of radical change that is common in the mobile device industry nowadays is, however, said to have started with the introduction of a commercial 3G mobile device by NTT DoCoMo in 2001 (Hsieh & Hsieh 2013, p. 309).


Many may ask: what exactly is a “smartphone”? Carayannis and Clark (2011, p. 212) raised the difficulty of finding an accurate description of the capabilities of this device. They went on to state that a smartphone should have the following properties: intelligent, wireless, rich-media technologies, in the service of smarter business. These properties are too generic, as a feature phone can also be considered “wireless”, and the property of “smarter business” means they are only applicable to the researchers' own paper. Raento, Oulasvirta, and Eagle (2009, p. 427) defined a smartphone as a “programmable mobile device” equipped with relatively sophisticated sensing capabilities, increasing storage capacity, and built-in networking to access the Internet. Although the capabilities listed are fairly reliable for differentiating a smartphone from a “feature phone”, the term “programmable” is confusing. Raento, Oulasvirta, and Eagle described programmability as the ability that allows subtle control over events taking place in the phone, but did not explain the keywords “control” and “events”. They pointed out that the programmability of a mobile device allows research tools to be created flexibly. This is not applicable to the general consumer who uses a smartphone for personal or business use. However, from the consumer's perspective, programmability can be interpreted as the ability to install additional applications, commonly known as “apps” in the smartphone industry, to extend the functionality of a smartphone. Thus, another property of a smartphone is extensibility (see Table 1 for comparison).

| Features | Feature Phone | PDA | Smartphone |
|---|---|---|---|
| Personal organiser | Limited | Yes | Yes |
| Telephony | Yes | No | Yes |
| Sensors (e.g. gyroscope, accelerometer, compass, proximity, etc.) | No | No | Yes |
| Storage capacity | Limited | Limited | Large |
| Internet access | No | No | Yes |

Table 1: Comparison for different types of mobile device

At the same time, computing power has been doubling on average every 1.5 years since 1975, outperforming even Moore's Law (Intel Corporation 2006). This trend has also given rise to ever-escalating computing power at lower cost (Markoff 2007). As an effect, smartphone prices are also on a downward spiral (The Economist 2009). Indeed, the latest top-of-the-range smartphone has never become drastically cheaper to acquire; however, a consumer can always purchase, years later and at a much lower price, a smartphone that was previously the most powerful and is still considered powerful enough. Today, a smartphone has become a necessity for many of us: we use it as an alarm, to make schedules, check emails, save memos, and communicate through social apps (Park et al. 2013, p. 2). Most of these functions can be found in another type of mobile device called the Personal Digital Assistant (PDA). A PDA basically provides an electronic version of a personal organiser (e.g. diary, calendar, address book, to-do lists, note and memo pads, and clock) (Anderson & Blackwood 2004, p. 4). A smartphone, on the other hand, is a mobile device that includes PDA functionality, whereas a PDA is mostly not equipped with telephony or cellular capability (Punja & Mislan 2008, p. 1) (see Table 1).

1.3 Risk of smartphone

Due to the broad use of smartphones in everyday life, many users knowingly and unknowingly save much of their personal information, such as e-mail passwords, schedules, business documents, and personal photographs, in their smartphones. Although the portability of a smartphone makes it convenient to carry, such a compact device is also prone to loss and theft. It is estimated that 150,000 mobile devices are reported lost or stolen every year in Australia (AMTA 2011). More than 30,000 mobile devices were stolen in London alone in 2013 (Lynn & Davey 2014). Loss of a smartphone, be it accidental or through theft, exposes the user to the loss of any data stored on the device, especially personal information.

With the advent of cloud storage services (e.g. Dropbox, Apple's iCloud, and Google Drive) available to smartphones, where data can be backed up automatically and frequently using the smartphone's always-on Internet connection, there is a fair chance that the user could retrieve the information. The more serious issue is the information leakage or breach that results from the loss of a smartphone, which could be detrimental if the device falls into the wrong hands. More often than not, the cost of the hardware or any purchased software is trivial compared to the cost of the information contained. In a study, or social experiment, conducted by Symantec (2012), 50 smartphones were intentionally lost and then monitored for any access attempt. The report showed that 96 percent of the lost smartphones were accessed by the finders of the devices, due to the inherent curiosity of human nature. The report also highlighted the difficulty for an owner of regaining possession of a lost smartphone, as only 50 percent of the “lost” smartphones in the study were recovered through the finders' attempts to make contact, despite the fact that the owner's contact information was clearly shown on the phone.

1.3 Introducing remote wipe

To mitigate the issue of data leakage, a remote wiping feature has been introduced to smartphone OSs. This feature essentially allows the owner to send a command remotely from another location to the lost smartphone; once the smartphone receives the command, it wipes the whole device or selected data. The command used to initiate the wiping operation has been affectionately called a “kill pill” (Caldwell 2011, p. 8) or “poison pill” (Hansen 2010, p. 3; Burnett, Friedman & Rodriguez 2011, p. 57). Readers well versed in business terms might take “poison pill” to mean a “shareholder rights plan” initiated to impose financial burdens on a hostile buyer seeking to acquire the firm (Ryngaert 1988, p. 377; Davis 1991, p. 583), but that definition is unrelated here. The term as used here refers to a pill that, once swallowed, would enable a person to end their life if they wished to do so (Rurup et al. 2005, p. 520). So, in the context of smartphones, a “kill pill” essentially instructs the smartphone to “kill” itself by destroying its data.

BlackBerry phones are well known to be used among US government officials, so naturally the phone's operation must conform to the government's strict security policies. The remote wiping feature has been part of BlackBerry OS since version 4.2, which is estimated to have been released almost a decade ago; version 4.0 was shipped in early December 2004 (Evers & Johnston 2005, p. 3). Remote wiping was introduced to Apple iPhone OS (now called iOS) in version 3.0 through a service called “Find My iPhone” (Ogg 2009). At that time, however, the “Find My iPhone” service was only available to subscribers of the now-defunct MobileMe. MobileMe was replaced by iCloud and discontinued from June 2012 onwards (Mayers & Lee 2011). It was not until the release of iOS 4.2 in November 2010 (Apple 2010) that Apple decided to offer the “Find My iPhone” service for free (Aomoth 2010).

In August 2013, Google announced the availability of Android Device Manager (ADM) for devices running Android 2.2 or above (Poiesz 2013). ADM allows a user to remotely ring, track, and wipe a lost phone through the Google Account website. ADM was subsequently updated to allow the user to remotely lock the phone by adding a screen lock. ADM was then made accessible from an app, so that a user can, for instance, perform a remote wipe from another phone that is linked to the same account (Google n.d.). This announcement signifies that the capability of finding and managing a lost phone is now an official feature of Android, having previously been available only through third-party apps.


2. Research Question

2.1 Theoretical attack on ADM

Figure 1: Remote wiping process in ADM.

The figure above shows the process of initiating a remote wipe through Android Device Manager. The steps are outlined below:

1. The user accesses ADM either through a web browser (see Figure 2) or through Google's official app (see Figure 3). The user then chooses the “Erase” option to initiate remote wiping.

2. After user confirmation (see Figure 4), Google sends the wiping command.

3. Once the user's lost smartphone receives the command, data erasure commences.


Figure 2: ADM web interface.

Figure 3: ADM app interface.


Figure 4: Erase device prompt

Given the destructive nature of the remote wiping feature, it has to be implemented securely so that the erasure action on the smartphone can only be triggered by the owner or an authorised person. Suppose that ADM is weakly implemented in a way that allows an adversary to send the wipe command to any smartphone, essentially wiping any smartphone the adversary wants.


Figure 5: Web traffic between web browser and Google's web server

In these theoretical attacks, an adversary can spoof the command from two sources. The first method is to spoof the request made by the user through the ADM website or app. In this case, the attacker targets the communication between the user and Google's web server (see Figure 5). On the Internet, attackers have used a technique called cross-site request forgery (CSRF) to spoof such requests. To illustrate this technique, imagine that a user called Bob transfers funds using online banking from account A to account B, both of which are his own accounts. Bob manages to capture the command “TRANSFER FUND FROM MY ACCOUNT TO ACCOUNT B WITH $100” that is sent to the web server to instruct the bank to execute that transaction (see Figure 6). At the same time, Alice is also logged in to the same online banking website. Bob sends Alice a web link (URL) that contains the command. When Alice opens the link, the same instruction is sent to the web server (see Figure 7). Unbeknownst to Alice, she has just transferred $100 from her own account to Bob's account B.
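
The Bob and Alice scenario above, run against two server-side handlers, as an added example that is not part of the thesis: one handler trusts the session cookie alone, the other also requires a per-session anti-CSRF token that a third party's link cannot contain. The in-memory bank, the handler names, the account names and the token scheme are all assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory state for the banking illustration (hypothetical names).
BALANCES = {"alice": 500, "alice_savings": 0, "bob_account_b": 0}
SESSIONS = {}  # session id -> {"user": ..., "csrf_token": ...}


def login(user):
    """Create a session and return (session_id, csrf_token).

    The session id travels in a cookie that the browser attaches to every
    request to the bank. The CSRF token is only embedded in pages the bank
    itself serves to this user, so a link written by someone else lacks it.
    """
    session_id = secrets.token_hex(16)
    csrf_token = secrets.token_hex(16)
    SESSIONS[session_id] = {"user": user, "csrf_token": csrf_token}
    return session_id, csrf_token


def _transfer(user, params):
    """Move funds from the logged-in user's account to params['to']."""
    amount = int(params["amount"])
    BALANCES[user] -= amount
    BALANCES[params["to"]] += amount
    return True


def transfer_cookie_only(cookies, params):
    """Weak handler: the session cookie alone authorises the transfer."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return False
    return _transfer(session["user"], params)


def transfer_with_token(cookies, params):
    """Hardened handler: also requires the per-session anti-CSRF token."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return False
    supplied = params.get("csrf_token", "").encode()
    # Constant-time comparison of the supplied token with the session's token.
    if not hmac.compare_digest(supplied, session["csrf_token"].encode()):
        return False  # the request did not come from the bank's own page
    return _transfer(session["user"], params)


def simulate():
    """Run the Bob/Alice scenario against both handlers."""
    BALANCES.update({"alice": 500, "alice_savings": 0, "bob_account_b": 0})
    session_id, alice_token = login("alice")
    alice_cookies = {"session": session_id}  # attached by Alice's browser
    bobs_link = {"to": "bob_account_b", "amount": "100"}  # chosen by Bob

    weak = transfer_cookie_only(alice_cookies, dict(bobs_link))
    after_weak = dict(BALANCES)
    strong = transfer_with_token(alice_cookies, dict(bobs_link))
    # Alice's own form submission carries her token and is still accepted.
    own = transfer_with_token(
        alice_cookies,
        {"to": "alice_savings", "amount": "25", "csrf_token": alice_token},
    )
    return weak, after_weak, strong, own, dict(BALANCES)


if __name__ == "__main__":
    print(simulate())
```

The same check applies to any state-changing request, including a remote wipe request made through a web interface.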


Figure 6: Capturing banking instruction in CSRF

Figure 7: Asking victim to execute the instruction

Another way of spoofing the command is through a “replay” attack. This targets the communication between Google's web server and the smartphone (see Figure 8).


Figure 8: Web traffic between Smartphone and Internet

If an adversary manages to capture the “wiping” command sent by Google, the adversary can send the same command to another smartphone to wipe it. A “replay attack” captures a message, or a piece of a message, that is then used at a later time (Syverson 1994, p. 187). From another perspective, this attack can also be launched to “replay” the request made by the user to Google to wipe the user's smartphone.

2.2 Formulating research questions

The potential ways of abusing ADM are not limited to CSRF or replay attacks. Various ways will be discussed in detail in the section on the experiment setup. The purpose of this research is to explore the potential misuse of ADM. Therefore, the question this thesis seeks to answer is:

1. Can the remote wipe operation in Android Device Manager (ADM) be abused to wipe another person's Android phone?

Since there are two perspectives from which the abuse can happen, as shown in Figure 5 and Figure 8, the above question can be divided into two sub-questions:

1.1. Can the remote wipe request made to the Android Device Manager (ADM) system be abused?

1.2. Can the remote wipe command sent by the Android Device Manager (ADM) system be abused?

If an Android smartphone can be wiped through ADM without the user's request, this will be a finding that shows a security weakness in ADM. In the event that no such security weakness can be found, the limitations of the various attack techniques used will be discussed. There is also the possibility that the wipe “command” itself cannot be captured because of implementations in place to prevent such a message from being identified and extracted. Those implementations will be discussed as well.

There is another important question that needs to be explored. After a lost smartphone has been successfully wiped through ADM, is there any data left, especially personal information? There is a possibility that traces of personal information remain even after the wipe. Therefore, this thesis also seeks to answer:

2. Can personal data be recovered after being remotely wiped?

If traces of personal data are found in the storage of the phone even after it has been wiped through ADM, this will be a finding that the user's data is not protected from data leakage in ADM. In the event that no such data can be found, this still does not show that the data does not exist; it could be due to the limitations of the tools used. In that case, we can evaluate the popular tools used to recover data on the Android platform, thus creating a benchmark.

The aim of answering all the questions mentioned above is to determine whether there is any security weakness in ADM. Regardless of whether such a weakness is found, it is hoped that this research will assist the smartphone industry, not just the Android platform, in formulating best practices for implementing the remote wiping feature.


3. Research Scope

Although this research may be abstracted and applied as a means of discussing the remote wiping process on any platform, it focuses only on mobile phones, specifically smartphones. As discussed in <<Literature Review section>>, a remote wiping feature can be found on smartphone platforms, but this research focuses only on the Android platform. The current smartphone market is largely dominated by four operating systems (OS), namely Google's Android, Apple's iOS, Microsoft's Windows Phone, and BlackBerry (IDC 2014). Google Android is chosen simply because it has the largest market share among those four most popular smartphone OSs in terms of unit shipments. It is estimated that Android controls 78% (Gartner 2014) to 81% (IDC 2014) of the smartphone market.

The remote wiping feature is usually implemented by the operating system, and is thus a software-level implementation. There is also a hardware-level implementation introduced by Intel called Anti-Theft technology (Intel AT). Intel AT allows a user to remotely lock down a laptop equipped with supported hardware. The laptop, including the hard drive, stays locked down even if the hard drive has been removed (Caldwell 2011, p. 8; Intel 2010). Although Intel AT and remote wiping share the same purpose, which is to prevent the data stored inside the lost device from being accessed, Intel hardware is mostly found in desktops and laptops and rarely in smartphones, so Intel AT is beyond the scope of this research. Most importantly, Intel AT will be discontinued from January 2015 onwards (Intel 2013).

In another embodiment, the remote wipe feature can be implemented over any wireless data communication channel supported by the smartphone, such as Wi-Fi, Bluetooth, the cellular network, and so on. As discussed in <<Literature review>>, several patents have been granted to telecommunication companies and mobile phone manufacturers. Those patents mostly focus on remote wiping in the context of cellular network infrastructure. This research involves intercepting traffic between a smartphone and the server that sends the “wipe” command. Gathering the data exchanged in a cellular network is not without its challenges. The first issue is the requirement for specialised hardware (McGowan, Dover & Kerber 1999). In order to capture the data, the researcher needs to set up a radio transmitter that functions as a base transceiver station (BTS) (Androulidakis 2011, p. 284). Since a mobile phone will connect to any base station with a stronger signal, a mobile phone can be manipulated into connecting to the researcher's “fake” base station by placing the station near the phone. By all means, such hardware can be acquired with proper funding.

However, the biggest challenge is performing the interception without breaking the law (Glendrange, Hove & Hvideberg 2010, p. 3). Since a mobile phone connects to a base station automatically, how does the researcher ensure that only researcher-controlled smartphones connect to the “fake” base station? There is a possibility that an outsider's mobile phone, which is not part of the experiment, somehow connects to the “fake” base station. In such a scenario, the researcher is considered to be eavesdropping on somebody else's traffic, which is illegal in Australia (Telecommunications (Interception and Access) Act 1979). The researcher might run into this legal implication even without intending to. In contrast, in a Wi-Fi environment, the researcher can set up an access point (AP) in such a way that a phone needs to be manually triggered to connect to the AP, thus preventing unwanted phones from connecting to it. In this environment, the researcher can therefore make sure that only the researcher's mobile phone is intercepted. All in all, in analysing the remote wipe command, extraction will only be attempted from an Internet connection over Wi-Fi.

As mentioned in section (research question), one of the main aims of this research is to explore the possibility of a third party triggering the “wiping” action on an Android phone through ADM without the owner's knowledge. This can be achieved through several hacking techniques. In June 2014, many Australians found their iPhones had been remotely locked through Apple's Find My iPhone service, which is Apple's counterpart of ADM. Although this highlights the fact that a similar incident could happen on ADM as well, it should be noted that the cause of that incident was probably user account compromise (Turner 2014). User account compromise is not considered a weakness in the implementation of remote wiping in any OS, so this factor is out of the scope of this research. As a side note, a user can prevent an adversary from using his or her Google account (used in ADM) even if that account has been compromised. This can be achieved through the two-factor authentication currently offered by Google (Higgins 2013).


4. Literature Review

The remote wiping feature first appeared a decade ago, when it was introduced to BlackBerry OS. The underlying process could be similar, so the purpose of this literature review is to explore how remote wiping of a mobile phone is done and what wiping method is used. The literature search was conducted on Google Scholar, ScienceDirect, and IEEE Xplore using the following search terms: remote (wipe OR wiping), (sanitize OR sanitization) mobile phone, secure (erase OR delete) (flash OR NAND). Flash or NAND is used because that is the current storage medium in mobile phones.

4.1 Discussion on patents

There are several patents on designing a system that allows a user to remotely wipe a lost phone. Angelo, Novoa, and Olarig (2003) designed a security system made up of the user's portable device and a security station. The security station can be a computer or a data centre. When the user loses the portable device, the user can report the loss to the security station. The security station then sends a security message wirelessly to the portable device, which upon receipt performs digital self-destruction. The patent addresses potential security issues in each step of the process: first by authenticating the user who made the report, and then by requiring more than one person operating the security station to authorise the sending of the security message, which addresses the issue of a rogue employee. The process then moves on to the use of various combinations of asymmetric key pairs, symmetric keys, and digital signatures to secure the security message and authenticate the security station. In its most basic form, the patent suggests that the security station should encrypt the security message using the device's private key; upon receipt, the device decrypts it using its public key to authenticate the source of the security message. The private key is suggested to be encrypted using the user's password, as the security station could be compromised. The concern of a replay attack, whereby an adversary intercepts a security message and retransmits it to the same device, can be addressed by including a unique value that changes every time (possibly by using a time-based one-time password algorithm, TOTP).
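
The checks a receiving device can make so that both replays discussed in this document fail (a captured wipe command sent to another smartphone, as in section 2.1, and one retransmitted to the same device, as in the patent above), as an added example that is not code from the thesis, the patents or ADM. It assumes a hypothetical message layout and a 120-second freshness window, uses a timestamp plus a random nonce in place of TOTP as the unique value, and uses an HMAC over a shared key as a standard-library stand-in for the server's digital signature; with a real signature the devices would hold only a verification key.

```python
import hashlib
import hmac
import json
import secrets

FRESHNESS_WINDOW = 120  # seconds a command stays acceptable (assumed value)


def issue_command(key, device_id, action, now):
    """Server side: build a command bound to one device and one moment."""
    body = {
        "device_id": device_id,            # binds the command to its target
        "action": action,
        "issued_at": now,                  # lets the device reject old captures
        "nonce": secrets.token_hex(16),    # unique value, different every time
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return {"payload": payload, "tag": tag}


class Device:
    """Device side: act only on authentic, correctly addressed, fresh,
    not-yet-seen commands."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.seen_nonces = {}  # nonce -> issued_at; persist this in practice
        self.wiped = False

    def receive(self, message, now):
        expected = hmac.new(self.key, message["payload"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, message["tag"]):
            return "rejected: bad authentication tag"
        body = json.loads(message["payload"])  # parsed only after verification
        if body["device_id"] != self.device_id:
            return "rejected: addressed to another device"
        if abs(now - body["issued_at"]) > FRESHNESS_WINDOW:
            return "rejected: stale command"
        # Nonces older than the window can be forgotten: a message carrying
        # one of them would already fail the freshness check above.
        self.seen_nonces = {
            n: t for n, t in self.seen_nonces.items()
            if abs(now - t) <= FRESHNESS_WINDOW
        }
        if body["nonce"] in self.seen_nonces:
            return "rejected: replayed command"
        self.seen_nonces[body["nonce"]] = body["issued_at"]
        if body["action"] == "wipe":
            self.wiped = True
        return "accepted"


def demo():
    """Deliver one constructed wipe command, then try to reuse the capture."""
    key = b"constructed-demo-key-not-a-real-secret"
    phone_a = Device("phone-A", key)
    phone_b = Device("phone-B", key)
    captured = issue_command(key, "phone-A", "wipe", now=1000)

    results = {
        "first delivery to A": phone_a.receive(captured, now=1005),
        "same message again to A": phone_a.receive(captured, now=1010),
        "same message sent to B": phone_b.receive(captured, now=1010),
    }
    # A device whose nonce cache was lost still rejects an old capture.
    rebooted_a = Device("phone-A", key)
    results["old capture after cache loss"] = rebooted_a.receive(captured, now=5000)
    # Rewriting the target id inside the payload invalidates the tag.
    retargeted = dict(
        captured, payload=captured["payload"].replace(b"phone-A", b"phone-B")
    )
    results["retargeted copy to B"] = phone_b.receive(retargeted, now=1010)
    return results, phone_a.wiped, phone_b.wiped


if __name__ == "__main__":
    for case, outcome in demo()[0].items():
        print(f"{case}: {outcome}")
```

The timestamp check alone leaves a replay possible inside the window, and the nonce cache alone grows without bound, which is why the sketch combines the two.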

BlackBerry Limited (formerly known as Research In Motion, RIM) holds a similar patent on remote wiping (Brown et al. 2011). Given the nature of BlackBerry products, the system shown in the patent focuses on Mobile Device Management (MDM) and Bring Your Own Device (BYOD) in an enterprise environment. The system allows each data type (e.g. message, calendar, address book, etc.) to be assigned an authorisation level. When a remote wipe or encrypt command is issued, the command includes an indicator of the authorisation level of the issuer (be it the user or IT support), so that only a person who meets or exceeds the authorisation level is able to modify the selected data types. The command can be issued for selected data types only. The authorisation level is used by the server to construct an IT policy that is transmitted to the mobile device. The patent also mentions authentication of the server that issues the command. The server first encrypts the command message, and successful decryption by the client device authenticates the source of the command. The mobile device then flags the desired data to be wiped or encrypted. The patent states that the flag should not be removable, so that an adversary cannot circumvent the wipe command.

Blackberry Limited also holds another patent in which remote wiping can be triggered through voicemail. The purpose of the design is to extend the features found in a voicemail system. In the case of a lost device, the owner can call the lost device and is prompted to leave a voicemail message. The system authenticates the user with a password and, once a valid password is entered, the voicemail system provides a variety of options. From these, the owner can choose the wipe option; once selected, the voicemail server requests the network server (provided either by the carrier or by the owner's enterprise) to send a wipe command to the lost device. There is no mention of verification between the voicemail server and the network server, as the patent assumes the two servers trust each other. Verification between the network server and the mobile device is also not mentioned.

The next patent, although not related to remote wipe, concerns lost device management. The patent is held by Acco Brands, a manufacturer of office products (Cavacuiti & Merrem 2003). The purpose of the system is to alert the user when the user's portable device is separated from the user by a distance exceeding a predetermined threshold. The system involves a transmitter attached to the portable device and a receiver which the user carries. The transmitter transmits a signal to the receiver at intervals and the receiver calculates the distance. If the distance is too great, the receiver alerts the user. The patent considers encoding the signal to uniquely identify the transmitter. The system does not address what happens to the mislocated portable device. This patent has been implemented in Acco's Kensington Proximo[1], although there are similar third-party products made by start-up companies, such as Tile[2], SticknFind[3], and Gecko[4].

Sony Ericsson, a mobile phone company (currently known as Sony Mobile, a wholly owned subsidiary of Sony), holds a patent on remotely disabling a mobile device (Gajdos & Kretz 2006). The patent covers the process of disabling a mobile device through a cellular network connection (e.g. GSM and CDMA). Verification is performed using asymmetric keys (the control centre encrypts with its private key and the mobile device decrypts using the control centre's public key), but only so that the mobile device can verify the identity of the control centre. After verification, the control centre sends disabling data to the mobile device. The disabling data can comprise instructions to disable at least one functionality of the phone, to enable certain functionality such as tracking and software update, or to re-enable disabled functionality. The patent mentions remote wiping, and wiping by overwriting with only zeros or ones, but the wiping is only for removing program instructions to permanently disable certain functionality. Verification of the user's identity can be done through a username and password.

(SyncML) (override disable command)

Nokia, a mobile phone company, holds a patent on remotely disabling personal data in a mobile device (Kenney 2005). The system assumes deployment in a cellular network infrastructure. It allows the user to request that the operator of the cellular network disable or erase the lost cellular phone. Upon successful verification of the person making the report (through a password or security question), the cellular network broadcasts a disable signal to the phone. The disable signal can be made up of commands to disable the keypad, blank the screen, sound an alarm, and erase data. After the phone has executed the commands, it replies with a signal to verify that the commands have been carried out successfully. Verification between the device and the cellular network is not considered.

[1] http://www.kensington.com/kensington/us/us/s/3068/proximo.aspx
[2] http://www.thetileapp.com/
[3] https://www.sticknfind.com/
[4] http://geckotag.me/

Toshiba Japan holds a patent in which the system allows a remote wipe command to be triggered via e-mail. The system allows the device owner to send an e-mail that will be received by the device to trigger remote wiping. The user has to initially set up a password and a security level on the device. The security level determines which data should be erased if a remote wipe command is received, or it can simply lock the device. In the case of a lost device, the owner sends an e-mail with the password in a header field. When the device receives the e-mail, it checks whether a password is attached in the header field. If there is no password, the message is treated as a normal e-mail. If a password is attached, the device compares it to the password stored in memory (previously set by the owner) and, if the password is valid, proceeds with erasing data.

AT&T, a telecommunications company based in the US, holds a patent for a system that allows remote disablement of a mobile device (Sennett & Daly 2013). Given the nature of its holder, the patent focuses on cellular network infrastructure. The system mainly focuses on the method of sending a disable command to the mobile device. The command is sent in the form of a disable signal through any communication link in the PSTN. The signal can be sent with a unique address so that it is received only by the intended device, or it can be received by all devices but processed only by the intended device. Upon receiving the disable signal, the mobile device broadcasts an authentication request, to which the cellular network responds with an authentication signal. This confirms that the sender of the disable signal is authorised to order a disablement. The mobile device can be any device which meets the criteria specified in the patent. The disablement only targets the CPU and memory storage, but the mobile device may be designed in such a way that it relies on the CPU and memory to access the network. The disablement can be permanent/non-reversible, or non-destructive by erasing flash memory or firmware. The disablement can also be a 'lockout', from which the mobile device can be re-enabled with a valid password.

Good Technology, a provider of MDM solutions, holds a patent on a system to protect data in a portable electronic device (Muratov & Foley 2007). The data is encrypted, and a valid password must be entered upon powering on (if a grace period has been exceeded) to decrypt the data. If the number of password attempts exceeds a user-defined limit, or the device is not synced within a user-defined period, the encrypted data is erased. The encryption key is regenerated each time the user enters a valid password. The patent does not specify an encryption algorithm, although Blowfish is mentioned. It is also not mandatory to hash the password, although MD5 is mentioned. The erasure method is not specified either: bit-wiping is mentioned, but no bit-wiping algorithm is given.

Onyon, Stannard, and Ridgard (2007) hold a patent regarding mobile phone auto destruct. The patent describes a system that allows the user to remotely wipe or encrypt a lost device. The system allows the user to initially activate the remote wipe feature on a phone through a website or an app. The user can request the web server to issue a wipe command to the lost device, but the command can also be sent to the device via a specially formatted SMS, an e-mail, or a network connection. No specific wireless communication link is mentioned. An alternative method is to let the device poll the server at intervals to check whether a remote wipe command is pending. Verification between the device and the server is through a digital certificate, where the initial set-up may configure the device with the server's certificate. The system also considers the situation where an attacker repeatedly reboots the phone upon receipt of the wipe command. The system also provides an override function: upon receiving a wipe command, the device prompts for an override code and terminates the wipe command if the code is entered correctly. The system also allows the user to configure the scope of data to be wiped.

SyncML

4.2 Number of overwrites

Most of the patents mentioned above do not describe a wiping method, except for a few which mention overwriting data with zeros or ones, or 'bit-wiping'. It is widely agreed that erasing data should involve overwriting the original data to make it unrecoverable (Gutmann 1996; Garfinkel & Shelat 2003, p. 19) or sanitising it (Hughes & Coughlin 2006; Wei et al. 2011, p. 2). Data sanitisation can be performed using software running in the operating system (OS) or can be firmware-based, such as ATA's Secure Erase (Hughes & Coughlin 2002). The US National Institute of Standards and Technology (NIST) (Kissel et al. 2012, pp. 28-29) and the Australian government (2014, p. 147) recommend ATA's Secure Erase command if available, and otherwise overwriting the media at least once in its entirety. Some (Garfinkel & Shelat 2003, p. 21; Joukov, Papaxenopoulos & Zadok 2006, p. 62) agree that overwriting once is adequate. The number of times data should be overwritten has been a subject of controversy (Wright, Kleiman & Sundhar 2008), especially since Gutmann (1996) suggested 35 passes. Gutmann (2003) later clarified that a few passes should be fine and that 35 passes were suggested only to cover a wide range of hard drive encoding methods. Garfinkel and Shelat (2003, p. 21) argued that Gutmann's demonstration of recovering data after a single overwrite was possible because older hard drives have some gap between 'tracks', a gap that is non-existent in modern high-density hard drives.

4.3 API-based overwriting

However, many researchers have argued that simple overwriting might not be applicable in the mobile phone environment due to differences in file system layout and storage technology. Mobile phone storage is usually flash-based, as opposed to a magnetic spinning hard drive. The difficulty of overwriting data arises from the use of wear levelling in the Flash Translation Layer (FTL) to distribute write access across the flash storage (Spreitzenbarth & Holz 2010, p. 166). Specifically, flash-based storage writes new or updated data to another valid physical location, while the original location is simply marked as 'invalid' (Shin 2012, pp. 257-258). This is known as an out-of-place update, in contrast to an in-place update, which writes new data on top of the original. Thus, the original content is preserved even after an overwrite request. Spreitzenbarth and Holz (2010, pp. 170-172) developed a secure deletion tool running on Symbian. The tool is demonstrated by overwriting personal data (contacts, calendar entries, and SMS messages) using the Symbian API (Application Programming Interface). To evaluate the effectiveness of the tool, a forensic acquisition was performed on the phone, and the personal data allegedly could not be found. However, since only the official API was used and there was therefore no modification to the platform, Spreitzenbarth and Holz did not address how wear levelling would affect the operation of the tool. They also did not specify how thoroughly data recovery was attempted.
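
An added illustration of the out-of-place update described above (not code from any of the cited papers): a toy FTL in which zeroing data through the logical interface leaves the original bytes in the raw flash until the stale block is erased. The `TinyFTL` class, its geometry and the sample records are constructed for this example.

```python
class TinyFTL:
    """Toy flash translation layer (hypothetical model, constructed for
    illustration). A page is programmed once; only whole blocks can be erased."""

    def __init__(self, blocks=4, pages_per_block=2):
        self.ppb = pages_per_block
        self.flash = [None] * (blocks * pages_per_block)  # raw physical pages
        self.free = list(range(len(self.flash)))          # pages ready to program
        self.invalid = set()                              # pages holding stale data
        self.l2p = {}                                     # logical address -> physical page

    def write(self, lba, data: bytes):
        if not self.free:
            raise RuntimeError("no free page: garbage collection required")
        old = self.l2p.get(lba)
        if old is not None:
            # Out-of-place update: the old page is only marked invalid,
            # its contents stay in the flash array.
            self.invalid.add(old)
        page = self.free.pop(0)
        self.flash[page] = data
        self.l2p[lba] = page

    def read(self, lba) -> bytes:
        """What the OS and any API-level tool sees."""
        return self.flash[self.l2p[lba]]

    def raw_dump(self):
        """What a physical (chip-level) acquisition sees."""
        return [page for page in self.flash if page is not None]

    def garbage_collect(self) -> int:
        """Erase every block whose pages are all stale; return blocks erased."""
        erased = 0
        for block in range(len(self.flash) // self.ppb):
            pages = range(block * self.ppb, (block + 1) * self.ppb)
            if all(p in self.invalid for p in pages):
                for p in pages:
                    self.flash[p] = None
                    self.invalid.discard(p)
                    self.free.append(p)
                erased += 1
        return erased


def overwrite_demo():
    ftl = TinyFTL(blocks=4, pages_per_block=2)
    secret = b"contact: Alice 555-0100"        # constructed sample record
    sms = b"sms: meet at nine"                 # constructed sample record
    ftl.write(0, secret)
    ftl.write(1, sms)
    # "Secure delete" through the logical interface: overwrite with zeros.
    ftl.write(0, bytes(len(secret)))
    ftl.write(1, bytes(len(sms)))
    logical_view = ftl.read(0)                 # zeros: the overwrite looks successful
    in_raw_before = secret in ftl.raw_dump()   # original bytes still in flash
    blocks_erased = ftl.garbage_collect()      # the FTL decides when this happens
    in_raw_after = secret in ftl.raw_dump()
    return logical_view, in_raw_before, blocks_erased, in_raw_after


if __name__ == "__main__":
    print(overwrite_demo())
```

The logical read returns zeros immediately, which is all an API-based tool or a logical acquisition can observe; only the raw dump shows whether the original record has actually gone.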

Reardon et al. (2012) also proposed a secure deletion method using the OS API on Android. Reardon et al. developed an app that monitors the amount of free space and fills it with random data. This is to ensure that unwanted data which has been marked as invalid is filled with random data to achieve random deletion. Reardon et al. tested the effect of their app on deletion latency, storage device lifetime, and power consumption. Although the performance difference was calculated, the effectiveness of the proposed method was not shown. Albano et al. (2011) proposed using standard Linux commands (e.g. cp, rm, dd) to selectively modify data in Android, without using any cryptographic primitives or kernel modules that would raise suspicion during a forensic analysis. Their process involved first copying the mtd5 partition (which stores the user's installed apps and data) to an external SD card, zeroing mtd5 while selectively modifying or deleting the data on the external SD card, moving the data on the external SD card back to mtd5, and zeroing the external SD card. However, the proposed method requires Busybox to be installed (it provides the standard Linux commands mentioned). Installing Busybox requires the user to have root privilege. Rooting an Android device not only voids the warranty but may also be abused by malware to cause more harm (Pieterse & Olivier 2013, p. 4). Kang, Park, and Kim (2013) proposed a more efficient method of data wiping on mobile phones: overwriting only the part of the data that renders it unidentifiable, instead of overwriting the whole of the data. Kang, Park, and Kim demonstrated their method on JPEG, BMP, FLV, DOC, and XLS files, comparing the time taken by their method against whole-file wiping on an Android phone. However, it could not be determined whether the authors' data recoverability test and performance test were conducted on the same device, in particular on the same type of data storage.

4.4 Flash translation layer

Shin (2012) explored the feasibility of implementing secure deletion in different FTL schemes based on the scheme design. The factors considered included effectiveness and performance. Shin concluded that although some current schemes allow an effective implementation, they are limited by low performance. Shin therefore proposed the need for a new FTL scheme which allows an implementation that is both effective and performs well. Wei et al. (2011) developed a new FTL scheme that overwrites unused copies of data with zeros. The scheme works by re-programming unused cells to flip the remaining ones to zeros. However, Wei et al. pointed out that their approach could cause program disturb, which subsequently results in bit errors. Reardon et al. (2012, p. 9) criticised this approach because reprogramming operates outside of specification, although Wei et al. (2011, p. 9) argued that the impact of reprogramming varies between devices and that some might see no effect.

4.5 File system

Rather than modifying the FTL scheme, many researchers focus on the file system instead. Log-structured file systems, especially YAFFS (Yet Another Flash File System), are chosen due to their wide usage in the flash storage of Android phones. YAFFS was the default file system for Android from the release of the first Android device (Hoog 2011, p. 141) until Google announced the move to EXT4 starting with Android 2.3 (Google 2010). Lee et al. (2010) proposed a scheme that randomly generates keys to encrypt files and stores them in file headers, while making sure those file headers are in the same block using an “unbalanced binary hash tree” algorithm. With this scheme, a file can be securely deleted by erasing the file header block (which stores the key). Lee et al. (2011) extended the scheme to perform the standard data sanitisation methods prescribed by US government agencies. Lee et al. designed a scheme that overwrites the data before the erase operation (the previous work used the erase operation only) without involving the additional operations which the previous work had to perform. They therefore claimed their design is more secure and efficient than the previous work, albeit through theoretical calculation and without an actual implementation. On the other hand, Reardon et al. (2013) criticised the scheme proposed by Lee et al. (2010) for being purely conceptual and for causing too much wear on flash memory. Reardon et al. also pointed out that their own previous work (Reardon et al. 2012) is too costly in terms of flash memory wear and execution time. Reardon et al. proposed a scheme similar to that of Lee et al. (2010), where each data block is encrypted with a key and the key is purged when the data block is no longer in use. The proposed scheme encrypts each block of data with a distinct 128-bit AES key in counter mode. An IV (initialisation vector) is not used because each key is distinct. The scheme is implemented in UBIFS (Unsorted Block Image File System), another log-structured file system. The modified file system is then implemented in Android. Reardon et al. conducted various tests, including wear analysis, power consumption, and I/O performance.
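
An added sketch of the key-purging idea attributed above to Reardon et al. (2013), not their implementation: each block version gets its own 128-bit key, ciphertext stays in an append-only log, and deletion destroys only the key. The class and function names are hypothetical, and a SHA-256 counter-mode keystream stands in for AES-CTR because the Python standard library has no AES.

```python
import hashlib
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode stand-in for AES-128-CTR (assumption, see lead-in).
    The counter starts at zero with no IV; that is acceptable only because
    every key encrypts exactly one block version."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


class KeyPerBlockStore:
    """Hypothetical model of a log-structured store with a separate key area."""

    def __init__(self):
        self.data_log = []   # append-only: old ciphertext is never overwritten
        self.keys = {}       # log position -> key; small area that can be erased
        self.index = {}      # name -> log position of the live version

    def write(self, name: str, plaintext: bytes):
        self._purge(name)                  # an update also kills the old version
        key = secrets.token_bytes(16)      # distinct 128-bit key per block version
        pos = len(self.data_log)
        self.data_log.append(keystream_xor(key, plaintext))
        self.keys[pos] = key
        self.index[name] = pos

    def read(self, name: str) -> bytes:
        pos = self.index[name]
        return keystream_xor(self.keys[pos], self.data_log[pos])

    def delete(self, name: str):
        self._purge(name)
        self.index.pop(name, None)

    def _purge(self, name: str):
        pos = self.index.get(name)
        if pos is not None:
            # Model of secure deletion: the key is destroyed, the ciphertext is
            # left where it is. A real system must erase the key from flash.
            self.keys.pop(pos, None)


def recoverable(store: KeyPerBlockStore):
    """Adversary view after seizure: the whole data log plus any keys left."""
    return [keystream_xor(store.keys[pos], ct)
            for pos, ct in enumerate(store.data_log) if pos in store.keys]


def crypto_erase_demo():
    store = KeyPerBlockStore()
    store.write("sms", b"PIN is 4921")       # constructed sample data
    store.write("note", b"buy milk")         # constructed sample data
    store.write("sms", b"see you at 9")      # update: old version's key purged
    store.delete("note")                     # delete: key purged, ciphertext stays
    return store.read("sms"), len(store.data_log), recoverable(store)


if __name__ == "__main__":
    print(crypto_erase_demo())
```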

4.6 Summary

From the patents discussed, there is a consensus among inventors on using asymmetric cryptography to authenticate the server which sends the remote wipe command. This can be practically implemented through Transport Layer Security (TLS), which is commonly used to secure the traffic between client and web server in the form of HTTPS (Hypertext Transfer Protocol Secure) (Rescorla 2000). TLS is the successor of Secure Sockets Layer (SSL) (Geer 2003, p. 14). There are also several articles which suggest using the OS API or standard Linux commands to perform the wiping without modification to the platform or to the underlying architecture, such as the file system. Although a more efficient implementation has been suggested, it is doubtful that the wiping time is practical. Finally, there are several proposals to modify the FTL and the file system. However, these proposals are more suitable for the file deletion that occurs during daily mobile phone usage than for remote wiping, which involves erasing all of the data on the mobile phone.

The availability of ADM (Android Device Manager) means that virtually all Android phones are equipped with a remote wipe feature. Without any security in place, in the worst-case scenario, this could result in a mass remote wipe. Although this is not likely to happen, it is still necessary to inspect the security aspects of the remote wipe feature. Third-party Android apps which offer a remote wiping feature have been available for years, and yet, as far as the author is aware, no studies have been conducted on the feature on the Android platform.

Legal Authorities

Telecommunications (Interception and Access) Act 1979 (Cwlth), s 7.

References

Albano, P, Castiglione, A, Cattaneo, G & De Santis, A 2011. 'A novel anti-forensics technique for the android OS', in International conference on broadband and wireless computing, communication and applications (BWCCA), IEEE, pp. 380-385.

AMTA 2011, Lost and stolen phones, Australian Mobile Telecommunications Association, viewed 6 June 2014, <http://www.amta.org.au/pages/Lost.and.stolen.phones>.

Anderson, P & Blackwood, A 2004, 'Mobile and PDA technologies and their future use in education', JISC Technology and Standards Watch, vol. 4, no. 3, pp. 3-33.

Androulidakis, I 2011, 'Intercepting Mobile Phone Calls and Short Messages Using a GSM Tester', in Computer networks, Springer, Berlin, pp. 281-288.

Angelo, M, Novoa, M & Olarig, S 2003, After the fact protection of data in remote personal and wireless devices, US20030065934A1, USA.

Aomoth, D 2010, App of the week: Find my iPhone, TIME, viewed 15 June 2014, <http://techland.time.com/2010/11/23/app-of-the-week-find-my-iphone/>.

Apple 2010, iOS 4.2 software update, Apple, Inc, viewed 15 June 2014, <http://support.apple.com/kb/DL1061>.

Australian Signals Directorate 2014, 2014 information security manual.

Brown, MK, Brown, MS, Little, HA & Totzke, SW 2011, Selectively wiping a remote device, US008056143B2, USA.

Burnett, RD, Friedman, M & Rodriguez, RP 2011, 'Managing laptop security', Journal of Corporate Accounting & Finance, vol. 22, no. 5, pp. 53-61.

Caldwell, T 2011, 'The mobile ‘kill pill’ – poison or panacea?', Computer Fraud & Security, vol. 2011, no. 10, pp. 8-12.

Carayannis, E & Clark, S 2011, 'Do smartphones make for smarter business? the smartphone CEO study', Journal of the Knowledge Economy, vol. 2, no. 2, pp. 201-233.

Cavacuiti, J & Merrem, R 2003, Loss prevention system for portable electronic devices, US20030043036A1, USA.

Davis, GF 1991, 'Agents without principles? the spread of the poison pill through the intercorporate network', Administrative Science Quarterly, vol. 36, no. 4, pp. 583-613.

Evers, J & Johnston, CJ 2005, 'Chapter 1: System Architecture', in Professional blackberry, Wiley Publication, Indianapolis, USA, pp. 3-18.

Gajdos, T & Kretz, M 2006, Method for disabling a mobile device, EP1725056A1, EU.

Garfinkel, SL & Shelat, A 2003, 'Remembrance of data passed: A study of disk sanitization practices', IEEE Security & Privacy, vol. 1, no. 1, pp. 17-27.

Gartner 2014, Gartner says annual smartphone sales surpassed sales of feature phones for the first time in 2013, Gartner Inc, viewed 8 June 2014, <http://www.gartner.com/newsroom/id/2665715>.

Geer, D 2003, 'Taking steps to secure web services', Computer, vol. 36, no. 10, pp. 14-16.

Glendrange, M, Hove, K & Hvideberg, E 2010, 'Decoding GSM', Master's thesis, Norwegian University of Science and Technology, Trondheim, Norway.

Google n.d., Android device manager, Accounts Help, viewed 21 April 2014, <https://support.google.com/accounts/answer/3265955?hl=en>.

Google 2010, Saving data safely, viewed 29th April 2014, <http://android-developers.blogspot.com/2010/12/saving-data-safely.html>.

Gutmann, P 2003, Secure deletion of data from magnetic and solid-state memory, viewed 27th March 2014, <https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html>.

Gutmann, P 1996. 'Secure deletion of data from magnetic and solid-state memory', in Proceedings of the sixth USENIX security symposium, USENIX.

Hansen, CK 2010, 'Technology trends in mobile communications how mobile are your data?', Invited Paper for the IEEE Reliability Society Annual Technology Report. IEEE Transactions on Reliability, vol. 59, pp. 458-460.

Head, M 2013, 'Word of mouth in social learning: The effects of word of mouth advice in the smartphone market', Master's thesis, Aalto University, Töölö, Helsinki, Finland.

Higgins, P 2013, How to enable two-factor authentication on twitter (and everywhere else), EFF, viewed 15 June 2014, <https://www.eff.org/deeplinks/2013/05/howto-two-factor-authentication-twitter-and-around-web>.

Hoog, A 2011, Android forensics: Investigation, analysis and mobile security for google android, Syngress, Waltham, MA.

Hsieh, J & Hsieh, Y 2013, 'Appealing to internet-based freelance developers in smartphone application marketplaces', International Journal of Information Management, vol. 33, no. 2, pp. 308-317.

Hughes, GF & Coughlin, TM 2006, Tutorial on disk drive data sanitization, Center for Magnetic Recording Research (CMRR), UC San Diego.

Hughes, GF & Coughlin, TM 2002, 'Secure erase of disk drive data', IDEMA Insight Magazine, p. 22.

IDC 2014, Smartphone OS market share, Q1 2014, International Data Corporation, viewed 7 June 2014, <http://www.idc.com/prodserv/smartphone-os-market-share.jsp>.

Intel 2013, Laptop security and intel anti-theft technology, Intel Corporation, viewed 7 June 2014, <http://www.intel.com/content/www/us/en/architecture-and-technology/anti-theft/anti-theft-general-technology.html>.

Intel 2010, Intel anti-theft technology, Intel Corporation, viewed 7 June 2014, <http://download.intel.com/pressroom/kits/vpro/core/pdf/IntelAT_ProductBrief.pdf>.

Intel Corporation 2006, Moore's law and intel innovation, Intel Corporation, viewed 5 June 2014, <http://www.intel.com/content/www/us/en/history/museum-gordon-moore-law.html>.

International Data Corporation 2014, Worldwide smartphone shipments top one billion units for the first time, according to IDC, International Data Corporation, viewed 22nd March 2014, <http://www.idc.com/getdoc.jsp?containerId=prUS24645514>.

Joukov, N, Papaxenopoulos, H & Zadok, E 2006. 'Secure deletion myths, issues, and solutions', in Proceedings of the second ACM workshop on storage security and survivability, ACM, pp. 61-66.

Kang, S, Park, K & Kim, J 2013, 'Cost effective data wiping methods for mobile phone', Multimedia Tools and Applications, pp. 1-13.

Kenney, T 2005, Systems and methods that provide user and/or network personal data disabling commands for mobile devices, US20050186954A1, USA.

Kissel, R, Scholl, M, Skolochenko, S & Li, X 2012, Guidelines for media sanitization, NIST Special Publication 800-88.

Lee, B, Son, K, Won, D & Kim, S 2011, 'Secure data deletion for USB flash memory.', Journal of Information Science & Engineering, vol. 27, no. 3, pp. 933-952.

Lee, J, Yi, S, Heo, J, Park, H, Shin, SY & Cho, Y 2010, 'An efficient secure deletion scheme for flash file systems.', Journal of Information Science & Engineering, vol. 26, no. 1, pp. 27-38.

Lynn, G & Davey, E 2014, 'Black market' for stolen smartphones exposed, BBC, viewed 6 June 2014, <http://www.bbc.com/news/uk-england-london-26979061>.

Markoff, J 2007, Intel says chips will run faster, using less power, The New York Times, viewed 5 June 2014, <http://www.nytimes.com/2007/01/27/technology/27chip.html?_r=0&ei=5087&em=&en=59a4d10473c4a8c8&ex=1170046800&pagewanted=print>.

Mayers, S & Lee, M 2011, 'From MobileMe to iCloud', in Learn OS X lion, Apress, New York, pp. 245-253.

McGowan, R, Dover, RD & Kerber, KD 1999, Method and apparatus for intercepting calls in a communications system, US5937345, USA.

Müller, MU, Medyckyj-Scott, D, Cowie, A, Heuer, T & Roudier, P 2013. 'Current status and future directions of mobile GIS', in Proceedings of the SIRC NZ 2013 - (GIS and remote sensing research conference), University of Otago, Dunedin, New Zealand, pp. 1-6.

Muratov, AV & Foley, RE 2007, Method and system for protecting data within portable electronic devices, US007159120B2, USA.

Ogg, E 2009, Updated: IPhone OS 3.0 now available, CNET, viewed 15 June 2014, <http://www.cnet.com/news/updated-iphone-os-3-0-now-available/>.

Onyon, R, Stannard, L & Ridgard, L 2007, Remote cell phone auto destruct, US20070056043Al, USA.

Paik, Y & Zhu, F 2013, The impact of patent wars on firm strategy: Evidence from the global smartphone market, Harvard Business School.

Park, M, Choi, Y, Eom, J & Chung, T 2013, 'Dangerous wi-fi access point: Attacks to benign smartphone applications', Personal and Ubiquitous Computing, pp. 1-14.

Pieterse, H & Olivier, MS 2013. 'Security steps for smartphone users', in Information security for south africa, 2013, IEEE, pp. 1-6.

Poiesz, B 2013, Find your lost phone with android device manager, Android Official Blog, viewed 21 April 2014, <http://officialandroid.blogspot.com/2013/08/find-your-lost-phone-with-android.html>.

Punja, SG & Mislan, RP 2008, 'Mobile device analysis', Small Scale Digital Device Forensics Journal, vol. 2, no. 1, pp. 1-16.

Raento, M, Oulasvirta, A & Eagle, N 2009, 'Smartphones an emerging tool for social scientists', Sociological Methods & Research, vol. 37, no. 3, pp. 426-454.

Reardon, J, Capkun, S & Basin, D 2013, Data node encrypted file system: Efficient secure deletion for flash memory, Department of Computer Science, ETH Zurich.

Reardon, J, Marforio, C, Capkun, S & Basin, D 2012. 'User-level secure deletion on log-structured file systems', in Proceedings of the 7th ACM symposium on information, computer and communications security, ACM, pp. 63-64.

Rescorla, E 2000, HTTP over TLS, RFC 2818, viewed 4 May 2014, <https://tools.ietf.org/html/rfc2818>.

Rurup, ML, Onwuteaka-Philipsen, BD, Wal, Gvd, Heide, Avd & Maas, PJvD 2005, 'A "suicide pill" for older people: Attitudes of physicians, the general population, and relatives of patients who died after euthanasia or physician-assisted suicide in the netherlands', Death Studies, vol. 29, no. 6, pp. 519-534.

Ryngaert, M 1988, 'The effect of poison pill securities on shareholder wealth', Journal of Financial Economics, vol. 20, no. 1, pp. 377-417.

Sennett, DWA & Daly, BK 2013, Remote disablement of a communication device, US008375422B2, USA.

Shin, I 2012, 'Secure file delete in NAND-based storage', International Journal of Security & its Applications, vol. 6, no. 2, pp. 257-260.

Smith, A 2012, 46% of american adults are smartphone owners: Smartphone users now outnumber users of more basic mobile phones within the national adult population, Pew Research Center’s Internet & American Life Project, Washington.

Spreitzenbarth, M & Holz, T 2010. 'Towards secure deletion on smartphones.', in 5th conference of the GI special interest group “Sicherheit, schutz und zuverlässigkeit”, Gesellschaft für Informatik e.V. (GI), pp. 165-176.

Symantec 2012, Symantec smartphone honey stick project, Symantec Corporation, viewed 2 June 2014, <https://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=symantec-smartphone-honey-stick-project>.

Syverson, P 1994. 'A taxonomy of replay attacks [cryptographic protocols]', in Proceedings of computer security foundations workshop VII (CSFW 7), IEEE, pp. 187-191.

The Economist 2009, The boom in smart-phones: Cleverly simple, The Economist, viewed 5 June 2014, <http://www.economist.com/node/14563636>.

Turner, A 2014, Apple iCloud users urged to change passwords as hackers target iDevices, The Sydney Morning Herald, viewed 12 June 2014, <http://www.smh.com.au/digital-life/computers/gadgets-on-the-go/apple-icloud-users-urged-to-change-passwords-as-hackers-target-idevices-20140611-zrwzy.html>.

Wei, MYC, Grupp, LM, Spada, FE & Swanson, S 2011. 'Reliably erasing data from flash-based solid state drives', in 9th USENIX conference on file and storage technologies (FAST), USENIX, pp. 1-13.

Wright, C, Kleiman, D & Sundhar, S 2008, 'Overwriting hard drive data: The great wiping controversy', in Information systems security, Springer, pp. 243-257.
