Bring Your Own Dilemma

Matt Williams sums up a couple of events last week on BYOD:

Bring Your Own Device (BYOD) is proving to be a big challenge among business directors. Many employers are looking to the idea of their employees taking their own mobile phones with them to work, for use in the day job.

Last week, I attended two events, both of which featured BYOD as the subject of focus. The first of these was the Mobile Monday panel discussion: BYOD – A Faustian Pact? Held at Centre Point in London, Copper Horse Director David Rogers was chairman for the session and panellists were from companies such as Blackberry and Telefonica O2. The greatest aspect of the discussion was, in addition to the interesting points raised by the panel, the interactivity between the panellists and an audience that was one of the most active I’ve seen. It provided some stimulating talk, which was occasionally punctuated by an audience show of hands on questions such as “Do you regularly use mobile banking?”. What was surprising to me was that the majority of the audience raised their hand to that.

David Rogers (Copper Horse) chairing the BYOD panel at Mobile Monday, with Mubaloo’s Gemma Coles speaking.
Event number two was an online webinar titled Mobile Apps – The Danger of Making Security an Afterthought. This time, David switched to the role of panellist to join fellow guest speakers from the likes of IBM and Sanofi as a discussion took place surrounding mobile app security.

The primary reasons behind implementing BYOD are to: increase flexibility, improve productivity and reduce cost for the organisation by not having to purchase ‘work phones’ for staff. However, there are important issues to consider for decision makers. And after attending these events, here are my thoughts on the subject:

  • BYOD is a balance of trust – A big question mark before embarking on implementing the idea of BYOD is – do employers trust their employees enough? Employers must expect and believe that their staff are capable of using their devices to an acceptable standard, be it at work (from the basics of refraining from making personal calls to not engaging in dangerous or illegal activities) or, on a more general level, by having the nous to make sure that their device is as safe as it can be from outside threats. However, this all comes down to a piece of paper – the policy that’s written and implemented by the company and signed up to by the employee. In truth, employers are just giving in to the reality of the fact that their staff are bringing in their own devices anyway and the company has no control whatsoever.
  • BYOD is a balance of separation between work and home life – One of the largest considerations for an employer is that their employees’ work and home lives do not intertwine to a great extent. Of course, this depends on the role. For some staff, normally lower down the ladder of employment, it is a case of when the clock hits 5pm, work for the day is over and can be resumed at 9am the following day. But for other individuals, be it company directors or those whose job requires them to be ‘on call’, work becomes more of a continuous element of their lives. For the former, having work-related emails and calls coming through at hours when an employee is meant to have finished work for the day is a problem that needs to be considered. So where is the line drawn between work and play?
  • App permissions are a large consideration for employers seeking to implement BYOD – It’s not so much about what type of apps employees are downloading to their phones, it’s the permissions that the applications ask for upon being downloaded that is the problem. Your mobile number, contacts and location are just some of the many examples of types of information that can be gathered by a mobile app. And depending on the type of work an individual’s business carries out, employers may not be so keen to let users reveal particular data. There are data protection obligations too. Ultimately, the phone belongs to the employee, but there may be situations where restrictions need to be in place so that their work for a company isn’t compromised. This needs to be addressed via remote mobile device management (MDM) tools, but is that too intrusive into the personal side of things?
  • Policies: A simple one-time checklist or an ever-changing nightmare? – Whilst a BYOD policy outlines the rules set by an employer which an employee must abide by, a device policy addresses the issues of what features of the phone the employee is able to use – and this is a problem when it comes to BYOD. Employees’ phones are all so different, suited on a work level for their particular role and on a non-work level in terms of personal preferences, e.g. the type of apps they download (and the sensitive access to features which come with them). So is it the case that tailored device policies are required, in conjunction with their phone settings, or is it possible to roll out a generalised device policy for all to agree by? Or is it a combination of the two, where a middle ground needs to be identified? Technology and the components of it are changing all the time, with mobile phone applications being updated regularly as well as the device, platform and browser software. So is it the case that an employee’s device policy needs to be looked at after every individual change? The word “impractical” springs to mind, particularly in a large organisation. But regular changes made to phones will include addressing security features from time to time, so whose responsibility is it to take care of security in BYOD?
  • The responsibility of mobile application security is still ‘up in the air’ – Following on from the previous two points, a poll was taken during the webinar, asking attendees whether they believed the responsibility of mobile app security should be down to IT departments. Over 25% of the voters answered with the option that it is down to IT. However, the remaining voters disagreed, with the majority of those saying that responsibility should be shared across more than one area. In the area of BYOD, security is surely something that users should be involved in, but is it something that they are wholly responsible for? To have each individual employee notifying their organisation about updates to their phone and how it affects their policy again seems impractical. Overall, the responsibility is definitely something that in my opinion needs to be shared, but how and exactly who with remains to be seen.
As is clear, there are a plethora of questions that need to be answered before BYOD can be implemented, regardless of a company’s size. But I suppose the ultimate question is – do the benefits outweigh the drawbacks? Another audience show of hands was taken at the conclusion of the Mobile Monday panel discussion, asking whether the advantages of BYOD outweighed the disadvantages. The advantages had it, but by a narrow margin, so this example further evidences the fact that although BYOD is being increasingly taken up by organisations, there are still major hang-ups with the idea that need to be considered meticulously by an employer before the implementation process can begin. It remains, for now, a difficult subject.

Mobile World Congress 2013 – The Copper Horse Experience

Copper Horse’s Mobile Security Intern Matt Williams experienced Mobile World Congress for the first time this year. Here’s his write-up on what went on out there:

It was that time of year again. When everyone in the mobile industry gathered in one place to exhibit, network and discover the latest updates in the ever-growing world of mobile phones. As usual, the Copper Horse team were there, from the Friday before the event to the Friday after. And here is a short summary of our experience of the largest ever Mobile World Congress!

The word “ever-growing” used earlier is a more than appropriate term to describe the current state of the mobile industry, as was evident from the scale of this year’s event. Mobile World Congress had moved from its previous home, the Fira Montjuic, across the city of Barcelona (the congress’s current and future host until at least 2018), to the substantially larger Fira Gran Via exhibition centre. The 2013 event consisted of nine Walmart-sized halls, six of which were for exhibition stands, with the other three carrying out the roles of registration, a conference village and a theatre district. To walk from the Southern Entrance at Hall 1 to the Northern Entrance at Hall 8 would typically take 15-20 minutes; such was the enormity of the occasion. Consequently, a record 65,000 people were expected to attend (the final total was over 72,000!). But prior to the new venue even being looked at, the Copper Horse team had a busy weekend of events to attend and people to meet.

The Weekend Before

After some initial settling in on the Friday and Saturday, consisting of networking, tapas tasting at local bars and collecting our badges, we headed up to the Nou Camp, home of Barcelona FC, for a once-in-a-lifetime trip to see them play. Along with some other industry colleagues we watched them beat Seville 2-1 in a hard-fought game.

Copper Horse’s team were now ready to attend the first mobile-related event of the week – Innovation on the Fringe at MOB (Makers of Barcelona). Hosted by Heroes of the Mobile Fringe, Innovation on the Fringe is the speed-dating equivalent of mobile app demonstrations – time-wise at least! App demonstrators had two minutes to present their ideas, with a further two minutes of questions from an audience containing potential investors. A wide variety of ideas were presented – from neighbourhood change to online authentication with pictures.

Copper Horse’s main role in the event was not to witness the app presentations, but to give out an inaugural award. Namely, the Dead Technology Award – A golden calculator trophy presented to the technology that has either died off or flopped spectacularly in the past year.

Essentially the tech equivalent of the Golden Raspberry Award (Razzie) for Worst Film, the award was decided by attendees at the fringe event, who were given the opportunity to vote from a shortlist of nine nominees via SMS. At the end of the event, the audience chose Sony Ericsson’s demise, as it was finally subsumed into Sony, as the first ever winner of this prestigious title. And so it came to be that Sony Ericsson was propelled into Silicon Heaven (as they say in Red Dwarf). So congratulations (or should that be condolences?) to the now ‘deceased’ Sony Ericsson! RIP. You can watch the video of the shortlist below:

It was a quick dash for some filmed interviews, then back into town. Later on in the evening, it was our turn to become the host, as Copper Horse welcomed security experts from around the world to attend a dinner – now a well-established MWC tradition! The opportunity to talk with other experts in the field was a hugely interesting experience and the event took place at one of Barcelona’s top restaurants. This year’s security dinner provided a great insight into the week ahead at the Fira. And no sooner had the weekend arrived than it was time for the congress to officially begin.

Monday

The primary focus of the first day of Copper Horse’s MWC was the Mobile Security Forum sessions held in the Theatre District of Hall 8. Security sponsors that included AdaptiveMobile, antivirus vendor AVG and network solutions provider Juniper Networks all held individual talks and panel discussions in relation to the world of mobile security. The topics debated were:

  • Securing the Borderless Network
  • Consumer Mobility and Privacy: Monetization without Alienation
  • Offense or Defense: Security in an LTE World

The evening saw a great event hosted by Box. More security, good tapas and red wine rounded off an excellent first proper day of MWC.

Tuesday

On Tuesday morning, Copper Horse Director David Rogers chaired the UKTI event “Cyber Security in the Mobile World” – a seminar that identified what is meant by “Cyber Security” for mobile devices and networks, what is on the horizon in the context of threats, how genuine the threats are and what security methods could be put into place to make businesses and consumers more secure.

Following on from this were the Global Mobile Awards – We’ve already had the technology equivalent of the Razzies, now it was the turn of the best of the best to be recognised in the mobile industry equivalent of The Oscars. Over six hundred entries and nominees were in contention for the thirty-seven honours. Copper Horse judged in the ‘Best Mobile Safeguard & Security Products and Services’ category, which was won by Adaptive Mobile and Syniverse.


Among the other awards given out were Best Smartphone to the Samsung Galaxy S3, Best Mobile Tablet to Google and Asus for the Nexus 7 and the Judges’ Choice for Best Overall Mobile App to Waze, a mobile navigation app that allows users to add and see real-time traffic updates. After the awards, hosted by comedian David Walliams, had concluded, the team wound down the day at the annual Northern Ireland Beers and Scottish Whiskies – networking events held in close proximity to one another, in the UK section of the Hall 7 exhibitors.

Wednesday

Wednesday was a busy day for the team, with lots of meetings and events. It featured an early morning start at the MEF Kaspersky Breakfast Briefing. This session focused on the latest threats to app users, highlighting the most recent developments in mobile malware. A roundtable discussion and a series of presentations highlighting the scope of the threats took place. The main point to note was that the threat of mobile malware has never been greater, as there were approximately 4000 cases of it reported in 2012, of which 93% were on the Android platform. One of the primary reasons for the large number of cases being on Android devices, in addition to the fact that it is such an open operating system, was that many users ran older versions of the platform, which no longer had the necessary patches available. Overall, the breakfast was a very interesting event to attend.

In the afternoon, the GSMA’s Pat Walshe hosted an event ‘Mobile App Privacy: What’s Your View?’ with speakers from AT&T, Rovio (the makers of Angry Birds), Mozilla and the App Developers Alliance. There was some robust discussion, but there was a clear view that app developers need to focus on their own software quality and pay attention to security more seriously. There was also a good discussion on how small companies suddenly have to deal with regulators and lawsuits and what that growth experience is like.

After attending a few networking events in the evening, the day concluded with one of the best Barcelona parties – Swedish Beers. It’s a great chance to connect with other people as the week at MWC begins to draw to a close, particularly if you find one of the sponsors, who has the free drink tokens!

Thursday

Thursday was the quietest day of the four during MWC. Whilst some visitors had seen what they had come to see and departed Barcelona, there were still plenty of events to explore and exhibitors to meet. Mobile Monday operated a continuous run of presentations, discussions and talks until the congress reached its 4pm closing time, whilst WIPJam saw mobile developers meet for a busy day of storytelling, pitches and demos. Just to show how busy the event was, meetings carried on right up until the last minute of the show. In the last formal Copper Horse meeting of the day, the Fira staff were taking up the carpet and removing screens while the meeting was still going on! The day ended with a quiet Paella (where another ad hoc meeting happened (!)) before a good night’s rest before the journey home. 

Friday

Inevitably, the airport on Friday morning was chaos, with thousands of exhausted delegates desperate to leave. Some more accidental meetings at the airport and then finally, arrival in the UK!

All in all, MWC 2013 was a terrific experience and the busiest year yet for the Copper Horse team. Now starts the planning for next year!  

M2M security is important but more importantly, how do we make money?

That’s the story of last night’s Mobile Monday in London. As with all marketing catchphrases, the panel struggled to properly define machine-to-machine (M2M), with one describing it as more machine-to-network. Accenture’s David Wood (@dw2) presented quite a pragmatic view, stating that there are likely to be multiple different ecosystems of machines talking to other machines in specific industries. He pointed out that big incumbents would try to control the technology to the extent that the revenue continues heading their way, which is something that would hinder development as it did with smartphones in the past. The prediction of a Smart Barbie drew some sniggers in the audience, but it does seem that the toy industry are quite on the ball, so they will almost definitely exploit this kind of technology.

A long list of applications from healthcare through to construction and industrial controls were brought forward by the presenters with Ericsson’s Tor Bjorn Minde (@ericssonlabs) predicting 50 billion devices by 2020. This is an incredible number but is probably realistic. The number of transducers around far exceeds that now. In my view what we are more likely to see is similar to existing Distributed Control Systems (DCS) which have been in industry for years (I was working with one back in 1996). The transducers are connected back to one host system for the plant in a private network. Looking into this today, I see that industrial control systems already use wireless networks, so we’re already into a healthy M2M world, it just isn’t branded as such by the marketing people. Let’s also not forget that the WiFi connected fridge and vacuum cleaner already exist, they’re just not mainstream yet. It will probably take NFC tags on every product in your fridge to make that a hassle-free, useful product that people want (automatic ordering, recipe creator etc.). I guess that’ll mean a new fridge in every home…

Adrian and Janet Quantock [CC-BY-SA-2.0 (www.creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons

Dan Warren from the GSMA (@tmgb) talked about embedded SIM and how to prevent SIM cards being stolen from smart meters and traffic lights. He also raised an important point that “you don’t need to drive test a fridge” – mobility isn’t that important for a lot of M2M applications. William Webb from Neul suggested that using the white space spectrum in the UHF space (which is bigger than the WiFi band) could be an opportunity for low-power devices talking to each other.

Camille Mendler (@cmendler) mentioned that people wanted to know “is it safe?”. There was no real discussion of this but one of the panelists privately told me afterwards that they didn’t want to go anywhere near safety critical software for applications such as automotive. As I’ve previously discussed, there needs to be some real discussion on this in the mobile phone industry as it is a relatively new area for handset manufacturers and operators. Going back to DCS systems, being able to control a valve is co-dependent on the status of other transducers in the system such as flow sensors, hardware interlocks and non-return valves. This is absolutely critical because human error can often cause huge safety issues. In a DRAM fab, you don’t want to open a silane valve if you’ve not purged it with nitrogen first (Silane is pyrophoric and this specific example has killed people in explosions in fabs in the past). Now think about your own home – what would happen if you remotely turned the oven onto full but the gas didn’t light? Consumer goods are certified for safety (e.g. CE marking) but there will need to be new certifications in place for remote control, including that the embedded software is fit for purpose.
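The DCS point above is that a remote “open the valve” command is only safe when it is gated on the state of the other transducers, and that the command must fail safe when the expected feedback (a flame, a confirmed purge) does not arrive. The following is an added example, not code from the blog or from any real control system, showing that interlock pattern for the two cases the post mentions (the silane line and the remote oven); every state name, sensor value and command name is constructed for illustration.

```python
"""Interlock gate for remotely issued actuator commands (added example).

The plant state, sensor names and command names below are constructed for
this illustration; they do not come from any real DCS or product.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class PlantState:
    """Snapshot of the transducers the interlock logic depends on (constructed)."""
    line_purged_with_n2: bool = False       # purge sequence completed
    n2_purge_flow_lpm: float = 0.0          # purge flow now (0.0 = purge finished)
    hardware_permissive: bool = False       # hardware interlock chain closed
    non_return_valve_ok: bool = False       # backflow protection healthy
    flame_detected: bool = False            # oven burner feedback


# An interlock is (description, predicate). A command is permitted only if
# every predicate in its list holds; there is no single-sensor override.
Interlock = Tuple[str, Callable[[PlantState], bool]]

PRE_CONDITIONS: Dict[str, List[Interlock]] = {
    "open_silane_valve": [
        ("line purged with nitrogen", lambda s: s.line_purged_with_n2),
        ("purge flow has stopped", lambda s: s.n2_purge_flow_lpm == 0.0),
        ("hardware permissive present", lambda s: s.hardware_permissive),
        ("non-return valve healthy", lambda s: s.non_return_valve_ok),
    ],
    "oven_gas_full": [
        ("hardware permissive present", lambda s: s.hardware_permissive),
    ],
}

# After actuation this feedback must be seen; if not, fail safe (close).
FEEDBACK: Dict[str, Interlock] = {
    "oven_gas_full": ("flame detected after ignition", lambda s: s.flame_detected),
}


@dataclass
class Decision:
    command: str
    allowed: bool
    failed_checks: List[str] = field(default_factory=list)


AUDIT: List[str] = []  # every decision is recorded, allowed or not


def gate_command(command: str, state: PlantState) -> Decision:
    """Pre-actuation gate: unknown commands and any failed interlock are rejected."""
    checks = PRE_CONDITIONS.get(command)
    if checks is None:
        decision = Decision(command, False, ["command not in interlock table"])
    else:
        failed = [name for name, check in checks if not check(state)]
        decision = Decision(command, not failed, failed)
    AUDIT.append(f"{command}: {'ALLOW' if decision.allowed else 'REJECT'} {decision.failed_checks}")
    return decision


def verify_actuation(command: str, state_after: PlantState) -> str:
    """Post-actuation check: missing confirmation means close, never leave it open.

    Returns "hold" when feedback confirms the action (or none is defined),
    and "fail_safe_close" when the expected feedback is absent.
    """
    feedback = FEEDBACK.get(command)
    if feedback is None:
        return "hold"
    name, check = feedback
    if check(state_after):
        return "hold"
    AUDIT.append(f"{command}: feedback '{name}' missing -> fail-safe close")
    return "fail_safe_close"


if __name__ == "__main__":
    # Silane line that has not been purged: the command must be refused.
    unpurged = PlantState(hardware_permissive=True, non_return_valve_ok=True)
    print(gate_command("open_silane_valve", unpurged))
    # Oven turned to full remotely but no flame seen: close the gas valve.
    no_flame = PlantState(hardware_permissive=True, flame_detected=False)
    if gate_command("oven_gas_full", no_flame).allowed:
        print(verify_actuation("oven_gas_full", no_flame))
    print("\n".join(AUDIT))
```

The design choice worth noting is that the command table is closed: a command absent from `PRE_CONDITIONS` is rejected rather than passed through, and the post-actuation path only ever returns "hold" or "fail_safe_close", so a lost or spoofed feedback signal degrades to the safe state.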

The big question on everyone’s lips was “who is going to make money?” and the answer didn’t seem forthcoming. On Twitter, there was more talk of Arduino, which I blogged about the other day in relation to Android@Home. After my question about whether Google could be in a position to clean up here, the panel dismissed this a little bit, stating that this was what everyone used to say about Microsoft. It may have been that the panel hadn’t seen the announcements at Google I/O, but I do see this as a real possibility.

All the panelists mentioned security as being paramount but didn’t elaborate on it with David Wood saying that “security issues will bite us”. I think that hits the nail on the head but the audience nodding in agreement seemed to me like lemmings heading forward towards the cliff “because there’s money to be made!”.

One attendee didn’t like the idea of being tracked around the supermarket and questioned privacy. Again, the concerned faces and “yes that is a challenge” response. “Yes but think about the nectar points!” I hear them cry.

So in summary, I think the really big issues are safety and security and there could be some serious money to be made out of looking at those issues – existing M2M installations are already under attack. A lot of people seem to be glossing over those issues in favour of the money to be made. There’ll be lots of sensors out there reporting to create the ‘internet of things’ that developers crave, but the interesting stuff should and will be firewalled and secured and ultimately heavily tested and regulated.

UMA – Unsafe Mobile Access?

I’ve been following Mobile Monday’s London chapter for a few years now and I know a few of the guys there, but I’ve never been able to get down to one of their events. I finally made it down to the April 2010 demo night and was suitably impressed by the number of attendees and the quality of the short 3 minute lightning presentations. I thought that I’d put a security spin on what I witnessed but ended up writing this blog on one particular presentation about ‘Smart Wi-Fi’.

Mark Powell from kineto.com talked about offloading data from the mobile to Wi-Fi. Increases in data traffic have caused some big headaches for operators, so this is clearly an attractive proposition for them. It is pre-loaded on some devices, partly because there are some custom APIs involved. It uses 3GPP GAN (Generic Access Network) as the underlying technology to get access to the mobile network and is also known as UMA (Unlicensed Mobile Access). Kind of like a ‘soft’ femtocell (I might even go as far as to say a potential femtocell killer). This is being marketed by T-Mobile as ‘Wi-Fi calling’ and Orange as ‘signal boost’. You’re going to get charged for your normal call on top of your broadband fee, but in general the benefits of having a better signal in the house are probably going to be quite attractive to people and may become a standard offering in the future. Kineto also explained that it helps avoid international roaming because once on Wi-Fi it will be just as if you’re in your home country.

As a paranoid security person, I always get a bit concerned when operators rush to a new technology to solve their problems (in this case network load). Converged technologies bring completely new threat scenarios which can re-enable old attacks with new vectors for achieving them. From a security point of view – there are some pretty obvious initial questions that spring to mind:

  • What if I’m connected to a rogue router? Is any of my data going to be compromised?
  • Is a man-in-the-middle (MITM) attack possible on the access point?
  • Can fraud take place?

I searched around and found an interesting whitepaper from Motorola, produced back in 2006, which describes some high level threat scenarios: UMA Security – Beyond Technology. I also found Martin Eriksson’s thesis Security in Unlicensed Mobile Access. This states that the IMSI (International Mobile Subscriber Identity) is not secured well enough, leading to exposure of the subscriber who is attached to the router and therefore their physical location. Note that the thesis was written in 2005 and very much plays this issue down – in 2011 most readers would take a different view on this privacy breach. Issues with authentication and the potential for a MITM attack via the router allowing (fraudulent) free calls for other users of the access point also seem to be areas of concern, as the router would be open to data sniffing (particularly if it is a rogue access point in the first place). The problem here lies in the fact that the user is connecting to a less-trusted component than the normal mobile network, leaving them open to all sorts of potential attacks and manipulation.

Putting expensive hardware security into routers is not something I’ve seen, and routers are difficult to protect – the problems with mobile device security often stem from the fact that you’re putting the device in the hands of your attacker to tamper and play with. There is already a healthy community for router hacking and modification around too, such as DD-WRT.

UMA applications on phones need to use shared secrets which are stored on the UICC. It would be interesting to analyse how well protected this data is on the device and whether it would be possible to snatch that data or even whether other attacks could be created on the UICC.

Although some of the issues here may have been addressed by the mobile industry, it seems that UMA could be a bit of a risk for users. (I’d welcome any comments or updates by the way from those in the know). The technology is probably safe at the moment as it is in its infancy and hasn’t crossed the radar of most of the hacking community. However, I for one, will be steering clear for now.