In the physical world, 'security' for any business involves a whole spectrum of defensive measures; choosing a safer location, putting up warning signs and notices, monitoring and cameras, locks, identity passes, alarms and ultimately, insurance. IT really should be no different, and many do apply security measures, although pre-mobility and the internet, most organisations would have relied heavily on physical security to defend their IT, in addition to some form of system login, particularly on larger systems.
The easy availability of de-mountable, low cost media (floppy disks and things that followed like memory sticks) heralded the start of the malware industry—viruses and their counterpart anti-virus software—although some might remember earlier, less virulent infections such as the 'cookie monster' on Multics in the late 1970s.
Add networks, especially an open one like the internet, and all hell breaks loose with a range of excellent delivery mechanisms for all forms of malware and packet-borne attacks. Even here there is still a physical barrier relatively easily at hand; pull the connection cable.
Mobile is, however, a different matter. It is not just that the devices are small, easily secreted, lost or stolen, or that they are now powerful computers with massive storage capabilities (the exposures these attributes create do of course need to be mitigated in some way). Nor is it that they are entirely personal devices, far more so than any ‘personal’ computer, in that for most people they are an extension (or even proof) of their identity—and protecting the identity perimeter of individuals and organisations is becoming a huge issue, as has been noted in other Quocirca reports, such as The identity perimeter.
No, the major problem is radio waves—they can't be seen.
NFC (near field communications, used in payment cards), RFID (radio frequency identification chips used for tagging), Bluetooth, Wi-Fi and even cellular connections all open up invisible vulnerabilities and typically most, if not all, of them are present on smartphones and tablets.
There has been reasonable security awareness of the risks of Wi-Fi and at one time many businesses took what they thought was a safe option and didn’t support wireless networks on their premises. How naïve they were. Many early smartphones had Wi-Fi and could act as cellular to Wi-Fi routers—a fact that for a while encouraged operators to charge for ‘tethering’ services as users connected laptops and then tablets via a personal hotspot and their smartphone.
Around the same time the cost of Wi-Fi access points fell to be affordable for many consumers and even coffee shops initially thought they could make money out of connectivity rather than ground beans—now free in most places of course. Enterprising employees might also have added an unofficial home access point to make the office environment a bit more flexible (and vulnerable). Eventually, most organisations realised they needed to do something to protect themselves; with wireless security solutions they could identify rogue access points and everyone once again felt safe.
Again, fine as far as it goes, but with new applications for IP-based wireless technologies appearing all the time—internet of things, wearables etc.—more devices are appearing and communicating with each other so wireless protection will need to be stepped up.
In addition to the challenges of Wi-Fi, there are also significant risks in apparently short-range wireless technologies, especially for those who do not understand the consequences of the term ‘high gain antenna’. Many would expect low power wireless such as Bluetooth to be very short range, but experimental projects such as those using ‘Bluesniping’ demonstrate that this is not the case: a range thought to be only a few metres can quickly be extended to hundreds of metres (one claims a range of around a mile). Think you are secure? Next time you are in a crowded space like a train carriage take a look at all the Bluetooth devices you can see and the names of people that you can pick up—does your mobile broadcast your name? Again, with more devices such as wearable fitness bands adding Bluetooth as a way of pairing with smartphones, the airwaves are getting even more crowded.
Other short-range wireless communications come with similar problems. NFC and RFID tags have such a short nominal range—even marketed as tap and go—that they might seem immune to snooping, but with the right equipment this range limitation can be overcome and information gathered from a distance. The protocols and systems that exploit the value of these technologies need to be robust, especially for applications such as payments.
Even with good systems there are other pitfalls since wireless knows no bounds as some London commuters will no doubt have discovered. Now that wallets and purses contain multiple NFC cards, who decides which one will ‘win’ the transaction? Transport for London has warned passengers they might need a ‘change of behaviour’ to ensure that for example their Oyster card is used and not one of their bank cards. Here the systems might be secure, but there are unintended consequences of the lack of radio barriers.
Does this mean surrounding everything in a Faraday cage or in a metal box or under a tinfoil hat?
No, at least not unless it is something very secret, but organisations and individuals need to be aware that radio waves can be intercepted or broadcast more widely than expected. This is a first point of vulnerability or defence that can and should be addressed. Many more should be thinking about managing connectivity better at the radio end, such as being much more careful with switching wireless services on or off—e.g. Bluetooth—or investigating protective technologies that push the control of Wi-Fi access right to the radio edge in the access point.
In any event, with employees bringing their own (mobile) devices, using public networks and broadcasting or listening to everything over the airwaves, organisations need to apply much more rigour to securing applications and data. What was once simply seen as mobile device management should now be much more focused on mobile application, data and usage management.