For the past several months, security veteran Aaron Turner has been making the rounds at industry events presenting some pretty disturbing information about the state of mobile security.
Turner, a former strategist in the security division of Microsoft, should know. He's been working, researching and developing in the mobile space for years. After Microsoft, he left to begin research and development at the US Department of Energy's Idaho National Laboratory. For two years, Turner worked on, and eventually patented, a cell phone-based payment and identification system which became the basis for his start-up, RFinity.
From there, Turner went on to found two more companies: IntegriCell, where he and his team work with large companies to uncover risks associated with mobile technologies, and N4Struct, which focuses on assisting organizations in battling against advanced persistent threats (APTs).
Turner, who was recently a presenter at CSO's CSO40 conference, spoke with me about the coming tide of vulnerabilities he sees on mobile platforms, as well as the dark days that lie ahead until security managers really have the ability to wrap their arms around the behemoth problem of mobile security.
CSO: You gave a really interesting presentation at our recent CSO40 event where you highlighted the new ways attackers are using mobile devices for APTs. Obviously, APTs are no longer just a hard-wired network threat.
Aaron Turner: APT is sometimes an over-used acronym, but it's one that gets everyone thinking about advanced attack capabilities, and so I used it to describe what we're starting to see in the mobile technology ecosystem. For some reason, many long-time security veterans have lost their ability to remember the pains that we've suffered in past new-technology-adoption cycles when it comes to mobile.
Whether it was moving from mainframes to distributed servers, from desktops to laptops, we as infosec professionals often didn't understand the inherent security problems in technologies until it was too late to help our organizations properly mitigate the risks that new technologies introduced into our business processes.
Some very smart infosec leaders are sitting on the sidelines while mobile security problems cause significant incidents in their organizations. The reasons why mobile is now, and will continue to be especially painful from a security perspective:
- Not all carriers are 'friendly' -- network operators, especially those in parts of the world where 'rule of law' is a total fantasy, have incredible power to manipulate the information flowing to/from mobile devices associated with their networks. They also have root access to install any persistent software on, or scrape credentials from, devices on their networks.
- Becoming a 'carrier' is getting easier -- rogue towers can be set up to trick targeted users' devices into connecting to hostile base stations, and then inject software or manipulate information sent to/from the devices.
- Malicious application developers have realized crime pays -- the information on personally-owned devices which are connected to enterprise infrastructures has real value. Spearphishers pay excellent money for contact lists that are obtained from mobile devices. When an application asks for arbitrary access to your address book, it may not be to share your awesome high scores with your friends.
Do you think organizations are understanding and taking the threat among these new mobile attack vectors seriously yet? Are security managers really getting it? Why or why not?
The most-security-aware organizations are taking these threats very seriously. They're destroying phones after taking them to hostile areas with known malicious carriers, they're limiting what information gets copied to the default inbox/contact list on devices, and they're limiting what applications can be installed on devices which have access to enterprise infrastructure. As a group, they're still a very small percentage of organizations, but the numbers are growing. Unfortunately, many organizations wait until an incident happens and then react to the problem. That's probably not the best strategy when it comes to assuring one's career path, but it's the state of the industry when it comes to mobile security right now.
I think there is a big gap in knowledge when it comes to really understanding the problem. Most security managers have no clue that foreign carriers have complete administrative control of all devices that are associated with their network. They don't understand how rogue towers can be set up. They haven't had time to really do comprehensive threat modeling for malicious mobile applications. IntegriCell and others in the industry are working to bring these risks to light and helping organizations deploy compensating controls as fast as we can.
In your presentation, you specifically referred to some of the threats mobile users are facing now while traveling internationally. What are you observing?
There are two major threat categories when it comes to international travel, the malicious foreign carrier and the enterprising private mobile attacker. These threats result from the fact that citizens of a foreign country generally have no rights to privacy and no official recourse if their information gets stolen while they are in the foreign country. I already spoke about how foreign carriers have total control over devices which are associated with their networks. Probably the most alarming thing we've seen happen in our tests is how foreign carriers can steal the cryptographic seed values from soft-tokens installed on smartphones. One take-away I'd love to get across to all of your readers is to never let soft-tokens become a solution to be relied on for organizations which have a large number of international travelers.
The 'enterprising mobile attacker' is someone involved in a situation like we found in Mexico. Imagine you're on a cruise ship. You don't want to pay the exorbitant internet fees on-board, so you're constantly looking for WiFi on-shore. You get off the ship, find a coffee shop with great WiFi, so you connect your device and get your internet fix. What you don't realize is that the coffee shop owner has realized he can make more money selling your address book to spearphishers than he ever can make selling you even his most-expensive latte.
You've developed a multi-factor authentication system that works with any smartphone to help people keep their information safe while traveling. Give us some detail on how it works.
We had several enterprise clients that wanted to have a higher-integrity authentication system for employees while traveling overseas. In designing the system, we set the goal of having it work with as many smartphones/tablets as possible. We have been looking at how devices like Square interact with smartphones through the audio jack for several years, so we decided to see if we could get a cryptographic token to work through the audio jack.
By setting the crypto keys inside of a device which is not integrated into the phone, like on the SIM card or in a piece of software running on the phone, we avoid the problem of malicious carriers harvesting the crypto keys. We are working with mobile data protection partners to make it so that your data can only be opened and viewed when our device is present. The app which stores your personal information is encrypted, half of the keyset required to open the app is on the device and the other half is hosted in a hardware security module in the cloud. Without both keysets, the data on the user's device is protected. As we worked through the design process, the device looked like a slice of lime, and we thought it would be funny to name it KeyLime. The name has stuck and we're doing a complete launch to consumers via the KickStarter community to bring the technology to any traveler, not just those who work for our enterprise customers.
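The split-key arrangement described above (one half of the key material held in an external token, the other in a cloud HSM, and nothing openable without both) can be illustrated in code. The following is an added example written for this article, not KeyLime's or IntegriCell's code: it assumes the two halves are combined with HKDF (RFC 5869, implemented with the standard library) and uses a small HMAC-based stream cipher with an encrypt-then-MAC tag as a stand-in for a real AEAD such as AES-GCM. The shares, the app identifier and the plaintext are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample shares. In the design described in the interview these
# would live in the external token and in the cloud HSM respectively; they are
# fixed here only so the run is deterministic.
DEVICE_SHARE = b"constructed-device-share-0001!!!"
HSM_SHARE = b"constructed-hsm-share-0001!!!!!!"
APP_ID = b"com.example.travel-vault"  # hypothetical app identifier, used as HKDF salt


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract then expand) with HMAC-SHA256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(device_share: bytes, hsm_share: bytes):
    """Both shares feed the extract step; one share alone yields nothing usable.
    Returns (encryption key, MAC key)."""
    okm = hkdf_sha256(device_share + hsm_share, APP_ID, b"split-key-demo/data-key", 64)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256(key, nonce || counter). Stands in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag in constant time first; return None rather than decrypting on failure."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def unlock(blob: bytes, device_share: bytes, hsm_share: bytes):
    """Attempt to open the vault with whatever shares the caller holds."""
    enc_key, mac_key = derive_keys(device_share, hsm_share)
    return open_sealed(enc_key, mac_key, blob)


def demo_unlock() -> dict:
    """Seal a sample record, then try to open it with both shares and with each half alone."""
    enc_key, mac_key = derive_keys(DEVICE_SHARE, HSM_SHARE)
    blob = seal(enc_key, mac_key, b"travel contact list")  # constructed sample data
    missing = bytes(32)  # what an attacker holds for the share they never obtained
    return {
        "both_shares": unlock(blob, DEVICE_SHARE, HSM_SHARE),
        "device_only": unlock(blob, DEVICE_SHARE, missing),
        "hsm_only": unlock(blob, missing, HSM_SHARE),
    }


if __name__ == "__main__":
    print(demo_unlock())
```

The point for a defender is that a carrier or malware with full control of the handset sees at most the half that transits the phone; because the key is derived from both halves in one extract step and the tag is checked before any decryption, a captured vault blob plus one share still fails closed. In production the toy HMAC stream would be replaced with an authenticated cipher and the shares generated inside the token and HSM rather than being constants.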
Who is your target audience/demographic/buyer for this product?
We've designed the consumer-grade version of KeyLime for anyone who travels internationally and uses an iOS or Android device. We are working with folks like the Electronic Frontier Foundation and people who have been involved in events like the Arab Spring situation to understand how we can deliver KeyLime in a way that protects anyone's information anywhere in the world. The KickStarter community will be involved in helping us bring this technology to consumers everywhere. We're excited at the potential that KeyLime has to turn the tables in the mobile security battle that is going on currently.
What do you see happening in the next 2-3 years when it comes to mobile security?
Things are going to get a lot worse before they get better. For example, at the CSO40 event I asked many of the attendees what they were doing about rogue cell towers near their critical facilities / boardrooms. Outside of the US Intelligence Community, most organizations are wide open when it comes to mobile communications coming in / heading out of the building. The complete focus of mobile network developers on availability has really driven some fundamental vulnerabilities into the system. For example, with GSM/HSDPA downgrade attacks, nearly any phone can be made a slave to a malicious tower operator. It used to be that CDMA-network devices, like those offered by Sprint and Verizon Wireless, were much more resilient to such attacks. But, with the advent of LTE, which is a sort of strange merger between CDMA and GSM technologies, CDMA devices are beginning to inherit some of the GSM system vulnerabilities.
The lack of a consistent inventory of mobile devices within sensitive facilities can cause problems as well. We found one instance in which a 4G data stick was installed by a cleaning crew in the back of a computer sitting at the desk of the CEO's administrative assistant. It would burst out data at 2:00 am. Finding those types of unauthorized devices is very difficult without some pretty sophisticated equipment and operational discipline.
The greatest challenge, though, will be the continued innovation in the consumer mobile device market. CIOs have proven that they are not good at helping mobile technology companies innovate. The checks that many CIOs cut to RIM/BlackBerry resulted in a 5-year lag in enterprise mobility compared to consumer mobility. The stock market has very obviously told mobile technology companies that enterprise-grade mobile security just doesn't matter. When a company like Apple, with a disastrous record of security problems and a complete inability to integrate with security tools, has such market cachet that it can continue to dominate sales and draw in enterprise customers, things are going to end badly. The Android ecosystem's fragmentation will be its demise when it comes to security. BlackBerry 10 is probably the greatest evidence of how far we've fallen from a mobile security perspective.
Compensating controls will be the norm for enterprises, because the mobile system owners and OEMs are not providing the solutions we need. So, for the next few years, enterprises will have to deploy a host of tools to compensate for the lack of security on consumer mobile devices. I see some organizations moving to bring-your-own-device or BYOD practices and justifying the policy because of supposed cost savings. Once all of the tools are purchased and implemented to properly manage BYOD with all of the risk management controls, I have yet to see an organization actually save money and time with BYOD in the long run.