BYOD: Mobile Devices Threats and Vulnerabilities
Mobile devices typically need to support multiple security objectives. These can be accomplished through a combination of security features built into the mobile devices and additional security controls applied to the mobile devices and other components of the enterprise IT infrastructure. The most common security objectives for mobile devices are as follows:
- ConfidentialityEnsure that transmitted and stored data cannot be read by unauthorized parties.
- IntegrityDetect any intentional or unintentional changes to transmitted and stored data.
- AvailabilityEnsure that users can access resources using mobile devices whenever needed.
To achieve these objectives, mobile devices should be secured against a variety of threats. Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices (e.g., desktop and laptop devices only used within the organization's facilities and on the organization's networks). Before designing and deploying mobile device solutions, organizations should develop system threat models for the mobile devices and the resources that are accessed through the mobile devices. Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added. Threat modeling helps organizations to identify security requirements and to design the mobile device solution to incorporate the controls needed to meet the security requirements. The major security concerns for these technologies that would be included in most mobile device threat models are discussed below.
Mobile devices are typically used in a variety of locations outside the organization's control, such as employees' homes, coff e shops, hotels, and conferences. Even mobile devices used only within an organization's facilities are often transported from place to place within the facilities. The devices' mobile nature makes them much more likely to be lost or stolen
than other devices, so their data are at increased risk of compromise. When planning mobile device security policies and controls, organizations should assume that mobile devices will be acquired by malicious parties who will attempt to recover sensitive data either directly from the devices themselves or indirectly by using the devices to access the organization's remote resources.
The mitigation strategy for this is layered. One layer involves protecting sensitive dataeither encrypting the mobile device's storage so that sensitive data cannot be recovered from it by unauthorized parties, or not storing sensitive data on mobile devices. Even if a mobile device is always in the possession of its owner, there are other physical security risks, such as an attacker looking over a teleworker's shoulder at a coffee shop and viewing sensitive data on the mobile device's screen (e.g., a password being entered). A second mitigation layer involves requiring authentication before gaining access to the mobile device or the organization's resources accessible through the device. A mobile device usually has a single authenticator not a separate account for each user of the deviceas it is assumed that the device has only one user. So there is no username, just a password, which is often a personal identification number (PIN). More robust forms of authentication, such as domain authentication, can be used instead of or in addition to the built-in device authentication capabilities.
Use of Untrusted Mobile Devices and Networks
Many mobile devices, particularly those that are personally owned (BYOD), are not necessarily trustworthy. Current mobile devices lack the root of trust features that are increasingly built into laptops and other types of hosts. There is also frequent jailbreaking and rooting of mobile devices, which means that the built-in restrictions on security, operating system use, and so on have been bypassed. Organizations should assume that all phones are un-trusted unless the organization has properly secured them before user access is granted and monitors them continuously while in use with enterprise applications or data.
There are several additional possible mitigation strategies related to the use of un-trusted mobile devices. One option is to restrict or prohibit the use of BYOD devices, thus favoring organization-issued devices. Another effective technique is to fully secure each organization-issued phone before allowing it to be used; this gets the phone in as trusted a state as possible when initially deployed, and deviations from this secure state can be monitored and addressed. There are also technical solutions for achieving the degrees of trust, such as running the organization's software in a secure, isolated sandbox on the phone, or using device integrity scanning applications.
Because mobile devices primarily use non-organizational networks for Internet access, organizations normally have no control over the security of the external networks the devices use. Communications systems may include broadband networks, such as cable, and wireless mechanisms such as Wi-Fi and cellular networks. These communications systems are susceptible to eavesdropping, which places sensitive information transmitted at risk of compromise. Man-in-the-middle attacks may also be performed to intercept and modify communications. Unless it is absolutely certain that the mobile device will not be used on any networks that are not controlled by the organization or any other un-trusted networks, organizations should plan their mobile device security on the assumption that the networks between the mobile device and the organization cannot be trusted. Risk from the use of unsecured networks can be reduced by using strong encryption technologies to protect the confidentiality and integrity of communications, as well as using mutual authentication mechanisms to verify the identities of both end points before transmitting data.
