Auerbach Publications

New Books

The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules by John J. Trinckes, Jr., ISBN 978-1-4665-0767-8
Read excerpt
PRAGMATIC Security Metrics: Applying Metametrics to Information Security by W. Krag Brotby (US) and Gary Hinson, ISBN 978-1-4398-8152-1
Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World by Stephen Fried; ISBN 9781439820162
Digital Forensics Explained by Greg Gogolin, ISBN 978-1-4398-7495-0
Read excerpt
Leading Effective Virtual Teams: Overcoming Time and Distance to Achieve Exceptional Results by Nancy M. Settle-Murphy, ISBN 978-1-4665-5786-4
Read excerpt
A Guide to IT Contracting: Checklists, Tools, and Techniques by Michael R. Overly and Matthew A. Karlyn, ISBN 978-1-4398-7657-2

Effective Physical Security of a Mobile Device

Patrick W. Mooney II

Know anyone who has lost a cell phone? I dare anyone to answer no to that question. Most of us have probably lost our own cell phone, but if we haven't, we at least know someone who has. Whether it was family, friend or a coworker, we all know of someone who has either lost a device, had a device stolen, or misplaced a device for an extended period of time. If a mobile device has been out of your hands and control for even 15 minutes, it is long enough for all the information on it to have been copied off the device.

The Fallacy of Mobile Device Physical Security

Physical security of any small item is hard enough, but when you couple that with a constantly used device, which is in the hands of a user 24x7x365 wherever he goes, then the task becomes seemingly impossible. Loss of a mobile device is not the only concern. There is also the worry of theft. A smartphone is easy to steal and worth hundreds of dollars upon resale, making it a prime theft target. It's really a fallacy to think that we can provide proper physical security of a mobile device.

Loss of a Device
Some people will argue that we carry small valuable items with us all the time and we are able to provide proper physical security for those items. A man carries a wallet in his back pocket all day long, everywhere he goes, and he feels somewhat secure knowing that his wallet will be safe in his pocket. Let's not even look at the statistics of theft and how many people get pick pocketed each year, or even try to debate whether a normal wallet is secure. Let's focus on how many times a day a wallet is used. The more it is used, the more often it is being taken from its secure location, increasing vulnerability to loss. The same principle applies to a mobile device; the more it is used, the more it is taken from its secure location. "One in four people check their phones every thirty minutes, while one in five check every ten." (Duerson, 2012). From our own past experiences, it can safely be stated that we don't use our wallets nearly as frequently as we use our cell phones each day and that "... most of us don't take a wallet to bed with us" (Duerson, 2012). High frequency of use makes physical security of a mobile device nearly impossible and certainly not practical.

"Every year In the United States, about 70 million cell phones and smart phones are lost or stolen" (Fogarty, 2012). With a population of approximately 300 million that equates to roughly 23% of our population who experience a phone loss each year. Roger Yu (2012) from reported in USA Today that a mobile security company, Lookout, located one phone every 3.5 seconds last year. "Based on sample data, Lookout concludes Americans lose a phone, on average, once a year" (Yu, 2012).

Theft of a Device
While many of the phones are simply lost by their owners, an even greater number are actually being stolen. Terry Collins (2012) reports in NewsFactor that cell phone theft is exploding across the country. "Nearly half of all robberies in San Francisco this year are cell phone-related, police say, and most occur on bustling transit systems" (Collins, 2012). "New York City Police report that more than 40 percent of all robberies now involve cell phones" (Collins, 2012). The devices are primarily stolen for the hardware itself. A smartphone can be worth anywhere from a few hundred to close to a thousand dollars. Their market is very high with effective physical security of the device virtually impossible. Smartphones make a very easy and profitable target.

Consequences of Loss or Theft
The device itself is not the only target the thieves are after. The information on the device may be as important as the device itself. Many people use their phone as their wallet or purse. A smartphone will not only contain enough information to assist in identity theft, but can contain credit card information as well. "A lot of younger folks seem to put their entire lives on these devices" (Collins, 2012).

