Cyber attacks against mobile platforms, especially smartphones, grew in 2010 according to the McAfee Threats Report: Fourth Quarter 2010 published by McAfee Labs (see Resources). The need to understand the threats and what to do about them is obvious given the current ongoing boom in the convergence of mobile platforms and cloud computing that defines mobile cloud computing.
The McAfee report also suggests that the mobile threat environment is fluid as new mobile platforms appear and as criminals explore new exploits. This evolving threat environment is having an impact on some businesses. For example, Google has been in the news lately because of difficulties in completing contracts to bring cloud-based e-mail services to some state and local governments. Part of the problem, according to Google press releases, relates to changing federal security guidelines, which make it difficult to deliver a solution.
What can be done to protect against the growing and changing security threat environment? Desktop security is an issue that businesses have faced for years. Lessons learned have been carried into cloud computing. In fact, cloud security is a topic that many vendors have addressed and present as a feature of their cloud offerings. Some vendors tout their security certifications obtained from sanctioning entities. Yet, there is a perception that lessons learned in the desktop world all too quickly become lessons forgotten in the mobile world. Mobile devices are still perceived by many as being vulnerable to security attacks.
This article addresses mobile cloud security issues by looking at the current state of security attacks in the cloud, vulnerabilities of mobile cloud devices, and how those vulnerabilities are being addressed. Future issues for securing the mobile cloud are also discussed, and opportunities for developers are noted.
Mobile cloud computing and security threats
There was a time when hackers were motivated by notoriety or curiosity. However, news reports in recent years show that now a primary motivation for hacking is financial gain. For example, at the time this article was written, the British news journal, The Register, reported the arrest of a group of individuals who used a strain of Trojan malicious software (malware) in an attempt to siphon off US$1.7 million from Finnish bank accounts. Other recent news items include reports of a 400 percent increase in Android malware.
The McAfee report mentioned earlier stated that while the mobile threat growth is steady, the volume of threats is much less than for personal computers. However, predictions are that the mobile cloud market will be valued at US$9.4 billion by 2014. As the mobile cloud grows with the increasing proliferation of smartphones, you can expect smartphones to be increasingly attractive to criminals looking for one more entry into potentially lucrative cloud businesses. Now is a good time to understand the security threat to the mobile cloud and to begin to prepare for an inevitable increase in security threats. Begin by taking a quick look at the current state of hacking to gain some insight into the mobile cloud security threat.
When discussing mobile cloud security threats, the primary concern is threats to smartphones and tablet platforms. These threats can be divided into three categories:
- Physical threats
- Threats to mobile network security
- The threat of malware
There are three basic types of physical threats to mobile devices: Lending, loss, and theft. Of these three, theft is the most obvious because the act itself is malicious. Statistics are difficult to find for these categories, but some reports indicate physical losses might range from 12 to 35 million per year. (These numbers are for mobile phones because smartphone and tablet statistics aren't readily available.) Thefts data are even more difficult to find.
Lending a mobile device to a family member or friend may seem harmless but does raise the possibility of enabling that person to access data or applications to which that person is not authorized. There is also the possibility of enabling access to an Internet site that might pose a danger to the smartphone by downloading malware, for example.
Mobile devices that are lost or stolen raise the issue of misuse of data on the device as well as misuse of the device itself. Mobile devices feature a pin-based or password-based lockout capability. However, this feature is often not used by owners. Even when the lockout feature is enabled, though, there are ways to subvert the lockout. For example, you can obtain access to an iPhone by automounting the smartphone via a Universal Serial Bus (USB) connection to a computer and bypassing the lockout. Circumvention of lockouts for other smartphone types is similarly possible.
Developers can add an extra layer of application and data-level security when critical data is controlled by their software. Certainly not all applications access critical data, but developers of those that do can enhance the security of their applications by building in access control.
Developers can also be cognizant of where data is stored on a smartphone. Subscriber identity module (SIM) cards typically hold subscriber and contact data and text messages. These cards can easily be removed from many devices and read by anyone. Developers should not store any data on a SIM card that does not need to be stored there.
The mobile cloud also offers some degree of protection against data loss resulting from a lost or stolen smartphone. Backups or synchronization of data with the cloud should be enabled by developers, mandated by business policy, and consciously pursued by users.
