ProtectingUserData

Overview

Ubuntu is designed with the future converged experience in mind and with the idea that the user owns the device and the data on it. As such, while the applications are isolated from each other and cannot access the data of other applications without the user's knowledge, the user is expected to have access to the data on the device. It is also recognized that protecting the device from data theft and tampering is important, yet we must keep in mind Ubuntu's design (and how its philosophy differs from other platforms) so that we may strike the right balance of usability, freedom, security and data protection.

A number of attack scenarios against devices have been identified along with plans to address the ones that are important to Ubuntu.

Attack scenarios

  1. [Phase 1+Phase 2] Casual theft with activated lock screen. These include but are not limited to attacks against:
    • Bootloader
    • Recovery console
    • ADB access
    • MTP access
    • Lockscreen (brute-forcing)
  2. [Phase 2] Targeted theft with activated lock screen. Same as casual theft but also include attacks against:
    • Hardware
    • Encryption passphrase (brute-forcing)
  3. [Unsupported] Casual theft with no lock screen or PIN/password. These include but are not limited to attacks against:
    • Direct application access
    • Terminal, file manager and webbrowser-app
    • Bootloader
    • Recovery console
    • Recovery console flashing
    • ADB access
    • MTP access
    • Unsigned application installation
  4. [Phase 1] Sideloading apps without adb while lending with unlocked screen
  5. [Phase 2] Sideloading apps and data theft during lending with unlocked guest

Because on Ubuntu the user owns the device and the data, solving 'Casual theft with no lock screen' is not supported and contrary to our design philosophy and all attack vectors would have to be addressed and this would lead to a fully locked system. If users want to protect their data, they should set a password.

Plan

Phase 1 (initial phone delivery)

For Phase 1, users desiring privacy and elevated security against casual theft should enable a PIN/password, protect that PIN/password against theft and not lend the phone to people they do not trust. Limiting access to user data when there is no PIN/password or when the PIN/password is stolen is not supported. Limiting access to the terminal, non-MTP files via filemanager and sideloading via non-adb will be password protected on app invocation. Actions:

  1. Provide configurable PIN/password support (should support both a PIN and password)
  2. Provide protection against brute-forced incorrect PIN/password guesses (1348251)

  3. Initial setup should default to password with appropriate language to discourage passwordless setups (1348362)

  4. adb (developer mode) should be disabled by default
  5. Bootloader and recovery console
    • If supplied, the Ubuntu bootloader should by default be locked and only boot/flash signed images. It should support unlocking. Unlocking wipes the device.
    • If supplied, the Ubuntu recovery should by default be locked and only boot/flash signed images. It should support unlocking. Unlocking wipes the device. adb should have reduced functionality by default (eg, no backups or other ways to steal data without unlocking/wiping)
  6. Either:
    • adb should only accept new connections if screen is unlocked, or
    • Authenticate new computers to adb if it is enabled
  7. MTP should not respond to new connection requests if the screen is locked (1348365)

  8. Require password (if set) on terminal launch (1347010)

  9. Require password (if set) for full filesystem access in filemanager (1347010)

  10. Restrict access to file:// URLs in webbrowser-app (1393515)

  11. Require package signing (1330770)

After completing Phase 1 actions, Ubuntu Touch should be considered to be a secure system with reasonable, expected privacy features for consumers and resistant to casual data theft when following recommendations for PIN/password security. Attack scenarios #4 and much of #1 are covered.

Phase 2 actions

Users desiring privacy and elevated security against casual theft should enable a PIN/password and protect that PIN/password against theft. Limiting access to user data when there is no PIN/password or when the PIN/password is stolen is not supported. Users may safely lend the phone to untrusted individuals using guest session functionality. Users may also setup multiple accounts for people (eg coworkers or family members). Users desiring modest protection from offline attacks should enable user data encryption and users desiring strong protection from offline attacks should also enable/buy a phone with bootloader and recovery console hardening. Actions:

  1. Support multiuser
  2. Support guest session
  3. Guest session should disallow access to user data, toggling developer mode, toggling allowing installing unsigned apps, installing apps
  4. Support easy transition to guest session for lending
  5. If not performed in phase 1, the Ubuntu bootloader should by default be locked and only boot/flash signed images. It should support unlocking. Unlocking wipes the device
  6. If not performed in phase 1, the Ubuntu recovery console should by default be locked and only boot/flash signed images. It should support unlocking. Unlocking wipes the device. adb should have reduced functionality by default (eg, no backups or other ways to steal data without unlocking/wiping)
  7. Require password for turning on adb in the settings GUI
  8. Support user data encryption
  9. Authenticate new computers to adb if it is enabled if not implemented in Phase 1
  10. Terminal should not run in guest session
  11. File manager should not expose non-guest-MTP directories in guest session

After completing Phase 1 and Phase 2 actions, Ubuntu Touch should have the minimum system, user and user data security features needed for the fully converged experience. Attack scenarios #1, #2, #4 and #5 should be covered.

SecurityAndPrivacySettings/ProtectingUserData (last edited 2014-11-18 20:16:52 by fitojb)