Smart phones pose emerging security threat

Although vulnerability is inherent to data-in-motion, defense insiders say the latest innovation on the network – the smart phone – is proving especially vexing.

Specifically, insiders lament that encrypted systems, which often take years to develop, can be undone in a nanosecond when a soldier in battle grabs for an off-the-shelf iPhone and starts hemorrhaging secrets.

Related coverage:

Army unruffled by smart-phone cyber vulnerability

Security needs high as defense networks evolve

Android headed to DOD’s classified networks

“While we have strong encryption mechanisms, if personnel don't use them, they can't be effective,” said LCDR C.T. O’Neil, chief of media relations at the Coast Guard.

Indeed, such intelligence leaks can be especially devastating when artillery is raining down on troops, and they’re forced to tape together a network that might not meet the "white glove" test.

“Workarounds create the biggest vulnerabilities,” said Loc Nguyen, sales development representative at WhiteHat Security. “When individually designed systems are married together to serve as temporary solutions, standard operating procedures don’t exist to guarantee proper usage and best practices.”

Also, smart phones can be equally disarming during downtime, when soldiers post messages about their exploits, their concerns – or simply how their day is going – over popular social networks such as Facebook, Twitter or any number of other similar services.

Meanwhile, insiders also worry that even military grade smart phones can be transformed into unwitting, on-the-go informants if the phone’s underlying software is compromised by the enemy.

“A smart phone is essentially a camera, a microphone and a GPS locator,” said Barry Hensley, senior director of the Counter Threat Unit Research Group at Dell SecureWorks. “If a hacker were to break into someone’s smart phone via an e-mail spoof, Web exploit or via any other way, he would then have access to anything that goes on within that smart phone. He could listen in on calls, see all incoming and outgoing e-mails, see all the websites the smart phone user visits and via the smart phone’s GPS system, the hacker would know where that person, holding the smart phone, is at all times.”

That problem is often magnified if a compromised smart phone happens to be a model that is especially popular among the rank-and-file.

“The increasing use of off-the-shelf technologies by the military makes it increasingly susceptible to the monoculture effect [a faster spreading of diseases] – which increases the number of systems affected by common vulnerabilities,” said Dan Brown, senior security researcher at Bit9.

Equally nettlesome for those who would secure data-in-motion is the same problem that has always plagued armed forces: human error. “There are often ways to skirt encryption, for example, when systems are misconfigured,” Brown said.

Scott Montgomery, vice president of public sector solutions at McAfee, sees the seemingly endless availability of smart phone apps as especially threatening.

“In my opinion, the single biggest challenge is the validation, acceptance, download location and protection of the apps that will be approved for use,” Montgomery said. “The two largest providers of app stores – marketplaces -- have wildly different approaches. One allows anyone to put an app into the marketplace unfettered and unexamined, ‘let the buyer beware’ being the only protection for the user and his or her organization. The other performs a security examination of the app prior to permitting it.

“This challenge – the security of the apps: where do the apps come from, where are users permitted to download them from, how are they vetted, who has access to them, and how is the user validated, is the paramount security issue facing military organizations in their quest to allow powerful mobile computing tools into their missions.”

Richard Forno, graduate program director for cybersecurity at the University of Maryland Baltimore County, has his own concerns, many of them about the cloud.

“One key area of emerging concern is data-in-motion within a cloud -- i.e., ensuring that data is protected as it transits and/or exists in multiple servers at the same time, and by extension, the issue of ‘availability’ of data in a cloud environment,” Forno said. “The more moving parts you have to deal with, the easier it is to gum up the works, inadvertently cause self-inflicted problems, or make it easier for an adversary to do the same thing.”

Yet another easy target: the smart phone’s nimble nature. The wonders of the technological age are engineered to leapfrog from one communications network to another in its relentless search for the best signal -- a boon for consumers.

But it’s a nightmare for troops in enemy territory, where secure and insecure networks often intersect. “Mobile phones that lose a 3G signal will automatically connect via 2G, if a 2G signal is lost it reverts to 1G, etc.,” said Dell’s Hensley. “Smart phones may automatically connect to carrier-operated WIFI ‘hotspots’ -- or even any unencrypted WiFi network.”

Essentially, troops using smart phones that are bouncing from one network to another may never be sure they are on a secure channel. Even worse, they may never even be able to determine which network they’re using at any given time, Hensley said.

Here's another tough nut: smart phones are tougher to update than other communications devices. For example, a single security fix for Google Android software requires three different parties to sign off on the update: the operating system maker, the phone maker, and the signal carrier, Hensley said.

If any single player refuses to green light the change, the security flaw remains.

Even the everyday guts of the average smart phone are suspect. “Supply chains are extremely complicated,” said Bit9’s Brown. “It’s extremely difficult to guarantee that all the equipment the military uses is completely free from parts supplied by, for example, China.”

The upshot is that no one software maker, manufacturer or military entity is close to offering an all-in-solution to neutralize all the data-in-motion soft spots that smart phones create. However, there have been some tactical gains in some areas, and concrete plans to combat others.

For example, the Defense Department is starting to filter social media posts to eliminate intelligence leaks. “The DOD has started to require and implement more sophisticated content filtering technology to scan, detect, and eliminate confidential and/or malicious data in communications with family and friends,” said Randy Lee, director of federal engineering at Fortinet. “These content filtering appliances are very small, which enables putting advanced network security into more portable units for field/combat deployment and inline network devices.”

Military contractors are also pushing for the adoption of two-factor authentication – or requiring two passwords instead of one to enter an application – a practice that is already used online by many U.S banks, according to Lee.

Meanwhile, Dell has rolled out an enhanced version of Google’s Android operating system, which uses government-certified encryption for both data-in-motion and data at rest, according to Hensley.

“Dell worked with the DOD so it can control and administer the device if it is lost or stolen,” Hensley added. “The military can wipe the device and lock the device so no one can use it.”

And McAfee is working with DOD to enable military efforts manned by coalition forces from many nations to share data-in-motion on a need-to-know basis – while keeping nation-specific secrets classified, according to McAfee’s Montgomery.

On the horizon, government contractors are pushing for smart phones that would have multiple personas – much like PCs have one account for an administrator, another for an everyday user and a third for a guest, Montgomery said.

Such smart phones would offer a logon persona for non-military uses such as game playing, another persona for business-type applications and a third, ‘secret’ persona that would be reserved solely for military approved apps and encrypted communications.

And Fortinet’s Lee expects more data-in-motion networks to begin authenticating users based on their behavior and reputation on a network, rather than authenticating them by signature.

“Why this is a game changer is that it will enable IT organizations to detect threats like the Wikileaks case, where an authorized user harvested data from authorized sources before distributing it,” Lee said.

As Ray Letteer, chief of the cybersecurity division at the Marine Corps, says, “It is a consistent cat-and-mouse game.”