Feature: Mobile devices security
In the healthcare industry, having access to the right information at the right time is not only convenient but it could mean the difference between life and death.
In the near future a doctor may be able to look up patients’ information in a shared electronic record from anywhere using a range of portable mobile devices. This means, for instance, being able to find out information such as blood type, allergies or particular medical conditions of an individual that has been involved in a serious accident.
Access to this information in real time gives the health professional a much better chance of making the right decision, in a more timely manner. Mobile computing may also be of great assistance to clinicians working in hospitals as it allows them to access and update patient files in a very effective way. Doctors, nurses and other paramedic staff benefit from being able to access and update a patient’s record from anywhere, for example, when visiting a patient at home or in a residential facility.
With the consumeratisation of IT, or in other words with the availability of ever more sophisticated and powerful IT devices entering the market, users are becoming more demanding when it comes to data accessibility. They expect to be able to access data from anywhere, at any time and using the device of their choosing.
It follows that an increasing number of patients will start to expect their doctors to have access to these technologies as well. Health professionals are becoming more demanding of their technology. Outside of work they increasingly perform many tasks using their mobile phones or tablet devices, including online banking, processing online payments, shopping online, keeping in touch with friends and family and accessing a huge amount of information via the web.
Due to the affordability of mobile equipment, the proliferation of cloud computing and the availability of ever more powerful and reliable wireless technologies, in the next few years we will witness a boost in the usage of mobile computing across all sectors. This also applies to the health sector, where the benefits of mobile computing are unquestionable.
Data mobility increases collaboration, efficiency and business value but it also increases risk. Data externalisation is probably one of the biggest risks introduced by mobile devices and removable media. From the mid nineties onwards, data started travelling outside the physical perimeter of many businesses. With the widespread use of removable media (USB sticks, CDs and DVDs, external hard drives etc) and mobile devices, data is even more externalised and in the future, the fast and inevitable uptake of cloud computing will lead towards full data de-perimeterisation.
Portable devices and removable media can be easily lost or stolen and the cost of replacing these devices becomes insignificant compared to the risks associated with unauthorised access. A malicious person could use a stolen or misplaced mobile device to steal its owner’s identity and send out messages to their contacts. Pretending to be the owner, the perpetrator could use the information contained in the device to extort money from the owner, their customers or patients.
Like regular PCs, mobile devices are also subject to the risk of malware. While portable PCs and PC tablets may use conventional desktop antivirus and personal firewall software, these features are not commonly available on smartphones and tablets, making them extremely vulnerable. For this reason such devices are increasingly being targeted by hackers. A recent study by Juniper Networks shows that mobile malware has grown 250% between 2009 and 2010.
Common malware includes SMS trojans, which send SMS messages to premium numbers, or calling trojans that make long distance calls. Key-logging applications that capture and transmit all user keystrokes and self-propagating worms that can spread to all devices listed on the phone’s address book are also common. Malware is also available that allows hackers to take full control of a mobile phone or tablet, where they can carry out a number of illegal activities such as storing unlawful or unethical material, launching Denial of Service or other attacks against other devices, or activating microphones and the cameras and listening to private conversations and spying. Commercially available applications such as FlexiSpy, Mobile Spy and MobiStealth are very effective in concealing themselves and their activities.
Malicious software is proliferating very quickly through the various ‘App Stores’ which are repositories where users can download and install software. Repositories managed by device vendors are relatively safe because they are managed by reputable organisations that review all applications hosted in their stores.
Currently there are not many identified malware products for Apple iPhones and iPads, although there are a number of applications that transmit information to third parties without the user’s knowledge or consent.
According to a study carried out by the Technical University of Vienna and the University of California, nearly half of the applications installed on the devices involved in the study leaked data to third parties. The study also showed that the amount of leakage was about the same for applications downloaded from the official Apple App Store than from applications downloaded by ‘jailbroken’ devices. Jailbreaking refers to a process that allows iOS devices to run applications not available in Apple’s official App Store. Jailbroken devices are exposed to an exponentially higher risk than the not-jailbroken ones, not only because they can install software from third party repositories, but also because they enable services which, if not configured properly, may allow remote access and remote control of the device by malicious individuals.
Users of mobile devices should be aware of vulnerabilities introduced by flaws in the device’s operating system, as well as flaws in the applications installed on it. Last year for example, security analysts discovered a vulnerability in PayPal’s iPhone application which allowed malicious individuals to capture users’ authentication credentials.
Another vulnerability to which mobile devices are subject is data communication interception. Calls over a GSM network can be intercepted quite easily with around $10,000 worth of equipment. Most mobile devices are able to connect and exchange data by using various different technologies such as cellular networks, WiFi and Bluetooth. While this is great from a connectivity point of view, it also provides multiple exploitable channels than can be used both to remotely access a device and to intercept data.
Users may also be lured to connect to unprotected wireless access points operated by malicious individuals who intend to gain access to the device and to scan and capture all its wireless traffic.
Direct attacks similar to the one launched against regular computers are also possible against mobile devices. However, besides typical network based Denial of Service or ‘buffer overflow’ attacks, mobiles devices are also subject to a range of different attacks operated via Bluetooth or via SMS or MMS messages. For example the “Curse of Silence” attack makes a vulnerable Symbian based device unusable when simply receiving a specifically crafted SMS. Similar techniques also exist for iPhones, Windows Mobile and Android phones.
Browser-based attacks have also been growing exponentially in the last few years. In early 2010 researchers demonstrated the possibility of executing malicious code on an iPhone by simply visiting a specific website. The exploit has been fixed but new ones will no doubt be discovered.
