www.industry-outlook.com

Mobile device security: the insider’s guide.


Opinions and tips from the world-leading experts

Smartphones, mobile apps, remote data, the consumerization of IT and the rise of malware and criminal intent present a lethal cocktail of security threats to consumers, corporations and mobile networks, warn experts.

Ten years ago CTOs wanted company phones locked down, and camera phones and iPods banned from the office. Now they are being forced to contemplate bring-your-own-device, whether that’s a smartphone or a tablet – that has to be a CTO’s worst nightmare. Meanwhile consumers and business people alike are adopting a laissez-faire attitude to downloading mobile apps – powerful computer programs that could potentially contain malicious code – from unknown authors, something few people would do on their PC. This isn’t scaremongering: estimates suggest that 2500 different types of mobile malware (malicious software) have been discovered in 2011.
The following experts contributed to this mobile security briefing:

• Peter Wood CEO, First Base Technologies & vice president, Global Institute for Cyber Security & Research

• Charles Brookson, Zeata Security and chairman GSM Association Security Group (but these are his personal comments, not necessarily the opinion of the GSMA)

• Ruben Rico, mobile product manager Oberthur Technologies, chairman, SIMalliance Mobile Internet Security Workgroup

• All three experts are presenting in the security track at the Smart Device and Mobile User Experience Summit, on November 1-2, 2011 (mobiThinking readers get a 10 percent discount for this event using discount code I3CN8/Mobi10).


Q1. What do you consider to be the biggest security issues with mobile phones?

The types of threat:
Rico:
Attacks on mobile devices range in volume and severity, but all have the potential to cause chaos at both a device and network level. Just like in the conventional fixed Internet world, attacks come in all shapes and sizes, such as phishing (criminals attempt to trick users into sharing passwords etc.), spyware (tracks users’ activity, perhaps selling data to advertisers), worms (a program that copies itself onto multiple devices via network connections), trojans (a program that looks genuine, but hides malicious intent) and man-in-the-middle attacks (where a criminal intercepts and manipulates messages between two devices or between a device and a computer).
• The very useful infographic below from BullGuard gives an excellent overview of the most virulent mobile threats.

The threat smartphones pose to businesses:

Wood:
Smartphones have surpassed laptops as the most likely thing to be lost or targeted by thieves or hackers. Many organizations have now secured company laptops with full-disk encryption, so they are less of an easy target for criminals than they once were. Unfortunately smartphones have now replaced laptops as the soft target. They are small and so easy to lose or have stolen. Plus they are always on, generally not centrally managed by IT departments and are often poorly protected with just a PIN code or a weak password.

For more information on the threat posed to organizations by the smartphone read: Tech insight: Smartphones the new lost and stolen laptops of data breaches.

The sophistication of the mobile device is its own worst enemy
Brookson:
The big security issues with mobile devices are a) the growth of malware, i.e. malicious software programs that are aimed at mobile phones, and b) the difficulties associated with adapting GSM, the aging technology that most mobile devices use to communicate, to deal with the demands of modern telephony and the new threats. (We are just talking about GSM here; the more advanced 3G and LTE networks are much more able to deal with security issues.)
Mobile phones now run software which is similar to desktop PCs. They are capable of executing code and running applications. Phones can even be used as part of a botnet (this is a network of infected ‘slave’ devices used for malicious purposes).

The big problem with downloadable mobile apps

Brookson:
It is possible to write secure mobile apps and to check them for malware and similar tricks. The problem is that app stores have now become vast, each with huge numbers of apps. This makes it difficult for app stores to do more than superficial checks for security threats. Increasingly, the onus is being placed on individual app authors/developers to monitor/check the apps for risks themselves. App stores do have strategies in place to monitor for dangers and withdraw illegitimate/compromised apps, but the sheer volume of apps makes this a slow process.
At the same time, we are now seeing many variations of the same malware, such as SpyEye, a program that compromises banking authentication by text messaging. This makes it difficult to keep mobile devices secure against new threats. Even updating software on mobile devices is a laborious business, much harder than with PCs, which limits how often security updates can be made.
Wood:
The most dangerous threats posed by downloadable mobile apps are well documented in Veracode's Mobile app top 10 list.