Personal mobile devices are not the only devices of concern. As corporations increase employee use of mobile devices and link these devices to their corporate networks, they become invaluable assets in corporate information theft and are new more easily accessible avenues to penetrate corporate cyber security defenses. Even the United States government faces this same problem. As more government employees utilize mobile devices in their daily job, the potential for loss of sensitive government information increases dramatically. This threat will get even bigger as the latest concept of BYOD (Bring your own Mobile Device) is considered by both the federal government and many corporations in order to save huge of amounts of annual expense on these devices. We are faced with providing security on the same personal mobile devices that on average are getting lost at least once by every American each year.

Current Mobile Security Solutions

There currently are no mainstream technical solutions that help prevent us from losing our devices. Technology is advancing everyday and with it comes new and innovative physical security measures, however these current measures have been slow to market and have not been adopted by the masses.

Current Bluetooth Solution
Jaroslovsky (2010) reports there are the Zomm and the Phone Halo, which are two new gadgets aimed at preventing you from losing your cell phone. Jaroslovsky (2010) states that the Zoom works with any Bluetooth enabled phone, but the Phone Halo is currently limited to BlackBerry and Android phones. While each device is different, the basic concept is the same. They utilize Bluetooth on the phone to connect with the external device. Once the device exceeds a certain distance from the phone, the device will emit visual and audible sounds to alert the user. Jaroslovsky points out that while this may be irritating it does "protect users from the annoyance of having to rush back to the restaurant they left 45 minutes ago" (p. 1).

Current Bluetooth Limitations
There are two limitations to these solutions. The first limitation is the users' failure to acknowledge the need for security in the first place. They are slow to spend the money on these types of devices when they haven't suffered a previous loss. It is a similar mindset to car insurance. Many people complain about the need and the cost of car insurance until they need it and it saves them from a loss of tens of thousands of dollars. Even after that loss, as soon as their insurance rate goes up, due to the loss, they start complaining again about the rate increase. This same mind set applies to their mobile device. After someone loses his phone and he has to get another, he quickly replaces the device and even more quickly loses the desire to do something about preventing the loss in the future. He continues with the same care-free attitude he had before he lost the phone. The bulk of the cost of many smartphones is subsidized by the mobile carrier as an incentive to get the user on their service. This keeps the cost of the phone that is very expensive, extremely low and affordable to the masses. When you couple this with the ability to upgrade your phone and many carriers providing the ability for early upgrades at discounted prices, many users won't even get mobile device insurance in case they lose their phone. They run the risk that they will be able to replace the device cheaply through their carrier if they lose it. Many users rationalize it by thinking, why should I spend $5.95 a month for insurance on a phone I got for .99 cents? They don't understand that the .99 cent phone has a value of close to $500.

The second limitation of these Bluetooth devices is the amount of energy they require to operate. One of the most annoying things to a user is a cell phone that runs out of power all the time and especially runs out of power when they need it. The current Bluetooth technology for mobile devices is not very efficient and requires a large amount of energy for operation. To use one of these Bluetooth security devices constantly would require the mobile device to be plugged in and charged every few hours. Many users find this not only extremely annoying and impractical, but they find it impossible due to their jobs, where they might not be near an electrical outlet all day. Many users simply are not willing, and do not feel the need, for a level of security that they find annoying.

Cell Carriers Anti-theft Effort
Even though physical security device measures will help with a lost or stolen mobile device, theft of these devices will still exist. The end result from a lost phone and a stolen phone is exactly the same. The device and all the information on it are gone. Fogarty (2012) reports that until recently there wasn't anything that prevented stolen phones from being re-configured and resold as used devices until the cell-phone carriers finally agreed to do something about it. Fogarty (2012) states that there are two phases to the carriers plan. In the first phase carriers will provide the ability to remotely deactivate a device and render it useless. Fogarty (2012) also states that each carrier will build an anti-theft database of the devices that have been deactivated so they can't be reused on the carriers network. Phase 2 will be the sharing of all device identifiers across carriers, preventing the use of the device on another network. While not an actual physical security measure that can be taken, it can act as a deterrent to theft and inadvertently help increase physical security, since the theft of device with this capability will render the device useless and negate the need for its theft.

Cell Carriers Anti-theft Effort Limitations
While this is a great measure and as Fogarty (2012) states this could have been started as early as 1996, it is not going to stop theft of mobile devices. A basic snatch and grab thief will think twice about stealing a device, but thieves are creative and they will find ways to either spoof valid device identifiers or move valid identifiers from other phones to the stolen phones. This should reduce the amount of theft to a certain degree, but it will not eliminate it. This thereby limits the effectiveness of this counter measure to theft.