Use of Applications Created by Unknown Parties
Mobile devices are designed to make it easy to find, acquire, install, and use third-party applications. This poses obvious security risks, especially for mobile device platforms that do not place security restrictions or other limitations on third-party application publishing. Organizations should plan their mobile device security based on the assumption that unknown third-party mobile device applications downloadable by users should not be trusted.
Risk from these applications can be reduced in several ways, such as prohibiting all installation of third-party applications, implementing white-listing to prohibit installation of all unapproved applications, or implementing a secure sandbox that isolates the organization's data and applications from all other data and applications on the mobile device.
Another general recommendation is to perform a risk assessment on each third-party application before permitting its use on the organization's mobile devices.
It is important to note that even if these mitigation strategies are implemented for third-party applications, users can still access un-trusted webbased applications through browsers built into their mobile devices. The risks inherent in this can be reduced by prohibiting or restricting browser access, or by using a separate browser within a secure sandbox for all browser-based access devices related to the organization, leaving the mobile device's built-in browser for other uses.
Interaction with Other Systems
Mobile devices may interact with other systems in terms of data synchronization and storage. Local system interaction generally involves connecting a mobile device to a desktop or laptop via a cable for charging and/or syncing. Remote system interaction most often involves automatic backups of data to a cloud-based storage solution. When all of these components are under the organization's control, risk is generally acceptable, but often one or more of these components are external. Examples include attaching a personally owned mobile device to an organization-issued laptop, attaching an organization-issued mobile device to a personally owned laptop, and attaching an organization-issued mobile device to a remote backup service. In all of these scenarios, the organization's data are at risk of being stored in an unsecured location outside the organization's control; transmission of malware from device to device is also a possibility.
The mitigation strategies depend on the type of attachment. Preventing an organization-issued mobile device from syncing with a personally owned computer necessitates security controls on the mobile device that restrict the devices it can synchronize with. Preventing a personally owned mobile device from syncing with an organization-issued computer necessitates security controls on the organization-issued computer, restricting the connection of mobile devices. Finally, preventing the use of remote backup services can possibly be achieved by blocking use of those services (e.g., not allowing the domain services to be contacted) or by configuring the mobile devices not to use such services.
Use of Un-Trusted Content
Mobile devices may use un-trusted content that other types of devices generally do not encounter. An example is Quick Response (QR) codes. They are specifically designed to be viewed and processed by mobile device cameras. Each QR code is translated to a uniform resource locator (URL), so malicious QR codes could direct mobile devices to malicious websites. This could allow for targeted attacking, such as placing malicious QR codes at a location where targeted users gather.
A primary mitigation strategy is to educate users on the risks inherent in un-trusted content and to discourage users from accessing un-trusted content with any mobile devices they use for work. It is also possible to restrict peripheral use on mobile devices, such as disabling camera use in order to prevent QR codes from being processed.
Use of Location Services
Mobile devices with GPS capabilities typically run what are known as location services. These services map a GPS-acquired location to the corresponding businesses or other entities close to that location. Location services are heavily used by social media, navigation, web browsers, and other mobile-centric applications. In terms of organization security, mobile devices with location services enabled are at increased risk of targeted attacks because it is easier for potential attackers to determine where the user and the mobile device are, and to correlate this information with other sources about who the user associates with and the kinds of activities they perform in particular locations.
This situation can be mitigated by disabling location services or by prohibiting the use of location services for particular applications such as social networking or photo applications. Users may also be trained to turn off location services when in sensitive areas. However, a similar problem can occur even if GPS capabilities or location services are disabled. It is increasingly common for websites and applications to determine a person's location based on their Internet connection, such as a Wi-Fi hotspot or Internet Protocol (IP) address range. The primary mitigation for this is to opt out of location services whenever possible.
Technologies for Mobile Device Management
Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and personally owned mobile devices by enterprise users. In addition to managing the configuration and security of mobile devices, these technologies offer other features, such as providing secure access to enterprise computing resources. This section provides an overview of the current state of these technologies, focusing on the technologies' components, architectures, and capabilities.
Components and Architectures
There are two basic approaches to centralized mobile device management: use a messaging server's management capabilities (often from the same vendor that makes a particular brand of phone) or use a product from a third party, which is designed to manage one or more brands of phone. It may be possible with the latter approach to have a single product that can manage multiple brands of phones desired for use within an enterprise. However, a product provided by a phone manufacturer may have more robust support for the phones than third-party products. It is outside the scope of this publication to recommend one approach over the other; both approaches can provide the necessary centralized management functionality.
