This lesson covers chapter 10 in the
text. It discusses general security for mobile devices and devices with
embedded OSs. Objectives important to this lesson:
Types of mobile devices
Mobile device risks
Securing mobile devices
Embedded systems, Internet of Things devices, and securing them
Concepts:
Chapter 10 begins with a
discussion about wearable technology, specifically about fitness
trackers. This topic made world news in 2010, when a story was broken
about data from fitness trackers being worn by US soldiers. The data
was hacked, and the soldiers' regular activities became trackable by
people other than themselves. There was a directive issued to stop
using the data sharing features of such devices. The problem still existed last year, as though no one
was aware of it.
The point we should take from this example is that almost
anyone's data can be misused by someone who wishes ill to the data
owner.
The text presents a table on page 424 that should have been a
list. Items on the same row in the table are not necessarily related to
each other. Let's consider both columns to be common features of mobile
devices:
small form factor
mobile operating system - typically a subset of a larger OS
wireless data network access - to connect to nearby WLANs, the Internet, or a cell network (for phones)
applications, and the ability to load more
non-removable storage - static drive, hard drive, or memory chips
removable storage - typically SD cards
global positioning system
microphone
camera
Bluetooth or NFC
The classic mobile device is probably the cell phone, but the
text lists several device categories:
tablets - typically, touchscreen computers without mice or keyboards, but they can have both, and you can add both to most models
smartphones - cell phones with touchscreens, functional and adaptable OSs, and lots of available applications
wearable technology - watches and fitness trackers are mentioned
portable computers - laptops, notebooks, subnotebooks; their characteristics tend to appear across the subcategories
The text also presents a short list of wireless methods used
by portable devices:
cell network - typically through cellular phone systems, but this method can also be used in enterprise networks
satellite - for areas in which there is no commercial reason to construct a cell system, people may use devices that communicate through satellites in orbit around Earth. More power is needed for this one.
infrared - IR was used for early TV remote controls, and other systems that only needed short range capabilities
ANT - a short range, low power consumption technology, similar to Bluetooth; not widely used outside health and fitness devices
The text mentions that most portable devices have at least one
jack for a USB cable to
connect the device to a computer (or other device) to transfer data. I
have a friend who takes lots of photos with his phone and his camera,
and regularly calls me for some assistance moving those files to long
term storage.
Let's move ahead to Mobile Device Risks, starting on page 432.
physical security - smaller means easier to lose and easier to steal; the text points out that portable may mean that you will use it in public, making it harder to keep your screen data private
firmware - the author's remarks about firmware are a bit out of date; keep your devices patched, but don't jump on a patch before the bugs are worked out of it
location tracking - as we have already discussed, saving your regular locations, time spent in them, and regular schedule is not a security-minded decision, especially if your profession or situation makes you a target in someone's eyes
unintended viewing or recording - the text mentions that unsuspecting users have been photographed, video recorded, and audio recorded by malware in their own devices; simple fixes are offered, such as covering camera lenses with tape when you are not using them
jailbreaking (Apple devices), rooting (Android devices) - this is bypassing the restrictions that normally control what software can be loaded on a device; it gives the user more options, but it also exposes the device to more risk because malware will now have administrative privileges
The text continues with some advice about securing (hardening)
mobile devices. It is mostly advice that applies to all computers.
disable unused features - if a feature will not run, it can't be exploited
authentication - enable passwords/passcodes and use good ones; there is a table of Smart Lock options for Android systems, but probably not all of the features will be available to you
set PINs - some devices require a PIN, and they may be limited in the number of allowed digits, often 4; the text suggests never using obvious, easy PINs, like four repeated digits, home address, or birth year
encrypt your data
In the next topic, the text explains that encrypted data may
be read by police agencies making a proper request if the data
is being held on a server owned by the device provider or the
telecom service provider. This kind of request can be avoided if the
data in question is never stored. Storage avoidance may be
attained by turning off the data backup functions in apps. The text
mentions segmentation of storage on the portable device itself.
When segmentation is an available option, it means that personal
data may be stored separately from business data, making it
possible to deliver or erase one type without touching the other type.
This may be an attractive option for people who use their personal
devices for business purposes. As is true of all options discussed in
this section, these options are not standard and may not be available
choices on specific devices or applications.
The text has a separate set of recommendations regarding
theft or accidental loss of devices:
hide the device when not in use
don't let the device distract you - be aware of your situation, especially when you are in motion; don't stare at the screen when you are walking, much less when you are driving
don't use the device near objects that could take it away from you, such as automatic doors, or Earth's gravity when you are on a roller coaster
if a theft occurs, note the suspect's description and call the authorities; contact your organization and/or the wireless carrier and change all passwords for accounts accessed on the device; if you are not keeping track of accounts and passwords on another device, start doing so
install an app that is remotely managed, typically across the Internet, to locate a missing device, sound an alarm, or wipe it remotely
Enterprise management of company owned devices and Bring Your
Own Device to Work devices is a good idea. People are not very good
about managing their own data, much less their employer's data. The
text presents three variations on remote management, each focusing on
one aspect of the problem:
Mobile Device Management - This is a total solution that allows management of data, apps, operating system, patches, and settings. Devices can be checked for installed applications and security settings as required by the enterprise.
Mobile Application Management - This one is mainly about the software installed on top of the operating system. It may offer finer control over applications than MDM.
Mobile Content Management - This is most useful when multiple users (groups or teams) in an organization work on projects that require versioning and change control of documents. This includes program files and documentation created for home-grown use.
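The MDM check described above (devices checked for installed applications and security settings as required by the enterprise) can be pictured with the following Python example. It is added here for illustration and is not from the textbook or any MDM product; the policy keys, device fields, app identifiers, and dates are all assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical enterprise policy; key names are assumptions, not a real MDM schema.
POLICY = {
    "require_passcode": True,
    "require_encryption": True,
    "allow_rooted": False,
    "min_patch_level": "2024-03-01",  # ISO dates compare correctly as strings
    "blocked_apps": {"com.example.sideloader"},
    "features_must_be_off": {"nfc"},
}

@dataclass
class Device:
    owner: str
    passcode_set: bool
    encrypted: bool
    rooted: bool  # jailbroken (Apple) or rooted (Android)
    patch_level: str
    apps: set = field(default_factory=set)
    enabled_features: set = field(default_factory=set)

def evaluate(device, policy=POLICY):
    """Return the list of policy violations for one device report."""
    findings = []
    if policy["require_passcode"] and not device.passcode_set:
        findings.append("no passcode")
    if policy["require_encryption"] and not device.encrypted:
        findings.append("storage not encrypted")
    if device.rooted and not policy["allow_rooted"]:
        findings.append("jailbroken/rooted")
    if device.patch_level < policy["min_patch_level"]:
        findings.append("patch level below minimum")
    findings += ["blocked app: " + a for a in sorted(device.apps & policy["blocked_apps"])]
    findings += ["feature should be off: " + f
                 for f in sorted(device.enabled_features & policy["features_must_be_off"])]
    return findings

def action_for(findings):
    """Rooted devices are cut off; other violations get a remediation notice."""
    if not findings:
        return "compliant"
    return "quarantine" if "jailbroken/rooted" in findings else "remediate"

# Constructed sample inventory (not real device data).
FLEET = [
    Device("alice", True, True, False, "2024-05-01", {"com.example.mail"}, {"bluetooth"}),
    Device("bob", False, True, False, "2023-11-01", {"com.example.sideloader"}, {"nfc"}),
    Device("carol", True, True, True, "2024-04-01"),
]
```

Calling action_for(evaluate(d)) for each device in FLEET gives the enterprise one decision per device, with the findings list explaining why.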
The last six pages of the chapter take us to what seems like a
new territory in which computing power is added to devices that
traditionally have not had it. This is the way all devices were at one
point, so the general idea is not something new. The idea is more that
of having a product and seeking a new market for it. Do I need a smart
broom? Probably not, unless I am able to tell the thing to sweep the
floor without me.
The text introduces several concepts that have developed
around adding autonomy to devices:
ICS - Industrial Control Systems are used to allow devices in factories to change conditions as needed, such as increasing or decreasing pressure or heat
SCADA - A large scale ICS, or a collection of them, may need a Supervisory Control and Data Acquisition system, such as those used by power companies, water treatment and supply plants, and mass transit systems
Embedded systems - The examples above are also embedded systems, but it is easier to see the concept when you consider the illustration on page 450 of the number of separate and connected embedded systems available in cars. Some are trivial, such as the digital turn signals. Others are not.
The Internet of Things takes us to the extreme end of what we
can add computers to. There may be no limit, but there may be no
utility in doing it for most things. Beyond utility, there may be no
security in place around things that have newly been added to the
Internet. New technology is often rough, and may not include the safety
that we will eventually decide that we need. Look over the examples in
the chapter and think about it.
Assignments
Projects and Cases as directed in the course Assignment Summary.
Lab simulations as directed in the course Assignment Summary.