Ten years ago CTOs wanted company phones locked down, camera phones and iPods banned from the office. Now they are being forced to contemplate bring-your-own-device, whether that’s a smartphone or a tablet – that has to be a CTO’s worst nightmare. Meanwhile consumers and business people alike are adopting a laissez-faire attitude to downloading mobile apps – powerful computer programs that could potentially contain malicious code – from unknown authors, something few people would do on their PC. Yet 96 percent of smartphones and tablets do not have third-party security software installed, according to Canalys and Juniper (See: stats and analysis). This isn’t scaremongering, BullGuard discovered 2,500 different types of mobile malware (malicious software) in 2011.
The following experts contributed to this mobile security briefing:
• Peter Wood, CEO, First Base Technologies, and vice president, Global Institute for Cyber Security & Research
• Charles Brookson, Zeata Security, and chairman, GSM Association Security Group (but these are his personal comments, not necessarily the opinion of the GSMA)
• Ruben Rico, mobile product manager, Oberthur Technologies, and chairman, SIMalliance Mobile Internet Security Workgroup
• All three experts are presenting in the security track at the Smart Device and Mobile User Experience Summit, on November 1-2, 2011 (mobiThinking readers get a 10 percent for this event using discount code I3CN8/Mobi10).
Q1. What you consider to be the biggest security issues with mobile phones?
The types of threat:
Rico: Attacks on mobile devices range in volume and severity, but all have the potential to cause chaos at both a device and network level. Just like in the conventional fixed Internet world, attacks come in all shapes and sizes – such as phishing (criminals attempt to trick users into sharing passwords etc), spyware (tracks user’s activity, perhaps selling data to advertisers), worms (a program that copies itself onto multiple devices via network connections), trojans (a program that looks genuine but hides malicious intent) and man-in-the-middle attacks (where a criminal intercepts and manipulates messages between two devices or device and computer).
• The very useful infographic below from BullGuard gives an excellent overview of the most virulent mobile threats.
The threat smartphones pose to businesses:
Wood: Smartphones have surpassed laptops as the most likely thing to be lost or targeted by thieves or hackers. Many organizations have now secured company laptops with full-disk encryption, so they are less of an easy target for criminals than they once were. Unfortunately the smartphone has now replaced laptops as the soft target. They are small and so easy to lose or be stolen. Plus they are always on, generally not centrally-managed by IT departments and are often poorly protected either with just a PIN code or weak password.
For more information on the threat posed to organizations by smartphones read: Tech insight: Smartphones the new lost and stolen laptops of data breaches.
The sophistication of the mobile device is it’s own worst enemy
Brookson: The big security issues with mobile devices are a) the growth of malware i.e. malicious software programs that are aimed at mobile phones, and b) the difficulties associated with adapting GSM, the ageing technology that most mobile devices use to communicate, to deal with the demands of modern telephony and the new threats. (We are just talking about GSM here, the more advanced 3G and LTE networks are much more able to deal with security issues).
Mobile phones now run software that is similar to desktop PCs. They are capable of executing code and running applications. Phones can even be used by part of a botnet (this is a network of infected ‘slave’ devices used for malicious purposes).
The big problem with downloadable mobile apps
Brookson: It is possible to write secure mobile apps and to check them for malware and similar tricks. The problem is that app stores have now become vast, each with huge numbers of apps. This makes it difficult for app stores to do more than superficial checks for security threats. Increasingly, the onus is being placed on individual app authors/developers to monitor/check the apps for risks themselves. App stores do have strategies in place to monitor for dangers and withdraw illegitimate/compromised apps, but the shear volume of apps makes this a slow process.
At the same time, we are now seeing many variations of the same malware, such as Spyeye a program that compromises banking authentication by text messaging. This makes it difficult to keep mobile devices secure against new threats. Even updating software on mobile devices is a laborious business, much harder than with PCs, which limits how often security updates can be made.
