Keeping IoE mobility secure is no small challenge.
As we climb that mobility ladder to becoming a mostly mobile society, every rung seems to expose us to more and more layers of security failings. Six billion of the seven billion people on this planet rely on a variety of mobile devices to shop, bank, interface with social media, monitor their health, and monitor their environment. Unless you are on the inside track and know better, one would think that all that data is secure. Reality is somewhat different.
Just recently it was brought to light that identity thieves have been compromising card readers, via a technique called skimming, at a variety of locations—ATMs, gas pumps, entry systems, retailer’s terminals, the list goes on and on. And this is just one of the latest of the nefarious activities perpetrators have been coming up with.
While this is only indirectly related to what is typically defined as “mobile,” i.e., smartphones, tablets and various Internet appliances, the takeaway is that no matter what we devise, someone will find a way to compromise it. That will be as true for mobile devices as for those connected with a plug. A mobile society has tremendous benefits, but those benefits come with a price. The advantages are obvious, but the price can be very steep if security isn’t a primary consideration.
One of the pressing issues with mobile security is the way that mobile devices are accessed by third parties. “Today, because everything just goes through a Web interface, one has to understand the type of communication,” said Kin-Yip Liu, senior director for systems engineering and technical marketing at Cavium. That means many of these parties, such as the device manufacturers or carriers, are using that channel to do things like firmware upgrades, bug fixes and feature-set improvements. And the easiest way to do that is over-the-air (OTA).
Unfortunately, that is also one of the weakest links. “By far the biggest problem that mobile security has is update delivery,” said Patrick Nielsen, senior security researcher at Kaspersky Labs. So keeping the OTA programming interface secure requires a rather unique understanding of the content.
It affects, literally, every device out there, regardless of the operating system. And with the upcoming IoE, it is going to become much worse. The main reason is that there is no standard for secure delivery of updates, so every manufacturer can do it however they please, with or without any layers of security.
In the case of smartphones, for example, the average retention period is 18 to 24 months. So let’s say a manufacturer releases a device with a set of software that has been quality assessed, tested, and generally believed to be bug-free. As the device ages in the marketplace, issues may arise, such as a coding error that occurs under specific conditions that were not tested for in development. Or certain data may become accessible because some attacker found a hole or back door in the software that permits access to critical data (as was the case with Heartbleed, the OpenSSL bug that let attackers read memory contents, including key material, from vulnerable servers).
As such cases arise, the manufacturer is going to try to update the software via OTA programming. We have all probably noticed that activity from time to time. And so far that hasn’t been that big of a deal. However, that hay ride is about over.
Once the IoE, and the plethora of additional mobile devices it will add to the wireless fray, come online, OTA will quickly become a huge attack surface if it doesn’t get secured.
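What a minimally sound OTA delivery path looks like, as an added example (this is not code from the original article or from any of the vendors quoted in it): the device holds the vendor’s public key, and an update is accepted only if the signed manifest verifies, names this device model, carries a strictly newer version number (anti-rollback, which also blocks replay of an old but genuinely signed package) and matches the hash of the image that was actually delivered. The Go code uses only the standard library; the manifest layout, the model names and the `Device` and `Manifest` types are this example’s own assumptions, not any standard.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the only thing the device checks a signature over. The firmware
// payload is bound to it by hash, so a signed manifest cannot be re-used with
// a different image. Field names are this example's own, not any standard.
type Manifest struct {
	Model         string `json:"model"`   // hardware model the image is built for
	Version       uint32 `json:"version"` // must strictly increase; used for anti-rollback
	PayloadSHA256 string `json:"payload_sha256"`
}

// Device is the receiving side: its model, the version it currently runs, and
// the vendor's public key, which in practice would be burned in at manufacture.
type Device struct {
	Model     string
	Installed uint32
	VendorKey ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("ota: manifest signature does not verify")
	ErrWrongModel   = errors.New("ota: manifest is for a different device model")
	ErrRollback     = errors.New("ota: version is not newer than the installed one")
	ErrPayloadHash  = errors.New("ota: payload hash does not match manifest")
)

// BuildUpdate is the vendor side: hash the image, describe it in a manifest and
// sign the manifest with the vendor's long-term private key.
func BuildUpdate(priv ed25519.PrivateKey, model string, version uint32, payload []byte) (manifest, sig []byte, err error) {
	sum := sha256.Sum256(payload)
	manifest, err = json.Marshal(Manifest{Model: model, Version: version, PayloadSHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifest, ed25519.Sign(priv, manifest), nil
}

// VerifyUpdate checks a package in the order that keeps unauthenticated input
// from influencing any decision: signature first, then model, then version,
// then the payload hash. It does not modify device state.
func (d *Device) VerifyUpdate(manifest, sig, payload []byte) (Manifest, error) {
	if !ed25519.Verify(d.VendorKey, manifest, sig) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return Manifest{}, err
	}
	if m.Model != d.Model {
		return m, ErrWrongModel
	}
	if m.Version <= d.Installed { // equal is rejected too: a replayed old package must not re-flash
		return m, ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA256 {
		return m, ErrPayloadHash
	}
	return m, nil
}

// Apply verifies and, only on success, records the new version. A real device
// would write the image to the inactive slot and switch on the next boot.
func (d *Device) Apply(manifest, sig, payload []byte) error {
	m, err := d.VerifyUpdate(manifest, sig, payload)
	if err != nil {
		return err
	}
	d.Installed = m.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated here for the demo
	if err != nil {
		panic(err)
	}
	dev := &Device{Model: "sensor-x1", Installed: 1, VendorKey: pub}
	image := []byte("constructed firmware image, version 2")

	man, sig, _ := BuildUpdate(priv, "sensor-x1", 2, image)
	fmt.Println("genuine v2:  ", dev.Apply(man, sig, image)) // <nil>; device now runs v2
	fmt.Println("replayed v2: ", dev.Apply(man, sig, image)) // ErrRollback

	man3, sig3, _ := BuildUpdate(priv, "sensor-x1", 3, image)
	fmt.Println("tampered v3: ", dev.Apply(man3, sig3, []byte("not the image"))) // ErrPayloadHash

	_, evil, _ := ed25519.GenerateKey(rand.Reader) // attacker's key
	manE, sigE, _ := BuildUpdate(evil, "sensor-x1", 3, image)
	fmt.Println("forged v3:   ", dev.Apply(manE, sigE, image)) // ErrBadSignature
}
```

The order of checks matters: nothing in the manifest is parsed or compared until the signature has been verified, so an attacker who controls the delivery channel can only replay or withhold genuine packages, and the version check closes the replay path. What this example does not cover, and what a real design still needs, is protecting the vendor's private key and deciding how the device's trusted public key itself gets rotated if it is ever compromised.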
What will exacerbate that problem is the way the developer model has evolved. “The developer ecosystem has moved to a model where anyone can become a developer, and develop active content that lands on hundreds of millions of devices,” said Steve Grobman, Intel Security CTO.
So essentially, thousands and thousands of developers out there are developing millions and millions of apps that are largely unprotected. And there is no reason to expect that the updates will be any more secure, unless they are security updates. “On some of the platforms there are high levels of ‘latency’ between the detection of a vulnerability and a patch being applied,” Grobman said.
And, as Nielsen noted, there are no standards for this process.
All of this has the potential to spell big trouble for OTA platforms, because once the IoE is involved, compromises on mobile devices will not stop there. Any hack on the mobile device has the potential to worm its way into every other device the mobile device is connected to. And once the channel is compromised, all connected devices become potential portals to whatever they are connected to. One can readily see the implications of not moving to get both apps and OTA delivery platforms secured.
The hardware side
On the other side of the software and application platforms is the hardware in today’s mobile devices. Many chip security vendors see the hardware as the final frontier of security. “The most important thing one can do is to secure the silicon in hardware,” said Steven Woo, vice president of enterprise solutions technology at Rambus. “If a degree of security can be integrated at the chip level, then the issues with OTA programming can be minimized, if not eliminated.”
Not all vendors see that as the answer, but hardware-based security is about as bullet-proof as it can get when it comes to protecting keys and other critical data. “It is the most robust way to secure things,” added Woo.
There is some new thinking on the hardware level that will help to address the proliferation of mobile devices that will come with the Internet of Everything. “In some ways, one can view the IoE as being mobile on steroids,” notes Simon Blake-Wilson, vice president of products and marketing for Rambus’ Cryptography Research Division.
That has some interesting ramifications. Essentially it means that mobile devices are largely autonomous when it comes to security, and largely unmanaged, as well. With fixed devices, such as desktop computers and servers, for example, there is a lot of interaction with the user, and if the device is on a network that is managed by an IT group, it has even more support. In that environment, security is much easier to manage and implement.
That is pretty much the exact opposite with mobile devices, especially when it comes to the IoE. There will be a Wild West of unmanaged mobile devices with no interactive user, interconnected with everything from smart socks to private jets, and more. And there will be a few orders of magnitude more devices, meaning there will be orders of magnitude more unmanaged devices, too. And if the security issues aren’t resolved, the dark side is going to have a field day.
Consider what’s happening with Bluetooth, for example. “If we look at Bluetooth IoT, that seems to be a very large and growing segment,” said Andre Hassan, director of field marketing and applications at Kilopass. “There have been many radio standards vying for this: Bluetooth, WiFi, Zigbee, even a few proprietary ones, but it appears Bluetooth is running away with it for the sole reason that it has existing infrastructure. It’s in all the smartphones in the form of Bluetooth Low Energy, hence, the phone becomes the gateway. That doesn’t mean people will not design these little Bluetooth routers that sit in your house and transmit communication into the cloud. However, it’s probably not really secure, and the reason for that is if you take a look at how Bluetooth grew up, it was primarily the interface to your headset. So if you look at the authentication method, I bet I know the authentication key for 90% of the headsets: 0000 or 0123. Bluetooth pairing is absolutely too low of a security scheme for any information that you may consider critical. That does not mean that you cannot overlay a much higher security scheme on top of that: the pairing just establishes the connection, but the data that gets communicated between the two devices can be encrypted, and the communication can continuously be challenged and reauthenticated. That can be done over and above the initial pairing.”
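Hassan’s point about layering a stronger scheme over a weak pairing, as an added example (not code from the article or from Kilopass): an application-layer session between a phone and a sensor that share a per-device 32-byte key, assumed here to be provisioned at manufacture (a hypothetical; it has nothing to do with the Bluetooth PIN). The phone challenges the sensor with a random nonce and accepts an HMAC answer only once; traffic is encrypted with AES-GCM under counter-derived nonces, so a replayed, reordered or modified message fails to decrypt; and after `reauthInterval` messages the phone stops accepting data until the sensor proves key possession again, which is the continuous re-authentication the quote describes. `Peer`, `reauthInterval` and the message names are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// reauthInterval is how many messages a receiver accepts before it demands a fresh
// challenge/response. It is tiny here so the demo exercises the re-authentication path.
const reauthInterval = 3

var ErrReauthRequired = errors.New("overlay: peer must re-authenticate before more data is accepted")

// Peer is one side's state. key is the per-device long-term secret (assumed to be
// provisioned out of band); dir keeps the two directions' AEAD nonces disjoint.
type Peer struct {
	name       string
	dir        byte // 0 = phone/gateway, 1 = sensor
	key        []byte
	aead       cipher.AEAD
	sendCtr    uint64
	recvCtr    uint64
	issued     []byte // challenge we sent and have not yet seen answered
	acceptLeft int    // messages we will still accept before requiring re-authentication
}

func NewPeer(name string, dir byte, key []byte) (*Peer, error) {
	blk, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return &Peer{name: name, dir: dir, key: key, aead: aead}, nil
}

// Challenge issues a fresh random nonce for the other side to answer.
func (p *Peer) Challenge() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	p.issued = n
	return n
}

// authTag is HMAC-SHA256 over a domain label, the challenge and the responder's
// name, so a tag captured in one direction cannot be reflected back in the other.
func (p *Peer) authTag(challenge []byte, responder string) []byte {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte("bt-overlay-auth-v1"))
	mac.Write(challenge)
	mac.Write([]byte(responder))
	return mac.Sum(nil)
}

// Respond proves possession of the key for the given challenge.
func (p *Peer) Respond(challenge []byte) []byte { return p.authTag(challenge, p.name) }

// Accept checks the answer to our outstanding challenge in constant time. The
// challenge is consumed whether or not the answer is right, so it is one-shot.
func (p *Peer) Accept(resp []byte, responder string) bool {
	if p.issued == nil {
		return false
	}
	ok := hmac.Equal(p.authTag(p.issued, responder), resp)
	p.issued = nil
	if ok {
		p.acceptLeft = reauthInterval
	}
	return ok
}

// nonce is 12 bytes: direction in byte 0, big-endian message counter in bytes 4..11.
func (p *Peer) nonce(dir byte, ctr uint64) []byte {
	n := make([]byte, 12)
	n[0] = dir
	binary.BigEndian.PutUint64(n[4:], ctr)
	return n
}

// Seal encrypts one application message under a never-repeating nonce.
func (p *Peer) Seal(plain []byte) []byte {
	ct := p.aead.Seal(nil, p.nonce(p.dir, p.sendCtr), plain, nil)
	p.sendCtr++
	return ct
}

// Open decrypts the next message from the peer. The nonce is derived from the
// expected sequence number, so replayed, reordered or modified ciphertexts fail,
// and the counter only advances on success.
func (p *Peer) Open(ct []byte) ([]byte, error) {
	if p.acceptLeft <= 0 {
		return nil, ErrReauthRequired
	}
	pt, err := p.aead.Open(nil, p.nonce(1-p.dir, p.recvCtr), ct, nil)
	if err != nil {
		return nil, err
	}
	p.recvCtr++
	p.acceptLeft--
	return pt, nil
}

func main() {
	key := make([]byte, 32) // constructed demo secret; a real device gets a unique one at manufacture
	for i := range key {
		key[i] = byte(i)
	}
	phone, _ := NewPeer("phone", 0, key)
	sensor, _ := NewPeer("sensor", 1, key)

	c := phone.Challenge()
	fmt.Println("sensor authenticated:", phone.Accept(sensor.Respond(c), "sensor")) // true
	for i := 0; i < reauthInterval; i++ {
		pt, err := phone.Open(sensor.Seal([]byte(fmt.Sprintf("reading %d", i))))
		fmt.Printf("%s %v\n", pt, err)
	}
	late := sensor.Seal([]byte("reading 3"))
	_, err := phone.Open(late)
	fmt.Println("4th message before re-auth:", err) // ErrReauthRequired
	c = phone.Challenge()
	phone.Accept(sensor.Respond(c), "sensor")
	pt, err := phone.Open(late)
	fmt.Printf("after re-auth: %s %v\n", pt, err) // reading 3 <nil>
	_, err = phone.Open(late)
	fmt.Println("replayed:", err) // GCM authentication failure
}
```

The receiving side enforces re-authentication, not the sender, which is the only arrangement that means anything: a compromised sensor cannot simply declare itself authenticated. Two things are deliberately outside the example and would need real design work: how the per-device key gets onto the sensor and is protected there (the chip-level question the next section turns to), and recovery when a message is lost in transit, which with strict counter matching means the sides must re-synchronize rather than silently accept gaps.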
So one might simply ask, why not just add a security chip to all of these devices? Well, that might work except that many of these are extremely price-sensitive devices. “In a mobile phone or tablet, one could consider having a dedicated security chip,” noted Blake-Wilson. “But in low-cost devices, like sensors, that just isn’t an option.”
So what is an option for the price-sensitive market? Blake-Wilson believes the trend for the IoE will be to integrate security into general-purpose (GP) chips that will populate much of the lower end devices. In many cases it will suffice to have decent security integrated into a GP chip, versus the more traditional approach of having an unsecured GP chip and high security provided by a dedicated cryptography chip.
“However this goes, key security will still be the number one action item for mobile devices because there will still be a lot of hackers trying to compromise security keys on mobile devices, from reverse engineering to side channel attacks,” said Steven Chen, CEO of PFP Cybersecurity.
That seems to be a reasonable approach. A decent level of security in most devices will keep the “targets of opportunity” to a minimum, and the high-value targets will continue to have top-shelf security.
However, there is one gotcha in all of this: the interconnect. Until each and every device on the IoE is secured, the ubiquitous interconnect means that, theoretically, hacking a pair of smart socks could lead to a complete compromise of a network. Preventing that will require a set of standards that ALL device manufacturers will have to adhere to, so that the Internet has, theoretically, no vulnerable point of entry and everything has at least a decent layer of hardware security.
Even so, it isn’t quite that simple. “On the security end, the pain point is that there isn’t any single point of responsibility,” said Kurt Shuler, Arteris’ vice president of marketing. “From the customer end, people are just flailing around on what to do and how to do it.”
That’s not due to a lack of options. There is no shortage of options or opinions about what is the best solution for a variety of different problems, as well as how to approach them.
The boxing ring
One of the big issues is there is a laundry list of vendors dealing with security at their own level. For example, on one level there are the IP vendors supplying IP security blocks that hook into the fabric. Then there are the software providers. Vendors such as Microsoft and Google have their own middleware and OS, and security platforms at that level. At the next level, there are vendors such as those that provide DRM platforms, and they too have their own security ideas. And finally there is the application level, where vendors like to have their own security platforms, as well.
Where this approach fails is that each level acts independently. “The reality is that with this centralized approach, how things get hacked is that attackers work their way around these various components until they find a hole,” said Shuler.
One of the big problems that will have to be dealt with, as the march toward the IoE gains traction, is that 40-year-old legacy hardware will have to go. While there are ways to integrate it into these systems, keeping it alive costs resources: power, footprint and extra code, for example. And that just cannot be supported in the next wave of IoE technology. So eventually, support for legacy hardware will have to be dropped.
This makes sense for a number of reasons. First, keeping legacy hardware and software alive is becoming more and more expensive. Then there are proprietary interfaces and vendor-specific lock-in. Next comes the issue of legacy components not being able to integrate into new technical environments, particularly virtualization and cloud platforms.
They are also bloated. Many of them are problem-specific, and in many cases, the problem either has disappeared or has been ported to more modern platforms. There are some other issues, as well, including lack of documentation and licensing, and legacy components can be difficult to port to a mobile platform and secure. Moreover, in many cases better technology is available to do the same thing.
At the edges – the cloud and the fog
Perhaps nothing has disrupted security convention more than the edge. Once the “four walls” are no longer the containing field, a new paradigm had to develop to protect the perimeter-less network we now call the cloud.
There is an interesting analogy that can be used to illustrate the problem. Imagine, for a moment, that the world is really flat. Under that assumption, there are four very clearly defined edges. And to keep intruders out, one simply had to “firewall” those edges.
But the world isn’t really flat, and there are no walls. So how do you protect the world? The answer is, you don’t; you protect the individual elements by firewalling them. And drilling down further, one can protect all of these elements, the continents, the regions, the cities, the neighborhoods, all the way down to the individuals themselves. That is the parallel that will work with mobile devices, all the way up to the IoE.
Interestingly, while the move is to secure each and every object, in the cloud that may not be necessary. When it comes to the cloud, there are some other options. In cases where the mobile device is of low intelligence (simple sensors, for example), security can be moved to the cloud or the fog (a term that has come to represent local cloud networks).
“In many cases it makes more sense to do the processing and security at the fog level,” said Liu. “This is true when the cloud is a long way off or the data just needs to be consumed locally, anyway.”
So when designing security for perimeter-less networks, the rule is that you protect the ports of entry, no matter what the device or network is. In this brave new world, successful network security solutions will have to be able to carry out deep and on-the-fly analysis in a three-dimensional environment that is always shifting.
There is really one way to deal with all of the various pieces of the mobile security puzzle, and that is, as Shuler noted, “Everybody has to start thinking about security.” Taking that one step further, everybody has to start working together, as well. That will be the final brick in the wall.
A collaborative effort by all interested players is needed. Everybody brings something to the table. The security platform will be much more effective if players realize that security is best handled by certain components, at certain layers, by the experts who do it best.
—Ann Steffora Mutschler contributed to this story.