Malicious code can also be delivered via Bluetooth. A user may be lured into accepting an incoming file believing that it is a security update or a configuration setting sent by their mobile manufacturer or carrier.
Users may turn on their device’s Bluetooth connection without changing the default PIN. Some examples of worms for Symbian that propagate via Bluetooth are Caribe and CommWarrior.
Bluetooth attacks are often undetected and unlike other wireless communication networks, the Bluetooth network is rarely monitored for intrusion detection. Most users feel safe when using Bluetooth connections as it operates typically at a very short range, however, it is possible to modify a Bluetooth adapter and extend its range of operation. In this way, malicious individuals may be able to attack devices from several kilometres away.
Securing Mobile Devices
Following is a list of precautions that mobile device users should consider in order to protect their privacy and the confidentiality of the information stored on, or accessed by, their devices:
- Mobile devices containing sensitive information or being used to access this type of information should be password protected and should be setup with an up-to-date antivirus software solution and personal firewall. Be aware that password protecting a device is not considered enough as there are ways to bypass password protection to get data stored in a lost or stolen device.
- Information stored on removable media or on portable devices should be encrypted.
- Mobile computing devices should be equipped with software that allow remote tracking and remote data wiping in case the device is lost or stolen.
- Ensure that the device’s Bluetooth connection is operating in non‑discoverable mode and switched off if not in use.
- Do not use a mobile device that has been jailbroken to store or access sensitive data.
- Do not install any non-business related software on devices used for storing or accessing sensitive data and install only applications coming from reputable and trustworthy sources.
- Regularly check mobile phone bills for text messages or calls you did not make, particularly if the bill is higher than what is expected.
- Connect only to trusted access points.
Getting your practice ready for mobile computing
The widespread adoption of removable media and mobile devices provides a clear indication that people have an increasing need and desire to collaborate and share data.
With the increasing adoption of removable storage and mobile computing devices, business network boundaries are no longer as well defined as they used to be. Conventional security strategies are no longer adequate to protect data.
Distributed data is hard to track and protect, however, the right approach is to think that data and security architecture needs to deliver data to wherever is needed, and not be restricted to wherever it can be managed.
Organisations willing to embrace mobile computing should develop a policy on usage of mobile devices and provide security awareness training to their users.
With the introduction of mobile computing our approach to information security needs to change. The starting point when developing or reviewing security policies is to establish very clearly what needs to be protected. The scope and level of protection should be specific and appropriate to the asset at risk.
Most organisations rely on a threat centric security model — its objective is to define what is bad, i.e. protect against virus, software vulnerabilities, unauthorised access, and so on. However, to deal with data externalisation we should switch to a trust centric security model. This means not to trust anyone or anything by default and assess each element individually and independently. For each device, user or application we need to establish whether it is good or bad, what it is, where it comes from, and so on.
Access to sensitive information should be granted only after successful evaluation of a set of criteria, rather than on successful identification of the user. Trust is no longer about identifying people but it is also about identifying devices, applications, data and agents.
If an organisation’s policy allows its employees to use their own private mobile devices to access business critical data, then extra precaution should be taken when identifying the type of device and whether it is compatible with the policy.
These access rules may be established and enforced through Network Access Control devices (NAC). These devices, which have been used by corporations for many years, have now become affordable to small and medium businesses. NACs are capable not only of authenticating a user but also of authenticating the device and assessing if it is compliant with a series of rules. For example, the NAC may check if the device belongs to the organisation or if it is an unknown device, in which case it may be forced to erase any cached information when disconnecting from the network. The NAC may also check if the device has up-to-date antivirus software and a personal firewall installed.
NACs are also capable of enforcing application white-listing. This prevents not only malware, but any other application that is not trusted to communicate and exchange data with the organisation’s information systems. NACs may also prevent unauthorised access, scan all incoming and outgoing traffic for malware and detect potential data leaks such as the transfer of credit card numbers.
In order to produce the desired level of protection, NAC devices need to be constantly monitored and professionally configured and managed.
Organisations should allow connections of mobile devices only through VPN connections to ensure encryption of information while it is being transferred. Multi-factor authentication such as fingerprint sensors, smartcard/USB dongles and one-time passwords should be considered.
Connecting a wireless device to sensitive data without re-thinking current data protection strategies is very irresponsible and a perfect recipe for disaster.
Health professionals and the organisations in which they work should certainly embrace mobile computing, but only once appropriate usage policies have been established.
- Malicious Mobile Threats Report 2010/2011 - Juniper Networks
- PiOS: Detecting Privacy Leaks in iOS Applications - 2011 - M.Egele, C.Kruegel, E.Kirda, and G.Vigna
- Mobile payments by smartphone still dicey - By Constance Gustke - Bankrate.com - http://www.bankrate.com/finance/personal-finance/mobile-payments-by-smart-phone-still-dicey.aspx
- Mobile Device Security - J.Viega, B.Michael - IEEE Security & Privacy March/April 2010
- 'Curse of Silence' exploit squelches inbound SMS/MMS to Nokia S60 devices - http://www.engadget.com/2008/12/31/curse-of-silence-exploit-squelches-inbound-sms-mms-to-nokia-s6/
- iPhone Exploited at CanSeWest - http://www.iphoneincanada.ca/iphone-news/iphone-exploited-at-cansecwest-browser-jailbreak-revived/
- Trifinite - Bluetooone - http://trifinite.org/trifinite_stuff_bluetooone.html
Posted in Australian eHealth