Share

Related Links

  • Sophos
  • Reed Exhibitions Ltd is not responsible for the content of external websites.

Top 5 Stories

Feature

Comment: Mobile Device Security – What’s Coming Next?

07 November 2012
James Lyne, Sophos

James Lyne from Sophos believes that the mobile device revolution is quite possibly the most significant change in computing since the shift from the mainframe more than 20 years ago

These handheld devices feature ubiquitous connectivity, constant access to the biggest repository of mankind’s knowledge, and more computing power than the NASA control room for the first moon landing.

Too many people assume that mobile devices are secure because they’ve never experienced malware on them before. The reality is that, until recently, there was little data on them that was worth stealing.

Nevertheless, now that they do contain valuable information – from email addresses and passwords to bank account logins – cybercriminals will be paying closer attention. And just because mobile threats may not look like they do on the traditional PC, this doesn’t mean there are no security issues.

New Technology, New Threats

Mobiles will experience all the malware that PCs have before them, including viruses, phishing, worms and more. How these threats attack them will be different, however, as the vehicle will vary between the device, the operating system (OS), and the application. For example, attacks against the closed Apple iOS model are going to be significantly different to those affecting Google’s Android, which liberally allows applications to be published (including nasty applications).

In addition, new devices and new functionalities will breed fresh opportunities for cybercriminals; features such as augmented reality, facial recognition and integrated social media all add new dimensions that could be targeted. Augmented reality, for example, can connect location information with a user’s social media ‘friends’, enabling them to identify digital contacts nearby. This infringes privacy and potentially hands out more information than we would usually share with our digital contacts.

NFC (near-field communication) technology is another innovation that introduces new challenges for security. Primarily, the discussion over NFC has focused on its use with mobile payments, and therefore instantly means that mobile devices are likely to become much more of a target to steal money. In addition, other information associated with NFC – such as personal data, preferences or habits – may also be valuable to a cybercriminal, and be targeted as a result.

Long-term Evolution

Mobile networks are currently undergoing significant upgrades, enabling faster and more reliable connectivity. Although delivering better usability for customers, this ubiquitous connectivity can make mobile devices a more attractive target for both networks and command-and-control, because the network is strong enough to support an effective attack.

It’s not all doom and gloom. Some new technology will, of course, enhance security. Modern mobile platforms tend to include capabilities such as sandboxing technology, which can isolate applications to prevent compromised ones from accessing all of the device’s data. Access control and permission systems have also undergone drastic reform from the conventional OS; rather than being based on access to arbitrary items like registry keys, they instead focus on more human access permissions, such as whether an application needs to access location data or SMS messages, making it easier to understand for consumers.

Mobile device architectures are also becoming more tailored to modern working practices – BlackBerry, for example, has introduced a feature that provides two isolated working environments on the same device, allowing a separation between work and personal. This provides the benefits of a trustworthy and secure business environment, alongside the flexibility to play games and manage a personal life. These features are not yet widespread and the robustness of the security is unproven, but they do show a positive direction that could better secure the modern remote user in a way that works for both the business and the employee. It will be interesting to see if other vendors follow suit.

These capabilities show great promise for producing a more secure mobile environment. That said, they are as-yet far from perfect, and many of these controls do not come with smart, secure defaults. Instead they rely on the user to edit the permissions of an application, a process that requires some knowledge and expertise. Education and awareness is therefore vital to ensure users know what options they have, and how best to secure a mobile device.

IPv6 will also stamp a mark on the mobile security industry, especially because mobile device and telecoms providers are major proponents of IPv6, the next generation of protocols that will drive the internet. IPv6 will provide enhanced performance features, but it also has new functionality designed specifically for mobile and security. For example, IPSec – the industry standard for secure VPN connections – was incorporated into IPv6 and back ported to IPv4. Some of the changes enhance security, but others could leave a backdoor into your environment if not configured and managed correctly.

Protecting Yourself, and Your Business

Priority one is to get the basics under control. Despite all the hype, most mobile security breaches occur due to basic failures, such as poor passwords, lack of encryption, poor patching or social engineering. Mobile device management solutions can help ensure these capabilities are enabled.

Some will be provided by the device in hardware, such as full volume encryption; others by the OS, for example, sandboxing. These will be managed and reported on by security vendors. Software security solutions, including mobile device management (MDM) and anti-malware capabilities, will be increasingly required, although their implementation will vary from their PC counterparts and differ from platform to platform.

Data loss prevention (DLP) strategies must also be implemented specifically to mobile and, as data flows between different devices, continuous encryption to protect data wherever it resides will be powerful. Ultimately, the protection stack for mobile will expand over time, much as with the PC. It won’t be the same at first, but will need to remain as progressively capable.

Essentially, the more data we make available on our mobiles, the more incentive we provide cybercriminals with to weave creative attacks that compromise our personal lives, businesses and finances. Equally, the more applications and new capabilities we use, the more we increase the surface attack area to be exploited.

Privacy is also at risk, and as mobiles become the combination of a passport, personal record store and social life, we can expect to come under greater surveillance.

Technology is constantly changing as are the threats. A six-month strategy is therefore far more effective than the conventional three- to five-year plan many IT teams use.


James Lyne, director of technology strategy, is focused on the five-year technology strategy at Sophos in the Office of the CTO. Working with key business and technology trends and combining a detailed knowledge of threats, Lyne extrapolates from the modern world of threat protection to explore future security and technology requirements. Aside from technology strategy, he frequently engages with customers and industry forums to evangelize the security problem domains.

This article is featured in:
Application Security  •  Biometrics  •  Cloud Computing  •  Data Loss  •  Encryption  •  Identity and Access Management  •  Industry News  •  Internet and Network Security  •  Malware and Hardware Security  •  Security Training and Education  •  Wireless and Mobile Security

 

Comments

tomwood says:

13 November 2012
In my opinion Augmented Reality per se does not pose a security risk – AR is simply a display method, overlaying digital content on real world content that the mobile device recognises, typically using visual but also audio, location and positional recognition. There is significant potential for AR to enhance device security – requiring users to be in the right place, at the right time (and even looking at the right thing) before accessing protected systems or content.

James raises a valid point with respect to social networks and particularly the location aware apps that many of us now use daily on our mobile devices. Travellers used to remove home addresses from luggage until return trips for fear of burglary whilst away from the home – we are now in a time where our devices are broadcasting a continual stream of location information which, if intercepted could pose significant security risks. Much of this information is now made public on social networks such as twitter who record location information of the sender. Think twice about whether you locked the windows back home before you publish that next location-aware tweet!

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×