Smartphones and Cyber Insecurity?

MILITARY-WOUNDED/CYBERSECURITY

Recent furor over cyber attacks in the United States has focused largely on computers, but what about mobile devices?

Big changes are afoot in government and defense mobile device contracts. Even the formerly steadfast BlackBerry client the Department of Defense announced it is open to doing business with Apple (NASDAQ:AAPL), Google (NASDAQ:GOOG) and other mobile communications companies.

The question many are asking: is the shift away from Research in Motion's (NASDQ:BBRY) Blackberry based on solid cyber-security thinking or due to the allure of shiny apps and sleek design with other devices?

On the new mobile device policies, Defense Department Chief Information Officer Teri Takai noted, “This is not simply about embracing the newest technology -- it is about keeping the department’s workforce relevant in an era when information accessibility and cybersecurity play a critical role in mission success.”

Government and defense need to communicate sensitive and classified information on their mobile devices. Any those devices must secure classified and protect unclassified communication for DoD’s 600,000 mobile-device users.

Mobile platforms are just as vulnerable as a desktop computer. As ethical hacking firm Casaba’s security researcher Walter Pearce explains “You need to start considering them a computer in your pocket, not a phone.”

Preferred for superior security, BlackBerry long dominated in the defense, security and government market; however over the past year it has yielded more and more ground in this sector.

BlackBerry’s Security Reign

From the President through to the FBI or ATF agent, the “crackberry” has traditionally been the mobile communication device of choice.

Maintaining the highest-level security while communicating on modern devices required solutions. RIM’s domination was in large part thanks to the company’s innovations that provided greater security than competitors.

BlackBerries tend to be more time-consuming and expensive for hackers to attack, while other platforms have been far less challenging. They also have fewer inherent security weaknesses, with third-party apps creating most of the vulnerability.

BlackBerry does not control the eco-system of apps the way iPhone does, so users may be more prone to downloading malicious software; however, BlackBerry’s application control policy rules and assistive technology permissions solutions have been effective counter-measures.

The BlackBerry Enterprise Server, a capability to help manage and secure devices in enterprise email systems, is another feature that made it attractive to government business.

The Challengers

RIM has had to contend with challenges to its superior security features. Apple has been increasingly quick to react with security patches. For example, Apple says it has hardened the kernel in iOS 6 making it more costly and time consuming for a hacker to attack.

Some ethical hackers believe this is still not enough to keep out the most skilled hackers – the kind you would find targeting government and defense.

Tackling the memory vulnerability on their devices, Google has innovated its latest Android to include full address space layout randomization. Some white-hat hackers believe this fix has limitations and expect to see attacks evolve.

In a move to expand their potential market as challengers gain ground, RIM also made headway into the law enforcement market introducing the BlackBerry PlayBook tablet. Officers can use this tablet for a surprisingly wide range of useful functions, from video surveillance through to completing and printing traffic tickets.

Attempting to keep pace with the innovation of rival smartphones, RIM unveiled its new BlackBerry 10 smartphones designed to better compete in look, design and function on January 30.

Android Cyber-victim of its Own Success?

Finland-based F-Secure released a report last week that may have some re-thinking jumping ship BlackBerry in favor of the mesmerizing world of apps on other devices. F-Secure’s report says it's clear that the free Google operating system has become the primary target platform of hackers.

Android’s jump to nearly 70% of the smartphone global market corresponds with its escalating popularity as a target and platform for malware.

According to the report, while Android’s overall market share rose to 68.8% in 2012, its malware share rose even higher, to 79% - a more than 10% rise in malware from last year’s 66.7%.

Mark Wuergler, senior security researcher at offensive cybersecurity firm Immunity Inc. explains, “The primary weakness of any mobile platform is popularity - just like people, operating systems can be victims of their own success. The more popular a platform is, the more users it has, therefore the more potential targets and access to data and finances it has - so hackers will put their time and money into exploiting that platform to get the best ROI.”

By contrast, Nokia's Symbian platform has experienced a drop both in market share and the new malware variant numbers. While Symbian had also attracted a hefty amount of malware, it still only accounted for about 19% and has already been dropped by Nokia.

In F-Secure’s opinion, Apple's iOS is not nearly as vulnerable as Android. Apple iOS represents about 22% of all smartphones worldwide, but only 0.7% of the malware threats targeted iOS.

The report observes: "Every quarter, malware authors bring forth new threat families and variants to lure more victims and to update on the existing ones. In the fourth quarter alone, 96 new families and variants of Android threats were discovered, which almost doubles the number recorded in the previous quarter."

And how did the BlackBerry measure up on security? Blackberry and Apple iOS had less than one percent of mobile phone infections. The report concluded it was most likely they were intended for a range of platforms rather than specifically targeting them.

Security Compass CEO Nish Bhalla explains why the smartphone threat can be so serious: “ On the actual phones, the biggest trend is keeping sensitive data on phones… We’ve seen vendors who leave a single encryption key on every app installation: anybody who can access the data underneath the app in an individual phone can use it to steal secrets from every other customer installation.”

Ethical hacker Pearce takes a similar view, observing that a mobile platform is a very attractive target

“Mainly, it becomes a treasure chest of credentials. Everyone does everything on their phone…So now an attacker has one place to easily find all of their credentials which is not really up to the same scrutiny as regular computers have been over the years.

So What’s at Stake?

The potential loss of the hefty DoD client base is the latest in a series of setbacks not just for RIM, but also for cybersecurity.

Many ethical hackers believe BlackBerry’s central management and encryption remain superior. BlackBerry and Apple have been better and earlier adopters of security practices with Android seriously lagging behind.

Of the more than 600,000 DoD mobile devices up for grabs, BlackBerry had dominated with about 470,000 of those devices, while 41,000 were Apple devices and only 8,700 ran on Google’s Android system.

After eight years as a loyal customer, Immigration and Customs Enforcement, abandoned BlackBerry devices and joined team Apple iPhone – meaning 17,676 ICE employees will be discussing the business of national security on iPhones instead of BlackBerries.

The Coast Guard, Transportation Security Administration the Bureau of Alcohol, Tobacco, Firearms and Explosives and National Transportation Safety Board are all migrating to other mobile platforms.

In aerospace, the Air Force, the Federal Air Marshall Service and Federal Aviation Administration are considering BlackBerry rivals.

The shift is also underway with the vast government contractor workforce. Booz Allen Hamilton, for example, is moving its 25,000 employees from BlackBerries to iPhones and Android devices.