For the past several months, security veteran Aaron Turner has been making the rounds at industry events presenting some pretty disturbing information about the state of mobile security.
Turner, a former strategist in the security division of Microsoft, should know. He's been working, researching and developing in the mobile space for years. After Microsoft, he to begin research and development at the US Department of Energy's Idaho National Laboratory. For two years, Turner worked on, and eventually patented, a cell phone-based payment and identification system which became the basis for his start-up, RFinity.
From there, Turner went on to found two more companies: IntegriCell, where he and his team work with large companies to uncover risks associated with mobile technologies, and N4Struct, which focuses on assisting organizations in battling against advanced persistent threats (APTs).
Turner, who was recently a presenter at CSO's CSO40 conference, spoke with me about the coming tide of vulnerabilities he sees on mobile platforms, as well as the dark days that lie ahead until security managers really have the ability to wrap their arms around the behemoth problem of mobile security.
CSO: You gave a really interesting presentation at our recent CSO40 event where you highlighted the new ways attackers are using mobile devices for APTs. Obviously, APTs are no longer just a hard-wired network threat anymore.
Aaron Turner: APT is sometimes an over-used acronym, it's one that gets everyone thinking about advanced attack capabilities and so I used it to describe what we're starting to see in the mobile technology ecosystem. For some reason, many long-time security veterans have lost their ability to remember the pains that we've suffered in past new-technology-adoption cycles when it comes to mobile.
Whether it was moving from mainframes to distributed servers, from desktops to laptops, we as infosec professionals often didn't understand the inherent security problems in technologies until it was too late to help our organizations properly mitigate the risks that new technologies introduced into our business processes.
Some very smart infosec leaders are sitting on the sidelines while mobile security problems cause significant incidents in their organizations. The reasons why mobile is now, and will continue to be especially painful from a security perspective:
- Not all carriers are 'friendly -- network operators, especially those in parts of the world where 'rule of law' is a total fantasy, have incredible power to manipulate the information flowing to/from mobile devices associated with their networks. They also have root access to install any persistent software on, or scrape credentials from devices on their networks.
- Becoming a 'carrier' is getting easier -- rogue towers can be setup to trick targeted users' devices into connecting to hostile base stations, and then inject software or manipulate information sent to/from the devices.
- Malicious application developers have realized crime pays -- the information on personally-owned devices which are connected to enterprise infrastructures has real value. Spearphishers pay excellent money for contact lists that are obtained from mobile devices. When an application asks for arbitrary access to your address book, it may not be to share your awesome high scores with your friends.
Sign up for Computerworld eNewsletters.