The Smart Mobile Computing Devices (SMCDs) such as Blackberry, Android and iPhones are multi-function devices that come equipped with various advanced technologies providing seamless high speed wireless internet and other communication capabilities using cellular and Wi-Fi networks. Additionally, most devices are equipped with GPS (Global Positioning System) and in-built camera allowing users to track their locations and geo tag photos. In many ways, the line between a computer and smart phone or tablet is vanished, making it susceptible to similar attacks as desktop or laptops.
The device adoption of SMCDs in the recent past has already surpassed the comparison with personal computer and as per estimates it will dwarf the PC sales in the coming years. As per ITU, Global active mobile-broadband subscriptions worldwide have reached 1.2 billion out of 5.9 billion mobile subscribers and are continuously on rise, contributing to huge business opportunities with online shopping and content consumption or contribution.
The seamless connectivity has enabled users to move beyond a stationary environment, which had restricted them to their desks or a dedicated location to access information or applications. This further enables users to access information on anything, anytime from anywhere. Thus, extending or eroding the organisation network perimeter and demanding to comprehend and defend against these unique security issues entering the organisations.
The power of mobile computing and availability of the critical information on these smart devices has introduced new security threats to business and privacy of individuals. There is a critical need felt across organizations to address these threats and secure the devices protecting the critical information.
The amazing capabilities of the SMCDs, allow users to leverage the multiple functionality such as using it as a digital camera or a microphone to record speech or use like a GPS device to find locations. Some of these capabilities act as a double edged sword, leading to serious security issues and privacy concerns as listed below.
- Stealth calls recording / listening and remote webcam access.
- Remote user location tracking using GPS or cellular networks
- Secret SMS and email messages reading or copying
- Listening to device surrounding (using device as remote bugging tool)
- Fraudulent software transmitting or forwarding all device data to internet hosts
Most of the above actions are simply possible by downloading free apps or installing paid fraudulent applications from apps store or other internet sites. It’s easy in case of device jailbreak or apps store’s (market place) not validating to allow only safe applications. Other popular techniques are Phishing (Email), Vishing (VoIP) or Smishing (SMS) attacks that entice users to disclose sensitive information or perform unsafe activities.
Additionally, the common risk identified globally is concept of BYOD (Bring your own device) encouraged in many organizations, allowing these personal devices has fuelled the risks levels, as most of these devices are not in line with company standards and security policies. Sometimes, these smart devices store or cache passwords for ease of use, potentially allowing an attacker to gain access to information if he gets access to the device or in case of purchasing the used device from an employee.
On a positive note, the use of SMCDs in conjunction with the other emerging trends such as cloud computing can be quite beneficial and secure, as the data accessed using SMCD is mostly stored on the cloud providing better data security against theft and other device related risks with effective security controls and practices.
The table provided below gives an overview of risks associated with the use of SMCDs and recommended countermeasures, this could possibly act as a flash card for secure mobile computing.
Finally, considering today’s business need and user lifestyle. The adoption of this technology is inevitable demanding organisations to carefully asses their risks by identifying the usage and data type stored or processed on SMCD and deploy necessary controls with awareness on secure mobile computing to mobile users.
(This article was contributed by Ahmed Baig, who is currently working in a CISO role at Abu Dhabi Government Entity and was previously leading the Business Management and Advisory Services at TECOM Investments. Ahmed Baig brings to his current role more than 14 years of experience in Governance, Risk Management & Compliance. )