Mobile Security – The Gathering Storm



Security. The guy in the red shirt who always beams down with the Enterprise landing party, but never beams up again.

And seriously, who cares?

Ever since Captain Kirk whipped it out and flipped it open, in every episode of the original 60s Star Trek series, the mobile phone has been a symbol of freedom.

No programs, no IT department, just free love forever… And no security! There was no need for it, no data on a phone, no passwords, no access to the corporate network. In those bygone days, not fussing with security may have been the best part of having a mobile phone.

Has anyone ever found security attractive? It doesn’t make the developer rich or famous. It doesn’t make the user more elegant and beautiful (I’m looking at you, cow-eyed Apple consumer, you know that free love is still blind), or more productive (if you’re not fortunate enough to buy a smart phone to just accessorize).  If Ensign Ricky is not coming back with the landing party, well — who cares! We all lived innocent in a Garden where love was free and forever, where every feeling and opportunity could be shared instantly, gratified as soon as our bodies caught up to our signals, sending each other photos and sexts, not even aware of our nakedness. There was only one restriction. Thou Shalt Not Eat of the Tree in the Center of the Garden, the Tree of Intelligence.  Every garden has a serpent, and when that shiny Apple was held up for the first time, who among us stood up and said “Guys wait! What about security?”

Now your innocence is jailbroken, and your phone is a little computer: as complex, vulnerable, and leveraged into every part of your life as your Old World desktop, in many ways more so! And it’s getting worse with every generation. These are early days of course; no one knows the full extent of the problem, but one thing is abundantly clear already: innocence and freedom are the price of Intelligence.

A large part of security’s unapproachable aura is an economic dynamic that is the inverse (some would say, the perverse) of the way we normally think of profit in a market economy. Whereas most of us try to buy and sell a feature that is going to make us glad, security’s dubious temptations promise only to spare us from being sad. Most party people don’t get that and don’t want to think about it much, but it’s actually simple:

1. You have something others want.
2. Someone steals it from you.
3. You are sad, and want to be compensated.
4. You pay the insurance company a stiff premium to cover the rest of your stuff, but
5. Nothing else gets stolen, so you just keep paying a lot and get nothing for it, and you’re sad again. What up, yo!

Security comes in here, because your insurance company will drastically reduce your premiums if you invest in an accredited security program. That’s how everyone gets paid for something nobody wants. The take-home is that, if you don’t know how the security works, you are increasing your risk from both ends: you may have neither your insurance right nor your (data) stuff safe.

Having fun so far? Don’t worry, it gets much more depressing. For example, did you think that leaving it to the experts is safe? Not if those “experts” are the big organizations that inspire a false sense of safety in most ordinary users. One of the biggest known losses of data of the last decade was the UK government’s mishandling of 25 million nationals’ bank account details, national insurance numbers, birth dates, and anything else a criminal would need to steal someone’s identity. It resulted in the resignation of the head of the agency that lost the data (that’s your consolation if you lost your identity, all your life savings, etc.), and to this day nobody knows where the data ended up.

If the PC industry is any indication of what is coming to the smartphone market, government agencies, Fortune 500 corporations, and local banks offer no refuge for the very substance of your modern existence, your personal data. Despite all the hi-tech differentiators that define your modern, smartphone-bearing life, you are no less alone and unprotected in a predatory wilderness than your paleo ancestors; your digital identity is just so many financial calories to any tech-savvy carnivore who happens to see it exposed.

Scared? Good. There is no more explicit, or potentially more tragic, example of burying your head in the sand than ignoring mobile security. Over time you will be carrying more and more of your life in your phone holster, and more and more people will be after it. Your only defense is your knowledge.

So where do you begin? We decided to speak with Jacob Greenblatt, Chief Strategist at Discretix. Drawing on a background of delivering general security solutions for everything from mobile phones to portable storage devices, the Discretix mobile security product suite is currently protecting millions of handsets, flash memory cards, drives, and smartphones around the world.

Discretix Cryptocell security platform

The Discretix suite is broad, attacking the potentially vast mobile security challenge on multiple fronts. Embedded engines do the heavy lifting: time-tested encryption and key-exchange protocols. Newer approaches concentrate fire on some of the more ephemeral features and opportunities specific to mobile: software images and versioning, boot protocols, disk integrity, and ensuring that the flash memory devices used for both storage and user authentication are safe from hackers and thieves.

Smartphones of the iPhone and Android classes deploy the security engine via the CPU, and it also ships on USB and flash drives (SanDisk, SE, Motorola…). Discretix provides the security infrastructure and encryption engine: the core security competencies required to encrypt a disk, wipe the data, or reset a device.

According to the company, any smartphone’s potential downfall is also its chief strength: the ability to download what you want, when you want it, and have it run on your phone. Everyone knows that’s how the bad guys get in to get your stuff.

But other dangers are not as immediately obvious. If that phone is, for example, a BlackBerry packing a full list of customers’ email addresses and private information, and it is simply misplaced, then it needs a security solution that can wipe the device remotely, kill the device, or retrieve it.

A remote wipe can be built on a number of different mechanisms. The basic idea Discretix describes is very simple: the phone continuously receives a certain repeated message. If that message is not received for a defined period, the phone is required to execute a protocol. So I report my phone lost; immediately the repeating message stops, and the phone responds by wiping its disk and shutting down. In the case of an unconnected device like a flash card, as soon as that device connects to any phone, the protocol should wipe the device immediately.

Two caveats follow directly from that design. A phone that wipes on silence also wipes itself after a long enough stretch with no signal (a flight, a tunnel), so the defined period has to be chosen with that false positive in mind. And a flash card that only learns it has been reported lost when it is plugged into a phone will happily give up its contents to a thief using a plain card reader, which is why the data on it must be encrypted at rest as well.

But here a subtlety lurks: someone could cloak a message to wipe out someone else’s device, or forge the keep-alive to stop a stolen phone from wiping itself. The mechanism embedded in the chipset would need to differentiate faultlessly between a message from its own operational owner and one from a foreign party that should not be talking to this phone, not unlike a mammalian immune system. In practice that means the repeated message is authenticated with a key held in the device, bound to that device’s identity, and numbered so that an old copy cannot be replayed.

Further dimensions open when you provide a security infrastructure that offers the software vendor hooks to take advantage of your offerings, thereby providing more robust performance and a more uniform standard.
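To make the heartbeat-driven wipe and the “immune system” check concrete, here is a small Python simulation added for this article; it is not Discretix’s code and the company described no such implementation. It assumes a per-device secret shared between the phone and the server, HMAC-SHA256 over a message of the form kind || 16-byte device id || 8-byte sequence number, a grace period of 60 time units, and a constructed two-entry customer list standing in for the data on the phone. The device side wipes when the authentic heartbeat goes silent, or when it receives an authentic wipe order addressed to it, and rejects forged, replayed, or foreign messages.

```python
"""Dead-man's-switch remote wipe with authenticated heartbeats (illustrative, not Discretix code)."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32          # HMAC-SHA256 output length
HEARTBEAT = b"HB"     # "still yours, stay alive"
WIPE = b"WP"          # explicit "wipe now" order (assumed message kind)


def _sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def make_message(kind: bytes, device_id: bytes, key: bytes, seq: int) -> bytes:
    """Server side: kind || device_id (16 bytes) || seq (8 bytes, big-endian) || HMAC."""
    assert kind in (HEARTBEAT, WIPE) and len(device_id) == 16
    body = kind + device_id + struct.pack(">Q", seq)
    return body + _sign(key, body)


class DeviceGuard:
    """Simulated on-device agent holding a per-device key (in a real design, in the chipset)."""

    def __init__(self, device_id: bytes, key: bytes, grace_period: int, now: int):
        self.device_id = device_id
        self.key = key
        self.grace_period = grace_period
        self.last_seq = -1          # highest sequence number accepted so far
        self.last_valid = now       # time of the last authentic heartbeat
        self.wiped = False
        # Constructed sample payload standing in for the customer list on the phone.
        self.storage = {"customers": ["alice@example.com", "bob@example.com"]}

    def _verify(self, msg: bytes):
        """Return (kind, seq) if msg is authentic, fresh and addressed to us, else None."""
        if len(msg) != 2 + 16 + 8 + TAG_LEN:
            return None
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(_sign(self.key, body), tag):
            return None                       # forged, or signed with another device's key
        kind, dev, seq = body[:2], body[2:18], struct.unpack(">Q", body[18:])[0]
        if dev != self.device_id:
            return None                       # order for somebody else's device
        if seq <= self.last_seq:
            return None                       # replayed (stale) message
        return kind, seq

    def receive(self, msg: bytes, now: int) -> str:
        parsed = self._verify(msg)
        if parsed is None:
            return "rejected"
        kind, seq = parsed
        self.last_seq = seq
        if kind == WIPE:
            self.wipe()
            return "wiped"
        self.last_valid = now
        return "alive"

    def tick(self, now: int) -> bool:
        """Called periodically by the device; wipe if the heartbeat has been silent too long."""
        if not self.wiped and now - self.last_valid > self.grace_period:
            self.wipe()
        return self.wiped

    def wipe(self) -> None:
        self.storage.clear()
        self.wiped = True


def scenario() -> dict:
    """Walk through the cases in the text; every value in the returned dict should be True."""
    device_id, key = os.urandom(16), os.urandom(32)
    results = {}

    # 1. Heartbeats keep arriving every 30 units: the phone stays alive well past one grace period.
    guard = DeviceGuard(device_id, key, grace_period=60, now=0)
    for t in range(1, 300, 30):
        guard.receive(make_message(HEARTBEAT, device_id, key, seq=t), now=t)
    results["alive_with_heartbeats"] = not guard.tick(now=300)

    # 2. Owner reports the phone lost: the server falls silent, the phone wipes itself.
    results["wiped_after_silence"] = guard.tick(now=361) and guard.storage == {}

    # 3. A thief who captured an old heartbeat cannot replay it to keep a stolen phone alive,
    #    and cannot forge a fresh one without the key.
    guard2 = DeviceGuard(device_id, key, grace_period=60, now=0)
    captured = make_message(HEARTBEAT, device_id, key, seq=5)
    guard2.receive(captured, now=5)
    results["replay_rejected"] = guard2.receive(captured, now=40) == "rejected"
    forged = make_message(HEARTBEAT, device_id, os.urandom(32), seq=6)
    results["forgery_rejected"] = guard2.receive(forged, now=41) == "rejected"

    # 4. An authentic wipe order for a *different* device must not touch this one;
    #    one addressed to us is honoured.
    foreign = make_message(WIPE, os.urandom(16), key, seq=7)
    results["foreign_wipe_rejected"] = guard2.receive(foreign, now=42) == "rejected"
    own = make_message(WIPE, device_id, key, seq=8)
    results["own_wipe_honoured"] = guard2.receive(own, now=43) == "wiped" and guard2.storage == {}
    return results
```

The sequence number does double duty: it stops a replayed heartbeat from keeping a stolen phone alive, and it stops a replayed wipe order from being fired twice. Binding the device id into the signed body is what makes the foreign-wipe case fail even when two devices happen to share a key; in a real deployment every device should of course have its own. The design still has the weakness noted above: anyone who can merely block the heartbeat (jamming, or leaving the phone in a drawer with no signal) can trigger the wipe, so the grace period is a trade-off between availability and how long a thief gets.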

Discretix multi-scheme content protection

According to Discretix, the target is not only moving; the problem is growing at least as fast as the mobile market itself. Smartphones are by no means satisfied with mere phone status, or even with just being smart. At the recent MWC, Discretix saw chipsets able to drive HD movies on a large screen from a mobile phone, new form factors like book readers, and numerous iPad-like species of tablet computer. The handsets are also becoming more actively involved in delivering and projecting content.

“Traditionally content has been concentrated on large devices like televisions and movie theatres. That content is migrating to a mobile form, in different formats and combinations; as that content migrates to the mobile device, the mobile security solutions required to protect that content are likely to increase. We expect the mobile security market (MSM) to display continued fast growth. What was a desktop device last year is now a mobile connected device today; netbooks, tablets, ebook readers are all connected devices, all running open OSes; many allow you to download apps and are used for delivering some type of content to the end user, and that requires more solutions,” Jacob Greenblatt told Mobile in a telephone interview.

Mobile Security industry is about to go through a major overhaul.

“According to our initial estimates we see the MSM at 100-150 million globally today; we expect the market to more than quadruple and approach 800 million by 2013. Internal company forecasts see an increasing number of mobile content subscribers: approximately 500-600 million subscribers will be accessing mobile content via the internet by 2013.

Companies like ours have watched the market develop and we’ve seen an uncharacteristically large increase in content to mobile devices. I’m not talking about games, Tetris or things like that: 40% of subs by 2013 will be using a smartphone in one form or another,” added Greenblatt.

Discretix expects mobile business security to be catalyzed by a few high-profile incidents that will escalate and catapult industry awareness and priority. The immediate response will include mandatory encryption and other security standards subject to regulatory compliance. A mobile phone/internet device can increase enterprise productivity, but the downside and risk must be taken into consideration. In dollar figures, RIM’s recent acquisition of Certicom weighed in at roughly $100 million, so this downside is not trivial.

The current iPhone 4 (the fourth-generation handset) displays the industry’s classic “borrow from the future” approach to security: rush the most desirable features out to market first, and leave security woefully inadequate in the current release. Discretix views the current state as sufficient for what the iPhone is currently used for, but nevertheless a soft target until Apple invests the resources needed to tighten it up to enterprise standards.

Who is making the most secure smartphones today?

Discretix seems most impressed with a few offerings, like the NSA-grade handset made by General Dynamics. Nokia has traditionally invested heavily in security, but probably the vendor that has invested the most is RIM. They have had encryption since day one, their solutions sit behind a firewall, and their enterprise offering is great. Since the Certicom acquisition they are able to target the NSA market as well.

Special feature by Lance Hanlen with contributions by Fabrizio Pilato