Smartphone Security
Written by Patrick Chisholm and Chris Hannas
MIT 2010 Volume: 14 Issue: 4 (May)
WITH ALL THE ADDED CAPABILITIES OF SMARTPHONES COMES A BURGEONING SECURITY THREAT.
The proliferation of smartphones within the military, government and civilian work forces has transformed how work gets done by enabling access to a plethora of data on a single mobile device. But with that convenience has come a security threat that is not well understood by most users, leaving their data and networks vulnerable to exploitation.
Security threats or not, there’s no denying that smartphones have become integral to how the general work force operates in the digital age. The devices give workers the ability to be more efficient without being tethered to a computer in an office.
With all the added capabilities of smartphones comes a burgeoning security threat that experts say rivals that seen with earlier versions of Windows computers.
“In general, a moderate smartphone today is running an operating system that is roughly on par with Windows 95,” said Benjamin Jun, vice president of technology at Cryptography Research. “It has memory protection mechanisms that are roughly at the same level of Windows 95 and runs a comparable software stack. The challenge is that we’re dealing in a world with threats that are a little more advanced than that.”
Advances in computer operating systems since Windows 95 have not only made conventional computer software harder to infiltrate, but have also accompanied a rise in vigilance on the part of users to help protect their systems. Computer users are more likely to be suspicious and have their systems defaulted to not trust new applications, compared with smartphone users.
“We go to all the hacker conferences and monitor the literature very carefully, and there’s no question that every hacker on the planet right now has his or her sights set on mobile infrastructure, mobile devices, mobility services,” said Ed Amoroso, chief security officer for AT&T. “There’s no question all the attention has shifted.”
Until recently, one benefit of the nascent state of smartphone operating systems was that their inability to multitask applications helped keep malware from running undetected.
“Now as we go to operating systems that allow, for example, multitasking, we have to be ever more vigilant to ensure that malware doesn’t get implanted on the device,” remarked Amoroso.
As smartphone operating systems continue to evolve, users’ attitudes are not as dogged when it comes to protecting their handheld data as they are with conventional computers. A 2009 Trend Micro survey showed that nearly a third of smartphone users said they felt less at risk of acquiring a virus or malware on their phone versus their computer. Nearly half of the more than 1,000 people surveyed also said they have already been the victim of a smartphone malware attack.
VARIED THREATS
The threats come in a number of forms, from viruses and phishing scams that target e-mail to trojans and other malware that can be embedded in downloaded applications.
“As device operating systems become more powerful and more feature rich, the good news is that allows more attractive applications to be written,” said Amoroso. “It makes it easier for developers to do the kinds of things that we all want our devices to do. The obligation for the computer security engineer, though, is to recognize that exploitable codes—malware—also potentially would try to take advantage of these more powerful services. So we have to be that much more vigilant.”
There’s also the threat of intercepted voice and data. A few hundred dollars is all it takes to acquire the equipment necessary to passively extract keys used within certain cell phones. Jun said his company, Cryptography Research, has been fighting the threat of “information leakage” for a decade and licenses technology to address a vulnerability known as Differential Power Analysis (DPA). DPA rests on the observation that the amount of power a device uses while it is operating is tightly correlated to what the device is doing.
“If you monitor a phone while someone is using it, and they’re not doing anything special—maybe they’re simply making a phone call or accessing their private data—the phone will begin the process of doing various encryption operations,” said Jun. “And by simply measuring the device’s power consumption, DPA can extract the secret keys that are used in those encryption operations.”
Once one knows the encryption keys, Jun added, it is possible to access the data without ever having to touch the phone itself.
A threat that is particularly relevant to the military is the exposure of the location of soldiers using the handsets.
“These devices regularly tell the mother ship where they’re located and a couple of other pieces of information about the phone itself,” said Jun. “This is very useful because in a commercial phone network, you have to know where to route messages. In a more sensitive deployment, even when encrypted communications are used, conventional smartphones send pings of where they are located and what cell they are closest to. That may not be so good in an active deployment situation.”
