A smartphone ‘kill-switch’ bill that mandates antitheft software technology be pre-installed on all smartphones in California has successfully passed a Senate vote (27 to 8) and is now headed to the Governor’s desk for final signatures and approvals. Minnesota was the first state to adopt a kill-switch law, implementing it in May 2014.
Introduced by California State Senator Mark Leno and sponsored by San Francisco District Attorney George Gascon, the kill-switch bill requires all smartphones sold in California and manufactured after July 2015, to adopt kill-switch software. While the current target is California, it is expected to have national ramifications. Some are touting this as a big win for consumers. Smartphone manufacturers? Not so much.
And while many are focused on thwarting thieves who are merely motivated by reselling the stolen device, data security concerns are bubbling to the surface and begging the question: Isn’t the data on the device worth more than the device itself?
Think about it – we use our smartphones for online banking, for emailing (work and personal), we house our contacts and our images, our calendars, and (hopefully not) our passwords and credentials. So it’s not that we’re always connected to the physical device itself – we’re connected to, and reliant on, the data that’s stored in the device. Isn’t that more valuable than simply the street value of a stolen phone?
The industry should implement the best of what mobile security has to offer – a hardware-based device ID that identifies the smartphones to the network, with the controls housed in the network rather than in the phones. Every phone has a SIM card – why shouldn’t every phone have a permanent ID for phone network management that leverages a TPM (trusted platform module) for data and key protections? For example, Boeing’s ‘Black Smartphone’ offers a hardware root of trust for software authenticity as well as data protection for stored and transmitted data by way of its embedded TPM.
Take your average consumer out of the picture for a minute and think about mobile technology and security for government agencies. Do you think the government cares about a stolen device as much as they care about the sensitive data on that device?
According to a June 2014 article in the Federal Security Insider, “For years in the DoD, desktops have been protected by technology known as trusted computing. At first highly mobile laptops like the Samsung Chrome Book or the Sony Ultra Book had the TPM chip embedded on the motherboard. But now virtually every laptop has a TPM chip that is enabled in the operating system.”
Software-based security is routinely thwarted by cyber criminals, which is why experts are proposing we use hardware-based security (see NIST’s Special Publication 800-164 Guidelines on Hardware-Rooted Security in Mobile Devices – draft). And for that reason, the industry should adopt these very same standards for mobile security by implementing hardware-based device ID that identifies the smartphones to the network.
If we are legally pursuing a security solution to deal with theft of phones, we should absolutely pursue hardware that addresses data theft as well.
IT Harvest’s Richard Stiennon interviews Wave Systems Corp.’s CEO William (Bill) Solms. This segment touches on Wave’s Virtual Smart Card (VSC), as well as total cost of ownership.
Despite numerous, well-publicized incidents of data breaches caused by intentional misuse, as well as inadvertent leaks of sensitive data by insiders, enterprise spending on insider threats continues to lag behind external security concerns, such as hackers and malware. The traditional approach of maintaining siloed network security and endpoint security implementations hardly make a difference.
According to a Forrester Research survey of nearly 700 North American and European small and mid-size business decision makers, 36% of those companies are looking to either adopt or invest in underlying technologies that include database activity monitoring and tools for auditing and vulnerability assessments – key technologies in mitigating insider threats. (See CRN.com’s most current countdown of the “Top 5 Technologies That Detect Insider Threats.”)
Late last month, the President’s Council of Advisors on Science and Technology (PCAST) delivered a report to the President, titled Immediate Opportunities for Strengthening the Nation’s Cybersecurity.
PCAST is a pretty heady group of mostly senior and well-respected academics, but also includes people like Eric Schmidt, Google’s Executive Chairman, and Craig Mundle at Microsoft.
It seems there is no end to the use of trusted computing capabilities to strengthen well-known security applications and protocols. Followers of this blog are more than likely familiar with the many use cases for Trusted Platform Modules (TPMs), notably improving the security of many PKI-based, high-use applications such as 802.1x, virtual private networks (VPNs), virtual smart cards, and more. The simple act of replacing a software-cert private key with a hardware-based, TPM protected key, improves security immensely.
One session at the Trusted Computing Conference in Orlando, Florida, in September further expanded my horizons. The Naval Research Lab’s Olga Chen presented her work on improving trust and authentication in Kerberos, a network authentication protocol. Kerberos is designed to provide strong authentication for client/server applications by using secret-key cryptography.