Enterprise mobile security: defending the wireless realm
Enterprise smartphones are getting security-as-a-service to keep out threats
Angela Merkel reportedly had mobile phone calls monitored
AirWatch’s Enterprise Mobile Device Management dashboard enables users to monitor a range of mobile platforms
Telcos and mobile operators look best placed to capitalise on mobile data and voice/text/video encryption
Busy trade shows must ensure that communications links for visitors are secure
Mobile security software is now evolving rapidly to meet the growing needs of the business market, although some vendors freely admit that this segment has only really been commercially relevant since around 2011. As enterprise smartphone usage has exploded, the risks of unauthorised access to sensitive corporate information, hack-based disruption and commercial espionage have accelerated with it.
With mobile devices far more capable than ever in terms of screen size, storage capacity and processing power, many are now regularly used for home working, for example, and businesses are increasingly nervous about protecting information which is on personal devices and not under the corporate ICT function's direct control.
Smartphones are an enabler for remote working on a much larger scale, using email and virtual private networks (VPNs) to access enterprise accounts. According to David Holman, vice president of sales for Europe at Cellcrypt, an eight-year-old company which specialises in encrypting data on wireless cellular, Wi-Fi and satellite networks, there is "also a level of voice security in part brought about by the ability for voice calls to be intercepted relatively easily and cheaply by hackers without needing huge knowledge".
Commercial organisations of all sizes now roll out smartphones, tablet PCs and other portable devices to employees en masse for the purposes of their work. This has greatly expanded the opportunity for mobile device management (MDM) platforms that specialist software vendors and telcos traditionally offered large corporates. Features include user and device authentication, remote lock and/or wipe to prevent access if the device is lost or stolen, centralised over-the-air (OTA) application and content distribution, and configuration and management from the comfort of the IT manager's desk without having to call in hundreds of devices from dissatisfied staff.
Security software companies that previously focused on the PC market but have now started to shift their attention to the mobile device sector include brand leaders Kaspersky Lab, AVG, Norton, Webroot, F-Secure, McAfee and Trend Micro. According to a report compiled by market-watchers ABI Research, these companies often hang on to the coattails of start-ups specialising in preventing sensitive data from being stored on mobile devices and in controlling who and what has access to it.
"If you work for a global oil company, then the last thing you want is an OPEC policy document sitting in your iPhone," says Ian Evans, EMEA managing director at MDM specialist AirWatch. "But with metadata and tagging, we can strip the email attachment off the message, put it in the cloud, or an on-premise data store, then profile the device before we allow it access."
However, while many applications have started to include document encryption protection, anti-virus tools, authentication mechanisms, number blocking, phone location capabilities, SIM card removal protection, download scanning and application locking for mobile platforms, few have evolved beyond the device itself to protect the communications sessions that smartphones enable. In some respects this is the next frontier for enterprise mobile security provisioning.
Encrypted voice, text and IM
Reports in October 2013 that Germany's Chancellor Angela Merkel had her mobile calls monitored by the US government's National Security Agency, despite having a secure device which she could have been using, caused alarm around the world.
For consumers, fears of somebody monitoring mobile calls, SMS messages and instant messaging (IM) conversations may be nothing more than healthy paranoia. The situation is potentially more serious for public sector organisations dealing in information covered by the Official Secrets Act, along with businesses wanting to protect intellectual property and 'trade secrets' that might be useful to rivals and competitors.
ABI Research senior analyst and cyber security expert Michela Menting points out that people living in countries where there is active government censorship may have genuine cause for concern. She maintains, however, that it is government agencies and corporate staff who have the most to lose, which is one reason for increasing numbers of organisations putting policies in place to make sure that their representatives use voice encryption and do not connect to the local Wi-Fi service while attending conferences and other large-scale meetings.
"This happens at a lot of big, international trade shows, as well as where communications on local Wi-Fi networks can be easily intercepted," says Menting. "There is definitely a lot more awareness about the information that may be imparted on the phone when attending the type of event where lots of competitors will be present."
Mobile encryption platforms
Depending on individual requirements, businesses do not have to pay through the nose for feature-rich MDM and mobile encryption platforms. Some are available as a managed or subscription service, including those from AirWatch, Cellcrypt, Centrify and Silent Circle. A raft of tools from software start-ups give small businesses and consumers specific elements such as VPNs, message management and voice encryption, which may offer a smaller but more tailored form of protection.
AnchorFree offers both free, advert-supported and premium versions of its Hotspot Shield mobile VPN platform. It is aimed at companies with 50-100 employees that do not have the expertise or infrastructure to set up their own VPN server, and are therefore looking for a quick and effective method of securing devices attached to public Wi-Fi networks, rather than full MDM services offered by specialist vendors or telcos, for example. The software provides secure Internet browsing, anonymous IP addresses and basic malware protection for Android and iOS devices, adding anti-spam and telephone support in the paid version.
Others offer software that encrypts voice calls made between Android apps installed on two devices either end of a data-enabled communications channel, whether Wi-Fi or cellular, with Whisper Systems' RedPhone (acquired for an undisclosed amount by Twitter in November 2011) based on open-source code, which is free to download. The company also offers an app which secures SMS messages called TextSecure.
GroundWire is the business version of the Acrobits Softphone, another VoIP client for iOS devices, based on the session initiation protocol which adds call conferencing, multi-line call waiting, voicemail, and GSM Web call-back/call-through to help reduce GSM roaming charges on international connections, as value-added features.
PrivateWave's PrivateGSM, meanwhile, also uses SIP (session initiation protocol, a signalling communications protocol used for controlling multimedia communication sessions – such as voice and video calls – over IP networks) to set up mobile voice encryption on selected Nokia S60, Apple iOS, BlackBerry and Android-based devices.
The enterprise version includes PrivateServer, which links PrivateGSM into the company's existing VoIP private branch exchange, allowing mobile users to make secure calls into desktop IP phones and to standard analogue telephone numbers connected by the public switched telephone network (PSTN), and vice versa. A subsection of mobile security companies is also turning its hand to encrypting video communications. Silent Circle lets users make encrypted video calls between Android and iOS handsets, alongside encrypted text messages, phone calls and file transfers.
Free to download open source platform Jitsi (formerly SIP Communicator) also supports videoconferencing and instant messaging using a range of common protocols and ZRTP encryption, but only between PCs or tablets running desktop operating systems rather than smartphone equivalents. AnchorFree is proposing a service that allows users to share their mobile phone videos selectively rather than posting them to YouTube, for example.
Its software stores a pointer on the site that leads the viewer to the actual content which is hosted somewhere else and accessed with a password. The video can be set to expire after a defined period of time.
The company conducted a survey of college students which found that 82 per cent had regretted videos they had posted to Facebook and other social network and sharing sites from mobile and other devices, voicing concerns that they would cause damage to their employment prospects in the future.
There is, of course, no absolute guarantee that any mobile security, MDM, apps or services will work on any one device. AirWatch and others spend considerable portions of their research and development budgets testing their software against individual makes of handset. This process has to be thorough, but the nature of the enterprise mobile market can help because certain handset types are more likely to be in the hands of business users.
VPNs over mobile networks
Because secure voice communications and encryption applications rely on setting up voice-over-IP (VoIP) links over data-enabled wireless networks, predominantly GSM, GPRS, 3G/4G and Wi-Fi, but also satellite and other forms of wireless network, both the device and the network have to support data transfer.
"Mobile VPNs are not as reliable as they could be – sometimes they just stop working when the user moves from one cell to another, or from Wi-Fi to 3G," says David Holman at Cellcrypt, "and that is not conducive to voice communications [which are more sensitive to latency]."
In congested networks, where bandwidth is constrained by the number of users transmitting data simultaneously, latency can also disrupt the natural flow of conversation. Voice encryption packages attempt to get around this by using low-bitrate audio codecs, such as adaptive multi-rate (AMR) or Speex, which use anything from 4.75kbit/s to 7kbit/s of data to carry a call.
With wireless network bandwidth and load balancing improving, however, it is arguably the initial call setup procedure where delays are more likely to happen. End-user tests suggest that placing a secure, encrypted mobile call can take almost twice as long for the remote receiver to start ringing followed by a brief one- to two-second delay caused by the authentication process. Handsets themselves may also be unsuitable to support adequate security.
Cellcrypt is considering adding extra features such as secure email and video broadcasting to its platform, for example, but says that data at rest is best handled by dedicated hardware features, which few smartphones yet incorporate.
"There are areas around message broadcasting on a one-to-many basis we might look at which work in the same way as one to many video broadcast technologies," says Cellcrypt's Holman, "but we need to wait for specific handsets [which support the Trusted Execution Environment (TEE)] to come out because secure pictures and video need data to be secured at rest."
Are the telcos missing a trick?
In theory at least, it is telcos and mobile operators which look best placed to capitalise on growing demand for mobile data and voice/text/video encryption – they own both the customer and the mobile communication channel after all.
Yet while many have been offering MDM platforms and integrated security solutions aimed at larger public and private sector organisations for years, ABI Research's Michela Menting says few are doing much on the mobile voice encryption side. She says they prefer to concentrate on filtering and white listing for word searches to block specific website access from mobile devices for consumer customers.
In the UK, for example, Vodafone uses filtering technology based on the Blue Coat platform, and similar products such as SafeNet and SmartFilter in other countries. Mobile operators including Vodafone and Telefónica in Europe (O2 in the UK) also use AirWatch products for enterprise grade MDM and mobile security.
"They [the operators] tend to partner security providers – I do not see a lot of solutions where they are developing their own," according to Menting. "It usually involves filtering at the network."
In the US, carrier AT&T is one of the few to offer mobile voice encryption services to businesses using BlackBerry and Windows Mobile devices, based on KoolSpan's TrustChip and SRA International's One Vault technology, while North American rival Verizon teamed up with Cellcrypt to deliver similar services to US government accounts in 2012.
European operators appear to be playing catch-up to an extent, but also seem reluctant to push mobile voice calls off GSM and onto data channels due to network performance and cost concerns.
"They [mobile operators] have an interesting quandary," says David Holman at Cellcrypt. "They want to make money out of [conventional] voice calls, but that revenue is going away, so they have to make more money out of data [to compensate]".
Holman points out that it makes more sense for large corporates and government agencies, whose large-scale contracts provide connectivity to thousands of users at a time, to ask mobile operators whether they can sell them secure voice services on top of regular subscriptions.
Technology briefing: More data encryption starts to become ubiquitous
Most mobile voice encryption applications convert cellular calls to VoIP sessions and then transmit them over whatever data channel is available. First they authenticate participants against a database of registered users, then they use one of several standard encryption methods to protect the data stream during transmission, such as the Advanced Encryption Standard (AES), Triple Data Encryption Standard (Triple-DES), RSA or OpenPGP (an open standard derived from Pretty Good Privacy, a data encryption and decryption program that provides cryptographic privacy and authentication).
The server software runs on infrastructure hosted by the service provider or within the customer's own data centre according to preferences. "There are half a dozen tried and tested encryption algorithms around the world," says Cellcrypt's David Holman, "and if anybody ever says they have developed a new one you can be suspicious."
KoolSpan's TrustCall has several components, including the TrustCall app for Android and BlackBerry devices and the TrustRelay Server that stores and authenticates devices and users within the TrustGroup. Interestingly, TrustCall uses a hardware-based cryptographic device, called TrustChip, installed on a microSD card to speed up encryption processing and provide FIPS 140-2 Level 1 validation for businesses and US government public sector organisations.
PrivateGSM uses the Zimmermann Real-Time Transport Protocol (ZRTP) to add extra security to SIP sessions. Rather than relying on SIP signalling for cryptographic key management (or on third-party trust keys maintained in a third-party database), it first checks whether both devices support ZRTP, then exchanges identifier keys which are tied to the phone's CLI number.
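The ZRTP idea described above, keys agreed in the media path rather than handed over by SIP signalling, and then checked by a short authentication string (SAS) that the two callers compare aloud, can be modelled in a few dozen lines. The following is an added example written for this article, not code from PrivateWave, Cellcrypt or any other vendor named here; it uses only the Python standard library, the 2048-bit MODP group from RFC 3526 as the Diffie-Hellman group, and derivation labels, salt and a 4-character SAS that are this example's own assumptions rather than the ZRTP wire format.

```python
import base64
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), generator 2.
P = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05"
    "98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB"
    "9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B"
    "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718"
    "3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
).replace(" ", ""), 16)
G = 2
NBYTES = 256  # P is exactly 2048 bits

def dh_keypair():
    # A 256-bit private exponent is ample for a 2048-bit group.
    priv = secrets.randbelow(2**256 - 1) + 1
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    # Reject degenerate public values (0, 1, P-1) that force a predictable secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P).to_bytes(NBYTES, "big")

def derive(secret, caller_pub, callee_pub):
    # HMAC-SHA256 extract-then-expand, bound to both public values so that any
    # substituted value changes both the media key and the SAS (labels are ours).
    transcript = caller_pub.to_bytes(NBYTES, "big") + callee_pub.to_bytes(NBYTES, "big")
    prk = hmac.new(b"example-salt", secret, hashlib.sha256).digest()
    media_key = hmac.new(prk, b"srtp" + transcript, hashlib.sha256).digest()
    sas_raw = hmac.new(prk, b"sas" + transcript, hashlib.sha256).digest()
    sas = base64.b32encode(sas_raw[:3]).decode()[:4]  # 20-bit, ZRTP-style base32 SAS
    return media_key, sas

def run_call(intercepted=False):
    # Returns (keys_match, sas_match, caller_sas, callee_sas) for one call setup.
    a_priv, a_pub = dh_keypair()  # caller
    b_priv, b_pub = dh_keypair()  # callee
    if not intercepted:
        a_key, a_sas = derive(shared_secret(a_priv, b_pub), a_pub, b_pub)
        b_key, b_sas = derive(shared_secret(b_priv, a_pub), a_pub, b_pub)
    else:
        # A relay able to rewrite the exchange (what control of the signalling
        # path would give an interceptor) swaps in its own public value.
        m_priv, m_pub = dh_keypair()
        a_key, a_sas = derive(shared_secret(a_priv, m_pub), a_pub, m_pub)
        b_key, b_sas = derive(shared_secret(b_priv, m_pub), m_pub, b_pub)
    # Each handset shows its SAS; the users read them to each other over the
    # now-encrypted call. A mismatch reveals that someone sits between them.
    return a_key == b_key, a_sas == b_sas, a_sas, b_sas

if __name__ == "__main__":
    print("direct call :", run_call())
    print("relayed call:", run_call(intercepted=True))
```

In the direct case both endpoints derive the same media key and display the same SAS; in the relayed case the keys differ and the two SAS values disagree, which is the check that lets users catch interception without trusting the SIP path or a key directory.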
Trending and bending: Why the Internet of Things needs a mobile security rethink
More and more industrial devices, electrical appliances and sensor-enabled devices are becoming 'Internet-enabled' as their owners find ways to remotely 'harvest' the data they collect for various commercial purposes – everything from utility meters and automotive applications to greenhouse temperature and humidity gauging (see E&T Vol 8 Issue 11).
Accurate estimations of just how many of those connected devices will come online within the next decade are hard to determine, but the most optimistic predictions suggest anything from 50 billion (Ericsson) to 75 billion (Morgan Stanley) by 2020.
And because so many will be connected via some form of wireless network, whether cellular, Wi-Fi, White Space bandwidth (the emerging 'Weightless' proto-standard) or private mobile radio (PMR), the mobile operators and service providers running the underlying infrastructure will inevitably shoulder some if not all the responsibility for protecting the data they transmit from prying eyes and stopping hackers from taking over their control.
"A big part of the machine-to-machine (M2M) and IoT usage case will be with 'unattended' devices and machine types, and this poses a very big challenge because everything has to be enabled remotely for the whole lifetime of the device, which could be 10 to 20 years," says Bruno Basquin, chairman of the SIMalliance, a non-profit trade organisation lobbying for the adoption of embedded next generation SIM cards or Universal Integrated Circuit Cards (eUICCs) as the major security element included in M2M platforms.
"It also raises the question of security on those unattended devices which are more exposed to hacking. If you take the example of the [connected] car – if you can control your car remotely someone else will be interested in doing it as well. So it can be very attractive for hackers to attack those systems. It is not about the cost, it has to be secure by design, which is not so obvious."
Mobile attack vectors: How many ways can mobile security be hacked or compromised?
Bluetooth: unsolicited messages to discoverable devices (bluejacking), or requests for Bluetooth OBEX push profile (bluesnarfing) to obtain contact address book.
Out-of-date security patches/fixes on OS/apps open door to viruses/malware downloads disguised as games, utility software, etc.
Phishing: bank details and private data are easier to trick users into entering on fake URLs, because smaller, harder-to-read mobile browser address bars make the real destination difficult to spot.
Poorly-configured devices without passwords, PIN numbers, pattern screen locks, or biometric readers enabled (or passwords easy to guess).
SMS-based denial-of-service (DoS) attacks: multiple specially crafted SMS messages cause the device to restart, lose its network connection or freeze.
Trojans which transfer themselves from PCs to phones via USB connection when they are attached for synchronisation.
Unsecured Wi-Fi networks (e.g., free public Wi-Fi hotspots with no authentication requirements) which enable wireless interception of unencrypted data/email.
Vulnerabilities which allow malicious software to be downloaded to the SIM card via SMS, giving it access to data and control of the device.