Mobile and Embedded Device Security

Mobile Devices

  • Core features:
    • Small form factor
    • Mobile operating system
    • Wireless data network interface for internet access (Wi-Fi, cellular telephony)
    • Applications (apps)
    • Local non-removable data storage
    • Data synchronization capabilities with computers or remote servers
    • Support for using the device as removable storage
  • Additional features:
    • Global Positioning System (GPS)
    • Microphone and/or digital camera
    • Wireless cellular connection for voice communications
    • Wireless personal area network interfaces like Bluetooth or Near Field Communication (NFC)
    • Removable storage media

Tablets

  • Portable computing devices larger than smartphones but smaller than notebooks.
  • Classified by screen size.
  • Generally lack a built-in keyboard, relying on touch screen.
  • Primarily display devices with limited user input.
  • Popular OSs: Apple iOS, Google Android, and Microsoft Windows.

Smartphones

  • Possess all features of a basic cellular phone (feature phone) with the addition of an OS capable of running apps and accessing the internet.
  • Feature phones have limited functionalities like camera, MP3 player, and SMS.
  • Smartphones are considered handheld personal computers due to their app capabilities.

Wearable Technology

  • Devices worn by the user instead of carried.
  • Examples:
    • Fitness trackers
    • Smartwatches (can act as smartphone accessories for viewing messages)

Portable Computers

  • Similar hardware and OS to desktop computers.
  • Primary difference: smaller, self-contained, easily transportable, and operate on battery power.
  • Laptops:
    • Considered the earliest portable computers.
    • Have multiple hardware ports and limited upgrade options.
  • Notebook computers:
    • Smaller, lighter versions of laptops, fitting inside a briefcase.
    • Designed with basic, frequently used features.
  • Subnotebook computers:
    • Smaller than standard notebooks.
    • Use low-powered processors and solid-state drives (SSDs).
    • Often have both touchscreen and physical keyboard.
  • Web-based computers:
    • Contain a limited Linux OS and a web browser.
    • Integrated media player.
    • Designed for internet connectivity.
    • No traditional application installation.
    • No local user file storage; access web apps and store files online.

Mobile Device Connectivity Methods

  • Wi-Fi is a standard connectivity method.
  • Other connectivity methods:
    • Cellular
    • Satellite
    • Infrared
    • ANT (proprietary wireless network for sensor data communication)
    • USB connections

Enterprise Deployment Models

  • Bring Your Own Device (BYOD):
    • Users use personal mobile devices for business.
    • Employees are fully responsible for device choice and support.
    • Suited for smaller companies or those with temporary staff.
  • Corporate Owned, Personally Enabled (COPE):
    • Employees choose from company-approved devices.
    • Company supplies and pays for the device.
    • Company decides on the level of choice and freedom for employees.
  • Choose Your Own Device (CYOD):
    • Employees choose from a limited selection of approved devices but pay upfront costs, while the business owns the contract.
    • Company approves devices for security, reliability, and durability.
    • Company often provides a stipend for monthly wireless fees.
  • Virtual Desktop Infrastructure (VDI):
    • Stores sensitive apps and data on a remote server accessed via smartphone.
    • Users customize data display as if it were on their device.
    • Enterprise centrally manages apps and data on server instead of distributing to smartphones.
  • Corporate-Owned:
    • The enterprise purchases and owns the device.
    • Employees use the phone only for company-related business.
    • Enterprise handles all aspects of the device.
  • Benefits of BYOD, COPE, and CYOD models:
    • Management flexibility
    • Less oversight
    • Cost savings
    • Increased employee performance
    • Simplified IT infrastructure
  • User benefits:
    • Choice of device
    • Choice of carrier
    • Convenience

Mobile Device Risks

  • Security Risks:
    • Mobile device vulnerabilities
    • Connection vulnerabilities
    • Accessing untrusted content
    • Deployment model risks

Physical Security

  • A significant percentage (68%) of healthcare security breaches result from loss or theft of mobile devices.
  • Laptop thefts frequently occur from unattended cars (25%).
  • Airports and hotels are also common locations for thefts (15%).
  • Restaurants account for a notable fraction of thefts (12%).
  • Users must guard against shoulder surfing (strangers viewing sensitive information).

