Why your consumer smartphone (and tablet) is a threat to the enterprise

Summary: Motorola Solutions' Gary Schluckbier explains why consumer mobile devices are, from a security standpoint, not fit for the enterprise -- and why Android is a particular threat.


If there's one guy who knows about mobile threats, it's Gary Schluckbier.

Schluckbier serves as the director of the secure products group at Motorola Solutions. He was recently in New York to speak at a cybersecurity conference; I was there, too, but we sadly missed each other.

Last week, I rang him up at his office in Chicago to follow up. I wanted to know more about the latest mobile threats and how he thinks the enterprise can patrol its cloud more effectively.

What he told me was enough to give any systems administrator pause about the bring-your-own-device trend -- especially when it comes to Google Android-based smartphones and tablets.

ZDNet: At the conference, the topic of your panel discussion was "Hijacking Gadgets and Gizmos."

GS: Yeah, fascinating stuff. State actors* and how some of the simplest things turn out to be some of the biggest vulnerabilities to an enterprise.

Mobile is different. It's not the same as traditional IT, with servers and computers and mainframes. They're in a different kind of environment. When you talk about a mobile device, those things are in what I'll call a "contested domain" -- outside the fence, as the military would say. On the road and not connected to an enterprise network, not even necessarily in the U.S. You might have a state actor working against you.

The technology that exists today is largely focused on consumer-facing investment. Those things change twice a year, and are driven by the volume of the consumer business. And consumers want something as open as possible.

The first thing the hacker does on an Android device is unlock it -- "rooting." OEMs are incented to make it easy to root, because [techies] are their customers. So they're driven to different things commercially than traditional IT. And because those things are so open, there's an overwhelming amount of attention by bad actors because they're so attractive a target -- they're easy to get to, they're always connected, they're not behind a firewall and they're probably not managed. And you do all your business on them; you talk to your wife on them.

There are individuals and there are other areas of responsibility around duty of care of information. When it comes to the government, there's a statutory duty of care -- to protect social security numbers, for example. And there's also a national security duty of care, and those are things that can get you thrown in prison for a very long period of time. Mobile requires us to have an approach that sufficiently deals with each of those scenarios.

Because we're addressing a "consumer duty of care" -- if there is one -- it leaves a considerable gap.

One question I hear quite a lot is, "How can I make my tablet or smartphone safe for my CEO to travel to XYZ country?" Those are difficult questions to answer.

ZD: At the conference, I heard some scary stuff about cyber threats in general. Give me a sense of what we're dealing with in mobile.

GS: The number of pieces of mobile malware, between 2010 and 2011, has doubled. These get on your device and let it do what they want it to do. In Android, the manifest comes up when you want to install the app. The average consumer often doesn't know what to do with that, because if you don't check yes, you don't get the application. In a way, they're not malware because you chose to download and enable these things, but that's where you see hackers getting a toehold in these devices. It's new. You're starting to see policies that these consumer devices are not secure enough to process company data. [In fact, the U.S. Department of Defense has indicated that the current crop of consumer devices is insufficient to process DoD information. --Ed.]

Our approach is trying to make the platform a little more trusted, through hardware with keys and keeping malware processes separate from those that process your e-mail or financial information. There are ways to solve these things. My department within Motorola was founded back in the early 1980s when we needed to provide information security to the government for the '84 Olympics. The techniques exist. We know how to do this stuff. It's just not baked into your average consumer device.

This message is resonating very well with our customers. It's part of what's keeping government and enterprise from embracing the mobile workforce in a big, big way -- on the BYO tablet, for example.

Here are some use cases we use in our lab. Take a device making a phone call with an off-the-shelf operating system. We've found a way to get a malware piece on there, after which making phone calls can be processed through specific voice centers, which can record the call and send the voice sample back to a command center.

The malware can also make a choice on where you connect to your network. So it won't connect when you want to call a specific number -- your attorney, for example, when you're about to make a big corporate deal. They're making money off your negotiating position.

Because you're over-the-air, vulnerabilities can come in through your modem -- the hardware that attaches to the carrier network. There are vulnerabilities where somebody who's on the air can inject things into your phone and take advantage of it.

From a use case perspective, those are the things that users need to be thinking of. How are their phone calls being protected? How are their devices being exploited? All the practical attacks haven't even been demonstrated. And then there are things that actually take advantage of the hardware components of your device, like GPS tracking your location.

We know there are so many vectors on these things that we're really working on the vectors more from the standpoint of a practical attack [as opposed to theoretical possibilities]. We realize there are so many different ways to get at useful information. There are things that just turn the phone into a listening device -- turn the microphone on all the time. You can imagine how that affects the intelligence community.

When we look at this, we're really looking at mitigation through a trusted platform.

ZD: The threats are significant, but we've got the tech. So why isn't everyone using it? What are the hurdles here?

GS: There's clearly the question of, "OK, I understand these are threats, but how high on my priority list does this need to be?" That's pretty common in the information security space. Another is that there are many emerging standards around these things; the standards for mobility security are very much in development. That limits industry's ability to really focus on an objective, but it also limits enterprise and government's ability to place bets on a particular approach.

Those are things that, five years from now, we'll have it figured out. Being aware, understanding how it fits, getting standards in place so a CIO can choose from a broad suite of capabilities and feel good about all of them.

If the government is going to lead the charge on this, I think…the government has the highest level of duty of care. They're the most sophisticated when it comes to developing and understanding the threat landscape, and the emerging technologies standards are really coming out of the government: DHS, NIST. The government is making an investment.

ZD: What price, security?

GS: Boy, that's a really good question. The whole of the IT industry is trying to figure that out, plus all the CIOs that are held to ever-decreasing budgets. There's clearly an understanding within enterprises and government of a focus on defense, which includes pieces of IT equipment, which includes mobile devices.

If you listen to what's coming out of the Pentagon, the DoD force of the future is going to be different than the force today, and investments are going to be made strategically for cyberdefense. There's risk, and with that a value judgment. When we brief customers, particularly those with an important job to do, the cost is not as high a concern as the level of trust.

*hackers working on behalf of, or in the interests of, national governments.


Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.

  • the real answer is a new network scheme

    for phones, land lines, the internet, you know, data. But if it was truly secure, how could the government wiretap you without a warrant??

    You have to wonder how secure the USB cable that charges your phone is connected to your corporate network either, since you can upload/download data with it....
    sparkle farkle
  • Finally, some sanity

    [i]Summary: Motorola Solutions' Gary Schluckbier explains why consumer mobile devices are, from a security standpoint, not fit for the enterprise -- [u]and why Android is a particular threat[/u].[/i] [Emphasis added.]

    In Android's favour is its open-source nature:

    "Security Enhanced (SE) Android is a project to identify and address critical gaps in the security of Android. Initially, the SE Android project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the SE Android project is not limited to SELinux."

    When will this be available for OEMs to install onto their devices?
    Rabid Howler Monkey
  • ANY computer end node is a problem.

    Nothing new here. This has been known for about 30 years... yes, even before "smart" phones.

    ANY computer end node is a problem.

    It doesn't matter if it is a phone, tablet, computer, network attached printer/scanner, or even a memory stick/thumbdrive with a hidden CPU.
  • I have to agree with other poster...

    PCs can also be hacked. For Android devices, there should be a requirement of an AV (or some monitoring software) on the device that looks for certain key signatures (updated frequently) of problem applications that the connectivity solution (VPN, SSL Access Gateway, etc...) looks for. If there are signs of problems, you don't get in.
    There likely should also be some tighter integration (at least moving forward with Android ICS 4.x) between Android and connectivity vendors and AV/Malware Vendors to make sure that they can quickly identify the signatures of devices and safely report the status to connectivity vendors access software/devices.
    This has evolved over the years for PCs (and more recently iOS devices seem to be able to do at least some of it). Google and vendors need to make this happen if they don't want to lose out on sales and the BYOD enterprise market.
    • But you're making it easier to hack a phone as

      you take that outside of the building every day. You take it on vacation, a run to the store, etc.

      Unless it's a laptop, your PC pretty much stays where it's at. In the building. Not saying it can't be hacked there, still, it's not like you'll lose it, someone else finds it, and reads that email stating whatever it is you don't want others to read.
      William Farrel
  • Acer Iconia 500 Tabs (and other models also ?) getting Android 4.0.3 ICS

    Not that it is reported on this site (they don't even have a Tablets section ?), but Acer Iconia 500 Android tablets are getting Android 4.0.3 Ice Cream Sandwich. A little later than some would have liked (and there were delays getting it because Acer's servers seemed to be a bit swamped), but after a few days I got it and so far it has been working pretty well (I restarted a couple of times after the update to let it settle down). ICS will hopefully allow Google, OEMs, and 3rd party vendors to standardize and enhance the platform for better BYOD support, security, etc...
    I now have ICS on my tablet and my recently purchased Google Galaxy Nexus from Samsung. Very Happy with both at this point !
    • Standardizing on ICS doesn't help at all. Google didn't put any security into

      ICS. It's still completely pwn'able. DO NOT put any corporate or otherwise sensitive data on it.
      Johnny Vegas
  • The problem isn't the devices.

    China's been stealing U.S. and European enterprise data for years, so you can't really blame BYOD.

    More importantly, can you really take anything seriously from a Motorola guy who says [i]"consumers want something as open as possible."[/i] Really? That must explain the complete consumer rejection of the very-closed iPhone.
    • In the guy's defense ...

      ... he goes on right after that to clarify that he is talking about "techie" consumers that are buying Android phones in order to root them. I think that was meant to be much less of a blanket statement than it appears to be out of context.
      • It's more than rooting Android-based devices

        From the article:
        [i]GS: The number of pieces of mobile malware, between 2010 and 2011, has doubled. These get on your device and let it do what they want it to do. In Android, the manifest comes up when you want to install the app. The average consumer often doesn't know what to do with that, because if you don't check yes, you don't get the application. In a way, they're not malware because you chose to download and enable these things, but that's where you see hackers getting a toehold in these devices.[/i]

        BYOD's aren't necessarily centrally managed by enterprise mobile device management software such as Afaria or McAfee, as examples.
        Rabid Howler Monkey
      • No he's wrong. He claims OEMs make them rootable because of techy consumers

        That's complete BS. 99% of consumers don't know/care what an OS is. Add another .999% for those who do but would never care to root their phone. Not making them rootable would have zero material impact on any OEM's sales. It's a completely lame statement that lowers his credibility to near zero.
        Johnny Vegas
      • Your use of completely made up percentages ...

        ... similarly lowers your credibility to near zero.