Top 5 tips to mitigate phone and IoT device hacking in government and enterprise
There is a growing need for cybersecurity tools to be more effective and for their coverage to extend beyond older infrastructure to mobile and Internet of Things (IoT) devices. Some of the vendors filling that need will be well-known veterans of the personal computer and data center era; others will be startups springing up to cover gaps in the market. A recent Gartner report quantifies the growing threat to mobile devices: “by 2019, mobile malware will amount to one-third of total malware reported in standard tests, up from 7.5% today”.
Architecturally, many IoT devices are similar to mobile devices, but their lack of screens, alerts and regular updates can leave them out of sight and out of mind despite their huge and growing numbers. Typically, Information Technology (IT) is well budgeted and visible in organizations, while the Operational Technology (OT) that “runs the plumbing” with IoT devices is neither. The Target breach is often assumed to have begun in IT systems, but the attackers' way in was OT: network credentials stolen from the retailer's Heating, Ventilation and Air Conditioning (HVAC) contractor were the “weak link” in security.
Our top 5 tips to mitigate phone and IoT device hacking range from hardware, to management, to threat detection, to people and processes. They are not simply a restatement of the well-known items found in Gartner reports or in the quarterly updates of the leading professional services vendors and carriers; instead they focus on gaps in the market and new market entrants, skating to where the puck is headed rather than where it has been.
Right tools for the job
Legacy cybersecurity tools such as Anti-Virus (AV), firewalls, Intrusion Detection Systems (IDS) and a plethora of incident response systems were developed and deployed for the PCs, wired networks and data centers of the 1990s onwards.
Massive recent data breaches such as Yahoo, Equifax, OPM and even buttoned-down intelligence agencies underline how attackers have evolved to bypass legacy tools, or at least to exploit gaps in their coverage.
In general, older tools are less successful at closing stable doors (i.e. delivering risk mitigation or avoidance) than at detecting and analyzing how the horses bolted (i.e. facilitating risk acceptance or transference). Many vendors quietly admit that they cannot offer protection against so-called “zero day” attacks: their protection covers only the types of attack that have been seen before.
A key question to ask is: among vendors, who is stopping attacks and who is simply detailing them for after-action reports? Which tools are static like a “hammer”, changing little over the years, and which are constantly evolving their capabilities?
The best tools are effective against a wide range of attacks, constantly add capabilities, and are easy to use, automate and operationalize, with light infrastructure and personnel requirements. The worst are the opposite: difficult to use, relatively static, narrow in scope, and burdened with challenging setup and ongoing costs, in both compute and personnel, that stem from their complexity and cryptic output.
Mobile and IoT device attacks
The last fortnight saw reports of phone hacking of NATO soldiers and of the White House Chief of Staff, highlighting vulnerabilities in a newer generation of IT infrastructure: mobile devices, wireless communications and cloud back-ends. The Dyn attack that took down a chunk of the Internet last year came from a botnet of simple IoT devices (Mirai). IoT devices were once air-gapped but are now commonly connected to the Internet 24x7x365.
Potential harms more than just data loss
The harms associated with attacks on mobile and IoT devices can extend beyond data breaches to ransomware, Distributed Denial of Service (DDoS), physical damage, injury, death and disruption of critical national infrastructure. Those suffering one of these new types of harm are unlikely to be fobbed off with a year of credit monitoring to make them whole.
The poster child for these new targets is the connected and automated vehicle. While fully automated vehicles (SAE Level 5) may be two or three years out, many of the cars and trucks on the road today feature computer control for predictive cruise, overtaking, parking and other Advanced Driver Assistance System (ADAS) roles. Vehicles are connected directly to the Internet, or indirectly via mobile devices.
Researchers Charlie Miller and Chris Valasek showed in 2015 how such a vehicle could be controlled remotely over its cellular connection. That demonstration prompted a 1.4 million vehicle recall, the first automotive cybersecurity recall in history. The news reports opened the floodgates for fast followers: vulnerabilities were then shown in commercial trucks, police cruisers and right across OEM brands and tier 1 suppliers, underlining a sector-wide concern and generating thousands of articles. Car thieves have been some of the fastest to exploit such weaknesses.
Unsecured supply chains
The modern car, much like electric grid components, healthcare devices and smartphones, is also a good example of a complicating factor in mobile and IoT cybersecurity. Over 80% of the parts in a modern vehicle come from tier 1, 2 or 3 suppliers around the world. A modern car has up to 100,000,000 lines of code spread across up to 100 Electronic Control Units (ECUs), more than are present in the world's most sophisticated fighter jets.
The vast majority of cybersecurity tools offer little or no protection where malware has been baked into third-party executables, frameworks, middleware, libraries, hypervisors, containers, operating systems, firmware, boot loaders, boards, or the processing, memory or storage components themselves. Malicious components have even found their way into the supply chains of missile systems, where literal armies of warfighters and contractors had the mission of keeping them out.
Return oriented programming attacks
Return Oriented Programming (ROP) attacks repurpose code that is already in a system as the attack itself. Instead of injecting new code, the attacker overwrites a saved return address (typically through a memory corruption bug) with a chain of addresses, each pointing at a short existing instruction sequence that ends in a return, so that the program's own code is executed out of order as a hacking script. By careful “jumping” and “returning”, the text of “The Hunt for Red October” could be rearranged to read as “Hamlet”. Many vendors offer no protection against it, or incorrectly assume that legacy measures such as static or dynamic analysis (SAST/DAST), Address Space Layout Randomization (ASLR) and non-executable memory (the NX or DEP flag) are on their own effective defenses for binaries. ROP was devised precisely to bypass non-executable memory, since it executes nothing but existing code, and ASLR is undone by a single leaked address.
Looking past “shiny padlock” solutions
Cybersecurity has an asymmetry of economics: defenders must defend everything, but attackers need find just one way in. If a mobile or IoT device consists of a stack of hardware, firmware, OS, apps, communications and cloud, then all of them need to be protected “end to end”. Security is not just the latest technology; it also includes people and processes, including suppliers, the aftermarket and partners.
If we picture security as a chain with a big shiny padlock in the middle, the whole is only as strong as the weakest of its links. The padlock is often a highly publicized peak, or set of peaks, on the Gartner Hype Cycle: Blockchain, encryption, Multi-factor Authentication (MFA), Intrusion Detection Systems (IDS), Artificial Intelligence (AI), Machine Learning (ML), Enterprise Mobility Management (EMM) or Mobile Threat Defense (MTD). That shiny padlock may be strong in its own right, but if one of the other links is by comparison just a shoelace, then it is that shoelace that defines the security posture of the whole system.
There is an analogous situation in the physical world. If the front door is strong, with a good commercial-grade lock and plenty of “curb appeal”, then burglars look for a window to open or break, a duplicate key hidden nearby, or one left with neighbors who might fall for a bit of social engineering.
1 Hardware and devices
Apple and Samsung have been the most prominent in meeting government and enterprise security requirements for devices, from the baseline of National Information Assurance Partnership (NIAP) certification, to secure boot, through to enterprise configuration tools such as Apple's Device Enrollment Program (DEP), Samsung Knox Configure and Tachyon.
Outside of government-certified configurations, device cybersecurity can be questionable. Many engineering teams can deploy, at least briefly, a secure configuration for, say, a specific Android, Wi-Fi or carrier combination, but then struggle to keep that golden image and its associated apps, communications and cloud back-end current.
Kryptowire last year identified several models of Android mobile devices whose firmware contained malware that collected sensitive personal data about their users and transmitted it to third-party servers. Such built-in malware is not easy to detect, since cybersecurity tools typically run from user space and rely on trusting the device itself, which may be compromised. Only Kaprica's Skorpion, launched several years ago, was able to verify devices externally, using a detection engine built into a micro-USB connected battery charger. Obviously, it is not always possible to have a device checker for every device.
Many organizations are acutely sensitive to USB stick usage but ignore the potential dangers of other types of rogue hardware such as chargers, Wi-Fi access points, keyboards, mice and even monitors. Sepio's behavior-detection software automatically detects rogue hardware connected to a network in the general case and mitigates its use.
Even legacy hardware can be improved without having to be reconfigured or sunsetted. For example, Packet Viper sits outside existing firewalls, reducing traffic, logging and alert-handling costs, protecting systems from flooding and DDoS attacks, and mitigating risks from bots and proxies while speeding threat detection.
Dark Cubed approaches the problem differently. It focuses on ease of use and operationalization for threat detection, sidestepping the costs and complexities of traditional systems that confine their effective use to the largest, best-staffed and best-budgeted organizations, so that companies of all sizes can benefit from analytics and threat detection techniques previously available only to large enterprises.
2 Enterprise Mobility Management (EMM)
EMM products (previously known as Mobile Device Management, or MDM) such as MobileIron, BlackBerry/Good and IBM MaaS360 do a good job of maintaining specific configurations of whitelisted apps, major settings and data on the devices where they are present. However, they may not be installed on Bring Your Own Devices (BYOD), and in any case their focus is management rather than cybersecurity. Along with Apple's DEP, Samsung Knox Configure and Tachyon, they are most useful in setting up and maintaining a baseline environment. EMM tools have a long history and some are reviewed in Gartner's well-known Magic Quadrant.
3 Mobile Threat Defenses (MTD)
A newer generation of commercial tools marketed as MTD, including SecureNow, Mi3, Zimperium and Lookout, focuses on cybersecurity that extends protection beyond what is possible with EMM. However, that coverage is limited to what an app running in user space can observe, for example app and network behavior.
Some of these tools are reviewed in Gartner's Market Guide for Mobile Threat Defense Solutions. The latest and potentially most interesting development in this area is Apcerto, which offers a risk-based framework built on the NIAP standard against which to test such tools, beyond comparing marketing collateral or setting up a bake-off whose effectiveness relies on access to a comprehensive set of test data and deep expertise.
4 People
Perhaps the biggest bang per buck in cybersecurity risk mitigation and prevention is end user training. Cisco, for example, launches phishing attacks against its own staff as a training exercise. Shevirah's Dagah tools can simulate a myriad of cyberattacks, which can be launched for awareness training. Which employees do not realize that they can be phished via Bluetooth, SMS or WhatsApp? Which IoT devices can be taken over? How many folks will scan a QR code for a free dessert in the break room?
There are also specific trainings and qualifications around mobile devices. For example, the Certified Mobile Device Security Professional (CMDSP) covers mobile operating systems including Apple's iOS, Microsoft's Windows and Google's Android.
Threats can also come from insiders. InLitics applies Neuro Analytics (NA), a cognitive computing profile, to the neglected people side of cybersecurity protection. NA extracts thought processes to identify cognitive fingerprints and ultimately the persona(s); its results are interlaced with other human disciplines to further interrogate the metadata and determine expected future behaviors. For example, in an automated car, NA can tell who is at the wheel: each driver has a unique cognitive fingerprint when they drive, and the system can be designed to recognize those patterns.
5 Process
Process begins with a methodology, whether a simple checklist approach like the Center for Internet Security (CIS) Controls or a more thorough, risk-based framework like NIST's Cybersecurity Framework (CSF). In the Software Development Life Cycle (SDLC), the most neglected areas are typically unit, integration and acceptance testing, especially for updates and upgrades.
There can be immense pressure to add features and functions and ship, with end users as beta testers and a reliance on bounty programs administered through platforms like HackerOne or Bugcrowd to engage white-hat hackers. Perhaps the worst case is where security executives and trade groups focus less on solving underlying issues than on marketing reassurance to investors, lawmakers and customers.
More red teaming and pen testing is needed to supplement in-house testing. The secret is not more and more employees and contractors but better leveraging the people already in place with more effective tools and automation. Tools such as Shevirah's can automate pen testing. Tools such as CyVision's Cauldron can automate the visualization and modeling of cybersecurity assessments, allowing the highest-priority threats to be identified and remediated first.
A well-known weak spot in the mobile and IoT ecosystem is the vetting of the software that goes into the devices. Legacy tools fall into two categories, external and internal. External tools include AV, firewalls and IDS. Traditional internal tools are built into the code through a Secure SDLC (SSDLC), featuring approaches like secure coding (or re-coding) practices, secure libraries, instrumentation and layers of SAST and DAST inspection.
The challenges of external tools are numerous, from being bypassable to their need for additional resources and monitoring personnel. Internal tools are best applied in new builds or re-engineering where time, budgets and resources permit, but even there they cannot cover all vulnerabilities, especially not those exploited by ROP attacks or introduced by a compromised supply chain. The vast majority of developers do not have access to source code end to end. Instead, they focus on the roughly 20% of the code that their group or company controls, which does nothing to prevent vulnerabilities in the 80% that comes from the supply chain.
A new approach takes a third path. RunSafe Security is an example of Runtime Application Self-Protection (RASP). It was developed with DARPA specifically to address the challenge of hardening the millions of lines of legacy code in DoD IoT devices, from military vehicles to drones and medical devices. It works automatically on binaries, protecting against memory corruption and ROP attacks, including those that target flaws in code that arrived through the supply chain. Perhaps its greatest innovation is ease of use and operationalization with existing code.
RunSafe is simply a one-time transformation of binaries applied as part of the deployment or update process, much like compressing or archiving files on Mac, Linux or Windows. Were RunSafe applied to the distribution of a document reader, say version 17.01, every copy would have the same 17.01 functionality but a memory layout unique to that copy, so an exploit built against one copy does not work against the next, destroying attackers' economies of scale.
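As an added illustration of both the ROP attack described under “Return oriented programming attacks” and the per-copy transformation described above, the following C program was written for this page; it is not RunSafe's code and says nothing about RunSafe's internals. It models a toy stack machine whose “program” is five two-word blocks that each end in a return, the way real gadgets do. The program's intended job is to store x + y in slot 0. An attacker who has a copy of the stock binary writes a chain of return addresses that reuses three of those blocks out of order to write 0xDEAD into slot 7, a value and a slot the program never touches; nothing new is injected, so non-executable memory would not help. The per-copy transform is modeled as a block rotation selected by `rot` (a stand-in for a randomized permutation; this is an assumption of the example, not a description of any product). The program resolves its own call targets through the layout table, so it works in every build, while the chain hardcoded against the stock layout faults on the relocated one. The machine, its instruction set, the slot numbers and the values are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy machine constructed for this example: one-word instructions, an attacker-writable
 * stack, two registers and a small data memory. */
enum Op { OP_POP_A, OP_POP_B, OP_ADD, OP_STORE, OP_RET, OP_HALT };
enum Block { B_POP_A, B_POP_B, B_ADD, B_STORE, B_EXIT, NBLOCKS };
enum { BLOCK_LEN = 2, CODE_SIZE = NBLOCKS * BLOCK_LEN, DATA_SIZE = 16,
       STACK_MAX = 32, MAX_STEPS = 64, AUTH_SLOT = 7, EVIL_VALUE = 0xDEAD };
/* The program's code, seen as gadgets: short sequences that each end in a return. */
static const uint8_t BLOCK_BODY[NBLOCKS][BLOCK_LEN] = {
    { OP_POP_A, OP_RET  },   /* pop a; ret       */
    { OP_POP_B, OP_RET  },   /* pop b; ret       */
    { OP_ADD,   OP_RET  },   /* a = a + b; ret   */
    { OP_STORE, OP_RET  },   /* data[b] = a; ret */
    { OP_HALT,  OP_HALT },   /* program exit     */
};

typedef struct {
    uint8_t  code[CODE_SIZE];
    uint32_t layout[NBLOCKS];   /* address of each block in this particular build */
    uint32_t data[DATA_SIZE], stack[STACK_MAX], a, b;
    int      sp, nstack;        /* sp indexes the next stack word to pop */
} Machine;
/* Build an image. rot = 0 is the stock layout all copies share; rot != 0 stands in for a
 * per-copy transform that reorders blocks without changing behaviour (a real tool would use a CSPRNG). */
static void build(Machine *m, int rot)
{
    memset(m, 0, sizeof *m);
    for (int blk = 0; blk < NBLOCKS; blk++) {
        m->layout[blk] = (uint32_t)(((blk + rot) % NBLOCKS) * BLOCK_LEN);
        memcpy(&m->code[m->layout[blk]], BLOCK_BODY[blk], BLOCK_LEN);
    }
}

static int pop(Machine *m, uint32_t *out)   /* -1 on stack underflow */
{
    if (m->sp >= m->nstack) return -1;
    *out = m->stack[m->sp++];
    return 0;
}
/* Load the stack and start at the address on top of it, as a CPU does after a function
 * returns through an overwritten return address. 0 = clean HALT, -1 = fault. */
static int run(Machine *m, const uint32_t *words, int n)
{
    uint32_t pc;
    memcpy(m->stack, words, (size_t)n * sizeof *words);
    m->nstack = n; m->sp = 0;
    if (pop(m, &pc)) return -1;
    for (int steps = 0; steps < MAX_STEPS; steps++) {
        if (pc >= CODE_SIZE) return -1;                    /* jumped outside the code */
        switch (m->code[pc]) {
        case OP_POP_A: if (pop(m, &m->a)) return -1; pc++; break;
        case OP_POP_B: if (pop(m, &m->b)) return -1; pc++; break;
        case OP_ADD:   m->a += m->b; pc++; break;
        case OP_STORE: if (m->b >= DATA_SIZE) return -1;
                       m->data[m->b] = m->a; pc++; break;
        case OP_RET:   if (pop(m, &pc)) return -1; break;    /* next "return address" */
        case OP_HALT:  return 0;
        default:       return -1;
        }
    }
    return -1;                                             /* runaway */
}
/* Intended behaviour: data[0] = x + y. Call targets come from the build's own layout table (as a
 * loader would resolve them), so it works in every build. Returns the sum, or UINT32_MAX on a fault. */
static uint32_t legit_result(int rot, uint32_t x, uint32_t y)
{
    Machine m;
    build(&m, rot);
    uint32_t frames[] = { m.layout[B_POP_A], x, m.layout[B_POP_B], y, m.layout[B_ADD],
                          m.layout[B_POP_B], 0, m.layout[B_STORE], m.layout[B_EXIT] };
    if (run(&m, frames, (int)(sizeof frames / sizeof frames[0]))) return UINT32_MAX;
    return m.data[0];
}

/* A ROP chain written against the stock layout: three of the same gadgets, called out of
 * the program's order, write 0xDEAD into slot 7, which the program never touches. */
static const uint32_t ROP_CHAIN[] = {
    B_POP_A * BLOCK_LEN, EVIL_VALUE, B_POP_B * BLOCK_LEN, AUTH_SLOT,
    B_STORE * BLOCK_LEN, B_EXIT * BLOCK_LEN,   /* then exit cleanly so nothing looks amiss */
};
/* 1 if the attacker's write landed on a build with this layout, else 0. */
static int attack_succeeds(int rot)
{
    Machine m;
    build(&m, rot);
    (void)run(&m, ROP_CHAIN, (int)(sizeof ROP_CHAIN / sizeof ROP_CHAIN[0]));
    return m.data[AUTH_SLOT] == EVIL_VALUE;
}

int main(void)
{
    printf("x + y, stock / relocated build: %u / %u\n",
           (unsigned)legit_result(0, 40, 2), (unsigned)legit_result(2, 40, 2));
    printf("ROP chain vs stock / relocated build: %s / %s\n",
           attack_succeeds(0) ? "succeeds" : "fails", attack_succeeds(2) ? "succeeds" : "fails");
}
```

Compile with `cc -std=c99 rop_toy.c && ./a.out` (the filename is assumed); the legitimate computation prints 42 in both builds, and the chain prints “succeeds / fails”. Note what this does and does not show: diversification breaks a chain that depends on known addresses, in the same way that a leaked address defeats ASLR in the other direction. It does not remove the memory corruption bug that let the attacker write the stack in the first place, and an attacker who can read the relocated copy's memory can rebuild the chain for that copy.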
A comparable emphasis on ease of use is found at Virgil Security, which provides cryptographic software building blocks that let developers add security features (including password-less authentication, encryption, and cryptographic verification of data, devices and identities) to their products. Again, Virgil's greatest innovation is the ease of use and operationalization of its tools.
Following points 1 to 5 will mitigate phone and IoT device hacking. There is no magic bullet or shiny one-size-secures-all padlock. A comprehensive solution will layer defenses from many vendors, with a practical approach that does not assume unlimited time, budget and resources for IT and OT but is risk-based and emphasizes effectiveness and automation.
Deployment and updating of devices will, at best, include RASP, signing and encryption on secure devices, with EMM, MTD or their equivalents, and with people and process factors such as Information Sharing and Analysis Centers (ISACs) given equal weight.
About the author
Simon is an industry recognized expert in cybersecurity, mobility and IoT, co-founder of Washington D.C. based cybersecurity startup RunSafe Security. He is a member of the Society of Automotive Engineers (SAE) IoT Cybersecurity Committee and a contributing author of their new book “Cybersecurity for Commercial Vehicles". RunSafe was developed as part of DARPA’s program of cybersecurity for military vehicles, drones and medical devices. Simon also worked with Apple and Samsung in hardening their mobile devices for DoD and government use.
Previously, he was VP of Sales at Kaprica Security (acquired by Samsung), Mobile Program Director at DMI, a market leader in enterprise managed mobility, and Director of Sales at Thursby Software, a market leader in strong iPhone security. Prior executive sales and management roles in the US and Europe include Red Hat, HP, Capgemini, a $9B hedge fund and a $50MM dot com, with a background in nuclear software engineering. He holds a BS in Physics from the University of Manchester, England, an MS in Law & Cybersecurity from the University of Maryland Carey School of Law, and the CISSP, CEH and CIPP/US cybersecurity and privacy certifications.