FTC’s Mobile Security Updates and Recommendations on Mobile Device Security -- Perspectives Regarding Network Security
Post originally published on TechZone360.com
On February 28, 2018 the Federal Trade Commission (FTC) issued a report on security of Mobile Devices. The report focused on patch updates and their policies; risks for the complex ecosystem and recommendations for improved security. The 136 page report can be found on the FTC.gov website.
A press release accompanied the report calls for more education for security of mobile devices. In the release, Acting Director of the FTC’s Bureau of Consumer Protection, Tom Pahl points to “significant differences in how the industry deploys security” and “that more needs to be done.”
The following is a high-level summary and commentary on this issue. In Teneo’s opinion, the lessons learned from this report applies to any wireless enabled device; consumer “smart” phones, corporate owned devices, Internet of Things (IoT), watches, glasses and tablets.
Diverse Ecosystem with Complex and Inconsistent Security
Although the bulk of the mobile devices are manufactured by eight global companies, there are a staggering amount of variations by platform, brand and carrier. All of these devices can be operating customizable operating systems with little or no version control.
The FTC report points out “consumers can choose from thousands of different device-service combinations at a wide variety of price points.” However, these options come at the cost of security. “Operating system customization at the device level can prevent uniform security patch application, increase the time and cost to develop, test, and deploy security updates, and may lead to shorter update support periods and less frequent updates.”
Uncertain Security Updates
With such a complex ecosystem, security patches and updates are difficult to verify and control. The current environment relies on several stakeholders to be successful in performing their role; Developers, Manufacturers, Carriers and Device Owners.
- If the best patched OS is never installed by the owner, the device is at risk.
- If the carrier delays in reviewing and balks at security update because it can break some of their apps, the device is at risk.
- If the manufacturer’s attention is on the newest, greatest release; and the older version isn’t getting updated as often, the device is at risk.
- When you add into the equation the APPS on the device, the frequency of their updates and if they are supported at all, the security of these devices should be a concern for serious network professionals.
All of these risk factors increase as the number of users on your network grow.
Time to Update
The FTC also looked at the support data from each device manufacturer. The report reaches a clear conclusion, “Variation in Update Support Periods Is the Norm”, going on to say that “About a quarter of the devices were supported for less than one year” and that “Some Devices Are Sold After Update Support Has Ended.”
The report goes on to look at time to release a patch for a known vulnerability. The report finds that the newer devices are patched faster than older devices. The more popular the device the more quickly it is patched. And, for new operating systems, “although many vulnerabilities were patched within 250 days, it took much longer to patch many vulnerabilities”.
This lack of certainty puts even the best security professionals, in a difficult position. As one of the fundamental tenants of network security, you need to know and trust the devices on your network. How can you trust a device with these flaws?
Some of the risks the FTC’s report focuses on include:
- Mobile Malware – Bad actors have been increasing their attention on mobile and their attacks have been rising with a 400% increase in in 2016 according to Pew Research.
- Extorted money – From ransomware attacks $100 – $300 per device
- Spyware & Phishing – Harvested financial information, passwords, banking information and passwords.
- Hidden Malware – Hidden in 200 recreational apps that turn the device into a backdoor to networks.
- SMS attacks – that have unsuspecting device owners subscribing to services for a fee.
Although these examples may seem like an inconvenience— and they are—they are a large and real threat for network security professionals. These compromised devices are the foothold the threat actors use to establish a presence, harvest information, gain intelligence on their target and to identify their weakness. They may sell that information or deliver a payload that is customized for their target.
Although the report did not reference this recent incident specifically, the University of Virginia Heath System’s breach, was determined to be caused by physician devices that were infected with malware. This incident confirms the FTC’s security fears. Not only are the attacks happening, but they are going undetected for months if not years.
The FTC makes several recommendations to improve the security of mobile devices.
- Education – The role and the need for security on mobile devices
- Start with Security – “The mobile ecosystem has already proven itself adept at starting with security in number of ways, such as implementing physical security controls, sandboxing, and encryption for mobile devices and data.”
- Shared Responsibility – Between Manufactures, Carriers and Developers to share reasonable security update support.
- Learn from the Past – The industry should consider recording more data in a more careful way.
- Adjust the Security Update Process – “Continue to streamline the security update process, from patch development through deployment”
- Embrace Greater Transparency – Manufacturers should consider providing consumers with more and better information about their security update support practices.
The FTC’s report sheds good light on the issue of the Security of the Mobile Devices. For network professionals, this threat has been known, but it always something that was on the horizon. Today that threat is on top of us and can no longer be ignored.
Before the original iPhone’s debut in 2007, most data was accessed by your endpoint, via your wire to your data center. Today that same data is accessed via the cloud on a foreign network with a BYOD device. Mobile devices, cloud computing and the perimeter-less networks demand different tools to properly secure the network.
Today’s network security professional demands the tools that can help identify and trust the device regardless of how they are accessing your data. These tools help regain visibility into the network so that the network is more secure.
What is your opinion? What steps do you secure your network with these security holes?
If you have any questions or need clarification on how to best secure your mobile devices (regardless of OS, manufacturer, carrier, owned or BYOD) reach out to me or your Teneo engineer for assistance.