#MWC15: Interview with Andy Davis, NCC Group Research Director


Exhibiting at Mobile World Congress, NCC Group research director Andy Davis tells me, is a bit like “being a needle in a haystack.” But there are a few things that can make you stand out. Having a drone on stand is one – despite the declaration by MWC’s organizers that this year’s event is a no-fly zone. But are drones just crowd pleasing gimmicks, or is there a message in here somewhere?

“Drones are useful in the security world,” Davis explains. “We have used them before for doing wireless testing looking for rogue wireless access points. The alternative is walking around with a laptop, but there are some places where it’s really useful to be able to fly a drone around.”

At MWC, the global information assurance firm is using this to demonstrate some of the aspects of smartphones and wireless technology that not everyone may be aware of.

“Everyone’s smartphone remembers all the wireless networks that it has connected to in the past. Your phone is always polling, asking of networks, ‘Are you there?’ We’ve got a Raspberry Pi attached to the drone that’s scanning all these probe requests and displaying them on a screen so people can see that their phones are broadcasting this information, because a lot of people don’t realize.”
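The frames the Raspberry Pi on the drone is listening for are 802.11 probe requests, and the information they carry is small and easy to see. The parser below is an added example written for this article, not NCC Group’s code: it extracts the transmitter address and the SSID element from a raw management frame, treats a zero-length (wildcard) SSID as “no network named”, and flags a locally administered source address, since current phones randomize their MAC address for probes and mostly send wildcard probes, which is exactly the mitigation for what the demo shows. The sample frames are constructed in `build_probe_request`, not captured.

```python
from dataclasses import dataclass
from typing import Optional

IE_SSID = 0  # 802.11 information element ID for the SSID


@dataclass
class ProbeRequest:
    source_mac: str
    ssid: Optional[str]    # None for a wildcard (zero-length SSID) probe
    randomized_mac: bool   # locally administered bit set: OS-randomized address


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Return the probe-request content of a raw 802.11 frame, or None if it is not a probe request."""
    if len(frame) < 24:            # management header is 24 bytes
        return None
    fc0 = frame[0]
    frame_type, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if (frame_type, subtype) != (0, 4):   # type 0 = management, subtype 4 = probe request
        return None
    sa = frame[10:16]              # Address 2 = transmitter, i.e. the phone
    source_mac = ":".join(f"{b:02x}" for b in sa)
    randomized = bool(sa[0] & 0x02) and not (sa[0] & 0x01)
    ssid: Optional[str] = None
    body, pos = frame[24:], 0
    while pos + 2 <= len(body):    # walk the tagged parameters: ID, length, value
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                  # truncated element: stop rather than misparse
        if eid == IE_SSID and length > 0:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    return ProbeRequest(source_mac, ssid, randomized)


def build_probe_request(sa: bytes, ssid: str) -> bytes:
    """Constructed sample frame (not a capture): broadcast probe request with one SSID element."""
    header = bytes([0x40, 0x00]) + b"\x00\x00" + b"\xff" * 6 + sa + b"\xff" * 6 + b"\x00\x00"
    body = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported-rates element, as real frames carry
    return header + body


if __name__ == "__main__":
    # Older behaviour: a directed probe naming a remembered network.
    # Current behaviour: a wildcard probe sent from a randomized (locally administered) address.
    for frame in (build_probe_request(bytes.fromhex("001a2b3c4d5e"), "CorpWiFi"),
                  build_probe_request(bytes.fromhex("da1a2b3c4d5e"), "")):
        print(parse_probe_request(frame))
```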

That’s all well and good, but what are the real implications of this? Davis explains that, as well as the risk that spoof networks could be set up to trick devices into connecting, the privacy angle should not be underestimated.

If your device is relaying information about the name of the corporate network and home networks you connect to daily, that information could reveal some important things: the name of the company you work for, and even where you live, if your home network’s name has a street or house number in it.

The Convenience Factor

“When people set up wireless connections within, for example, Windows, you’ve got the tickbox to reconnect automatically. For convenience, a lot of people tick. They don’t realize that the only check that the OS is doing is that the name is the same.”

This is a matter of convenience versus a security-first approach – but Davis does not want to imply that these two things must, by necessity, stand in conflict.

“It’s all about ensuring that when devices are configured, they’re configured securely by default, and also getting the balance right between usability and security. Sometimes, if you took security to the nth degree, a device would be useless. It would actually have a negative effect, because people would think, ‘well I’m not really interested in this security lark.’”

At an event where mobile vendors are unveiling a host of solutions and partnerships that seek to offer secure enterprise mobility, this is clearly a key debate. Davis believes the mobile industry is moving in the right direction with the rollout of separation technologies.


“Major manufacturers are moving to a more secure state and listening to customers at the same time. Concepts have been designed with security in mind to provide solutions with a compartmentalized approach. It’s not a panacea and there are still restrictions - for example if you take a photo and want to attach that to a corporate email - but it’s significantly better than it used to be.”

NCC is currently conducting research into wearables and the IoT – two hot topics at MWC this year. I ask Davis if all the good enterprise security work done by mobile manufacturers will be undone when wearables and IoT devices come flooding into the workplace.

“There are a lot of people entering the IoT market, which is incredibly fast-paced, without necessarily having the knowledge of how to secure these devices by default. Essentially you’re connecting some kind of device to the internet that could potentially be abused by an attacker and depending on what that device is doing and what environment it’s in, that could be quite malicious.”

It’s difficult to enter into a discussion on the security of the internet of things without talking about some sort of doomsday scenario where a smart kettle brings down an entire corporate empire. I suggest that this tendency to focus on the overtly negative aspects of new technologies may suggest a more deeply pessimistic outlook within the security industry. But Davis says that such imaginings have an entirely pragmatic purpose.

“Even if these scenarios aren’t likely to be widespread, people need to know that they’re possible so that they can engineer the solutions to the next generation of kit before it becomes wireless.”

As a keen cyclist, Davis is interested in one facet of smart technology that addresses this issue – wireless groupsets on bikes. “It’s better to know now that someone could tamper with it remotely than for it to happen during a climb in the Tour de France when someone’s chain comes off!”

Risks to the Well-Connected Business

Wireless bicycles might seem an almost absurd concept – but clearly within that industry there is a hunger to experiment with the possibility. But just as cycling teams may wish to exercise caution with regards to what technology they implement, enterprises too, Davis argues, should not rush headlong into IoT for its own sake.

“Wireless kettles may look cool in a trendy office, but do you need one? It’s important to think sensibly when you purchase these things – am I increasing the attack surface of my organization? What is the actual benefit?”

But the task of making these decisions becomes difficult when technology with a valid business purpose presents a risk.

“Take smart TVs that you see in boardrooms – do you connect your smart TV to the network so you can do updates to the software? When you plug your laptop into one of these smart TVs to do a presentation, how much trust do you put in it? When you plug in an HDMI cable there’s a lot of data communication that goes on.”

Connecting to an infected smart device could obviously threaten your laptop. But there’s another threat vector to consider: “Some elements of the HDMI protocol will allow network connectivity from your laptop via the HDMI cable to whatever network the TV is connected to. You might inadvertently be plugging your laptop into their network just by plugging in the HDMI cable.”

Is this a doomsday scenario? Hardly. It’s simply another reminder of the business risks inherent in deploying smart technology ahead of the curve.
