News Items & Releases

17.02.14

Canadian Defence Foundation partners with America's The Flag & General Officers' Network Read more

13.10.12

Book Release: DOOMSDAY: Iran - The Clock is Ticking by James G. Zumwalt Read more

25.09.12

Book Release: Practicing Military Anthropology by Robert A. Rubinstein, Kerry Fosher, Clementine Fujimura Read more

15.08.12

Mobile Computing: Recognizing that the Biggest Challenges We Face in 2012 and Beyond is Our Behavior and Use of Mobile Devices Read more

13.10.12

Book Release: DOOMSDAY: Iran - The Clock is Ticking by James G. Zumwalt Read more

25.09.12

Book Release: Practicing Military Anthropology by Robert A. Rubinstein, Kerry Fosher, Clementine Fujimura Read more

15.08.12

Mobile Computing: Recognizing that the Biggest Challenges We Face in 2012 and Beyond is Our Behavior and Use of Mobile Devices Read more

19.03.12

The Canadian Defence Foundation honours and recognizes Rear Admiral (Ret.) James J. Carey of the USA for his on-going support of Canadian efforts. Read more

02.03.12

Meet our newest Advisory Board members, persons who represent the next generation of Canadian expertise and leadership in the field. Read more

29.02.12

Cybersecurity is becoming an increasing issue in our daily lives, but far too often, we are the biggest vulnerability and are not even aware of it. Read more

04.01.12

The Canadian Defence Foundation announces formal working relationships with domestic and international players in academia, the think tank world, and in the private sector. Read more

04.10.11

There is a new generation of bacteria we are not prepared for. How incentivizing antimicrobial research and development will not only protect those on the front line, but each and every once of us. Read more

20.09.11

Members of the Canadian Defence Foundation travel with our supporters to the United Nations in New York City. Read more


Mobile Computing: Recognizing that the Biggest Challenges We Face in 2012 and Beyond is Our Behavior and Use of Mobile Devices

Adelph, MD | August 15, 2012

By George Platsis

Executive Summary

There has been great discussion in recent years of the increased use of mobile computing in our daily lives.  Indeed, it has altered so many ways of how we conduct our daily routines, at the personal level, and how we conduct business, at the business and government level.  The conveniences mobile computing has offered us are astounding.

For all that, mobile computing has come with an array of threats and vulnerabilities, most of which we are not aware of.  While there are many technical aspects that can be covered, arguably the single largest issue that we face is our behavior and how we treat and operate mobile devices.  We do not treat them as computers, when in reality, they perform virtually all the same functions as a computer, have as good (if not better) performance, yet come with a  multiple of many more issues that wired networks do not have.

This report presents a brief examination of the current mobile landscape and how its dynamics and constant change demonstrate that we are losing this battle.  We are unfortunately too focused on today (a battle that has already been lost) and not dedicating the time we should to tomorrow (where we may have a fighting chance).  The proliferation of devices, operating systems, and applications, presents a unique set of challenges that we must address, otherwise we face daunting challenges with respect to personal identity, economic success, and national security.

Introduction: What is Mobile Computing?
               
Mobile computing in our daily lives is increasing, and in turn, is having an even more profound effect on our behavior.  For all its conveniences, mobile computing also compounds threats and vulnerabilities because we, unfortunately, do not necessarily treat mobile computing with the respect and scrutiny it deserves, particularly as some really bad things are beginning to target our mobile devices (Meyers, n.d.).  In short, the ascendancy of mobile computing offers great opportunities, but also presents a new series of security challenges (The Economist Business Unit & Booz Allen Hamilton, 2011).

Mobile computing is over 15 years old and the infrastructure has inherent issues that we must deal with (Meyers, n.d.).  Yet, part of the issue is that we have yet to properly define what “mobile computing” is.  For example, when we say “mobile computing” what does that exactly mean in 2012?  15 years ago, that may simply have meant having a laptop; 10 years ago, it may have meant having a laptop that could connect to a Wi-Fi network; five years ago, it may have meant using certain applications on your mobile phone.  What will it mean five years from now?  Will “computing” be all that different from “mobile computing” soon?
 
