Home Asia-Pacific I 2014 Mobility: How to survive in a hostile environment
Asia-Pacific I 2014

Mobility: How to survive in a hostile environment

by david.nunes
Charles d’AumaleIssue:Asia-Pacific I 2014
Article no.:7
Topic:Mobility: How to survive in a hostile environment
Author:Charles d’Aumale
Title:Sales & Marketing VP – Security Products
Organisation:ERCOM
PDF size:255KB

About author

Mr Charles d’Aumale has extensive experience within the telecoms industry. At ERCOM Charles is responsible for direct and indirect sales of the company’s secure communication products. He also oversees ERCOM’s product portfolio management as well as the company’s partnership relationships. Prior to ERCOM, Charles worked for Orange in the Strategy, Partnership and MVNO Division, and earlier in his career he held senior managerial roles at Bouygues Telecom, Storage Telecom and France Telecom North America.
Charles d’Aumale studied Engineering, Telecommunications and Economics at the Ecole Nationale Supérieure des Télécommunications after which he spent a year at INSEAD, one of the world’s leading and largest graduate business schools.

Article abstract

Mobility raises many new security concerns, where devices are vulnerable to getting lost or stolen. Wire-tapping is extended from just Voice to many applications, and is now practiced by many governments and public organisations. All Voice and mobile data services are at risk of attacks, just like PCs. The physical access to the device can compromise user’s local data and also enterprise network servers, if not fully encrypted. Devices can also be ‘trapped’, with keystrokes intercepted, premium-rate SMS generated or bogus emails sent to external servers, especially when users leave on the WiFi and Bluetooth ports, when not in use.

Full Article

Mobility is no more than twenty years old. When you think of it, mobile phones only started to become common in the mid-1990s. Previously, large unwired phones were available, but they were rare and very expensive. For ten years (approximately 1993-2003), mobility involved essentially voice communications and text messages. However since roughly 2003, other applications have become available, particularly data applications such as push mail, instant messaging, web browsing, chat, and video streaming.
If the first mobile phones were basic, the most recent Smartphones and tablets can be compared to modern laptops. By acquiring new capacities and features, Smartphones and tablets have become the targets for the same attacks as laptops, but also for other attacks targeting their specificities, such as voice and text messages.
Recent news from PRISM and Xkeyscore indicate that voice communications and emails are breached and infringed, that spyware components are installed on the mobile device and that government agencies have access to servers of social networks. Even though the primary target is the fight against criminals, these methods are also used to help businesses by providing commercial and technical information, or to gain political advantage. However, it’s important to notice that the gathering of business information is also performed by competitors or hackers.
It is the responsibility of the management within businesses to prevent leaks of corporate information from mobile devices.
Threats/countermeasures
Mobile devices are particularly vulnerable compared to PCs because we use them for all types of communication (voice as well as data), on the go, and they are small and easy to steal or lose. They usually communicate via wireless networks as well as the classical fixed network, so there are more ways of listening in. In order to protect these vulnerable mobiles devices, it is important to identify each threat and the associated countermeasures available.
Loss/theft of the device
Two years ago I was sitting on the train going to the airport, and opposite me a business man with his suitcase next to him was calling a colleague with the latest iPhone at his ear. The signal indicating that the doors were about to close started, and right beside me a young man leapt up, snatched the mobile out of the businessman’s hand and ran out. The door closed and the man facing me sat their dumbstruck, with no chance to run after the thief. In the US, 113 mobiles are lost or stolen every minute. In the United Kingdom, around two percent of mobile phone owners have experienced a phone theft in the previous 12 months. This is probably the most common and important threat to mobile phones.
Once lost or stolen, with no specialist skill or knowledge, the device can be potentially used to:
• Access local data (files, mails, contacts, photos),
• Use the phone features abusively,
• Access the corporate network if no additional authentication is required.
To prevent consequences of devices being lost or stolen, it is recommended to implement a strong authentication based on a secure element and to encrypt all data on the device with a high-grade encryption mechanism. This will prevent unauthorized people from being able to read the device’s data.
Physical access
If an attacker gains physical access to the device, he/she can perform the same actions as for a theft (access to local data, use of the phone feature and access to the corporate network). However, with specialist skills and knowledge, the device can also be ‘trapped’ to:
• Intercept keystrokes,
• Retrieve displayed content (screen shots for instance),
• Send premium-rate text messages,
• Send terminal data to external servers,
• Access to corporate IT servers abusively.
As this requires hacking expertise, it is less likely to happen than simply accessing the phone’s data, however for companies concerned with the integrity of their IT system, it is highly recommended to prevent this trapping of the device, by installing a trusted boot and integrity mechanisms.
External ports attacks
Like a PC, phones can be attacked through external ports such as NFC (Near Field Communication), Bluetooth or USB. It is very easy for an end-user to forget to turn the WiFi or Bluetooth off after having used it, making the phone vulnerable to attacks. Through these ports, a hacker or other skilled personnel is capable of:
• Retrieving local data,
• Accessing the device remotely,
• Trapping the device.
To prevent such attacks, it is recommended to disable unused ports, strengthen security policies on the active ports, and avoid enabling ports only for private use. This can have an impact on the end-user’s freedom to use some technologies, but is vital to preserve the phone’s integrity.
Network attacks
The effects of network attacks are similar to those on external ports of the device. However, the risk is greatly increased due to the large number of accessed sites and applications downloaded, especially when the device is also used for personal reasons. Some of these “attacks” may even be legal, if the end-user has carelessly authorized applications to access the phone’s data. As an example, many applications downloaded on the Apple Store or Play Store require access the personal calendar, contact list and other confidential information. End-users often accept these terms because they want to be able to use their favorite application, however how this data is then used by the application is not always known.
To mitigate these risks, it is recommended to:
• Prevent devices from accessing the Internet directly, for example by using a corporate proxy,
• Implement a local firewall,
• Control or prevent the installation of third-party applications.
Wire tapping
Wire-tapping is an opportunity for attackers to intercept voice calls and text messages on fixed and mobile networks. Moreover, attackers may also intercept data exchange (emails, contacts, files, etc.). Over the recent months many examples of interception by foreign governments have been leaked to the press, indicating how widespread this type of attack is, without end-users being aware of it.
The solution is a strong security via encryption, authenticity and integrity of all communications and content. The security applet and encryption keys should be stored on specific hardware such as a microSD card on the device. Moreover, the security level of each communication shall be unambiguous for the user, meaning that each call or data connection initiated should clearly indicate the status: secure or not secure.
General advice for choosing a solution to secure mobiles
In general, several recommendations make sense to regulate mobility:
1. Protection levels must be appropriate to the level of risk;
2. Risks related to mobility must not be underestimated;
3. Protection must be consistent;
4. It is essential to have full confidence in the security supplier. Never believe to be protected while doubts exist;
5. It is impossible to have a high level of confidence, without complete control;
6. Security should not be seen as a constraint by end-users. Therefore, the “usability” factor must not be overlooked in the choice of a solution.

As we have discussed above, the first basic solution is to encrypt the device to secure the data. However, many other forms of attacks exist, and for these, safeguarding the communications themselves – whether voice or data – is critical, as well as ensuring the mobile’s integrity.

Related Articles

Calling time on compliance spreadsheet overload

Better safe than sorry

The dark side of TV Everywhere: Keeping an...

Best practices for securing your online retail presence

Power struggles: Managing IT’s hidden fear

Security is only as good as the big...

Shining the light on privacy

A flashlight is most valuable at night –...

Staying ahead through embracing change

Malware figures in the world

Upcoming Events

Contact us
Copyright © Connect-World 2022. All rights reserved

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More