Future Technology Solutions

We are constantly discovering new technology that helps us solve our existing problems. Advancement in current technology and creation of completely new technology might possibly one day close the gap and provide effective mobile device physical security. As these improvements become available they should be incorporated into the current solutions.

Future Bluetooth
Many companies understand the issues the users have with Bluetooth on mobile devices and are working on creating new technology improvements. The first major improvement was the creation of the Bluetooth 4.0 specification. One of the primary improvements for this specification was the reduction in energy required for operation, which they call Bluetooth low energy (BLE). By not putting as much strain on the users' battery it can help pave the way for eliminating this user annoyance and bringing security devices like this to the mainstream. Ward-Foxton (2011) reports that Nordic semiconductor and Broadcom conducted a joint effort to create a prototype fob that pairs to a Bluetooth 4.0 low energy chip which can be used to prevent unauthorized access to a device. Once devices such as these become mainstream they will greatly assist with device security, but at this time they are still being developed.

The Active Mobile Device Case
Many users have some form of a case for their mobile device. They do this for many different reasons. Some use a case for aesthetics reasons; others use a case to prevent scratching or breakage. An "active" mobile device case would be one that "actively" participates in the physical security of the device. Cell phone manufactures could include built-in sensors on the devices at the hardware level, which would detect some type of metal built-in into a case, or the case might instead emit some type of electronic signal to interact with the sensor. Blackberry devices contain a sensor that knows if the device is in its holder. Expansion on this concept, combined with new technology could produce a phone that would alert the user when it wasn't in its case or a case that would alert a user that its phone is gone. Thieves of the future might use sniffing devices when they stand next to a person to detect they had a mobile device and potentially even what kind of device it was, so they could mark their targets. An active case might eventually provide some form of Tempest standards, like blanket around the phone, preventing it from being sniffed electronically, but at the same time allowing the cell signal through. Any type of solution in this area would greatly improve physical security.

A Self-Aware Mobile Device
As computing power increases on the mobile platform, the ability to advanced types of software emerges. Artificial intelligence (AI) could be programmed onto the device to making it aware of whom its owner was and possess the ability to automatically alert or notify when needed. The eHarmony website states they can match you with your mate based on 29 dimensions. AI programming could match you to your device across similar dimensions including things you know, who you are, where you go, what you like, travel patterns, and your physical features, etc. Imagine a Smartphone that senses something is wrong. The phone checks the calendar of the owner and sees the user has a meeting in ten minutes downtown, but currently tracks on the GPS the device is heading out of town to an area the device has never been before. This might be a cause for an alert if verification from the owner is not provided across several of the dimensions. This same device might use its camera to snap a picture of the person holding it and realize the person is holding the device in their left hand, but the phone knows its owner is right handed. A wife can always pick their husband out of a crowd, a dog always knows who its master is and someday your phone will become aware and know who you are.

Recommended Solutions for Today's Mobile Device Security

Currently the best physical security defense available is user training. Teaching users how to utilize their devices, while at the same time protecting it and themselves from both loss and theft, should be the first line of defense in all aspects of security. It doesn't matter if its cyber security, home security, personal security or even corporate security. It all starts with the users. A properly trained user can do more to increase security than millions of dollars of hardware and software. It does not matter how much money is spent on cyber security, it can be defeated by a single untrained user opening the wrong email circumventing layer upon layer of security.

The average mobile device user does not care about security, since they can replace their devices cheaply and quickly and they don't feel the need for security since they haven't experienced a true loss yet. As Smartphone's begin providing capabilities past basic communication, such as replacing their wallet or purse, it will take credit card information theft or identity theft, due to the loss of a device, before users understand the need for the security and the safeguards required. The same mind set exists for corporations as well. Many companies don't want to spend the millions needed to protect their websites until some hacker takes their site down and the company loses customers and money.

