DoD be Warned: Smartphones A Weak Spot in Cyber Armor

Here’s an interesting piece from our sister site, DoDBuzz. It’s about the security dangers inherent in smartphones. This is an area that you’ve probably wondered about before. We do everything on our smartphones nowadays and, in some cases, they store all our data. If you’ve been paying attention you may have seen articles highlighting the fact that cyber criminals are going to start targeting our phones.

Well, now that the military has discovered smartphones in a big way, it’s also got to worry about how to defend its networks from attacks that use smartphones as a way of gaining access to those networks.

From Buzz:

Smartphones “are a really rich target,” Joe Pasqua, VP for research at Symantec, said in a briefing for reporters today. For example, Android phone applications receive no security screening before they are released, and iPhone apps receive a cursory scrub. Those apps could be loaded with malware “that can take down a cell tower,” he said. Currently, Android phones face four known malware threats, he said.

In addition to the possible threat from apps, cell phones can be formed into botnets, remotely controlled computer devices turned into a malicious network that hackers have used to great effect in attacking computer networks. Pasqua was careful to note that no one has yet created a botnet with cell phones, but he says it can be done.

Still, there are relatively straightforward solutions to these security challenges:

The military has ways to make phones more secure, including encryption. Turning off the voice portion of the phone and only allowing it to use the data network would help, Pasqua said. That way all data transmissions can be encrypted, including voice communications using Voice over Internet Protocol (VoIP). Also, locking the phone and only allowing the use of approved apps would help, the Symantec security expert said. The same thing is often done with company-issued laptops.

  • Tech

    This is old news… Back at the Academy I gave a Security Briefing to my company on a similar topic. Since this was 6yrs ago, it was on the vulnerabilities of cell phones – turning them on remotely to “snoop” during briefings, meetings, etc.

    Just read an article about unencrypted data streams and apps accessing the “refined” GPS coordinates of a phone. Sure, botnets and such are fine and dandy, but if I can send an app out that accesses GPS coordinates and updates me in real or near-to-real time as a background process, I would find that more valuable – Blue Force Tracking for the cyber criminal / insurgent…

    • blight

      Conversely, bringing security awareness to Americans about these issues probably alerts the red team to them as well. I imagine any competent ones are aware of the issues, but still…

  • Robert A Schwehr

    The breakneck speed of technological advance and the absence of a “Microsoft and their ilk”, DOD pre-manufacturing review for security safeguards” is a communications security manager's worst nightmare. Anybody know a solution? I don't.

  • We offer a wrapper technology that has received a MAC 1, Classified DIACAP scorecard for cross-domain solutions. This approach also works with mobile and embedded devices and has been done successfully in the lab with some of the most common devices. What it essentially does is convert the system into a trusted operating system that prevents privilege escalation even when unpatched vulnerabilities are present. We are approachable if there is interest, but we have learned not to hold our breath when it comes to DoD so we will not be pursuing this ourselves at this time.

  • John

    The VP for research at Symantec isn’t exactly impartial. I think he’s full of it when he says they can “take down a cell tower” and for the rest I’m going to file under “no kidding”. A smart phone is more like a general purpose computer than a phone. They’re more powerful than a laptop was 10 years ago.

  • Scott Cummings

    Thank you for bringing attention to the subject of smartphone security in regards to uses by the United States Army. As an engineering student who will shortly be working in the defense industry, I am interested in new technology that is changing the way in which the military operates. While smartphones are far from being new, I was intrigued to learn that the armed forces are just beginning to put them to use on a large scale. I always figured that the military would use their own satellite linked communications instead of relying on ground based cell towers. However I do see the benefit of using existing technology that private companies have already put millions of dollars of research and development into, especially at a time when the defense budget is under constant scrutiny from lawmakers looking for ways to trim the overall deficit. Since the Department of Defense is turning toward private companies for launch vehicles it doesn’t surprise me at all that they would look to utilize other private sectors that have overlapping technologies. Do you also see this happening in a wide range of military applications? But I like how you point out that “there are relatively straightforward solutions to these security challenges”. Considering that most business executives for defense companies and financial institutions work remotely through the use of their smartphones there is probably plenty of security software already available to protect sensitive information from being stolen by hackers. Don’t you think that protecting our financial data and technological innovations has more than prepared us for securing mobile devices?

    I would like to suggest that the military put out a contract to smartphone manufacturers to see who can come up with a device based on an existing mobile platform that is secure and easy to use. This would save money because instead of having to develop a new product they would just need to create a variation that would best serve troops. Since the United States military has more than a million personnel and the Department of Defense still has a large budget, even if it is becoming more constrained, I think that this could be a win-win for both parties. Can you see this being successful or would this just be a waste of money because our current systems are more than satisfactory?