Architecturally, both approaches to centralized mobile device management are quite similar. The typical solution has a straightforward client/ server architecture. The enterprise contains one or more servers that provide the centralized management capabilities, and one or more client applications are installed on each mobile device and configured to run in the background at all times. If the device is issued by the organization, the client application typically manages the configuration and security of the entire device. If the device is BYOD, the client application typically manages only the configuration and security of itself and its data, not the entire device. The client application and data are essentially sandboxed from the rest of the device's applications and data, both helping to protect the enterprise from a compromised device and helping to preserve the privacy of the device's owner.
The centralized mobile device management may make use of other enterprise services, such as domain authentication services and virtual private networking (VPN) services.
If there is not a centralized management solution, or certain mobile devices cannot use it, mobile devices have to be managed individually and manually. In addition to the additional resources expended, there are two major security problems with this:
- The security controls provided by a mobile device often lack the rigor of those provided by a centralized mobile device management client application. For example, a mobile device often supports only a short passcode for authentication and may not support strong storage encryption. This will necessitate acquiring, installing, configuring, and maintaining a variety of third-party security controls that provide the missing functionality.
- It may not be possible to manage the security of the device when it is not physically present within the enterprise. It is possible to install utilities that manage devices remotely, but it will require significantly more effort to use such utilities to manually apply updates and perform other maintenance and management tasks with out-of-office mobile devices.
This section describes security services commonly provided for mobile devices. These services apply to the entire mobile device (if it is wholly managed) or to the mobile device's secure sandbox, unless explicitly noted otherwise. These services are equally relevant for centrally managed or individually managed mobile devices.
Most organizations will not need all of the security services listed in this section. Organizations deploying mobile devices should consider the merits of each security service, determine which services are needed for their environment, and then design and acquire one or more solutions that collectively provide the necessary services.
- General policy.The centralized technology can enforce enterprise security policies on the mobile device, including (but not limited to) other policy items listed. General policy restrictions of particular interest for mobile device security include the following:
- Restrict user and application access to hardware, such as the digital camera, GPS, Bluetooth interface, universal serial bus (USB) interface, and removable storage.
- Restrict user and application access to the built-in web browser, e-mail client, application installation services, and so on.
- Manage wireless network interfaces (Wi-Fi, Bluetooth, etc.).
- Automatically monitor, detect, and report when policy violations occur.
- Data communication and storage
- Strongly encrypt data communications between the mobile device and the organization. This is most often in the form of a VPN, although it can be established through other uses of encryption.
- Strongly encrypt stored data on both built-in storage and removable media storage. Removable media can also be "bound" to particular devices such that encrypted information can only be decrypted when the removable media is attached to the device, thereby mitigating the risk of offline attacks on the media.
- Remotely wipe the device (to scrub its stored data) if it is suspected that the device has been lost, stolen, or otherwise fallen into un-trusted hands and is at risk of having its data recovered by an un-trusted party. A device often can also be configured to wipe itself after a certain number of incorrect authentication attempts.
- User and device authentication
- Require a password/passcode and/or other authentication (e.g., domain authentication) before accessing the organization's resources. This includes the basic parameters for password strength and a limit on the number of retries permitted without negative consequences (e.g., locking out the account, wiping the device).
- If device account lockout is enabled or the device password/passcode is forgotten, an administrator can reset this remotely to restore access to the device.
- Have the device automatically lock itself after it is idle for a certain period (e.g., 5 minutes).
- Restrict which applications may be installed through whitelisting (preferable) or blacklisting.
Install, update, and remove applications.
- Restrict the use of synchronization services (e.g., local device synchronization, remote synchronization services, and websites).
Digitally sign applications to ensure that only applications from the trusted entities are installed on the device and their code has not been modified.
Distribute the organization's applications from a dedicated mobile application store.
- Limit or prevent access to the enterprise based on the mobile device's operating system version (including whether the device has been rooted/jailbroken) or its mobile device management software client version (if applicable). Note that this information may be spoofable.
Read more IT Performance Improvement
Certain names and logos on this page and others may constitute trademarks, servicemarks, or tradenames of
Taylor & Francis LLC. Copyright © 20082014 Taylor & Francis LLC. All rights reserved.