I just read about over-the-air (OTA) upgrades for Google Android smartphones from Motorola. Personally, I am divided about this issue as it has serious security ramifications. At present, practically nobody upgrades their phone software, which is only fine as long as we use them as dumb devices. However, with the increasing convergence and intelligence put onto these devices, security becomes a primary issue. You can be sure that the next frontier of viruses and malware will be the mobile phone.
Therefore, OTA upgrades seem like a genuinely good idea on the surface. Users would no longer need to be troubled with manually upgrading their phone software, which few of them would know how to do anyway. Upgrades would be sent through the wireless networks and applied by the service providers. However, this is open to abuse on so many levels. I do hope that the implementation takes several things into account.
The upgrade packages must be protected from tampering. Merely attaching a hash to the package is not sufficient: a hash involves no secret, so a hijacker who can substitute the package can inject malicious code, recompute the hash over the modified contents, and the phone will verify it as valid. Even when the hash is signed, the hash function itself must be sound. Collision attacks have been demonstrated against several popular hash algorithms (MD5 in particular), and with a chosen-prefix collision an attacker who can get one innocent package signed can prepare a malicious one with the same digest, so that the original signature verifies both. I hope that the folks implementing this system do not rely on a bare hash as a form of security, or sign with a hash algorithm that is already broken.
All packages need to be authenticated against their source, and the way to achieve this is a digital signature from an asymmetric cipher: the vendor signs each package with a private key that never leaves its build infrastructure, and every phone carries the matching public key in firmware. This does not require each phone to have its own unique key, nor does it require encrypting the package. One signed package is broadcast to every handset, and each handset checks it against the same embedded public key, so neither storage nor transmission costs grow with the number of subscribers. Per-phone keys only enter the picture if the carrier also wants to authenticate the handset or encrypt traffic to it, which is a separate problem from proving that the package came from the vendor. What the signature does concentrate is risk: whoever holds, or steals, that one vendor private key can sign an upgrade that every phone will accept, so that key and the process around it need the same protection as the packages themselves.
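As an added example (not code from the original post, from Motorola, or from Google), here is the signing model behind the two points above, in Go using only the standard library: a bare checksum that the hijacker can recompute, beside a vendor-signed package that the same embedded public key verifies on every phone. The package layout, the function names, and the firmware strings are assumptions made for illustration, and Ed25519 over SHA-256 stands in for whatever signature scheme a real vendor would choose.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout for this example, not any vendor's real format:
//   4-byte big-endian payload length | payload | 64-byte Ed25519 signature over SHA-256(payload)
const sigLen = ed25519.SignatureSize

// BuildSignedPackage is the vendor side: one offline private key signs one
// blob, and that identical blob is sent to every phone.
func BuildSignedPackage(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig := ed25519.Sign(priv, digest[:])
	out := make([]byte, 4, 4+len(payload)+sigLen)
	binary.BigEndian.PutUint32(out, uint32(len(payload)))
	return append(append(out, payload...), sig...)
}

// VerifySignedPackage is the phone side, using the vendor public key burned
// into firmware. It returns the payload only if the signature verifies.
func VerifySignedPackage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) < 4+sigLen || uint64(len(pkg)) != 4+uint64(binary.BigEndian.Uint32(pkg))+sigLen {
		return nil, errors.New("bad length: package truncated or length field tampered")
	}
	n := binary.BigEndian.Uint32(pkg)
	payload, sig := pkg[4:4+n], pkg[4+n:]
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("signature check failed: tampered or not from vendor")
	}
	return payload, nil
}

// BuildChecksumPackage is the weak alternative: payload | SHA-256(payload).
// Nothing in it is secret, so whoever can replace the package can rebuild it.
func BuildChecksumPackage(payload []byte) []byte {
	d := sha256.Sum256(payload)
	return append(append([]byte{}, payload...), d[:]...)
}

// VerifyChecksumPackage only proves the bytes were not corrupted in transit.
func VerifyChecksumPackage(pkg []byte) ([]byte, bool) {
	if len(pkg) < sha256.Size {
		return nil, false
	}
	payload, sum := pkg[:len(pkg)-sha256.Size], pkg[len(pkg)-sha256.Size:]
	d := sha256.Sum256(payload)
	return payload, bytes.Equal(d[:], sum)
}

// Outcome records what the phone accepted in each case of the hijack scenario.
type Outcome struct {
	GenuineAccepted       bool // the vendor's real signed package
	ChecksumForgeAccepted bool // attacker payload with a recomputed checksum
	SignedForgeAccepted   bool // attacker payload with the vendor's old signature grafted on
	WrongKeyAccepted      bool // attacker payload signed with the attacker's own key
}

// RunHijackScenario plays the post's hijacker against both package formats.
func RunHijackScenario() (Outcome, error) {
	var o Outcome
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	genuine := []byte("firmware 1.1: baseband fix")        // constructed sample payload
	malicious := []byte("firmware 1.1: premium-SMS dialer") // constructed attacker payload
	signed := BuildSignedPackage(vendorPriv, genuine)
	_, err = VerifySignedPackage(vendorPub, signed)
	o.GenuineAccepted = err == nil
	// Checksum-only: the hijacker swaps the payload and recomputes the hash.
	_, o.ChecksumForgeAccepted = VerifyChecksumPackage(BuildChecksumPackage(malicious))
	// Signed: the hijacker swaps the payload but only has the vendor's old signature to reuse.
	forged := make([]byte, 4, 4+len(malicious)+sigLen)
	binary.BigEndian.PutUint32(forged, uint32(len(malicious)))
	forged = append(append(forged, malicious...), signed[len(signed)-sigLen:]...)
	_, err = VerifySignedPackage(vendorPub, forged)
	o.SignedForgeAccepted = err == nil
	// Signed: the hijacker signs with a key of their own, which the phone does not trust.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, err = VerifySignedPackage(vendorPub, BuildSignedPackage(attackerPriv, malicious))
	o.WrongKeyAccepted = err == nil
	return o, nil
}

func main() {
	o, err := RunHijackScenario()
	fmt.Println(o, err)
}
```

Running it prints an Outcome in which only GenuineAccepted and ChecksumForgeAccepted are true: the checksum format waves the hijacked payload through, while the signed format rejects both the grafted signature and a signature from a key the phone does not trust. Two details matter in practice: the same signed blob served every handset without any per-phone key or encryption, and the length field, which is not covered by the signature, is checked against the package size before it is used to slice the buffer, since every unsigned byte in transit is attacker-controlled.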
We want to avoid another Debian debacle, where a 2008 patch to Debian's OpenSSL package crippled the random number generator and every key generated on an affected system came from a tiny, enumerable set. So phones that generate keys of their own should come equipped with good entropy sources. Some people may think that a phone is a great way to collect entropy; for example, simply moving from signal tower to signal tower could be used to feed the entropy pool. I honestly hope that they do not try doing this, because people rarely move randomly. We tend to move from one place to another on a schedule, so the sequence of towers is largely predictable, and an attacker who knows a victim's commute can guess most of it.
Personally I don’t see this OTA upgrade technology as justified.
From a security stand-point, this just opens up the mobile phone for remote hijacking. Some enterprising person somewhere will figure out a way to hijack the OTA upgrades and inject malicious code into the phones remotely. This will make bot-nets look decidedly benign. From a personal perspective, I see it as a means to control the user and their phones. Carriers would now have the ability to use a remote 'kill-switch' on any mobile phone if this OTA upgrade feature is adopted. From a business perspective, it does not make sense to deploy this either. Consumers these days change their phones so often that these sorts of upgrades are moot anyway, as the user is going to get a new phone with the new firmware.
Beware the OTA upgrade.