Document Home

Valid HTML 4.01 Transitional

Nokia N810 and 770 Internet Tablets
Security

James F. Carter <jimc@math.ucla.edu>, 2006-03-24, updated 2008-03-15

Security on a PDA is similar to that on a laptop computer, but carried to extremes. See my document Cryptographic Vault for a discussion of laptops and datacenter security, and for an introduction to the philosophy I'm describing here.

Payloads

First, what is the paylod that is being threatened? Here are just a few examples of stealable payloads.

Threats

As with a laptop computer, the primary threat is theft.

The threat of hacking or viruses cannot be dismissed, particularly if the operating system is Windows® Mobile, but the measures needed to discourage hackers and malware are rather orthogonal to measures taken against theft, and they will be discussed relatively little in this document. See the Cryptovault URL above for a more extensive discussion.

If the thief snatches the PDA out of your hand and starts using it, the PDA has few clues that it needs to clam up -- sense of smell? (A security alembic or leash can help protect against snatches.) Therefore I'm going to focus on the theft of a PDA which is in the standby state or otherwise is not in active use. Here's a sample scenario that the security measures need to resist:

Having lunch at a tony sidewalk café in Basel, a researcher for a multinational pharmaceutical firm is discussing with a co-worker the latest blockbuster drug, using the sketchpad application on his Nokia N810 Internet Tablet (whose screen can be seen in the warm sunlight) to show structural variants and the needed accomodations in the manufacturing process. No sensitive information on napkins this time! The waiter appears with their soup course. Oh, terrible, the soup has spilled all over Monsieur's jacket! Oh, quel catastrophe! (Wipe, wipe.) (Etc. etc.)

By the time the waiter, or his supervisor, can start pawing at the PDA it should have realized that it was not being paid attention to, and it should have gone into standby mode, which should include clamming up. The length of the standby timeout is configurable and on a security-sensitive machine should be kept short. With any competence in the security design, the Sun will turn into a cinder before the competitors get their hands on those sketches. Of course the researcher was violating company security rules by taking his work PDA out of the building, or by even opening his mouth in a public place.

This scenario illustrates another key point in security: it's useless if it isn't used. Here the researcher tried to have a normal life, which is not compatible with high-level security. More relevant to mere mortals, if the users can't get their work done, they won't use the security at all. Not everyone can afford the infrastructure to keep his work and personal life strictly separate, e.g. using the work PDA only within the security perimeter. And there's also the issue of corporate culture: I interpret the Wen Ho Lee escapade at Los Alamos as a serious breakdown of working together to keep the dangerous information safe -- researchers did not take security seriously, while security personnel failed to accomodate the researchers' need for unhindered communication. The security regime on the PDA needs to balance effectiveness and convenience of use, so the user (just me :-) will use it consistently.

Thus, non-use of the security measures has to be counted as a threat.

Defense Measures

This design can be summarized easily: Based on a timeout or on a user action (e.g. covering the screen), the PDA enters standby mode. This includes clamming up: secrets are forgotten (e.g. the SSH key agent), and crypto filesystems are unmounted. When the machine wakes up the user will need to give a password to make the clam open.

On the Nokia 770, the deepness of sleep is greater when it's covered than when the screen is blanked after an activity timeout. However, the latter state is the key for the most effective security protection. The N810 does not have a screen cover and does not distinguish levels of sleep as far as I can tell.

Most data on my PDA does not need protection: music files, journal articles, grocery list, blood pressure record... I could use it for quite some time before needing one of my secrets, likely through several sleep-wake cycles. This means that the clam open action should not happen at wakeup time, but rather when one of the secrets is actually accessed.

The technique of the Cryptographic Vault is very applicable to the PDA. Basically, all the secrets are in one (or a few) small crypto filesystems, which on the laptop are mounted when the user logs in, using his password which is provided via PAM. Within the crypto filesystems many of the secrets need to be unencrypted, e.g. the secret key that goes with the X.509 digital certificate which the Postfix mailer uses to send mail to a gateway that requires SMTP authentication (port 587). If feasible, some secrets have a second encryption, mainly the SSH key, so it cannot be stolen by a hacker doing a root exploit. This secret is loaded into the SSH key agent, again at login time using the password saved by PAM.

When the laptop is suspended, secrets are erased and the Crypytographic Vault is unmounted, and the screen is pre-locked. When the machine wakes up the screen locker uses PAM to authenticate the user, and the login scripts are run again to remount the crypto filesystems and reload the SSH key. On my laptop this all works smoothly and unobtrusively. But people without security issues may object to entering their password when waking up their machines.

How can this be adapted for the PDA? Let's first look at an ideal system where I can change anything I want.

But I want to have this machine ready for a trip to Europe a month from now. How much security can I get in that time?

Where does the BIOS pass number fit into this picture? The password on the Cryptographic Vault has to be good enough to protect the most important secret, and four digits are far too weak. Also, the BIOS pass number only is engaged upon positive user action (turning over the cover, or the power menu), and we need security actions at the screen blank timeout; review the spilled soup scenario. However, you don't want to deliver a working PDA to a casual thief, and a wimpy four-digit BIOS pass number could be good enough for that protection. Remember, however, that a savvy recipient of stolen goods could and should simply re-flash the filesystem image, probably yielding a working machine.

How helpful would a fingerprint reader be? I'm thinking of a role generally parallel to the BIOS pass number. But print images change, e.g. with injury or dirt, so the reader could not be too picky in matching, and also there would have to be a non-biometric authentication mechanism. If that mechanism were the four-digit BIOS pass number, then the authentication system would be only as strong as its wimpiest branch. Even so, print reading is a whole lot less hassle than entering a number, and I would recommend including such a reader in future models of the N-Series.


Document Home