Why your consumer smartphone (and tablet) is a threat to the enterprise

Motorola Solutions' Gary Schluckbier explains why consumer mobile devices are, from a security standpoint, not fit for the enterprise -- and why Android is a particular threat.

If there's one guy who knows about mobile threats, it's Gary Schluckbier.

Schluckbier serves as the director of the secure products group at Motorola Solutions. He was recently in New York to speak at a cybersecurity conference; I was there, too, but we sadly missed each other.

Last week, I rang him up at his office in Chicago to follow up. I wanted to know more about the latest mobile threats and how he thinks the enterprise can patrol its cloud more effectively.

What he told me was enough to give any systems administrator pause about the bring-your-own-device trend -- especially when it comes to Google Android-based smartphones and tablets.

ZDNet: At the conference, the topic of your panel discussion was "Hijacking Gadgets and Gizmos."

GS: Yeah, fascinating stuff. State actors* and how some of the simplest things turn out to be some of the biggest vulnerabilities to an enterprise.

Mobile is different. It's not the same as traditional IT, with servers and computers and mainframes. They're in a different kind of environment. When you talk about a mobile device, those things are in what I'll call a "contested domain" -- outside the fence, as the military would say. On the road and not connected to an enterprise network, not even necessarily in the U.S. You might have a state actor working against you.

The technology that exists today is largely focused on consumer-facing investment. Those things change twice a year, and are driven by the volume of the consumer business. And consumers want something as open as possible.

The first thing the hacker does on an Android device is unlock it -- "rooting." OEMs are incented to make it easy to root, because [techies] are their customers. So they're driven to different things commercially than traditional IT. And because those things are so open, there's an overwhelming amount of attention by bad actors because they're so attractive a target -- they're easy to get to, they're always connected, they're not behind a firewall and they're probably not managed. And you do all your business on them; you talk to your wife on them.

There are individuals and there are other areas of responsibility around duty of care of information. When it comes to the government, there's a statutory duty of care -- to protect social security numbers, for example. And there's also a national security duty of care, and those are things that can get you thrown in prison for a very long period of time. Mobile requires us to have an approach that sufficiently deals with each of those scenarios.

Because we're addressing a "consumer duty of care" -- if there is one -- it leaves a considerable gap.

One question I hear quite a lot is, "How can I make my tablet or smartphone safe for my CEO to travel to XYZ country?" Those are difficult questions to answer.

ZD: At the conference, I heard some scary stuff about cyber threats in general. Give me a sense of what we're dealing with in mobile.

GS: The number of pieces of mobile malware, between 2010 and 2011, has doubled. These get on your device and let it do what they want it to do. In Android, the manifest comes up when you want to install the app. The average consumer often doesn't know what to do with that, because if you don't check yes, you don't get the application. In a way, they're not malware because you chose to download and enable these things, but that's where you see hackers getting a toehold in these devices. It's new. You're starting to see policies that these consumer devices are not secure enough to process company data. [In fact, the U.S. Department of Defense has indicated that the current crop of consumer devices is insufficient to process DoD information. --Ed.]

Our approach is trying to make the platform a little more trusted, through hardware with keys and keeping malware processes separate from those that process your e-mail or financial information. There are ways to solve these things. My department within Motorola was founded back in the early 1980s when we needed to provide information security to the government for the '84 Olympics. The techniques exist. We know how to do this stuff. It's just not baked into your average consumer device.

This message is resonating very well with our customers. It's part of what's keeping government and enterprise from embracing the mobile workforce in a big, big way -- on the BYO tablet, for example.

Here are some use cases we use in our lab. Take a device making a phone call with an off-the-shelf operating system. We've found a way to get a malware piece on there, after which making phone calls can be processed through specific voice centers, which can record the call and send the voice sample back to a command center.

The malware can also make a choice on where you connect to your network. So it won't connect when you want to call a specific number -- your attorney, for example, when you're about to make a big corporate deal. They're making money off your negotiating position.

Because you're over-the-air, vulnerabilities can come in through your modem -- the hardware that attaches to the carrier network. There are vulnerabilities where somebody who's on the air can inject things into your phone and take advantages of it.

From a use case perspective, those are the things that users need to be thinking of. How are their phone calls being protected? How are their devices being exploited? All the practical attacks haven't even been demonstrated. And then there are things that actually take advantage of the hardware components of your device, like GPS tracking your location.

We know there are so many vectors on these things that we're really working on the vectors more from the standpoint of a practical attack [as opposed to theoretical possibilities]. We realize there are so many different ways to get at useful information. There are things that just turn the phone into a listening device -- turn the microphone on all the time. You can imagine how that affects the intelligence community.

When we look at this, we're really looking at mitigation through a trusted platform.

ZD: The threats are significant, but we've got the tech. So why isn't everyone using it? What are the hurdles here?

GS: There's clearly the question of, "OK, I understand these are threats, but how high on my priority list does this need to be?" That's pretty common in the information security space. Another is that there are many emerging standards around these things; the standards for mobility security are very much in development. That limits industry's ability to really focus on an objective, but it also limits enterprise and government's ability to place bets on a particular approach.

Those are things that, five years from now, we'll have it figured out. Being aware, understanding how it fits, getting standards in place so a CIO can choose from a broad suite of capabilities and feel good about all of them.

If the government is going to lead the charge on this, I think…the government has the highest level of duty of care. They're the most sophisticated when it comes to developing and understanding the threat landscape, and the emerging technologies standards are really coming out of the government: DHS, NIST. The government is making an investment.

ZD: What price, security?

GS: Boy, that's a really good question. The whole of the IT industry is trying to figure that out, plus all the CIOs that are held to ever-decreasing budgets. There's clearly an understanding within enterprises and government of a focus on defense, which includes pieces of IT equipment, which includes mobile devices.

If you listen to what's coming out of the Pentagon, the DoD force of the future is going to be different than the force today, and investments are going to be made strategically for cyberdefense. There's risk, and with that a value judgment. When we brief customers, particularly those with an important job to do, the cost is not as high a concern as the level of trust.

*hackers working on behalf of, or in the interests of, national governments.