Without this definition, it becomes problematic to list threats and vulnerabilities with any sort of accuracy or relevance, even if mobile devices are becoming prime targets because their increased use, storing of sensitive data, use calendar functions, contact information, passwords, and other vital information (Ruggerio & Foote, 2011).
 
Inasmuch, the departure point for this conversation really has to be: what are mobile devices being used for?  We are entering an age that a tablet will be virtually indistinguishable from a “computer” very soon, such as Microsoft’s “Surface”, which will run Windows 8 Pro and have an Intel Ivy Bridge Core i5 processor (Melanson, 2012).  At the core (no pun intended), how is this device any different from a laptop?  We must accept that mobile devices serve the same functions or computers, with comparable computing power, but with little, or no, endpoint security (Juniper Networks, Inc., 2012).

The reality is that we will continue to see: mobile device proliferation, coupled with a disparity of capabilities in these same devices, which in turn will result in a proliferation of malware threats (Wright, 2011).  These are trends we cannot fight; we should accept them, with a view to changing our behavior accordingly. 

Defining the Landscape

There is a dangerous belief that accessing the Internet from a mobile device is as safe or safer that accessing from a “traditional computer” (Ruggerio & Foote, 2011).  This mindset essentially confirms that we do not treat mobile devices with the same respect and scrutiny we do for computers.  The result is that we are the single largest and most impactful threat and vulnerability of the mobile computing realm.  The majority of computers users, even unsophisticated ones, know that operating a computer without antivirus and firewall protection is foolish; but these same users seldom think twice about using these same protective measures for mobile devices.  Why?  Consider the following:

  • - In 2009, there were approximately 4 billion global mobile users (US-CERT, 2010);
  • Over one billion use these devices to access the Internet (The Economist Business Unit & Booz Allen Hamilton, 2011);
  • - Broadband connectivity rose by 850% in 2008 (US-CERT, 2010);
  • - Android smartphone unit growth in Q3 2010 alone rose by 1,339.1% (Meyers, n.d.);
  • - Android malware from July 2011 to November 2011 increased by 472% (Thinesen, 2011);
  • - As of 2011, 50% of all smartphones were Wi-Fi enabled, but the projection is that by 2014, 90% of all smartphones will have Wi-Fi capabilities (Juniper Networks, Inc., 2011);
  • Mobile commerce industry accounted for $1 billion worth in sales in 2009, but may account for $170 billion by 2015 (Levin, 2012); and
  • - By the end of the decade there may be 35 billion devices running 24 million different apps (Tolentino, 2012).

These numbers are truly mindboggling and these same numbers are already dated by many respects.  Wireless networks, be they Wi-Fi, Bluetooth, Mobile Broadband, Near Field Communication, are still networks, and are exposed to the same risks wired networks are; that said, they are vulnerable to additional risks as well as a function of their wireless capability (Radack, n.d.).  From a technical standpoint, unless protective measures, such as encryption (Wright, 2011), are taken, these wireless networks, which transmit data through radio frequencies (Radack, n.d.), are fair game for attack.
 
A mobile device that is not secure, which can also be physically lost or stolen, leaves open the possibility of having: personal information, banking details, contacts, and so on, to be used to access money, data, or even steal an identity (Government of Australia, n.d.).  This is why, coupled with the staggering numbers above, it is difficult to accurately create a threat/vulnerability matrix that analyzes a probability of occurrence; the numbers are just simply increasing at exponential rates.

Given the opportunities that are available in this ever-changing landscape, all threats are high, and given our lack of awareness, all vulnerabilities are high.

IT managers learned from the desktop, laptop, and server worlds, that to get secure in the mobile computing world, vulnerabilities must be addressed proactively in order to pre-empt attacks against company data (Eddy, 2012) and the concerns surrounding mobile computing go well beyond the technical aspects of cybersecurity, and well into the aspects of management and leadership (Meyers, n.d.).

Are Threats Real or Perceived?

They may be both, but most are real.  A simple string search with the words “how to hack mobile” in July 2012 on Google produces a mere 157 million results (Google, 2012).  The Internet has given us wonderful things such as “cookbooks” and “recipes for disaster”, meaning that we need to be constantly on-guard, especially when our behavior defines so much of the threat/vulnerability matrix.
 