Physical security of a mobile device, due to its size and constant use, is never going to be accomplished in an effective manner with the limitations of today's technology or the amount of user training currently provided. We are hopeful that new future technologies may increase our ability to defend a mobile device, but at this time it is like trying to defend the indefensible. The best approach would be to focus on the protection of the data on the device and the recovery of the device after the device is lost or stolen. That is not to say that physical security measures should not be taken, but that focus should shift from loss prevention to intrusion prevention and device recovery. The best approach would be a defense in depth combining training, technology, people, policy and process.

Defense-in-Depth Solution

First Line of Defense (Training, People and Policy) The first line of defense would be to utilize what physical security measures exist starting with user security training. The United States Computer Emergency Response (US-CERT) Security Tip ST04-017 contains some of the best user training and advice for a user. ST04-017 states that a user should keep their device with them at all times, downplay their mobile device by avoiding its use in public areas, and to be aware of their surroundings. These simple and easy steps are the start of a good defense in protecting your device. This may be hard for some users, since their Smartphone is a symbol of their status, and the fact that they have the latest and greatest Smartphone on the market helps define them, but if they wish to secure their device they should learn to downplay its use in public. The government and corporate America do a relatively good job at providing training to users, although the quality of the training may be less than desirable. The average consumer however, does not receive any type of user security training when they purchase a device. User training is also not readily available to them from their carrier. Carriers should provide, in easy to find on-line locations, user training and security tips for all their users. If they offered incentives like discounts or free applications for taking the training they could get greater user participation.

Second Line of Defense (Technology) The second line of defense is to utilize whatever technological physical measures are available. When Bluetooth low energy security fobs hit the market we need to use them, until that time consider utilizing one of the existing Bluetooth security devices. Plan for the battery drain appropriately and alter your charging habits to conform to this increased power drain. The individuals' use of the device should drive their need for physical security of the device. Someone who only uses their phone to make phone calls may not feel the need to have an inefficient Bluetooth fob at this time. If you are one of the masses who use their phone to surf the web and store credit card information then you should probably make the investment into protecting this information.

Third Line of Defense (Technology, Policy and Process) The third line of defense is in securing the device and its information. Valerie Vogel (2012) published ten steps to securing your mobile device. Her steps include enabling auto-lock, enable password protection and require complex passwords, avoid using auto complete features that remember user names and passwords and to enable remote device wipe. If your device does not inherently have these features as part of the Operating System, then load applications that provide these features. There are many mainstream applications such as Norton Mobile Security which provide, in addition to standard antivirus and malware protection, the capability to remotely lock the device, remotely locate the device through GPS, remote wipe of the device, sneak peek of the device to see what the phone currently sees, and sound an audible alarm to help you locate a lost device. Enabling these type of features on your phone in addition to device encryption, which is also built-in on many operating systems, should be one of the first thing done when obtaining or configuring a new device.

Vogel (2012) points out many other steps, such as connecting only to secure Wi-Fi networks and disabling Wi-Fi when not in use are also essential. Along with Vogel (2012) the US-CERT recommends disabling any features that are not currently being used on your phone such as Bluetooth, infrared, etc. Another area of concern is keeping device software updated as pointed out by Vogel (2012) and US-CERT. Most people never give a second thought to updating their computer, but they don't think of their mobile device as a computer, which it really is. Failure to update their device software can leave them vulnerable to known exploits the same as it does on computers.

Similar to computers, we should require multi-factor authentication on our mobile devices as the standard. While many phones provide the capability for voice and face recognition, not all do and it is not standard. At this time, this technology is not very reliable and many users hesitate to use it since it is more annoying than useful. The government and cooperate America provide some technology and capability in this area, but there is nothing for the average consumer and nothing with a relatively cheap price tag to provide this capability. Phone manufacturers can help by including some of this technology on the phone hardware and at an operating system level. Creative programmers can also help by producing applications that use this technology. Another potentially inexpensive new approach would be to use Near Field Communication (NFC) cards to act as the "something you have" portion of multi-factor authentication. You would program the NFC card with an extremely complex password and possibly encrypt it with the public key of your Public Key Infrastructure (PKI) certificate. The NFC card would need to be swiped against the phone to activate it for use as part of the authentication to get into the phone. Biometrics technology for mobile use is growing quickly and when this technology becomes available it should be utilized to round out the mobile device multi-factor authentication.