Threats to mobile network security
One of the interesting features of smartphones is the number of ways in which users can access them. In addition to access through a cellular network, most are also accessible via Wi-Fi and Bluetooth, and some are accessible by infrared and radio-frequency identification (RFID). The cellular network (3G or 4G) enables access to phone services, of course, and Internet services as well as Short Messaging Service (SMS) communications. The other interfaces (Wi-Fi, Bluetooth, infrared, and RFID) are used primarily for data exchange. From a security perspective, all interfaces have the potential to expose sensitive information and possibly receive malicious data. This potentially makes them vulnerable in a variety of ways, as described in Table 1.
Table 1. Mobile network security vulnerabilities based on type of access
|Type of access||Vulnerability|
|Bluetooth||Bluetooth is a popular wireless personal area network (WPAN) for short-range transmission of digital voice and data that is most often used by smartphones to connect external devices, such as a headset. This technology is susceptible to hacking in a manner similar to SMS but because of its short range may not be attractive to criminal hackers.|
|Cellular||A smartphone uses one or more mobile phone technologies to connect to a cellular network to exchange voice and data. The data connection is always on. Multiple radio frequency (RF) bands and technologies may be supported to facilitate a wider range of roaming across networks. This opens the potential for forcing a smartphone to register with a malicious cell site using a less secure protocol.|
|Infrared||An infrared red interface is used primarily for data exchange but can also be used to control some devices, such as TVs. Infrared requires close proximity and line of sight to work. An infrared interface offers the potential to transmit sensitive data and to receive data that could potentially be damaging in some way. Data can be damaging if it contains executable software that can cause the receiving device to misbehave or fail.|
|RFID||RFID is used to transmit a radio signal containing information to identify an item. It is used primarily to tag inventory. Now that mobile devices are beginning to incorporate active RFID devices, a device will be able to transmit its location or condition. One obvious security implication is that this technology will enable intruder detection, in the event an unauthorized RFID signal is detected. Conversely, when a particular identifier is detected, a targeted attack could conceivably be launched.|
|SMS||SMS evolved from an earlier protocol for sending
short messages to radio memo pagers. SMS is used to exchange messages
between fixed land line and mobile phone devices. Demonstrations have shown
this service to be susceptible to attacks that can deny service or perhaps
even insert malware into the smartphone. Such an attack could conceivably be
used to obtain unique identifying information stored on the device.
SMS is sometimes used in two-factor authentication where, for example, a login to a particular site requires responding with a one-time password sent via an SMS message. As vulnerability increases for SMS messaging, developers are advised to use a different messaging band for two-factor authentication.
|Wi-Fi||Wi-Fi is a wireless local area network (WLAN) technology commonly used to establish connection to the Internet via a device with a wired Ethernet interface. Closed Wi-Fi connections are noted for their weak protocol encryption scheme. All Wi-Fi hotspots are also susceptible to “man in the middle” attacks where a hacker intercepts communications between a user and a Wi-Fi device.|
The threat of malware
Malware has long been a threat to desktop and personal computers. Smartphones, being sophisticated and fully featured computers, are receiving the growing attention of malware creators.
The mobile cloud offers one solution to this threat that is not available to smartphones in general. Authorized software can be stored in and distributed from the cloud. When malware is detected or suspected, the smartphone software can be restored from trusted backups in the cloud.
Securing the mobile cloud
Generally, developers don't expect the mobile cloud to be free from security threats any more than they expect that of any other information technology (IT) model used to support business. Instead, developers perceive security in terms such as risk reduction, mitigation, and deterrence.
Traditionally, developers think of IT security in terms of perimeter defense. That means they keep their computational assets within a confined space that is physically and electronically defended.
Mobile cloud computing makes the situation even worse, from a security viewpoint, because relevant mobile devices (smartphones and tablets) interact with the external world more intimately and through a wider array of technologies.
Two emerging security models offer reasonable approaches to securing the mobile cloud:
- Data Centric Security Model
- Data Loss Prevention
Each model can be implemented independent of the other, but together they complement each other nicely to help secure data at rest and data in transit throughout a network.
Data Centric Security Model
The Data Centric Security Model (DCSM) offers an approach to protecting data by associating it with one of a variety of levels and then enacting access control to each level. The data levels or categories can be set up arbitrarily, but typically they group data according to the level of damage that would occur if the data is accessed by someone with malicious intent.