Consider, for example, that mobile banking usage grew by 63% in 2011, and the adoption rate over the next 18 months is expected to continue to grow (Wills, n.d.).  We take certain precautions when using our computer to do banking, but we do not do nearly as much when going mobile.  So this issue is not only a corporate/organizational one, it really is one that affects each and every single person who uses mobile computing, particularly as mobile banking has become one of the most lucrative arenas for cybercriminals to attack (McAfee Labs, 2011).

At the “highest strategic levels” we can categorize threats by: physical access, communication channels, browsers, operating systems, applications, and social engineering (Meyers, n.d.), all pretty standard networking issues.  And generically speaking, we can cluster threats in a few smaller categories, such as: text messages, contacts, videos, phone transcriptions, call history, document, and buffer overflows (Cheng, 2007).  Yet, the ways and means to exploit the vulnerabilities change with every new form of mobile technology we employ.  For example, two new devices, Nokia’s Lumia 610 and Samsung’s Galaxy S III use Near Field Communication (NFC), something that is relatively new for a mobile – yet is another vulnerability we have to deal with.  Our behavior is the driver behind how we deal with these issues.

Let us step away for a moment from mobile computing, but still use NFC as an example.  Many credit cards have NFC capabilities where we can “tap” our card on a receiving device to pay for services.  Problem is, our credit cards are always “broadcasting” whether they are in our back pocket, purse, or lying on our dresser.  A scanner could easily pick up our credit card’s information and “go to town” per se with our hacked information.
With that example in mind, the NEXUS card (a trusted traveler program between the United States and Canada) employs the exact same NFC technology, except there is one major requirement of a cardholder: they must keep the card in protective metallic sleeve when the card is in use (in order to protect from scanners and from other credit cards using the technology).  If a border official catches a NEXUS cardholder without the sleeve, they may in fact lose their card and all privileges that go with being a NEXUS cardholder.  Keeping the card in a sleeve is behavioral; this is what we need to concern ourselves with when considering mobile computing. 
Our behaviour is being used to exploit and compromise security models that isolate and protect data (Eddy, 2012) especially as personal devices are being used, more and more, to access enterprise data (Meyers, n.d.). Not only is organizational data being leaked, but the exploitation of application and operating system vulnerabilities in mobile devices is putting the organization’s server at risk, especially if the mobile devices have already been authenticated to access the network (Eddy, 2012).

Common Risks, Threats, and Vulnerabilities

               
The increase in malware for mobile phones has jumped by 400% from 2011 to 2012 (Walters, 2012) and vulnerabilities have increased by 93% in 2011 (Reyes, 2012). What is compounding the issue is the newly adopted term of BYOD, which means: bring your own device.  It is becoming the norm as consumer and business security issues are beginning to collide, especially since the operating systems of many mobile devices provide little protection (Reisinger, 2012).  Many of these operating systems, when designed, simply did not account for the potential threats.  Considering that many of these devices are still in use, attackers can use old rootkits to exploit and install their own custom firmware onto devices (McAfee Labs, 2011).

One needs to also consider the law of unintended consequences with mobile devices.  Many services providers, particularly in North America, felt an almost pathological need to “lock in” their customers by “locking” the mobile device to a specific carrier (which is not necessarily common practice in Europe, where a mobile device may be branded but not locked to a provider).  Understandably, many consumers felt the need to be “free” and would unlock or “jailbreak” their devices.  The unexpected result is that many of the tools originally developed for customers to unlock their phones have been used as the best tools for malware to exploit the root of the OS (McAfee Labs, 2011).  Considering the above, some more specific threats can include (Derr, 2007):

  • - Malicious code designed to take control of certain functions and act discreetly (such as placing long-distance phone calls, snooping capabilities, enabling the camera, or altering the calendar);
  • - Replacing common applications with similar versions that have malware embedded in them;
  • - Modify communication protocols, such as Wi-Fi and Bluetooth, to gain access with no authentication;
  • - Access corporate databases;
  • - Modify, steal, or delete vital contact information; and
  • - Attack the battery of the phone by keeping the device continually alive.

