
Mobile's Security Problem


According to Symantec’s 2013 Norton Report, almost two-thirds of the people who were surveyed own smartphones and nearly one-third own tablets, but mobile vulnerabilities doubled between 2010 and 201
Android’s security lets hackers modify APK code without breaking an app’s cryptographic signature, turning any application into a malicious Trojan, completely undetected by the app store, the phone, or the user.

“The implications are huge!” Forristal wrote on Bluebox’s blog in July. “This vulnerability, around at least since the release of Android 1.6 (codename: ‘Donut’), could affect any Android phone released in the last 4 years—or nearly 900 million devices—and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”

He added that “the risk to the individual and the enterprise” is “compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) ... that are granted special elevated privileges within Android ... specifically [system user ID] access.”

Forristal and his team let Google know about the security hole in February, but, he wrote, “It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates).”

Wait, there’s more: home Wi-Fi routers are also frightfully unsecured.

Independent Security Evaluators (ISE) set out to evaluate the level of security provided by 13 popular wireless routers and learned that almost all of them “had critical security vulnerabilities that could be exploited by a remote adversary, resulting in router compromise and unauthorized remote control,” according to a report the research firm published in April. “At least half of the routers that provided network attached storage (NAS) were found to be accessible by a remote adversary.”

In other words, when a user plugs a device into his or her home computer, the device and its mobile network are just as vulnerable to attack. Worse, the bring-your-own-device (BYOD) trend encouraged by many companies opens up even the most sensitive enterprise data to hackers who know little more than how to break into a home router.

Unfortunately, these device-based security vulnerabilities are just one aspect of the threat. Tyson Macaulay, VP of global telecommunications strategy for McAfee, pointed out in a recent white paper from McAfee titled “The 7 Deadly Threats to 4G” that as MNOs make the transition to IP-based LTE networks, all of the internet-hacker rules of old now apply to 4G. As he sees it, operators must take action to protect their LTE infrastructures from the following:

  • wireless APN flooding
  • mobile-to-mobile attacks
  • eNodeB/femtocell/microcell compromise
  • machine-to-machine (M2M) fragility
  • lawful intercept compliance
  • voice over LTE (VoLTE) attacks
  • disruptions in content and media delivery

With these threats in mind, MNOs must accept the fact that securing mobile devices isn’t going to work. Instead, Macaulay suggests that operators take the following steps to “harden their nascent LTE infrastructure, to mitigate risk, gain operational efficiencies, and maximize potential revenue”:

  • planning, including the integration of security into the LTE design, which will preserve 4G bandwidth and mitigate service disruptions
  • proactive, built-in LTE security
  • security systems that have a dual-purpose function as value-added service offerings

Mobile network operators are faced with a tall task: get every subscriber and every device on the network, then make it bulletproof. As LTE networks continue to come online every day, that task is about to get even tougher, but with a little planning and a whole lot of cunning, these slick, superfast networks will be reliable and safe enough to secure even the most sensitive data.