Remotely hosted mobile applications and data:
Rico:
It is not only the mobile device that is vulnerable to attack; data is similarly threatened because the vast majority of applications are hosted externally. Most often these services require some element of authentication to the external server based on user identity. Authentication ranges greatly in the level of sophistication, from a simple user ID and password to a certificate issued by a recognized provider. But however sophisticated these techniques, there are always issues: passwords can be cracked, stolen or phished, and certificates can be manipulated if they are not handled and stored appropriately.
• For examples of issues with passwords, certificates and data hosted remotely, read: Hack attack exposes 1.3 million Sega accounts and Could DigiNotar hack lead to a cyberattack on you?

The problems with GSM:
Brookson: GSM is still the most widely used mobile phone network technology, but it was only designed to have a limited lifetime of 20 years or so. We are now way beyond that 20 years and GSM networks face security issues that were never envisioned when it was created. The GSMA and other standards groups have introduced new privacy and authentication algorithms (such as A5/3 and G Milenage) to minimize some of these risks, but these enhancements also need mobile operators to incorporate them into and support them within their networks. 3G and LTE have built on GSM and have many extra security mechanisms.

The growth of machine to machine (M2M):
Brookson: We are also seeing mobile technology being extended to automated systems – called machine to machine (M2M) – including smart metering (to save energy), eCall (to make emergency calls when you have a car accident) and transport systems. The reliability of M2M systems depends on the designers being able to make secure devices and systems, following the latest guidelines from the GSMA and others. Read this: Reverse-engineering a smart meter.

Q2. How seriously are consumers and companies taking these threats?

Consumers don’t take mobile security as seriously as PC security; only some organizations are aware of the threat:
Wood:
Consumers seem to be blissfully unaware, with an even more relaxed attitude to security than they have for their home computers.
Some companies are dealing with this issue better than others. For example, Intel have a clear published policy and good controls for managing mobile devices, whilst other firms have little or nothing to protect them.

Mobile security requires technical savvy:
Brookson:
Both the threat to devices and the threat to networks require education and the correct messages to consumers and operators alike. While many consumers read and digest information, many just ignore the threats. For example, how many people are aware of the need to PIN-protect their mobile, lock their SIM and turn off Bluetooth (especially in discoverable mode)? How many actually know how to do this for their particular mobile? Basic mobile security like this requires a level of technological know-how that most mobile users don’t possess.

Customers should be just as concerned about mobile threats as Web security:
Rico:
Consumers are very concerned with online fraud. According to a poll by ThreatMetrix and the Ponemon Institute, 85 percent of consumers are overwhelmingly dissatisfied with the level of protection online businesses are providing to stop fraudsters. While this poll was about the fixed Internet, we should assume that consumers are just as concerned about companies they deal with over the mobile Web.

Q3. What can be done about these threats?

Education is key
Brookson:
It all comes down to education. But also it is important to build devices that protect the user without them having to make informed decisions – but as we have seen with PCs this isn’t easy.
Standards bodies don’t really tackle the need for education, being much more interested in the technical aspects of security such as interfaces. Finding universal or similar ways of solving these issues has not always been possible.
A good example of the wrong message about mobile security is when the media talk about voicemail ‘hacking’. It isn’t really hacking at all, it’s just criminals guessing easy security PINs. Far too often default PINs have been left in place, really simple ones are used or people aren’t aware of the danger of criminals obtaining passwords through social engineering. For more on this read: Voicemail hacking and the 'phone hacking' scandal - how it worked, questions to be asked and improvements to be made.

Organizations need to put security policies in place before introducing smartphones and tablets into the business:
Wood:
The key is a combination of user education and for organizations to establish security policies and adopt enterprise-level management tools. Too often organizations are playing catch up with new technologies. The IT and security folks are often wrong-footed by executives and project managers encouraging smartphone and tablet use within the enterprise without any thought of the security issues. (This issue is often referred to as consumerization of IT or bring-your-own-device).

