Global Mobile Awards 2014

I’ll once again be judging in the Global Mobile Awards “Best Mobile Identity, Safeguard & Security Products/Solutions” category this year. The deadline for entry submissions is Friday, the 29th of November 2013 at 5pm (GMT). The shortlist will be announced in January 2014 and the awards will be presented at Mobile World Congress.

If you’re planning to enter, there’ll be a live Q&A on the awards on Friday, November the 8th. Follow the GSMA’s Twitter account @GSMA and the hashtag #GMA14 for more details!

If you want to show off your organisation’s success and innovation in the world of telecoms, please enter at the awards page: www.globalmobileawards.com

Good luck!

Mobile World Congress 2013 – The Copper Horse Experience

Copper Horse’s Mobile Security Intern Matt Williams experienced Mobile World Congress for the first time this year. Here’s his write-up on what went on out there:

It was that time of year again, when everyone in the mobile industry gathered in one place to exhibit, network and discover the latest updates in the ever-growing world of mobile phones. As usual, the Copper Horse team were there, from the Friday before the event to the Friday after. And here is a short summary of our experience of the largest ever Mobile World Congress!

The word “ever-growing” used earlier is a more than appropriate term to describe the current state of the mobile industry, as was evident by the scale of this year’s event. Mobile World Congress had moved from its previous home, the Fira Montjuic, across the city of Barcelona (the congress’s current and future host until at least 2018), to the substantially larger Fira Gran Via exhibition centre. The 2013 event consisted of nine Walmart sized halls, six of which were for exhibition stands, with the other three carrying out the roles of registration, a conference village and a theatre district. To walk from the Southern Entrance at Hall 1 to the Northern Entrance at Hall 8 would typically take 15-20 minutes; such was the enormity of the occasion. Consequently, a record 65,000 people were expected to attend (the final totals were over 72,000!). But prior to the new venue even being looked at, the Copper Horse team had a busy weekend of events to attend and people to meet.

The Weekend Before

After some initial settling in on the Friday and Saturday, consisting of networking, tapas tasting at local bars and collecting our badges, we headed up to the Nou Camp, home of Barcelona FC for a once in a lifetime trip to see them play. Along with some other industry colleagues we watched them beat Seville 2-1 in a hard fought game.

Copper Horse’s team were now ready to attend the first mobile-related event of the week – Innovation on the Fringe at MOB (Makers of Barcelona). Hosted by Heroes of the Mobile Fringe, Innovation on the Fringe is the speed-dating equivalent of mobile app demonstrations – time-wise at least! App demonstrators had two minutes to present their ideas, with a further two minutes of questions from an audience containing potential investors. A wide variety of ideas were presented – from neighbourhood change to online authentication with pictures.

Copper Horse’s main role in the event was not to witness the app presentations, but to give out an inaugural award. Namely, the Dead Technology Award – A golden calculator trophy presented to the technology that has either died off or flopped spectacularly in the past year.

Essentially the tech equivalent of the Golden Raspberry Award (Razzie) for Worst Film, attendees at the fringe event were given the opportunity to vote from a shortlist of nine nominees via SMS. At the end of the event, it was decided by the audience that Sony Ericsson’s demise as it was finally subsumed into Sony was to be the first ever winner of this prestigious title. And so it came to be that Sony Ericsson was propelled into Silicon Heaven (as they say in Red Dwarf). So congratulations (or should that be condolences?) to the now ‘deceased’ Sony Ericsson! RIP.

It was a quick dash for some filmed interviews, then back into town. Later on in the evening, it was our turn to become the host, as Copper Horse welcomed security experts from around the world to attend a dinner – now a well-established MWC tradition! The opportunity to talk with other experts in the field was a hugely interesting experience and the event took place at one of Barcelona’s top restaurants. This year’s security dinner provided a great insight into the week ahead at the Fira. And no sooner had the weekend arrived than it was time for the congress to officially begin.

Monday

The primary focus of the first day of Copper Horse’s MWC was the Mobile Security Forum sessions held in the Theatre District of Hall 8. Security sponsors that included AdaptiveMobile, antivirus vendor AVG and network solutions provider Juniper Networks all held individual talks and panel discussions in relation to the world of mobile security. The topics debated were:

  • Securing the Borderless Network
  • Consumer Mobility and Privacy: Monetization without Alienation
  • Offense or Defense: Security in an LTE World

The evening saw a great event hosted by Box. More security, good Tapas and red wine rounded off an excellent first proper day of MWC.

Tuesday

On Tuesday morning, Copper Horse Director David Rogers chaired the UKTI event “Cyber Security in the Mobile World” – a seminar that identified what is meant by “Cyber Security” for mobile devices and networks, what is on the horizon in the context of threats, how genuine the threats are and what security methods could be put into place to make businesses and consumers more secure.