Wood: The most dangerous threats posed by download mobile apps are well-documented in Veracode's Mobile app top 10 list.
Remotely hosted mobile applications and data:
Rico: It is not only the mobile device that is vulnerable to attack; data is similarly threatened because the vast majority of applications are hosted externally. Most often these services require some element of authentication to the external server based on user identity. Authentication ranges greatly in the level of sophistication from a simple user ID and password to a certificate issued by a recognized provider. But however sophisticated these techniques, there are always issues – passwords can be cracked, stolen or phished, and certificates can be manipulated if they are not handled and stored appropriately.
• For examples of issues with passwords, certificates and data hosted remotely, read: Hack attack exposes 1.3 million Sega accounts and Could DigiNotar hack lead to a cyberattack on you?
• The problems with GSM:
Brookson: GSM is still the most widely-used mobile-phone network technology, but it was only designed to have a limited lifetime of 20 years or so. We are now way beyond that 20 years and GSM networks face security issues that were never envisioned when it was created. The GSMA and other the standards groups have introduced new privacy and authentication algorithms, such as A5/3 and G Milenage to minimize some of these risks, but these enhancements also need mobile operators to incorporate them into and support them within their networks. 3G and LTE have built on GSM and have many extra security mechanisms.
• The growth of machine to machine (M2M)
Brookson: We are also seeing mobile technology being extended to automated systems – called machine to machine (M2M) – including smart metering (to save energy), eCall (to make emergency calls when you have a car accident) and transport systems. The reliability of M2M systems depends on the designers being able to make secure devices and systems, following the latest guidelines from the GSMA and others. Read this: Reverse-engineering a smart meter.
Q2. How seriously are consumers and companies taking these threats?
Consumers don’t take mobile security as seriously as PC security; only some organizations are aware of the threat:
Wood: Consumers seem to be blissfully unaware, with an even more relaxed attitude to security than they have for their home computers.
Some companies are dealing with this issue better than others. For example, Intel has a clear published policy and good controls for managing mobile devices, while other firms have little or nothing to protect them.
Mobile security requires technical savvy:
Brookson: Both the threat to devices and the threat to networks requires education and the correct messages to consumers and operators alike. While many consumers read and digest information, many just ignore the threats. For example, how many people are aware of the need to PIN protect their mobile, lock their SIM and turn off Bluetooth (especially in discoverable mode)? How many actually know how to do this for their particular mobile? Basic mobile security like this requires a level of technological know-how that most mobile users don’t possess.
Customers should be just as concerned about mobile threats as Web security:
Rico: Consumers are very concerned with online fraud. According to a poll by ThreatMetrix and the Ponemon Institute, 85 percent of consumers are overwhelmingly dissatisfied with the level of protection online businesses are providing to stop fraudsters. While this poll was about the fixed Internet, we should assume that consumers are just as concerned about companies they deal with over the mobile Web.
Q3. What can be done about these threats?
Education is key
Brookson: It all comes down to education. But also it is important to build devices that protect the user without them having to make informed decisions – but as we have seen with PCs this isn’t easy.
Standards bodies don’t really tackle the need for education, being much more interested in the technical aspects of security such as interfaces. Finding universal or similar ways of solving these issues is not always been possible.
A good example of the wrong message about mobile security is when the media talks about voicemail ‘hacking’. It isn’t really hacking at all, it’s just criminals guessing easy security PINs. Far too often default PINS have been left in place, really simple ones are used or people aren’t aware of the danger of criminals obtaining passwords through social engineering. For more on this read: Voicemail hacking and the 'phone hacking' scandal - how it worked, questions to be asked and improvements to be made.
Organizations need to put security policies in place before introducing smartphones and tablets into the business:
Wood: The key is a combination of user education and for organizations to establish security policies and adopt enterprise-level management tools. Too often organizations are playing catch up with new technologies. The IT and security folks are often wrong-footed by executives and project managers encouraging smartphone and tablet use within the enterprise without any thought of the security issues. (This issue is often referred to as consumerization of IT or bring-your-own-device).