Technical solutions
Rico:
The SIMalliance believes that security based in a Secure Element (SE) can greatly contribute to the reduction of fraud. An SE is a combination of secure software and hardware that allows secure storage of certificates and the use of encryption and digital signatures. There are three main ways that an SE can be delivered: a) on the SIM card (or UICC), giving operators control of the secured services; b) via secure micro SD memory cards, which give service providers such as banks the control; or c) via a secure chip embedded in the handset, putting the OEM in control.

Q4. Is it going to get worse?

Wood:
Yes, it will get worse before it (hopefully) gets better. All organizations will have to come to terms with the consumerization of handheld devices, just as they did with the advent of the desktop PC in the 1980s. The sooner they learn from history and from companies that have implemented working strategies for smartphones, the better.
Rico:
Yes, because the usage of the mobile Internet is growing exponentially, while mobile devices are less protected than computers.
Brookson:
The evidence shows that this is an increasing trend, for example the growth of malware, and the GSM weaknesses exposed at conferences such as Black Hat.

Q5. What’s the biggest myth about mobile security?

Brookson:
That mobiles are secure even if you don’t understand what you are doing and do not protect yourself.
Wood:
People who believe: "there's nothing worth stealing on a smartphone". This overlooks emails, attachments, contacts and address books and of course the wireless and VPN configuration which permits access to the corporate network.

Q6. What resources do you recommend for research, stats, forecasts and further reading?

Brookson recommends:
• Symantec security analysis on dangers associated with mobile apps: A window into mobile device security: examining the security approaches employed in Apple’s iOS and Google’s Android.
• The GSMA’s Security Advice for Mobile Phone Users.
• Video round-up of security issues from F-Secure: covers security issues with jailbreaking iOS devices and other issues.
• AVG Technologies global Q1-2011 Security Threat Report: Android malware growing rapidly: “With smart phones becoming more like computers, the first quarter saw a notable increase in risk for smartphone users and the Android platform in particular; AVG blocked an average of 100,000 spam and phishing text messages per day.”
• F-Secure’s Essential security tips:
1. Keep your system updated
2. Install a security application on your phone
3. Watch where you click and land
4. Refrain from doing transactions on a public network
5. Install or obtain applications from trusted sources
6. Make it a habit to check each application's data access on your phone

Wood recommends:
• Booz and Co: Friendly takeover: The consumerization of corporate IT. “The efforts of corporate IT departments to maintain perimeter security by exerting tight control over their networks is ultimately doomed to failure.”
• Intel: Maintaining secure personal handheld devices in the enterprise

Rico recommends:
The growth of malware from BullGuard (below) identifies 2500 different types of mobile malware in 2011.
IBM X-Force 2011 Mid-year Trend and Risk Report: “IBM X-Force Research & Development is predicting that exploits targeting vulnerabilities that affect mobile operating systems will more than double from 2010.”

Check out this very useful infographic from BullGuard


FJORD


What to consider when designing services for the Internet of Everything


November 9th 2011

When I had the pleasure of speaking to key telecoms and technology industry figures at November's Smart Device and Mobile User Experience Summit, this is the question I attempted to address.

As always at Fjord, people come first. So when looking to provide sustainable design for a future market within the Internet of Everything, we have to look at the economic and social situation that many people in the world are facing. In the west this looks like what the LifeStyle News Network is coining 'The Just Nots': aspiring and hard-working citizens affected by increasing inflation, food prices and housing costs; just not able to create the life they thought they were going to achieve.

It's likely that we'll have to design niche services and create flexible, open source brands to meet the needs of this generation – who are digitally native and happy to hack; they transcend the demographic driven models that brands have traditionally targeted.

We believe the experience of the Internet of Everything is a liquid experience, where platforms and even interfaces begin to disappear. This is our new challenge – how can we design liquid services to address the new needs that are emerging from an age where digitally mature, connected people want more value with less money?

Daniel Harris
Service Design Lead
Fjord London