Following on from this were the Global Mobile Awards – We’ve already had the technology equivalent of the Razzies, now it was the turn of the best of the best to be recognised in the mobile industry equivalent of The Oscars. Over six hundred entries and nominees were in contention for the thirty-seven honours. Copper Horse judged in the ‘Best Mobile Safeguard & Security Products and Services’ category, which was won by Adaptive Mobile and Syniverse.

 

Among the other awards given out were Best Smartphone to the Samsung Galaxy S3, Best Mobile Tablet to Google and Asus for the Nexus 7 and the Judges Choice for Best Overall Mobile App to Waze, a mobile navigation app that allows users to add and see real-time traffic updates. The awards, hosted by comedian David Walliams, concluded, after which the team wound down the day at the annual Northern Ireland Beers and Scottish Whiskies – networking events held in close proximity to one another, in the UK section of the Hall 7 exhibitors.

Wednesday

Wednesday was a busy day for the team, with lots of meetings and events. It featured an early morning start at the MEF Kaspersky Breakfast Briefing. This session focused on the latest threats to app users, highlighting the most recent developments in mobile malware. A roundtable discussion and a series of presentations highlighting the scope of the threats took place. The main point to note was that the threat of mobile malware has never been greater, as there were approximately 4000 cases of it reported in 2012, of which 93% were on the Android platform. One of the primary reasons for the large number of cases being on Android devices, in addition to the fact that it is such an open operating system, was that many users ran older versions of the platform, which no longer had the necessary patches available. Overall, the breakfast was a very interesting event to attend.

In the afternoon, the GSMA’s Pat Walshe hosted an event ‘Mobile App Privacy: What’s Your View?’ with speakers from AT&T, Rovio (the makers of Angry Birds), Mozilla and the App Developers Alliance. There was some robust discussion, but there was a clear view that app developers need to focus on their own software quality and pay attention to security more seriously. There was also a good discussion on how small companies suddenly have to deal with regulators and lawsuits and what that growth experience is like.

After attending a few networking events in the evening, the day concluded with one of the best Barcelona parties – Swedish Beers. It’s a great chance to connect with other people as the week at MWC begins to draw to a close, particularly if you find one of the sponsors, who has the free drink tokens!

Thursday

Thursday was the quietest day of the four during MWC. Whilst some visitors had seen what they had come to see and departed Barcelona, there were still plenty of events to explore and exhibitors to meet. Mobile Monday operated a continuous run of presentations, discussions and talks until the congress reached its 4pm closing time, whilst WIPJam saw mobile developers meet for a busy day of storytelling, pitches and demos. Just to show how busy the event was, meetings carried on right up until the last minute of the show. In the last formal Copper Horse meeting of the day, the Fira staff were taking up the carpet and removing screens while the meeting was still going on! The day ended with a quiet Paella (where another ad hoc meeting happened (!)) before a good night’s rest before the journey home. 

Friday

Inevitably, the airport on Friday morning was chaos, with thousands of exhausted delegates desperate to leave. Some more accidental meetings at the airport and then finally, arrival in the UK!

All in all, MWC 2013 was a terrific experience and the busiest year yet for the Copper Horse team. Now starts the planning for next year!  

Combating phone theft – US takes a step forward but is it enough?

It seems that the theft of mobile phones is starting to be recognised in other parts of the world than the UK at the moment. A few of the American newspapers are reporting on the announcement that mobile network operators (or carriers as they are known over there) have done a deal with the FCC to block stolen mobile devices. This is all good news and I don’t want to pour cold water over what is going to be generally good for the consumer in the long term.

This never used to happen in the old days

Why has it taken until now?

The concept of a global blacklist (or Central Equipment Identity Register [CEIR]) for mobile devices has been written in stone (well, the GSM specs) for a very long time. See this paper from mobile security veteran Charles Brookson from 1994, which talks about the CEIR. Operators have quietly ignored this requirement and very few are connected to it. Even local blacklisting has been a problem over the years, with issues over sharing information with other operators inside single countries. The practical difficulties are always cited, as well as cost. Having been involved in a lot of this debate, I can say that a lot of the arguments just don’t wash. As an example, using prohibitive cost as a reason not to maintain a blacklist is laughable. Storage cost is ridiculously low, management is minimal and the operators themselves will see direct benefits from not allowing criminals to hook up stolen phones on their networks. The simple answer to network operator blacklisting is: “where there’s a will, there’s a way”.

Identity changing is not the issue it once was

Another argument that has been frequently wheeled out is that criminals will just change the identity (the IMEI number) of the device to side-step the blocking system. The fact is that IMEI number changing has dropped off massively since the turn of the century as more security has been built into devices (through a lot of effort in a number of industry initiatives). My presentation ‘Mobile Phone Theft: An unsolvable problem?’ from 2011 expands on some of this. There is a 42 day breach reporting process run by the GSM Association which nearly all the manufacturers are involved in. It seems as though the manufacturers have played their part, but it could be argued that the network operators haven’t.