Limited Firmware Updates

  • Apple iOS uses a closed, proprietary architecture with updates via iTunes or over-the-air (OTA) updates.
  • Android updates are problematic because Google does not create the hardware and OEMs modify Android, making it difficult to distribute security updates due to potential conflicts and the need for wireless carriers to perform extensive testing.
  • OEMs and wireless carriers have little financial incentive to update devices.

Location Tracking

  • GPS-enabled devices support geolocation (identifying the device's geographic location).
  • Mobile devices using location services are at higher risk of targeted physical attacks.
  • Attackers can determine user locations and plan to steal devices or inflict harm.
  • GPS tagging (geo-tagging) involves adding geographical identification data to media.

Unauthorized Recording

  • Precautions:
    • Avoid using webcams in private areas.
    • Cover webcam lenses when not in use.
    • Grant camera/microphone access only to necessary apps.
    • Regularly review app permissions and disable unnecessary ones.

Connection Vulnerabilities

  • Tethering
    • Description: Sharing a mobile device's internet connection with other devices via Bluetooth or Wi-Fi.
    • Vulnerability: An unsecured device can infect tethered devices or the corporate network.
  • USB On-The-Go (OTG)
    • Description: Mobile device acts as a host or peripheral for external media access via USB.
    • Vulnerability: Connecting to an infected computer can transmit malware to the device.
  • Connecting to public networks
    • Description: Using public external networks for internet access.
    • Vulnerability: Attackers can eavesdrop on data transmissions and view sensitive information on uncontrolled public networks.

Accessing Untrusted Content

  • Quick Response (QR) Codes
    • Description: Two-dimensional barcodes read by imaging devices, used for tracking, identification, and marketing.
    • Vulnerability: Attackers can create malicious QR codes that redirect users to imposter websites or download malware.
  • Sideloading
    • Description: Downloading apps from unofficial third-party app stores, circumventing built-in limitations.
    • Apple iOS: Jailbreaking
    • Android: Rooting
  • Short Message Service (SMS) & Multimedia Messaging Service (MMS)
    • SMS: text messages up to 160 characters
    • MMS: includes pictures, video, or audio in text messages
    • Threat actors can send SMS messages with links to untrusted content or MMS videos containing malware.

Deployment Model Risks

  • Risks
    • Users may remove built-in limitations, disabling security features.
    • Personal devices are shared among family, exposing corporate data to outsiders.
    • Different devices have varied hardware/OS, complicating technical support.
    • Securing personal smartphones from departing employees can be difficult.

Securing Mobile Devices

  • Steps
    • Configuring the device
    • Using mobile management tools
    • Configuring device app security

Device Configuration

  • Disable Unused Features
    • Disable unnecessary and unsupported features to prevent vulnerabilities like bluejacking and bluesnarfing via Bluetooth.
  • Use Strong Authentication
    • Restrict unauthorized access with screen locks and strong passcodes.
    • Screen Lock: Prevents device use until the correct passcode is entered. Automatically locks after inactivity.
    • Additional protections are activated after failed passcode attempts, like extended lockout periods or factory resets.
    • Context-aware authentication: Device unlocks and stays unlocked until a specific action occurs.
    • Passcode, can be a personal identification number (PIN), fingerprint swipe, or pattern connecting dots

Manage Encryption

  • Loopholes exist in mobile device data security, including data-in-transit and remote data-at-rest.
    • Data-in-transit: Carriers build surveillance capabilities, allowing law enforcement to collect data.
    • New mobile apps use over-the-top (OTT) content delivery over the internet without telecoms involvement.
    • Remote Data-at-Rest: Apple and Google possess decryption keys, providing data on their servers to courts.
    • Users can disable backups to iCloud or Google servers.