Indeed, it may seem as though many of these threats may seem more like a nuisance than anything, but as our behavior changes, these nuisances may come to be full-fledged disasters.  Two key behavioral changes that must be considered are: people are giving up their landlines for cell phones and as more people moving into shared spaces, such as condominiums and community residencies, and sharing Wi-Fi networks.  These two behavioral changes alone transform mobile computing into a nightmare.  And we are sloppy too.  An informal survey by mobile and forensic specialists found that half of the mobile devices sold on eBay still contain some form of personal information (Eddy, 2012) and 17 different known malicious apps available on Google Play have been downloaded over 700,000 times (Digital News Asia, 2012).

Third-Party Apps & The Future of the Internet
               
One could argue that the primary reason mobile devices are at risk is because there are more PC-style malware attacks happening, with the greatest risk coming from the proliferation of apps in the various application stores (Juniper Networks, Inc., 2011).  The concern here is that many applications are not being vetted and users are installing anything that seems fun (Meyers, n.d.), and that cybercriminals have most past the hit-and-miss approach of attacking mobile devices and a moving towards more aggressive and innovative ways of extracting information (Digital News Asia, 2012).  This is particularly true for Android-based devices where there is no upfront review process of what the application actually does, something that is only compounded by the fact that virtually anybody can create a developer account for a mere $25 (Thinesen, 2011) and remain relatively anonymous after that.

Indeed, the app world is somewhat bizarre, where Android pretty much lets everything go, Windows Mobile is constantly going through revisions, and iOS is stubbornly wanting to keep everything in house and taking an almost blind eye to the looming threats it faces.  Android in Q1 of 2012 saw nearly 5,000 new malicious apps (Digital News Asia, 2012), for example.

Sadly, Apple does not even allow iOS to be opened to external scrutiny because of company policy (Subramanian, 2012), as Apple feels their OS and third-party development/vetting process is good enough.  Unfortunately, such arrogance in an ever-changing world is the type of arrogance that could expose a highly successful company, such as Apple, to disaster (look at BlackBerry, for example).  Legitimate third party developers who wish to build legitimate security tools have limited access (Meyers, n.d.), something that frustrates the serious people in the industry.  This frustration was voiced by Eugene Kaspersky when Apple refused Kaspersky from developing anti-viral tools for iOS (Worstall, 2012). 

Something that Apple must realize is that as they become more popular, particularly with the iPhone and iPad (both mobile computing devices), they become a bigger target.  Learning from Microsoft’s successes and follies would be in their best interests, especially when Eugene Kaspersky believes that Apple is 10 years behind Microsoft in terms of security (Gates, 2012). The advent of HTML5, something that will be a web standard for Apple, Microsoft, and all other browser makers, such as Firefox, Chrome, and Opera, will be a critical component of mobile computing.  As a function of that, the more ubiquitous the platforms become, the device type matters less and less, be it mobile or traditional computer (Lowensohn & Rosenblatt, 2012).  The threat is going to be there and it is only going to become easier for criminals to exploit, particularly as our business models change and more and more different companies take roles in commerce, such as third-party payment processors who are not governed by any regulating agency (Smith, 2012).

Prevention & Culture Change

              
There are some pretty standard techniques that, as users, we should keep in mind, such as: erring on the side of prevention, being cautious with Wi-Fi and Bluetooth, backing up frequently, using legitimate tools (like mobile anti-virus software), and limiting the amount of data we keep on our devices (McAfee Labs, 2011).  We may think something as simple as contact information is not critical, but depending what industry somebody works in, contact information can be a treasure trove of information.  In other words, we need to be more aware of what we are doing on our mobile devices and begin to treat them more like computers as opposed to mobile devices that we once used just to make phone calls or read eBooks.

Many of our laws were drafted long before our behavior changed.  For example the laws governing mobile payments were drafted long before mobile payments (and the devices that facilitate them) were even created (Smith, 2012).  Where BYOD is becoming commonplace, organizations must be aware of, and have the capabilities to detect, the potentially risky behavior caused by applications and employees on mobile devices (NetSecurity, 2012).  In other words, an organization needs to assess the risks involved and set a level of risk they are willing to accept before blindly adopting policies.  The easy things are (Radack, n.d.):

  • - Understanding the technical aspects of wireless networks;
  • - Keeping inventories of devices;
  • - Creating backups;
  • - Performing periodic tests and assessments;
  • - Applying patches; and
  • - Constant monitoring.