Rico: The SIMalliance believes that security based in a Secure Element (SE) can greatly contribute to the reduction of fraud. An SE is a combination of secure software and hardware that allows secure storage of certificates and use of encryption and digital signatures. There are three main ways that SE can be delivered: a) on the SIM card (or UICC) giving operators control of the secured services; b) via secure micro SD memory cards which give service providers such as banks the control; or c) via secure chip embedded in the handset putting the OEM in control.
Q4. Is it going to get worse?
Wood: Yes, it will get worse, before it (hopefully) gets better. All organizations will have to come to terms with the consumerization of handheld devices, just as they did with the advent of the desktop PC in the 1980s. The sooner they learn from history and from companies that have implemented working strategies for smartphones, the better.
Rico: Yes, because the usage of the mobile Internet is growing exponentially, while mobile devices are less protected than computers.
Brookson: The evidence shows that this is an increasing trend, for example the growth of malware, and the GSM weaknesses exposed at conferences such as Black Hat.
Q5. What’s the biggest myth about mobile security?
Brookson: That mobiles are secure even if you don’t understand what you are doing and do not protect yourself.
Wood: People who believe: "there's nothing worth stealing on a smartphone". This overlooks emails, attachments, contacts and address books and, of course, the wireless and VPN configuration that permit access to the corporate network.
Q6. What resources do you recommend research, stats, forecasts and further reading?
• Symantec security analysis on dangers associated with mobile apps A window into mobile device security. Examining the security approaches employed in Apple’s iOS and Google’s Android.
• The GSMA’s Security Advice for Mobile Phone Users.
• Video round-up of security issues from F-secure covers Security issues with jailbreaking iOS devices and other issues.
• AVG Technologies global Q1-2011 Security Threat Report: Android malware growing rapidly: “With smart phones becoming more like computers, the first quarter saw a notable increase in risk for smartphone users and the Android platform in particular; AVG blocked an average of 100,000 spam and phishing text messages per day.”
• F-Secure’s Essential security tips
1. Keep your system updated
2. Install a security application in your phone
3. Watch where you click and land
4. Refrain from doing transactions on a public network
5. Install or obtain applications from trusted source
6. Make it a habit to check each applications' data access on your phone
• Booz and Co: Friendly takeover The consumerization of corporate IT “The efforts of corporate IT departments to maintain perimeter security by exerting tight control over their networks is ultimately doomed to failure.”
• Intel: Maintaining secure personal handheld devices in the enterprise
• The growth of malware from BullGuard (below) identified 2500 different types of mobile malware in 2010.
• IBM X-Force 2011 Mid-year Trend and Risk Report “IBM X-Force Research & Development is predicting that exploits targeting vulnerabilities that affect mobile operating systems will more than double from 2010.”
For analysis from mobiThinking see:
96 percent of smartphones and tablets lack necessary security software. Why it matters to your business – a lot
This very useful infographic is from BullGuard
Courtesy of: BullGuard.com
• Be the first to know about mobiThinking news, guides, competitions etc… follow mobiThinking on Twitter: @mobithinking.
• Nine video interviews with leading mobile experts
• What makes EMEA the world’s most exciting mobile market? Interview with Paul Berney, MD, MMA EMEA
• Compelling content: tips for making useful, sticky mobile Web sites and apps (part 1)
• The mobile city project – the blueprint of a truly mobilized city
• The insider’s guide to device detection: give your Website visitors the site they deserve
• The insiders' guides to world’s greatest mobile markets • Latest country guide: Brazil
• Guide to mobile agencies • Latest agency profile: Grupo.Mobi
• Guide to mobile industry awards • Latest winners: Mobi Awards
• Guide to mobile ad networks
• The big compendium of global mobile stats