ITS 2110 - Introduction to Network Security

Chapter 10 - Mobile and Embedded Device Security

Objectives:

This lesson covers chapter 10 in the text. It discusses general security for mobile devices and devices with embedded OSs. Objectives important to this lesson:

  1. Types of mobile devices
  2. Mobile device risks
  3. Securing mobile devices
  4. Embedded systems, Internet of Things devices, and securing them
Concepts:

Chapter 10 begins with a discussion about wearable technology, specifically about fitness trackers. This topic made world news in 2010, when a story was broken about data from fitness trackers being worn by US soldiers. The data was hacked, and the soldiers' regular activities became trackable by people other than themselves. There was a directive issued to stop using the data sharing features of such devices. The problem still existed last year, as though no one was aware of it.

The point we should take from this example is that almost anyone's data can be misused by someone who wishes ill to the data owner.

The text presents a table on page 424 that should have been a list. Items on the same row in the table are not necessarily related to each other. Let's consider both columns to be common features of mobile devices:

  • small form factor
  • mobile operating system - typically a subset of a larger OS
  • wireless data network access - to connect to nearby WLANs, the Internet, or a cell network (for phones)
  • applications, and the ability to load more
  • non-removable storage - static drive, hard drive, or memory chips
  • removable storage - typically SD cards
  • global positioning system
  • microphone
  • camera
  • Bluetooth or NFC

The classic mobile device is probably the cell phone, but the text lists several device categories:

  • tablets - typically, touchscreen computers without mice or keyboards, but they can have both, and you can add both to most models
  • smartphones - cell phones with touchscreens, functional and adaptable OSs, and lots of available applications
  • wearable technology - watches and fitness trackers are mentioned
  • portable computers - laptops, notebooks, subnotebooks; their characteristics tend to appear across the sub categories

The text also presents a short list of wireless methods used by portable devices:

  • cell network - typically through cellular phone systems, but this method can also be used in enterprise networks
  • satellite - for areas in which there is no commercial reason to construct a cell system, people may use devices that communicate through satellites in orbit around Earth. More power is needed for this one.
  • infrared - IR was used for early TV remote controls, and other systems that only needed short range capabilities
  • ANT - a short range, low power consumption technology, similar to Bluetooth; not widely used outside health and fitness devices

The text mentions that most portable devices have at least one jack for a USB cable to connect the device to a computer (or other device) to transfer data. I have a friend who takes lots of photos with his phone and his camera, and regularly calls me for some assistance moving those files to long term storage.

Let's move ahead to Mobile Device Risks, starting on page 432.

  • physical security - smaller means easier to lose and easier to steal; the text points out that portable may mean that you will use it in public, making it harder to keep your screen data private
  • firmware - the author's remarks about firmware are a bit out of date; keep your devices patched, but don't jump on a patch before the bugs are worked out of it
  • location tracking - as we have already discussed, saving your regular locations, time spent in them, and regular schedule is not a security minded decision, especially if your profession or situation makes you a target in someone's eyes
  • unintended viewing or recording - the text mentions that unsuspecting users have been photographed, video recorded, and audio recorded by malware in their own devices; simple fixes are offered, such as covering camera lenses with tape when you are not using them
  • jailbreaking (Apple devices), rooting (Android devices) - this is bypassing the restrictions that normally control what software can be loaded on a device; it gives the user more options, but it also exposes the device to more risk because malware will now have administrative privileges

The text continues with some advice about securing (hardening) mobile devices. It is mostly advice that applies to all computers.

  • disable unused features - if a feature will not run, it can't be exploited
  • authentication - enable passwords/passcodes and use good ones; there is a table of Smart Lock options for android systems, all features will probably not be available to you
  • set PINs - some devices require a PIN, and they may be limited in the number of allowed digits, often 4; the text suggests never using obvious, easy PINs, like four repeated digits, home address, or birth year
  • encrypt your data

In the next topic, the text explains that encrypted data may be read by police agencies making a proper request if the data is being held on a server owned by the device provider or the telecom service provider. The kind of request can be avoided if the data in question is never stored. Storage avoidance may be attained by turning off the data backup functions in apps. The text mentions segmentation of storage on the portable device itself. When segmentation is an available option, it means that personal data may be stored separately from business data, making it possible to deliver or erase one type without touching the other type. This may be an attractive option for people who use their personal devices for business purposes. As is true of all options discussed in this section, these options are not standard and may not be available choices on specific devices or applications.

The text has a separate set of recommendations regarding theft or accidental loss of devices:

  • hide the device when not in use
  • don't let the device distract you - be aware of your situation, especially when you are in motion; don't stare at the screen when you are walking, much less when you are driving
  • don't use the device near objects that could take it away from you, such as automatic doors, or Earth's gravity when you are on a roller coaster
  • if a theft occurs, note the suspect’s description and call the authorities; contact your organization and/or the wireless carrier and change all passwords for accounts accessed on the device; if you are not keeping track of accounts and passwords on another device, start
  • install an app that is remotely managed, typically across the Internet, to locate a missing device, sound an alarm, or wipe it remotely

Enterprise management of company owned devices and Bring Your Own Device to Work devices is a good idea. People are not very good about managing their own data, much less their employer's data. The text presents three variations on remote management, each focusing on one aspect of the problem:

  • Mobile Device Management - This is a total solution that allows management of data, apps, operating system, patches, and settings. Devices can be checked for installed applications and security settings as required by the enterprise.
  • Mobile Application Management - This one is mainly about the software installed on top of the operating system. It may offer finer control over applications than MDM.
  • Mobile Content Management - This is most useful when multiple users (groups or teams) in an organization work on projects that require versioning and change control of documents. This includes program files and documentation created for home grown use.

The last six pages of the chapter take us to what seems like a new territory in which computing power is added to devices that traditionally have not had it. This is the way all devices were at one point, so the general idea is not something new. The idea is more that of having a product and seeking a new market for it. Do I need a smart broom? Probably not, unless I am able to tell the thing to sweep the floor without me.

The text introduces several concepts that have developed around adding autonomy to devices:

  • ICS - Industrial Control Systems are used to allow devices in factories to change conditions as needed, such as increasing or decreasing pressure or heat
  • SCADA - A large scale ICS, or a collection of them, may need a Supervisory Control and Data Acquisition system, such as those used by power companies, water treatment and supply plants, and mass transit systems
  • Embedded systems - The examples above are also embedded systems, but it is easier to see the concept when you consider the illustration on page 450 of the number of separate and connected embedded systems available in cars. Some are trivial, such as the digital turn signals. Others are not.

The Internet of Things takes us to the extreme end of what we can add computers to. There may be no limit, but there may be no utility in doing it for most things. Beyond utility, there may be no security in place around things that have newly been added to the Internet. New technology is often rough, and may not include the safety that we will eventually decide that we need. Look over the examples in the chapter and think about it.