Of course, the most basic threat to smartphone security is losing the device itself. With the device in-hand, it is simple to access contact lists, call logs and any information stored on the phone’s internal memory.
DATA SECURITY
Short of handcuffing the phone to your wrist, there are steps to protecting smartphone data in case it is lost.
The first is a simple step available in nearly all phones—enabling a password to access the device. This layer of security provides a roadblock to anyone finding the phone, helping to stop not only serious hackers but also more innocent phone finders who may curiously peek at your data. It is another example of a method that is standard in computer security that has not been as widely adopted by smartphone users.
The second layer involves disabling the device itself, rendering it impossible for anyone to access the data. If the phone is lost or stolen, a set of instructions can be sent remotely to destroy the data or render the phone inoperable.
While educating users and making them more aware of the threats is an important step in securing the devices, encryption technology also plays a big role in smartphone security.
A5/1 is the dominant GSM standard for handset encryption, now enhanced by A5/3. For federal government and military, the standard is the sensitive but unclassified Federal Information Processing Standard (FIPS) 140-2.
“The good news is that a lot of product vendors are already incorporating FIPS 140-2 into their handheld devices,” said Stacey Black, vice president of strategic products at AT&T Mobility. “BlackBerry, for example, has FIPS 140-2 encryption built into the core application, so you can take a BlackBerry and be able to send e-mail encrypted without having to be worried about violating your federal encryption standards.”
The Department of Defense and certain civilian agencies protect their classified smartphone communications with an even higher standard.
“The classified encryption is what is called Type 1 encryption,” explained Black. “Those are actually device-specific or devices specifically made for Type 1 encryption, and these are made by General Dynamics and L-3 Communications.”
The latest phones are part of a special class called Secure Mobile Environment for Portable Electronic Devices (SME PED). Distributed largely to senior officials, they allow not only secure calls, but also access to NIPRNet and SIPRNet systems.
ENCRYPTED ENVIRONMENTS
Research has indicated somewhere between 50 percent and 75 percent of mobile calls deal with sensitive or confidential information, according to Pat Burke, senior vice president of offerings and products at SRA International.
To combat the prevalence of exposed confidential information, SRA recently released technology that enhances encryption on BlackBerry smartphones. The solution, called One Vault Voice, allows users to make calls at the controlled unclassified FIPS 140-2 Level 1 security tier, using Advanced Encryption Standard (AES) 256 encryption. AES 256 is orders of magnitude more secure than AES 128.
One Vault Voice uses a microSD cryptocard and a piece of software to authenticate the identity of every handset involved in a call. Once the call is established, the system maintains a secure, encrypted environment.
Mark Muller, director for the offerings and products division at SRA, described the system: “Essentially, the chip goes into the phone; it logs into the relay server through a username password setup; it sends a session key to the second phone and notifies it to call in; it logs in to make an established connection; and then there’s an authentication process that occurs with the chips based on the identification of the person calling in to be validated.”
Because One Vault Voice has a hardware component and is not solely software-based, Muller explained, it does not need to be on at all times when not in use. That difference saves battery power and doesn’t degrade battery life during normal use.
Secure military phones can be up to one-and-a-half times larger than a BlackBerry and more cumbersome to use, Burke contended. Often these specialized phones require isolated, specialized networks and can never be turned off, which causes the batteries to run down quickly.
“When the chips are installed on a BlackBerry with One Vault Voice, the system is indistinguishable from a normal BlackBerry, answering the customer’s need for simplicity and convenience,” he added.
In order for the secure call to be placed, both phones must be equipped with the card. The phone can still make regular calls to those without the card, but those communications are not encrypted to the same level. It also features a remote-kill function, and the card self-disables if it is tampered with.
Muller said the company plans to continue evolving the technology in order to make it compliant with the higher level security standards. The FIPS 140-2 Level 2 certification requires a device to have tamper-evident coatings or seals, and the ability to authenticate the authorization of an operator to perform a specific set of services.
The SRA encryption system utilizes the phone’s data stream to make calls, a practice other security companies use as well.
