Military and Strategic Journal
Issued by the Directorate of Morale Guidance at the General Command of the Armed Forces
United Arab Emirates
Founded in August 1971

2018-03-22

Making Smartphones Secure, Yet Easy To Use

Consumer smartphones are notoriously open to attack from people seeking to use the data they contain to gain access to the owner’s bank details, passwords and other personal information. Other types of attack target software vulnerabilities in the browser, email, or operating system.  Because of these risks, using a smartphone is problematic for professional organizations that require mission critical communications. Guarding against these risks is largely a trade-off between high security and ease of use.  It’s essential to know the risks and to employ a professional, hybrid smartphone that can take advantage of the high security features and protocols found in the TETRA standard. 
 
Smartphone Threats
Everyday consumer smartphones are open to various types of attack. Known weaknesses in applications, messaging, or USB/Wi-Fi/Bluetooth connectivity can all provide a way in for attackers. According to research by the University of Cambridge, 90 per cent of Android devices are exposed to at least one of the many known critical vulnerabilities. Attacks are annoying for the private smartphone user, but for a security professional, compromised data may have a much more serious outcome, including loss of life. 
 
Device Security  
Whereas regular smartphones are open and do not provide enough control over risks, military communication devices employ several methods to control them. They are not open and can therefore achieve optimal security for mission-critical users. 
 
This article presents the threats and risks in five sections: 
Device threats and risks
In this context, device means the hardware of the device as well as its basic use. The key questions about device risks include: Who can use the device? Can an unauthorized person use it? Can it be hacked physically? Can it be cloned? 
Passwords and screen locking can eliminate casual threats, but as mobile devices are small and lightweight, they can easily be lost or stolen, presenting an opportunity for a person with malicious intent. 
 
Even the cleverest intrusion-detection system and best anti-virus software are useless against a malicious person with physical access. An experienced attacker could work around a password or a locking mechanism, and getting to encrypted data is only a little more challenging. 
The device will contain a variety of valuable data. There will be corporate data and professional contacts, but the device may also contain passwords which in turn could grant access to corporate services such as email and virtual private networks (VPNs). 
 
Traditional access control with passwords and idle-time screen locking is a must to protect the device from unauthorized use. 
In addition, professional organizations need a plan to deal with lost or stolen devices. For example, the organization should be able to track a lost device and disable it remotely to prevent unauthorized access. 
 
A proper hybrid (dual-mode) device must have TETRA security built in. For example, the TETRA stack for the TETRA radio, the security keys for air interface encryption and end-to-end encryption, and the configuration functions must all be located in a secure hardware module. The TETRA data must reside within that module as much as possible. 
 
Data threats and risks
Organizations will always need to deal with lost or stolen devices but data loss is preventable. One essential is an Enterprise Mobile Management (EMM) solution that allows corporate data and apps to be wiped from stolen or misplaced devices remotely. The ability to track a lost device remotely and deny access to unauthorized users is also critical to ensure data never falls into the wrong hands, even if the device itself does. 
 
An EMM is vital as a stolen or lost device cannot be wiped clean of data using the built-in factory reset or by re-flashing the operating system. Forensic data retrieval software - available to the general public - allows data to be recovered from phones and other mobile devices even after it has been deleted manually or undergone a reset. 
Phishing scams can also target mobile devices, much as they do computers. Phishing scams involve using texts, emails and social media to trick users into providing sensitive data such as account information and passwords. 
 
Data storage needs to be encrypted and standard Android phones have some level of data encryption. 
The Android operating system allows apps to store secrets in ciphertext on disk, but standard apps don’t always take advantage of these features. For example, data encrypted on the mobile device may be stored in plain text if it is synced to a PC. 
 
Applications threats and risks
Cybercriminals have increasingly targeted Android-based and other mobile devices with new threats. The most numerous and serious of these are related to applications, the software brought into the device. 
 
Although mobile devices have many inherent security features, such as sandboxing, some types of attack can bypass these features. 
Mobile ads are increasingly being used as part of many attacks, a concept known as “malvertising.” Adware that automatically creates advertisements in order to generate a revenue stream for its creator can also be used to collect information without the user’s consent and redirect search requests to advertising sites.
 
Trojans designed to steal data can operate over either the mobile phone network or any connected Wi-Fi network. They are often sent via SMS (text message) - once the user clicks on a link in the message, the Trojan is delivered by way of an application, where it is then free to spread to other devices. When these applications transmit their information over mobile phone networks, they can be difficult to overcome in a corporate environment. 
 
Regular smartphone users may not have security software set up against trojans, spyware, or spam. 
Out-of-date operating systems are a risk because they can miss vital security patches. A malicious app or an attacker could carry out a number of damaging actions, including stealing login credentials, reading and sending emails and SMS messages, uploading user information, and reading and sending GPS information. 
 
The official Google marketplace allows remote installation of applications to a phone. It prompts the phone to accept the installation, making it impossible to remotely install and run an auto-erase or find-me type application. 
 
The application marketplace has limited, if any, security features implemented. Instead, Google chose to allow nearly any application presented to the market to be published for user consumption. 
 
Infrastructure threats and risks
The infrastructure that supports a mobile device has a major effect on the vulnerabilities it has and the threats it faces. Factors include the type of network it uses, such as VPNs, and features such as network protection, anomaly detection and hardened systems.
 
Attacks targeted at the device itself are similar to PC attacks. Browser-based attacks, buffer overflow exploitations and other attacks are all possible. SMS and MMS offered on mobile devices afford additional avenues to hackers. Device attacks are typically designed to either gain control of the device and access data, or to attempt a distributed denial of service (DDoS). 
 
Wi-Fi-enabled smartphones are susceptible to the same attacks that affect other Wi-Fi-capable devices. The technology to hack into wireless networks is readily available, with much of it accessible online, making Wi-Fi hacking and man-in-the-middle (MITM) attacks easy to perform. Cellular data transmission can also be intercepted and decrypted. Hackers can exploit weaknesses in these Wi-Fi and cellular data protocols to eavesdrop on data transmission, or to hijack user sessions for online services, including web-based email. 
For companies with workers who use free Wi-Fi hot spot services, the stakes are high. While losing a personal social networking login may be inconvenient, people logging on to enterprise systems may be giving hackers access to an entire corporate database. 
 
Web-based threats are always present for smartphone and mobile devices because they are constantly connected to the Internet. Major threats to mobile devices include browser exploits that take advantage of possible vulnerabilities in a mobile device. Users that unwittingly visit harmful websites run the risk of infecting their devices with malware and other web threats from these sites. 
 
Another factor is that wireless transmissions aren’t always encrypted, or devices may be allowed to connect to unsecured Wi-Fi networks. Not limiting internet connections is another risk factor. 
 
In the case of infrastructure, it is essential to install a firewall to limit the risks faced by devices connected to it. The recommended network architecture is shown in the figure below. 
Enforcing OS updates is one of the easiest and most cost-effective ways to prevent attacks from exploiting holes in operating systems. Security patches address vulnerabilities and, as a result, enforcing updated OSs provides one of the best protections against mobile threats. For limited effort and expense, patching offers a tremendous security advantage. 
 
User organizations should carry out the following specific actions: 
• Web browser: All Web content must go through a web filtering proxy in the organization’s network 
• Email: Have a content filter/parser in the network. 
• Antivirus: Deploy an antivirus solution on mobile devices 
• VPN: Set up a VPN tunnel between mobile devices and the organization’s network.
 
Threats and risks related to people
Besides technology, people can also be a source of threats. These threats need to be mitigated by employing techniques such as identity governance, the management of user privileges and accurate tracking of entitlements. 
 
Mobile devices can also facilitate threats from employees and other insiders. Malicious insiders can use a smartphone to misuse or misappropriate data by downloading large amounts of corporate information to the device’s secure digital (SD) flash memory card, or by using the device to transmit data via email services to external accounts, circumventing even robust monitoring technologies such as data loss prevention (DLP). 
 
Many mobile security threats originate with social engineering and techniques designed to trick users into installing malicious configurations, software, or both. These threats often originate in unauthorized sources such as websites or third-party app stores. 
 
Downloading applications can also lead to unintentional threats. Most people download applications from app stores and use mobile applications that can access enterprise assets without any idea of who developed the application, how good it is, or whether there is a route from the application into the corporate network. The misuse of personal cloud services through mobile applications is another issue - when used to convey enterprise data, these applications can lead to data leaks that the organization can be entirely unaware of. 
Mobile security threats will continue to advance as corporate data is accessed by a seemingly endless pool of devices and hackers try to cash in. Making sure users fully understand the implications of faulty mobile security practices and getting them to adhere to best practices can be difficult. Many device users remain unaware of threats, and the devices themselves tend to lack basic tools readily available for other platforms, such as anti-virus, anti-spam and endpoint firewalls. 
 
Policies – a safeguard 
Establishing a clear security policy is essential, as is ensuring that everyone complies with it. Training needs to be in place so that people are aware of the threats and know how to use their phone in a manner that guards against them. 
Organizations need to ensure they have a methodology in place to ensure non-compliant devices are brought back into line or otherwise prevented from accessing resources altogether. Since devices with out-of-date policies don’t conform to the current configuration standard, IT should be used to tell users how they can quickly update or refresh outdated policies and configurations.
 
With the right EMM solution, IT can prevent compromised or noncompliant devices from accessing corporate resources until the issue is resolved. Preventing a device becoming compromised is critical to keeping enterprise data secure, as rooted or jailbroken devices are highly vulnerable to attacks. To safeguard hybrid devices, user organizations must adopt an EMM system and train their users to protect against cyber-security threats. 
 
One of the major ways to control risky user behaviour is to prevent unauthorized configuration and app modifications. Organizations should control sideloaded configurations and apps by disabling “Allow Untrusted Sources” as well as monitoring app permissions. However, the latest research shows that while most organizations create policies, nearly half of companies surveyed did not take an action such as blocking network access. This may be because in many low-risk scenarios the action is to alert the employee or IT administrator to request manual remediation. Yet manual remediation is not immediate, nor does it require the employee to take corrective action. We therefore recommend automated policy enforcement. 
Organizations will need to consistently update policies to protect against future mobile attacks.
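
One way to automate the enforcement recommended above, as an added example that is not from the article or from any EMM product. The posture fields, the 90-day patch threshold and the app allowlist are assumptions, and the sample fleet is constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed policy values for illustration; the article does not specify any.
MAX_PATCH_AGE_DAYS = 90
RISKY_PERMISSIONS = {"READ_SMS", "SEND_SMS", "ACCESS_FINE_LOCATION"}
APPROVED_APPS = {"com.example.mail", "com.example.vpn"}  # constructed allowlist

@dataclass
class DevicePosture:
    device_id: str
    security_patch: date       # OS security patch level reported by the device
    rooted: bool               # rooted or jailbroken
    untrusted_sources: bool    # "Allow Untrusted Sources" is enabled
    apps: dict = field(default_factory=dict)  # package -> granted permissions

def evaluate(posture, today):
    """Return (action, findings); action is 'allow' or 'block'."""
    findings = []
    if posture.rooted:
        findings.append("device is rooted or jailbroken")
    if posture.untrusted_sources:
        findings.append("Allow Untrusted Sources is enabled")
    age = (today - posture.security_patch).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patch is {age} days old")
    for pkg, perms in sorted(posture.apps.items()):
        risky = sorted(set(perms) & RISKY_PERMISSIONS)
        if pkg not in APPROVED_APPS and risky:
            findings.append(f"unapproved app {pkg} holds {', '.join(risky)}")
    # Any finding blocks access at once; no manual remediation step is awaited.
    return ("block" if findings else "allow"), findings

def enforce(fleet, today):
    """Map each device id to the action the gateway should apply."""
    return {p.device_id: evaluate(p, today)[0] for p in fleet}

# Constructed sample fleet, not real device data.
SAMPLE_FLEET = [
    DevicePosture("dev-001", date(2018, 2, 1), False, False,
                  {"com.example.mail": {"READ_SMS"}}),
    DevicePosture("dev-002", date(2017, 6, 1), False, True,
                  {"com.example.flashlight": {"READ_SMS", "ACCESS_FINE_LOCATION"}}),
]

if __name__ == "__main__":
    for device, action in enforce(SAMPLE_FLEET, date(2018, 3, 22)).items():
        print(device, action)
```

A blocked device stays blocked until a later posture report produces no findings, which matches the article's point that access is withheld until the issue is resolved.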
 
Why is Tactilon Dabat secure?
During the recently concluded ISNR exhibition in Abu Dhabi, Selim Bouri, Vice President and Head of Region, Middle East, North Africa & Asia Pacific for Secure Land Communications at Airbus, discussed the secured evolution of existing hybrid and last generation networks. He also discussed Tactilon Dabat, the world’s first smartphone and full TETRA radio in one device, and its importance across mission critical networks, and the significant role it plays across day-to-day activities of mission critical operations. 
Tactilon Dabat from Airbus is a secure hybrid smart device. As such, it follows the recommendations of governmental security bodies such as the UK’s National Cyber Security Center (NCSC) and France’s National Cybersecurity Agency (ANSSI). 
It aims to achieve a security level of RESTREINT UE/EU RESTRICTED, ST IV (to be certified). This level of security was achieved by an analysis of the new threat landscape and adopting a design that would mitigate or reduce those risks. 
Its protected assets include TETRA communication, 3GPP communication, user location, user data, control of device and encryption keys (TETRA, 3GPP, VPN, WiFi). The software in the device can also be upgraded to meet future threats. 
Tactilon Dabat has safeguards against the five types of threats and risks presented in this article. Protection for the device itself includes whitelisting of USB device classes and of accessories that can be connected to the device. In terms of data threats, safeguards include removal of unnecessary services and packages, the scrambling of PMR related code and storing PMR data inside the TETRA module. 
Applications are a major source of threats. Tactilon Dabat overcomes the weakness of standard Android smartphones, which do not allow Google applications to be removed, while also allowing the remote installation and removal of applications. Tactilon Dabat ensures that the configuration of the device remains under the organization’s control. 
It also ensures compatibility with third-party applications even without Google Mobile Services. Tactilon Dabat is a professional mobile device, not meant for private use. 
 
Credit Text/Photo: www.securelandcommunications.com,www.airbus.com,www.army.mil
 