The hard thing is instituting culture change where people recognize that their mobile device is as powerful as their computer and is open to as many, if not more, threats and vulnerabilities as their computer.

Conclusion

               
Unfortunately, the question asked has an inherent, but not necessarily intended, flaw.  It is asking for solutions for today; the problem is, by the time we create these solutions, they are no longer applicable.  We need to focus our efforts on tomorrow’s challenges.  This should be our driver in creating an effective organizational cybersecurity standard and policy.  We are already behind the curve on this issue, and focusing on today only puts us further behind.  Organizations, both small and large, and individuals, need to be prepared that their mobile devices are increasing the risk to both them and their networks (Meyers, n.d.).

As the insider threat grows, the risk of exploiting mobile devices increases.  Be it benign or malicious, an insider that has legitimate access to a network, creates financial and even national security related issues.  The increasing exposure to foreign intelligence services presented by the reality of global business (Figliuzzi, 2012) is enough of a concern for us to recognize that our mobile computing behavior is critical to the success and preservation of our: personal identity, economic success, and national security.

Works Cited

Cheng, Z. (2007). Mobile Malware: Threats and Prevention. Santa Clara, CA: McAfee.

Derr, K. W. (2007). Nightmares with Mobile Devices are Just around the Corner! Idaho Falls, ID: Idaho National Laboratory.

Digital News Asia. (2012, May 29). Mobile malware threats on the rise. Retrieved from Digital News Asia: http://www.digitalnewsasia.com/node/204

Eddy, N. (2012, April 10). Small Businesses Exposed to Security Threats From Mobile Devices. Retrieved from eWeek - Enterprise Technology News and Reviews: http://www.eweek.com/c/a/Mobile-and-Wireless/Small-Businesses-Exposed-to-Security-Threats-from-Mobile-Devices-552903/

Figliuzzi, C. F. (2012, June 28). Statement Before the House Committee on Homeland Security, Subcommittee on Counterterrorism and Intelligence. Retrieved from Federal Bureau of Investigation: http://www.fbi.gov/news/testimony/economic-espionage-a-foreign-intelligence-threat-to-americans-jobs-and-homeland-security

Gates, S. (2012, May 16). iPhone Malware: Kaspersky Expects Apple's IOS To Be Under Attack By Next Year. Retrieved from The Huffington Post: http://www.huffingtonpost.com/2012/05/15/iphone-malware-kaspersky_n_1515074.html

Google. (2012, July 8). How to hack mobile. Retrieved from Google: http://www.google.ca/search?q=how+to+hack+wireless&sourceid=ie7&rls=com.microsoft:en-ca:IE-Address&ie=&oe=&redir_esc=&ei=DBr6T4r5FeTw0gH7u9mKBw#hl=en&rls=com.microsoft:en-ca%3AIE-Address&sclient=psy-ab&q=how+to+hack+mobile&oq=how+to+hack+mobile&gs_l=serp.

Government of Australia. (n.d.). Secure your mobile phone and device. Retrieved from Stay Smart Online: http://www.staysmartonline.gov.au/home_internet_users/Secure_your_mobile_phone_and_devices

Juniper Networks, Inc. (2011). Mobile Device Security - Emerging Threats, Essential Strategies: Key Capabilities for Safeguarding Mobile Devices and Corporate Assets. Sunnyvale, CA: Juniper Networks, Inc.

Juniper Networks, Inc. (2012). Malicious Mobile Threats Report 2010/2011: An Objective Briefing on the Current Mobile Threat Landscape Based on Juniper Networks Global Threat Center Research. Sunnyvale, CA: Juniper Networks, Inc.