A Germany-based company called SecurStar, meanwhile, has released an encryption application known as PhoneCrypt that operates on the data channel. PhoneCrypt provides end-to-end privacy and ensures confidentiality by creating a voice VPN over a network carrier’s data channel. The application uses standards-based encryption such as RSA (4096 bit) and 256-bit AES. SecurStar’s CEO, Wilfried Hafner, explained that PhoneCrypt re-authenticates the session key every four seconds, preventing eavesdropping and man-in-the-middle attacks.
“If the session key was compromised, the voice stream is still encrypted using AES, so an attacker would still have to break that cipher, and if the attacker was successful in cracking AES, four seconds of conversation would theoretically be exposed before the connection was dropped,” said Hafner.
PhoneCrypt has platform support for mobile phones that include Windows Mobile, Symbian, Apple’s iPhone and BlackBerry. “Our approach is to help provide comprehensive DLP [data loss prevention] solutions with our DriveCrypt product line, and PhoneCrypt on the voice side,” said Hafner. “We see the smartphone as a computer, with all the security vulnerabilities of a conventional computer.”
Earlier this year, an anonymous blogger claimed to intercept calls made by 12 phones that were using different commercial voice encryption products. The blogger said PhoneCrypt was one of only three products to successfully block his attacks, which utilized a wiretapping Trojan. SecurStar publicized the results, saying their product uses a filter that shuts down a call if it detects any application trying to access a resource on the phone.
Hafner said the blogger “went for the weakest link; he did not attempt to crack the encryption itself, but used simple wiretapping techniques.”
PROTECT YOURSELF
One aspect of the current smartphone market working in users’ favor from a security standpoint is the diversity of operating systems. With systems made by Research In Motion and Apple as well as the open-source Android and Symbian software environments, no one company dominates the market like Microsoft has with Windows for computers.
“In mobility, you don’t have that same level of a preponderance of any one vendor,” said Amoroso. “There are so many different components, that diversity does help from a security perspective. Now, who knows what’s going to happen moving forward?”
Hackers wanting to target the largest number of computers know they can write code aimed at Windows and affect a lot of machines. With the smartphone diversity, it is harder to try to get code onto a wide array of devices.
Nevertheless, multitudes of security threats remain. While developers are actively working to allay the problem, there is no better security protection than smart steps taken by the end-user.
Using encryption technology, enabling a remote-kill feature and setting a phone password are musts. And as with conventional computers, users should not click links in text messages from people they don’t trust, and should not open suspicious e-mails. They also need to be mindful of which sites they visit while browsing the Web, and only install applications from trusted sources.
Users should also back up their data, and turn off WiFi and Bluetooth connections when they are not needed. If feasible, it is best not to store sensitive information on a smartphone. And above all, users should consistently install security updates from the operating system provider.
SIMPLE ENCRYPTION
For BlackBerry smartphones, encryption is designed to be “simple right out of the box,” according to Michael Brown, director of security product management for Research In Motion, the maker of BlackBerry phones. The user doesn’t have to do anything special to activate the device’s encryption, he notes, because it is built in.
“A part of that means that when the user sends a message, it’s automatically encrypted between the BlackBerry device and the BlackBerry enterprise server, which the customer has deployed,” said Brown. “We support additional encryption standards on top of that, such as S/MIME, which is widely used in military.”
Brown pointed out that while BlackBerry data communications, whether military or civilian, automatically have AES 256 encryption, such is not the case with voice communications. Voice encryption occurs through the phone carrier or through products such as those discussed elsewhere in this article.
In addition to encryption, RIM offers measures to safeguard data in case a device is lost or stolen. Brown recommends all BlackBerry users enable a password in order to access their device.
“For customers that have higher insurance requirements, such as DoD, we do also offer products like the BlackBerry smart card reader, which allows you to use things like your Common Access Card to log into your BlackBerry in addition to a password,” noted Brown.
BlackBerrys are also equipped with malware protections that allow administrators to control what applications are allowed to be used on the device. They can also limit which resources, such as GPS and Internet, a particular application is allowed to access.