What are governments doing?

It could also be argued that governments haven’t really played their part in all of this. Only the UK has really stepped up and addressed the criminals who actually perpetrate these crimes with legislation and through a dedicated Police unit, the National Mobile Phone Crime Unit. What meaningful steps have other countries taken to protect their citizens from the blight of mobile phone theft?

Are we addressing the right problem any more?

Apparently the US system is going to take two years to become operational and this is where I have a bit of an issue. Development and deployment could probably happen a lot more quickly than this, given that the standards have already existed for nearly 20 years. My other issue is whether we’re addressing the right problem any more. If mobile phones have evolved to the point that they are now more mobile computer than phone, we should look at what will drive a thief. Thieves generally take phones for their inherent value. That is why, historically, blocking a phone’s network access essentially disabled the device and made it valueless. This isn’t the case in 2012. If you block the IMEI number, guess what? Anyone can still use the phone – you can use the WiFi connection to get on the web, you can use WhatsApp and Skype and you’ll still be able to download stuff from app stores. While this remains the case, mobile phone theft is going to continue to be a problem. In some ecosystems, the vendor is actually in a very strong position (think those companies with fruits in the name) and they have actually provided additional tools to help against theft. What they need to make sure of now is that those devices are not ‘re-activated’ after theft.

What can I as a user do to help myself?

  • It sounds a bit obvious, but make sure you use your device PIN-lock feature. It can be a pain to use, but it is highly effective in ensuring that whatever is on your device stays on your device. Although thieves generally just care about selling the device on, you still don’t want all your personal data potentially going astray.
  • Another piece of sensible advice is to be aware of your surroundings; don’t leave your phone on tables in cafes, be careful where you’re using your phone (in dangerous neighbourhoods etc) and when out and about at night. In big cities, tube and metro exits are commonly targeted as people turn their phones on when they surface.
  • And finally, write down your IMEI number – you’ll need this to give to the Police and network operator if your phone ever gets stolen. You can get the number from the back of your handset or by typing in *#06# at the home screen of your phone.

Don’t advertise your phone to thieves

We’re never going to stop people stealing things, but at least in the US and the UK life is being made slightly more difficult for thieves, making things slightly safer for you.

Cyber Security at Mobile World Congress

Here is a re-post of the blog I did for the Smart UK site (@smartukproject) in preparation for Mobile World Congress. I’m doing quite a few things out there, but I’m looking forward to this on the Tuesday morning (28th); it is going to be a great event. There are still places available and I encourage anyone interested in mobile security and fraud related topics to sign up.


The UK government recently published the Cyber Security Strategy. What implications does this have for the mobile industry and society at large? With the mobile device at the centre of nearly everyone’s life, the integrity of mobility is paramount. The mobile industry has weathered a variety of security incidents over the years but has been relatively successful in comparison to other industries. Can any lessons be learnt from the past successes of mobile that will help for the future? Is the industry living on borrowed time?

This year’s UKTI and ICT KTN Mobile World Congress seminar, Cyber Security in the Mobile World, will look at the vast array of subjects which now come under mobile security – from cyber bullying between children and fraud against telephony systems through to emerging technologies such as machine-to-machine and LTE infrastructure. Crossing all of these varied topics are industry needs such as the lack of security-aware software engineers and the need to prosecute criminals who defraud or attack electronic systems.

While the mobile industry has made great efforts to learn from the past mistakes of the PC world in terms of security, the anti-virus industry has reached saturation in its traditional space. Do mobile devices really need anti-virus or can newer operating systems and technologies negate the need for this type of end point security? Can these companies transform their business models to the changing mobile security landscape and continue to provide a useful service to consumers? How can application stores and developer programmes be improved?

We are pleased to have some of the world’s leading mobile security experts speaking at the event next week. Make sure you sign up as soon as possible in order to reserve your place.

David Rogers runs http://blog.mobilephonesecurity.org. He is also advising the UK Department for Business, Innovation & Skills on Cyber Security for mobile.

Global Mobile Awards 2012 – Spread the Word

So here we are, before Christmas talking about Mobile World Congress (MWC). This is normal in the mobile industry – most companies in the industry are busily working on demos, deciding who to meet and sorting out stands. #mwc12 is after all, the biggest event in the 2012 calendar for the mobile industry. As a regular, it was sad not to be able to make it to 2011’s MWC, but I’m really looking forward to going back in 2012. Like most Brits, I made sure I had my flights from Heathrow booked back in March!