Segment Storage

  • Storage segmentation: Separating business and personal data.
  • Containerization: Separating storage into distinct containers.
  • Advantages of storage segmentation:
    • Helps companies avoid data ownership privacy issues.
    • Allows companies to delete business data without affecting personal data.

Enable Loss or Theft Services

  • Precautions to Reduce Risk
    • Keep devices out of sight in high-risk areas.
    • Maintain situational awareness.
    • Use both hands when holding the device.
    • Avoid using devices on escalators or near train doors.
    • Consider replacing white/red headphone cords.
    • Do not resist or chase thieves.
  • Security Features
    • Alarm: Generates an alarm even when muted.
    • Last known location: Indicates the device's last location when the battery is low.
    • Locate: Pinpoints the device's current location via GPS.
    • Remote lookout: Remotely locks the device and displays a custom message.
    • Thief picture: Takes a picture of incorrect passcode attempts and emails it to the owner.

Mobile Management Tools

  • Support Tools
    • Mobile Device Management (MDM)
    • Mobile Application Management (MAM)
    • Mobile Content Management (MCM)

Mobile Device Management (MDM)

  • Tools for remotely managing devices by an organization.
    • Server component sends management commands to devices.
    • Client component implements commands.
    • Administrators can perform over-the-air (OTA) updates and configuration changes.
  • MDM Features:
    • Rapidly enroll (on-boarding) and remove devices (off-boarding)
    • Apply/modify default settings
    • Enforce encryption, antivirus updates, and patch management
    • Display acceptable use policy
    • Configure email, calendar, contacts, Wi-Fi, and VPN profiles OTA
    • Discover devices accessing enterprise systems
    • Approve/quarantine new devices
    • Distribute and manage public/corporate apps
    • Securely share/update documents and policies
    • Detect/restrict jailbroken and rooted devices
    • Selectively erase corporate data
    • Send SMS text messages

Mobile Application Management (MAM)

  • Tools for distributing and controlling access to apps.
  • Initially controlled apps through app wrapping (restricting parts of an app).
  • Originally required MDM but is now incorporated into newer OS versions.

Mobile Content Management (MCM)

  • Content management supports creating and modifying digital content by multiple employees.
  • A mobile content management (MCM) system is tuned to provide content management to many mobile devices used by employees in an enterprise

Mobile Device App Security

  • Apps should require authentication.
  • MDMs can support:
    • Application whitelisting: Only pre-approved apps can run.
    • Geo-fencing: Defines geographical boundaries.

Embedded Systems and the Internet of Things

  • Trend of adding computer capabilities to devices.
  • Includes: Embedded systems and the Internet of Things.

Embedded Systems

  • Computer hardware and software within a larger system designed for a specific function.
  • Examples: Medical devices, aircraft, vehicles, industrial machines, HVAC systems.

Industrial Control Systems (ICS)

  • Control locally or at remote locations by collecting, monitoring, and processing real-time data.
  • Machines directly control devices (valves, pumps, motors).
  • Multiple ICS are managed by a larger supervisory control and data acquisition (SCADA) system.

System on a Chip (SoC)

  • All necessary hardware components on a single microprocessor chip.

Real-Time Operating System (RTOS)

  • Software designed for an SoC in an embedded system.
  • Accommodates high volumes of data for critical decision-making.

Internet of Things (IoT)

  • Connecting any device to the Internet for sending and receiving data.
  • Includes wearable technology, multifunctional devices, and home automation items (thermostats, coffee makers, tire sensors, etc.)

Body Area Networks (BAN)

  • A network system of IoT devices in close proximity to a person’s body that cooperate for the benefit of the user

Autonomous Body Sensor Network (ABSN)

  • Introduces actuators and sensors for immediate effects on the human body.
  • Can restore sensation, mobility, and function to paralyzed limbs and organs.

Security Implications

  • Reasons for vulnerability:
    • Vendors prioritize low costs over security.
    • Weak security implementations.
    • Lack of update capabilities.
    • Long gaps in applying patches.
    • Initiatives are underway to address these vulnerabilities.