Most businesses use data that can be differentially categorized. For example, one company database might include customer data (Social Security Number, credit card data), corporate data (mergers and acquisitions, financials), and intellectual property (source code, pricing).
Categorizing data is often a function of business requirements and regulations. The US Health Insurance Portability and Accountability Act (HIPAA) security regulation is one example of government-mandated data security. After categories are established, access control rules can be written and enforced.
In this case, the mobile cloud conceivably can enhance enforcement of access control rules. For example, a user's access to a particular category of data might require that the user's mobile device report its geolocation as somewhere in the United States, otherwise access is denied.
Data Loss Prevention
Data Loss Prevention (DLP) is a methodology that attempts not only to deter data loss but also to detect data that is at risk of being lost or misused. DLP approaches deal with data in motion, data at rest, and data in use, which are described in Table 2.
Table 2. DLP data types
|Data in motion||Refers to monitoring of traffic on the network to identify content being sent across specific communications channels for the purpose of determining the suitability of that channel for the data. A mismatch between data and channel could indicate a potential security threat.|
|Data at rest||Involves scanning storage and other content repositories to identify where sensitive content is located. If the container isn't authorized for that data, then corrective action is indicated.|
|Data in use||Means monitoring data as users interact with it. If a user attempts to transfer sensitive data to an unauthorized device, the user can be alerted, or the action can be blocked.|
This emerging technology of DLP affords a good opportunity for developers and researchers. Good threat signature identification will be an ongoing problem as new types of threats emerge. Threat detection rules and security policy enforcement are needed. Also, implementation is a fertile area for growth. For example, DLP-bots — small applications that run on smartphones and tablets — might be one vehicle for deploying DLP in the mobile cloud.
Future of mobile cloud security
Mobile cloud computing is an emerging market driven by the popularity and increasing proliferation of smartphones and tablet computers. As more mobile devices enter the market and evolve, certainly security issues will grow as well. There are many trends that might influence the growth of the market.
One possible trend is incorporation of hypervisors into smartphones. A hypervisor is a program that allows multiple operating systems to share a single computer. Popular examples of hypervisors include Xen from Xen.org. This development is intended to simplify smartphone management problems. It also has potential to simplify security management.
Another trend is the growth of what is known as the Internet of Things. The growth in intelligent devices that are able to interact with the Internet is growing at a much greater rate than traditional computer technology. Some estimates are that over one trillion devices will be connected to the Internet in a few years, and most of those will be standalone devices. Smart meters being installed by utility companies are one example. The growth in the variety of mobile devices that can interact with the cloud will undoubtedly bring new security concerns as well.
Mobile cloud computing is poised to become a huge market. That huge market will attract the attention of criminals who want to make an easy profit by finding and exploiting weaknesses in mobile cloud technology. Also, enormous growth in the variety of devices connected to the Internet will further drive security needs. This article presented some of the issues that are pertinent for planning how to provide security for the mobile cloud.
- See the McAfee Threats Report: Fourth Quarter 2010 by McAfee Labs.
- Read more about the Data Centric Security Model.
- The author's article Mobile cloud computing introduces the devices, the trends, the issues, and the enabling technologies that come along with a more mobile, device-loving cloud environment.
- Grace Walker's developerWorks article Revolution in the air: Fundamentals of cloud computing provides a good introduction to cloud computing. Another excellent resource for intro-level cloud technology knowledge is the series on service models PaaS, IaaS, and SaaS.
- In the developerWorks cloud developer resources, discover and share knowledge and experience of application and services developers building their projects for cloud deployment.
- The next steps: Find out how to access IBM SmartCloud Enterprise.
- Follow developerWorks on Twitter.
Get products and technologies
- See the product images available for IBM SmartCloud Enterprise.
- Join a cloud computing group on developerWorks.
- Read all the great cloud blogs on developerWorks.
- Join the developerWorks community, a professional network and unified set of community tools for connecting, sharing, and collaborating.
Dig deeper into Cloud computing on developerWorks
Get samples, articles, product docs, and community resources to help build, deploy, and manage your cloud apps.
Experiment with new directions in software development.
Software development in the cloud. Register today to create a project.
Deploy public cloud instances in as few as 5 minutes. Try the SoftLayer public cloud instance for one month.