That bites both ways. If I can get control of your Android device (which, given the exploit-like-it's-the-1990s state of security of the whole ecosystem shouldn't be that hard) then I've MITM'd your net connection, while doing the same for your router/access point is likely to be a lot harder.
I think anyone savvy enough to be separating domains in this way *because they can't trust their router (phone)* will have taken steps to make MitM'ing the router irrelevant. Pre-shared VPN certificates would largely render this pointless, right? As would Tor on the computer through the phone? Any attempt to MitM would result in failed cert checks. Now, you could get the phone to take action on its own that might assist in exploiting the upstream computer, so for example USB based attacks (#BADBIOS? :P) or just port scanning the computer through the tether and attacking open ports. So, isolating and firewalling against the phone, and treating it as a potential attacker plugged right into the device, is important if you're at this stage of paranoia. :) Of course, with bluetooth tethering (or even wifi, if you can power it) the USB bus attacks aren't as relevant. But firewalling the network connection with the phone, then VPNning or Torifying the connection through the phone, would be necessary for a properly "untrusted phone" connection, IMO. On 16/10/14 04:55, Peter Gutmann wrote:
coderman <coderman@gmail.com> writes:
it is more private because you are separating domains of communication. the less trustworthy smartphone is used as a network link (cell or other uplink) and not trusted with the content of the encrypted communications it carries.
That bites both ways. If I can get control of your Android device (which, given the exploit-like-it's-the-1990s state of security of the whole ecosystem shouldn't be that hard) then I've MITM'd your net connection, while doing the same for your router/access point is likely to be a lot harder.
Peter.
-- Twitter: @onetruecathal, @formabiolabs Phone: +353876363185 Blog: http://indiebiotech.com miniLock.io: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM