DACS 2201 / 08-Mobile & Embedded Devices Security

Learning Objectives for Mobile and Embedded Devices Security

  • List and compare various types of mobile devices used in modern computing environments.
  • Explain diverse methods and technical strategies used to secure mobile devices against internal and external threats.
  • Describe the architecture of embedded and specialized devices and identify their unique security vulnerabilities.
  • Explain the complex issues surrounding the security of specialized devices, including technical constraints and lack of standardization.

Classification of Mobile Devices

  • Portable Computers:
    * These devices closely resemble standard desktop computers but are significantly smaller in physical size.
    * They are designed for easy transport and operate primarily on battery power.
    * Laptops, Notebooks, and Subnotebooks: These devices are capable of performing all tasks typically associated with a desktop computer.
    * Web-based Computers (e.g., Chromebook):
        * These contain a limited version of an operating system, such as Google Chrome OS.
        * They typically include a web browser, an integrated media player, and a suite of web applications.
        * They generally do not run traditional software installed locally; instead, they store user files and data on the internet.

  • Tablets:
    * Portable computing devices that lack a built-in physical keyboard or mouse.
    * Input relies on a touch screen interface and the use of virtual keyboards.

  • Smartphones:
    * Modern telecommunication devices equipped with an operating system (OS) that enables them to run complex applications and access the internet.

  • Wearables:
    * Devices designed to be worn by the user rather than carried by hand.
    * Examples include smartwatches and fitness trackers.

Connectivity Methods and Hardware Standards

  • Cellular Phone Networks:
    * The total coverage area for a cellular telephony network is divided into geographic regions known as cells.
    * A Mobile Telecommunications Switching Office (MTSO) serves as the central control for all transmitters (towers) within the cellular network.

  • Wireless Connectivity:
    * Mobile devices utilize Wireless Local Area Networks (WLAN) to connect, with technologies including Bluetooth and Wi-Fi.

  • USB (Universal Serial Bus) Connections:
    * Hardware interfaces include standard-size connectors, mini connectors, and micro connectors.
    * Connectors are categorized by types including Type A, Type B, and Type C.
    * Specific variations noted include USB Mini, USB Micro, and USB Micro B.

Mobile Device Deployment Models in Organizations

  • Corporate Owned:
    * The organization purchases and owns the device directly.
    * Employees are restricted to using the device only for company-related business tasks.

  • Corporate Owned Personally Enabled (COPE):
    * Employees select a device from a pre-determined list of devices owned and paid for by the company.
    * The devices on this list are chosen because they meet specific criteria for security, reliability, and physical durability.
    * Employees are granted the freedom to use the device for both professional business and personal activities.

  • Bring Your Own Device (BYOD):
    * Employees use their own personally owned mobile devices to perform business-related tasks.

  • Benefits of COPE and BYOD:
    * Organizations benefit from reduced support requirements for IT staff.
    * These models are associated with increased employee performance and job satisfaction.

Vulnerabilities and Risks Associated with Mobile Devices

  • Primary Risk Categories:
    * Mobile device vulnerabilities (physical and OS-related).
    * Connection vulnerabilities (network-based).
    * Accessing untrusted content (software and media-related).

  • Physical Security:
    * Portability is the greatest asset but also the greatest vulnerability of a mobile device.
    * Devices are frequently subject to loss or theft.

  • Limited Updates:
    * Security patches and system updates are distributed via firmware Over-The-Air (OTA) updates.
    * Manufacturers using the Android OS are generally required to provide updates for at least 2 years.
    * However, manufacturers are often hesitant to provide updates beyond this period to encourage new sales.

  • Location Tracking:
    * Devices with Global Positioning System (GPS) capabilities support geolocation to identify device coordinates.
    * Geolocation increases susceptibility to targeted physical attacks.
    * Geo-tagging: This process adds geographical identification data to media files, such as photos. Posting these to social networks can inadvertently reveal private or sensitive locations.

  • Unauthorized Recording:
    * If a device is infected with malware, a threat actor can remotely activate sensors to record conversations or video without the user's knowledge.

Threats from Connection Interfacing and Untrusted Content

  • Tethering:
    * A mobile device shares its active internet connection with other devices via Bluetooth or Wi-Fi.
    * An unsecured mobile device can act as a vector, infecting other tethered devices or the broader corporate network.

  • Malicious USB Connections:
    * Connecting a malicious flash drive to a device can lead to malware infection.
    * Specific USB cables may be embedded with independent Wi-Fi controllers that allow attackers to send commands to the device wirelessly.

  • Hotspots:
    * Wireless signals in public locations used to access the internet. Attackers can use these to eavesdrop on data transmissions.

  • Sideloading and Rooting/Jailbreaking:
    * iOS Jailbreaking and Android Rooting: Procedures used to circumvent OS limitations that normally prevent the installation of unapproved apps.
    * Sideloading: The act of downloading and installing apps from unofficial, third-party app stores, which is made possible by rooting or jailbreaking.

  • Malicious Links and Codes:
    * Messaging apps are frequently used to distribute URLs that lead to malicious websites.
    * Quick Response (QR) Codes: A QR code can store a string of up to 4,296 characters, including complex URLs. Attackers may place malicious QR codes over advertisements for reputable websites.

Defensive Strategies and Protective Measures for Mobile Devices

  • Strong Authentication:
    * Screen locks prevent unauthorized access. Options include passcodes, PINs, fingerprints, face recognition, or dot-connecting patterns.

  • Data Encryption:
    * Early mobile OS versions required third-party apps for encryption. Modern versions utilize native Full Disk Encryption (FDE) by default when the device is locked.

  • Storage Segmentation:
    * Containerization: Separating business data from personal data into distinct, isolated "containers" on the same device.

  • Loss or Theft Services:
    * GPS Tracking: Shows the device's current location on a map. If the battery is depleted, the service indicates the last known location.
    * Remote Lockout: Locks the device and displays a custom message on the screen.
    * Thief Picture Apps: These take a photograph of the current holder after 3 incorrect passcode entries and email the image to the owner.
    * Remote Alarms: Apps can trigger a loud alarm even if the device volume is muted.
    * Remote Wipe: If recovery is impossible, this command erases all sensitive data on the device.

  • Mobile Device Management (MDM):
    * Large-scale tools that allow organizations to remotely manage device settings, quarantine compromised or jailbroken devices, and selectively erase only corporate-specific data.

Embedded Systems and Specialized Computing

  • Industrial Control Systems (ICS):
    * Systems that collect, monitor, and process real-time data to control physical devices like valves, pumps, and motors without direct human intervention.
    * These are usually managed by Supervisory Control and Data Acquisition (SCADA) systems.

  • Raspberry Pi:
    * A low-cost, credit-card-sized motherboard with multiple I/O ports. It can perform standard computer tasks or control specialized devices.

  • Specialized Systems in Industry:
    * Medical Systems: Specialized embedded tech used for patient care.
    * Transportation: Systems in airplanes and vehicles; cars use sonar, radar, and lasers to control braking, steering, and acceleration.
    * Environmental Systems: Heating, Ventilation, and Air Conditioning (HVAC) systems.
    * Utility Meters: Digital smart meters used to measure the consumption of electricity, water, and gas.

The Internet of Things (IoT)

  • Definition: Connecting any arbitrary device to the internet for the purpose of sending and receiving data for automated action.
  • Examples of IoT:
    * Wearable technology.
    * Home automation: Thermostats, coffee makers, keyless entry systems, washing machines, electric toothbrushes, headphones, and light bulbs.
    * Medical IoT: Monitoring the human body or controlling artificial implanted parts.

Security Constraints and Challenges for Specialized Devices

  • Power: Devices are optimized for extremely low power draw, leaving no headroom for power-heavy security modules.
  • Computation: Small physical size dictates low processing capabilities.
  • Network: Designers often support simple network protocols that lack advanced security features to ensure ease of connectivity.
  • Cryptography: The intensive resource requirements for encryption and decryption are often beyond the capabilities of these devices.
  • Inability to Patch: Most embedded devices lack a mechanism for software updates or security patching.
  • Weak Defaults: Devices often ship with well-known default usernames (e.g., "root", "admin") and simple passwords (e.g., "123456", "password").
  • Cost: Market competition drives developers to keep products inexpensive, often leading them to exclude security protections.

Legislation and Best Practices for IoT Security

  • Government Initiatives:
    * Governments are starting to enact laws requiring "reasonable security features."
    * A primary example is the requirement for a preprogrammed password that is unique to every individual device manufactured.

  • Personal Security Recommendations:
    1. Apply software patches and updates as soon as they become available.
    2. Isolate IoT devices by placing them on a separate guest network, away from primary data devices.
    3. Always change the factory-default password immediately.
    4. Conduct thorough research and read user reviews regarding the security history of a device before purchase.

Questions & Discussion

  • Question: Which of the following is needed to allow downloading and installing apps from a third-party provider on Android phones?
    * Tethering.
    * Sideloading.
    * Jailbreaking.
    * Rooting. (Current answer based on the Android-specific context of the slide).
    * Offset loading.