
Posted 11 June 2015

We have become the mobile actors of a connected world, in which connected objects are ever more present in our daily lives. From the moment we wake up until bedtime we browse and share, for personal or professional purposes, usually across a permanent tangle of devices set up in BYOD (Bring Your Own Device), CYOD (Choose Your Own Device) or COPE (Corporate Owned, Personally Enabled) mode, with an ever growing number of applications in use: about thirty applications a month per person. Against a global installed base of 1.3 billion smartphones, the latest McAfee Labs threats report stresses that, within two years, the cumulative number of mobile malware samples has jumped from 1.5 million to over 6 million, roughly 250,000 new samples a month.

All users, even experienced ones, naturally tend to trust their devices and the applications they think they know, published by well-known and reputable vendors. Users have heard of cryptography, so they believe they run no risk. That is clearly a mistake. In what are known as MITM (man-in-the-middle) attacks that exploit SSL/TLS weaknesses, the cryptography itself is not to blame; what fails is the handling of the keys and certificates that vouch for the encryption keys. By analogy, when you ask a locksmith to cut a key, how can you be sure he will not keep a copy and open your doors, other than because the locksmith is licensed and trustworthy? In the cyber world the door is harder to picture, but the approach should be the same; otherwise mobile handsets and information systems end up compromised through vulnerabilities such as BERserk or Heartbleed. BERserk stems from a flaw in the RSA signature verification (in Mozilla's NSS library) performed by mobile and non-mobile applications when a secure connection is established: a forged signature is accepted, so an attacker can impersonate a site. Heartbleed affects the OpenSSL implementation of SSL/TLS and lets an attacker read server memory, private keys included. Either way, connections that look secure between users and websites can be taken over (cf. the February 2015 McAfee Labs report). Trust in key and certificate management is therefore essential. It will be discussed later on.
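The BERserk reference above turns on a verifier that does not check the whole padded signature block. As an added example (not code from the original post), the Python below shows that bug class in the general Bleichenbacher-style form BERserk belongs to, rather than the specific NSS DER-length bug: with e = 3, a verifier that parses the PKCS#1 v1.5 block and ignores whatever trails the DigestInfo accepts a signature forged from the public key alone, while a verifier that recomputes the full block and compares every byte rejects it. The key generation, the sample message and all function names are constructed for the demo and are not from any real library.

```python
"""Strict vs lenient RSA PKCS#1 v1.5 signature verification with e = 3.
Added demo (not from the original post); toy key generation, not for production."""
import hashlib
import random

K = 256  # modulus length in bytes (2048-bit key)
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def emsa_pkcs1_v15(message: bytes) -> bytes:
    """The only encoding a strict verifier accepts: 00 01 FF..FF 00 || DigestInfo."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def icbrt_ceil(x: int) -> int:
    """Smallest integer s with s**3 >= x (exact binary search on Python ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, adequate for a demo key only."""
    if n < 2 or n % 2 == 0 or any(n % s == 0 for s in SMALL_PRIMES):
        return n == 2 or n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, e: int) -> int:
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if (p - 1) % e != 0 and _is_probable_prime(p):      # keeps gcd(e, phi) = 1
            return p


def generate_key(e: int = 3):
    """Toy RSA key pair ((n, e), (n, d)); e = 3 is what makes the forgery cheap."""
    p, q = _random_prime(4 * K, e), _random_prime(4 * K, e)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def sign(priv, message: bytes) -> bytes:
    n, d = priv
    return pow(int.from_bytes(emsa_pkcs1_v15(message), "big"), d, n).to_bytes(K, "big")


def verify_strict(pub, message: bytes, sig: bytes) -> bool:
    """RFC 8017 way: recompute the full encoded block and compare all K bytes."""
    n, e = pub
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(message)


def verify_lenient(pub, message: bytes, sig: bytes) -> bool:
    """The bug class: parse the block, check what you find, ignore what trails it."""
    n, e = pub
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= K or em[i] != 0x00:  # wants at least 8 bytes of FF padding
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i + 1:i + 1 + len(t)] == t  # trailing bytes are never examined


def forge(pub, message: bytes) -> bytes:
    """Public key only: build the block the lenient parser wants, zero-fill the
    tail, take the integer cube root. The cube matches the block in its high
    bytes and differs only in the tail the lenient verifier ignores."""
    n, e = pub
    assert e == 3
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    target = int.from_bytes(head + b"\x00" * (K - len(head)), "big")
    s = icbrt_ceil(target)
    assert s ** 3 < n  # the cube never wraps modulo n, so no private key is involved
    return s.to_bytes(K, "big")


def demo(message: bytes = b"GET /login HTTP/1.1 (constructed sample)") -> dict:
    pub, priv = generate_key()
    real, fake = sign(priv, message), forge(pub, message)
    return {
        "strict_accepts_real": verify_strict(pub, message, real),
        "lenient_accepts_real": verify_lenient(pub, message, real),
        "strict_rejects_forgery": not verify_strict(pub, message, fake),
        "lenient_accepts_forgery": verify_lenient(pub, message, fake),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run as a script it prints four checks, all True: the lenient verifier accepts both the genuine and the forged signature, the strict one accepts only the genuine. The forgery works because the 194 zero bytes at the end of the target block absorb the rounding error of the cube root, so the high bytes (prefix, padding, DigestInfo) survive intact. The fix is the strict comparison RFC 8017 prescribes, and the same lesson applies to any certificate parser: check the entire structure, not just the parts you were looking for.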