This year, I am also heading over as a judge for the Global Mobile Awards 2012. I am very honoured to have been asked to judge in the Best Technology category – for Best Technology Product or Solution for Safeguarding and Empowering Customers. The product or solution must have been launched and commercially available prior to the closing deadline – which is very soon – the 30th of November 2011. I’d like to encourage entries. If you think your product or solution fits the bill, make sure you register your entry. More details on the criteria can be found on the award page. The judging criteria will be as follows:

  • How does the use of your technology safeguard and protect mobile users’ privacy and/or security?
  • Does your technology prevent fraud against the operator?
  • How does this technology improve the end user experience?
  • Does this technology allow access to new services by illuminating privacy and security issues?

If you know anyone who you think should enter this, make sure you spread the word! Good luck to all the entrants and to the rest of you, let me know if you’re coming to Barcelona!

M2M security is important but more importantly, how do we make money?

That’s the story of last night’s Mobile Monday in London. As with all marketing catchphrases, the panel struggled to properly define machine-to-machine (M2M), with one describing it as more machine-to-network. Accenture’s David Wood (@dw2) presented quite a pragmatic view stating that there are likely to be multiple different eco-systems of machines talking to other machines in specific industries. He pointed out that big incumbents would try to control the technology to the extent that the revenue continues heading their way which is something that would hinder development as it did with Smart Phones in the past. The prediction of a Smart Barbie drew some sniggers in the audience but it does seem that the toy industry are quite on the ball so they will almost definitely exploit this kind of technology.

A long list of applications from healthcare through to construction and industrial controls were brought forward by the presenters with Ericsson’s Tor Bjorn Minde (@ericssonlabs) predicting 50 billion devices by 2020. This is an incredible number but is probably realistic. The number of transducers around far exceeds that now. In my view what we are more likely to see is similar to existing Distributed Control Systems (DCS) which have been in industry for years (I was working with one back in 1996). The transducers are connected back to one host system for the plant in a private network. Looking into this today, I see that industrial control systems already use wireless networks, so we’re already into a healthy M2M world, it just isn’t branded as such by the marketing people. Let’s also not forget that the WiFi connected fridge and vacuum cleaner already exist, they’re just not mainstream yet. It will probably take NFC tags on every product in your fridge to make that a hassle-free, useful product that people want (automatic ordering, recipe creator etc.). I guess that’ll mean a new fridge in every home…

Dan Warren from the GSMA (@tmgb) talked about embedded SIM and how to prevent SIM cards being stolen from smart meters and traffic lights. He also raised an important point that “you don’t need to drive test a fridge” – mobility isn’t that important for a lot of M2M applications. William Webb from Neul suggested that using the white space spectrum in the UHF space (which is bigger than the WiFi band) could be an opportunity for low-power devices talking to each other.

Camille Mendler (@cmendler) mentioned that people wanted to know “is it safe?”. There was no real discussion of this but one of the panelists privately told me afterwards that they didn’t want to go anywhere near safety critical software for applications such as automotive. As I’ve previously discussed, there needs to be some real discussion on this in the mobile phone industry as it is a relatively new area for handset manufacturers and operators. Going back to DCS systems, being able to control a valve is co-dependent on the status of other transducers in the system such as flow sensors, hardware interlocks and non-return valves. This is absolutely critical because human error can often cause huge safety issues. In a DRAM fab, you don’t want to open a silane valve if you’ve not purged it with nitrogen first (Silane is pyrophoric and this specific example has killed people in explosions in fabs in the past). Now think about your own home – what would happen if you remotely turned the oven onto full but the gas didn’t light? Consumer goods are certified for safety (e.g. CE marking) but there will need to be new certifications in place for remote control, including that the embedded software is fit for purpose.

The big question on everyone’s lips was “who is going to make money?” and the answer didn’t seem forthcoming. On Twitter, there was more talk of Arduino, which I blogged about the other day in relation to Android@Home. After my question about whether Google could be in a position to clean up here, the panel dismissed this a little bit, stating that this was what everyone used to say about Microsoft. It may have been that the panel hadn’t seen the announcements at Google I/O but I do see this as a real possibility.

All the panelists mentioned security as being paramount but didn’t elaborate on it with David Wood saying that “security issues will bite us”. I think that hits the nail on the head but the audience nodding in agreement seemed to me like lemmings heading forward towards the cliff “because there’s money to be made!”.

One attendee didn’t like the idea of being tracked around the supermarket and questioned privacy. Again, the concerned faces and “yes that is a challenge” response. “Yes but think about the nectar points!” I hear them cry.

So in summary, I think the really big issues are safety and security and there could be some serious money to be made out of looking at those issues – existing M2M installations are already under attack. A lot of people seem to be glossing over those issues in favour of the money to be made. There’ll be lots of sensors out there reporting to create the ‘internet of things’ that developers crave, but the interesting stuff should and will be firewalled and secured and ultimately heavily tested and regulated.