Fourth Line of Defense (Technology and Policy) The fourth line of defense consists of mobile device recovery and dealing with the loss of data. Identifying the loss as quickly as possible is the top priority in getting the device back. The sooner you know it's gone, the sooner you can take the appropriate actions to secure it. You would start by activating any software you have installed on the phone which will remotely lock or wipe the device. You would also activate remote tracking of the device. Depending upon the outcome of these steps, and if you can locate the device, you may want to seek assistance from the authorities to get it back. If these steps fail, you can notify your carrier that the device has been lost or stolen and they can remotely deactivate the device if they provide that capability. Many people, who just find a phone, would be less likely to try to keep it, if it contains these basic measures and is tracked to their location quickly. They would switch from wanting to keep the device, to accepting a reward for finding the device, since they didn't steal it and came by the device honestly. In the event however, that all efforts fail and the device is never recovered, you will have lost all the information on the device. This information might not have been compromised, but if there was something on the device that wasn't on your computer, it would be lost. Both Vogel (2012) and US-CERT include a measure which advises us to backup the device frequently to ensure against data loss.

Conclusion

The unique nature of mobile devices prevents them from having any degree of effective physical security. Mobile devices are going to get lost and stolen, in high volumes, no matter what types of security measures are taken with the technology and solutions we have at this time. As the lines blur from cell phone to tablet to laptop or desktop, more and more mobile devices will the primary, and in some instances only, device the user owns. While physical security should not be ignored, the primary security emphasis should be focused on device intrusion prevention and information security of the data on the device, followed with strong emphasis on device recovery. A defense in depth approach to mobile device security, while not foolproof, will provide the best security possible at this time.

References

Collins, Terry. (2012, 23 October). Cell Phone Thefts Explode Coast to Coast. NewsFactor. Retrieved from http://www.newsfactor.com/story.xhtml?story_id=11300B432VCQ&full_skip=1
Duerson, Meena H. (2012, 16 August). We’re addicted to our phones: 84% worldwide say they couldn’t go a single day without their mobile device in their hands. NY Daily News. Retrieved from http://www.nydailynews.com/life-style/addicted-phones-84-worldwide-couldn-single-day-mobile-device-hand-article-1.1137811
eHarmony.com (2013, 18 January). From Single to Soul Mate. Retrieved from http://www.eharmony.com
Fogarty, Kevin. (2012, 10 April). Call carriers launch anti-theft effort they could have started in 1996. ITWorld. Retrieved from http://www.itworld.com/mobile-wireless/266674/cell-carriers-launch-anti-theft-effort-they-could-have-started-1996
Jaroslovsky, Rich. (2010, 2 September). Hand On Help for Lost CellPhones. BusinessWeek. Retrieved from http://www.businessweek.com/magazine/content/10_37/b4194075902008.htm
United States Computer Emergency Readiness Team Security Tip (ST04-017), Protecting Portable Devices: Physical Security, December 2011. Retrieved from http://www.us-cert.gov/cas/tips/ST04-017.html
Vogel, Valerie. (2012, 21 December). Mobile Device Security. Internet2 Wiki. Retrieved from https://wiki.internet2.edu/confluence/display/itsg2/Mobile+Device+Security
Ward-Foxton, Sally. (2011, 15 August). Bluetooth Proximity Fob Prototype Eyes Low-Energy Apps, Electronic Design. Retrieved from http://electronicdesign.com/print/communications/Bluetooth-Proximity-Fob-Prototype-Eyes-Low-Energy-Apps
Yu, Roger. (2012, 23 March). Lost cellphones added up fast in 2011. USA Today. Retrieved from http://usatoday30.usatoday.com/tech/news/story/2012-03-22/lost-phones/53707448/1

Related Reading

Mobile Device Security: What Are You Trying to Protect?

The BYOD Revolution

Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World

About the Author

Patrick W. Mooney II is Security Technical Advisor / Senior Product Architect at Tech Mahindra. Guidance and editorial comment provided by Dr. Jim Chen, National Defense University. Correspondence concerning this article should be addressed to Patrick Mooney, 1052 Ridgewood Farms Rd, Farmington, MO 63630. Contact: usma89@i1.net.


 
Subscribe to
Information Security Today







© Copyright 2013 Auerbach Publications