Encryption & Security in a Mobile Context

By Richard Cooper, Principal Technical Consultant for Platform Security, Her Majesty’s Government Communications Centre

Unsurprisingly for an organisation that deals with national security, we are passionate about information security at HMGCC. Communication is at the heart of the UK economy, and the ability to communicate securely and effectively is essential to ensuring that the UK remains the best country in the world to do business with.

Secure communication has three key aspects: ensuring that the content of communication is confidential and secure from interception by third parties; that the communication channel is available and resistant to denial of service attacks; and that systems provide high integrity, allowing you to be confident that the other parties involved are who they say they are.

Validating a person’s identity has become a crucial aspect of communication security. More and more communication takes place when the persons involved are not face-to-face, so an individual’s digital identity (Facebook accounts, telephone numbers, e-mail addresses) becomes a much sought-after commodity for attackers. Browsing unencrypted websites over public unencrypted WiFi links in the local coffee shop is recognised by most technically savvy people as a bad idea, but it still takes place. This shows that users are either unaware of, or disregard, the risks to their digital identity.

Smart phones have changed the way we think of the telephone. Traditionally telephones provided basic voice and data services and whilst the handsets were simple and relatively immune from attack, the protection afforded by the network was somewhat lacking.  Now the situation is reversed.  Smart phones make confidential communication easy, with a wide range of options from secure email and web access through to secure VoIP and video conferencing. To support this the handsets have become fully fledged computers with a large attack surface and are becoming increasingly difficult to secure.

The new frontier in computer security is mobile security; whilst current attacks and malware are relatively benign, the impact on all of us should an SMS message worm/virus ever occur will be huge due to its ability to spread “peer to peer” and the ready access to an existing revenue stream (premium rate calls).  It is these threats which should drive us to better understand the mobile security domain and work to improve it wherever possible.

For all of us, security is a whole lot more than just encryption; it’s about the security of the whole system.  PIN locks on phones are a good start, but the finger marks left on most smartphones greatly reduce the search space for an attacker.  Equally, every application you install on your phone increases its attack surface – do you really trust the author, and does it really need access to those system services?

The importance of a system level approach can be seen by looking at the work done at http://robmenow.com.  Whilst not conventionally considered a mobile security issue, it has taken on a whole new form with smart phones.  http://robmenow.com demonstrates the ease with which location data can egress from devices to internet systems, be it through the user “checking in” somewhere or the unconscious geo-tagging of images, and that sometimes users need to be protected from themselves.

Modern systems need to use the internet and must take advantage of the smart phone revolution. The business benefits are too great to ignore, but equally, to stay useful, they must be secure – an organisation’s or individual’s intellectual property only remains so if it is suitably protected.  Building these systems, be it the low level security architecture on the mobile platform, the application software or the server infrastructure required to support it, is the primary challenge of our time.

Good luck!