Levin, N. (2012, June 21). Attack of the Phones: Combating Cyber Threats in the Era of Mobile Commerce. Retrieved from McAfee: http://blogs.mcafee.com/consumer/ecommerce/attack-of-the-phones-combating-cyber-threats-in-the-era-of-mobile-commerce

Lowensohn, J., & Rosenblatt, S. (2012, April 6). Flashback the largest Mac malware threat yet, experts say. Retrieved from CNET News: http://news.cnet.com/8301-1009_3-57410702-83/flashback-the-largest-mac-malware-threat-yet-experts-say/

McAfee Labs. (2011). 2012 Threats Predications. Santa Clara, CA: McAfee Labs.

Melanson, D. (2012, June 18). Microsoft announces Surface for Windows 8 Pro: Intel inside, optional pen input. Retrieved from Engadget: http://www.engadget.com/2012/06/18/microsoft-announces-surface-for-windows-8-pro/

Meyers, A. (n.d.). Emerging Threats in Mobile Computing. Retrieved from American Council for Technology: http://www.actgov.org/sigcom/mobilityhome/Documents/SRA_Emerging_Mobile_Threats_noanim.pdf

NetSecurity. (2012, June 19). Identify and block mobile malware on enterprise networks. Retrieved from NetSecurity.org: http://www.net-security.org/malware_news.php?id=2148

Radack, S. (n.d.). Security for Wireless Networks and Devices. Retrieved from National Institute of Standards and Technology: http://www.itl.nist.gov/lab/bulletns/bltnmar03.htm

Reisinger, D. (2012, April 4). Enterprise Mobility: Android Security Is a Major Threat: 10 Reasons Why. Retrieved from eWeek - Enterprise Technology News and Reviews: http://www.eweek.com/c/a/Mobile-and-Wireless/Android-Security-Is-a-Major-Threat-10-Reasons-Why-148798/

Reyes, R. R. (2012, June 14). Symantec warns of cyber attack threats on mobile devices. Retrieved from Business Mirror: http://businessmirror.com.ph/home/world/28601-symantec-warns-of-cyber-attack-threats-on-mobile-devices

Ruggerio, P., & Foote, J. (2011). Cyber Threats to Mobile Phones. Pittsburgh, PA: US-CERT.

Smith, J. (2012, June 29). Buyer beware: Mobile payments might not be protected. Retrieved from NextGov: http://www.nextgov.com/mobile/2012/06/buyer-beware-mobile-payments-might-not-be-protected/56540/

Subramanian, K. (2012, February 21). Massive spike in mobile threats in 2011: study. Retrieved from The Hindu: http://www.thehindu.com/sci-tech/gadgets/article2913309.ece

The Economist Business Unit & Booz Allen Hamilton. (2011). Cybersecurity in the Age of Mobility: Building a Mobile Infrastructure that Promotes Productivity. McLean, VA: Booz Allen Hamilton Inc.

Thinesen, E. (2011, November 17). Malware Threats Increase 472% on Google Android Mobile OS Since Summer. Retrieved from IT Pro Portal: http://www.itproportal.com/2011/11/17/malware-threats-increase-google-android-mobile-os-since-summer/
Tolentino, M. (2012, March 29). Mobile Market Boom Leads To Increasing Cyber Threats. Retrieved from SiliconANGLE: http://siliconangle.com/blog/2012/03/29/mobile-market-boom-leads-to-increasing-cyber-threats/

US-CERT. (2010). Technical Information Paper-TIP-10-105-01 Cyber Threats to Mobile Devices. Washington, DC: US-CERT.

Walters, P. (2012). The Risks of Using Portable Devices. Pittsburgh, PA: US-CERT.

Wills, T. (n.d.). Mobile Banking: Emerging Threats, Vulnerabilities and Counter-Measures. Retrieved from Bank Info Security: http://www.bankinfosecurity.com/webinars/mobile-banking-emerging-threats-vulnerabilities-counter-measures-w-285

Worstall, T. (2012, May 22). Apple Won't Let Kaspersky Develop Tools For iOS. Retrieved from Forbes: http://www.forbes.com/sites/timworstall/2012/05/22/apple-wont-let-kaspersky-develop-tools-for-ios/

Wright, J. (2011). An Intense Look at the Mobile Computing Threat. Retrieved from SANS Institute: http://blogs.sans.org/pen-testing/files/2011/10/IntenseLookAtMobileComputingThreat-20111012.pdf