ubuntu-phone team mailing list archive

Re: call history && DTMF logging

 

On Fri, 24 Apr 2015 12:56:30 +0100
Sam Bull <sam.hacking@xxxxxxxx> wrote:

> On Thursday, 23 April 2015 14:05:29 BST, Oliver Grawert wrote:
> > the moment you enable ssh i wouldn't call your phone an unhacked
> > phone anymore ;) 
> > i'm talking about a normally used phone like my mom would use it ...
> > without installing a terminal-app, enabling developer mode or
> > ssh ... since she doesn't know what that is ;)  
> > if you alter the low level defaults you should be aware that you
> > also alter security abilities ...
> 
> You only need the terminal-app installed to achieve all that. Which
> can be installed by an attacker in seconds if they have your unlocked
> phone. As a geek, I have the terminal-app installed, but I don't have
> developer mode or ssh or anything else enabled.
> 
> sudo doesn't require a password, and outgoing ssh is available, so it
> is fairly trivial to copy the log and upload it somewhere if the
> phone is unlocked. Particularly as my phone doesn't have a lock
> enabled, so there is no restriction on time.

Sudo does require either the pin or password that you use to unlock the
device.

You also need to unlock the terminal with your pin/password to access
anything outside of the terminal/home directory.

> 
> And, please don't block ssh in the future. If I was going to use it
> as an attacker, I could just switch to an http page to upload the
> data. I don't see how disabling ssh would provide any additional
> security. But, as a geeky user, being able to ssh to maintain my
> servers at any time or location is great. That's why I've been using
> Ubuntu for the past 2 years, to have the power of a full linux system
> on my phone whenever I need it.
> 

I think Oliver meant turning ssh-server on, on the phone but I could be
wrong.

-- 
You Make It, I'll Break It!

I Love My Job :)

http://www.canonical.com
http://www.ubuntu.com
