RSA Conference Badge-Scanning Smartphones Exhibit Poor Security

The RSA Conference is taking place in San Francisco this week, and all the big names in computer security have converged on the Moscone Center where they will happily tell you all about their products, services and latest research. And the only cost for you is that the vendors will likely want to scan your badge if they think you're a potential lead. Sounds like a fair exchange, doesn't it? And to make things that little bit easier for the security companies who have travelled from around the world to get sore feet from standing on their booths all week long, the organisers of the RSA Conference provide vendors will a Samsung Galaxy S4, which runs an Android app that easily scans conference-goer's badges. What could possibly go wrong with that? Well, as The Register reports, the Samsung smartphones are supposed to be locked down into "kiosk" mode - only capable of scanning visitors' badges, rather than allowing bored booth staff to Snapchat each other or update their Facebook status. In short, if anyone wanted to do anything other than scan badges they would have to enter an administration password to unlock the device. You can probably guess where this is going. Researchers at Bluebox Security were curious as to just how secure the RSA-supplied locked-down smartphones might be - and discovered that the answer was, not very. The team downloaded a copy of the Android badge-scanning app from Google Play and analysed its code to discover that the smartphones could be broken out of kiosk mode by entering a default password, embedded inside the app's code in - you guessed it - plain text. In short, a brilliant demonstration on how not to write a secure app. Bluebox Security's Andrew Blaich was less than impressed:

"Using this password an attacker could gain access to the app’s developer mode, root the device, pull any data off of it, or install malware to steal even more data." “If you develop an app, it's usually a best practice to not leave a hardcoded password in your code. Just because an app is being used for one of the world's largest cyber security conferences doesn't automatically mean it's more secure."

Blaich is making a fair point. The RSA Conference is one of the biggest security events of the year, but it's no guarantee that its app - probably made by a third-party - is going to have security at its heart. And although at first glance you may imagine that the risks of such a flaw are fairly limited - just remember that these are devices which have been collecting information about visitors to a computer security conference all day long. In the chaotic environment of a trade show it's easy to imagine how an unauthorised party might temporarily grab a badge-scanning smartphone provided by the organisers and install malware on it which could forward them details of delegates. It would certainly make for a more comfortable week if you could relax in the knowledge that your competitor on another booth was collecting data from potential customers on your behalf. Of course there is a serious message for all businesses here. If you are building an app, or having an app built for you by a third-party, just how seriously are you taking security? Do you feel confident that the developers have embraced the concept of privacy and security, and are doing everything in their power to make you an app that is watertight? You can follow the latest goings-on from the RSA Conference, by checking out some of the highlights so far. And if you're at the conference please do drop by and say "Hi" to the folks at Tripwire, on their booth at North Expo #N3301. They will be pleased to see you, and just smile when they swipe your badge. :) Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.