At the end of last week, a number of digital security specialists met in a bank vault below the streets of lower Manhattan. While this might sound like the start of a heist film, in actual fact these security pros were attending the SecurityWatch Summit 2012.
The event covered all aspects of mobile security and was led by industry veteran Neil Rubenking. Panelists included Renato Delatorre, the Director of Network Technology & Security at Verizon Wireless, Gary Davis, a VP of Marketing at McAfee, Keith Gordon, an SVP of Security, Identity and Fraud at Bank of America, and security consultant Dan Guido of Trail of Bits.
The main event was a roundtable discussion where Rubenking asked questions to each of the experts and they proceeded to answer with insights from their corner of the security world, as well as rebut what the others brought up.
A major topic of discussion was the relative safety of iOS over Android, at least based on the number of successful exploits that have been documented. Dan Guido noted that the large number of unpatched Android devices on the market combined with little barrier to entry in Android app stores makes for a more susceptible target than the iPhone or iPad.
This led to one of the key reveals of the evening: So far, mobile exploits have been remarkably unsophisticated. Mobile operating systems are pretty well locked down so doing anything naughty requires acceptance from the user – they generally have to open the door (by jailbreaking, rooting, or going to a non-standard app store) and then invite crooks in. The invitation almost always comes in the form of an app because that’s the main way to get new code on the system and give it access. This isn’t really possible within Apple’s walled garden, but an Android user who downloads a questionable app then doesn’t bother to read the permissions during installation might be in for an unpleasant surprise.
Guido, who had many of the best lines of the night, was particularly keen on coming at things from the perspective of a professional, workaday hacker. He noted that while lots of exploits were theoretically possible, they only really mattered if they could lead to some form of profit for the hacker. After all, these exploits aren’t (generally) being done for the lulz; they are done by people who want to use your information to pay the rent. So if the level of effort is too high, or the payoff is too unlikely, the hacks aren’t going to happen in the wild.
In fact, that’s a major reason why mobile systems aren’t being attacked that often – compared to PCs, there just aren’t that many smartphones. They might be the computing platform of the future, but their smaller number combined with the relative pain of circumventing security means your mobile won’t be the target that your Windows machine is for some time yet.
Another notable point was raised by Delatorre, who urged Verizon subscribers to stay on 3G and away from Wi-Fi for the sake of security. The Verizon rep wasn’t just trying to get US phone users to chomp through data, either – 3G/LTE is secure, whereas that free Wi-Fi picked up while at a coffee shop should not be trusted.
Delatorre also initiated a special aside in order to debunk the idea of BYOD (Bring Your Own Device – to your workplace, that is). He noted that very few people actually want to bring their own device; what they are really asking for is for companies to provide new, high-end hardware. He was firm in this belief but didn’t mention how BYOD can spare people from having to carry two smartphones. Rather, he focused on the user’s logical desire to have a device that isn’t an outdated piece of hand-me-down junk.
The final surprise of the night came when the conversation shifted to NFC. At that point Keith Gordon from Bank of America – the group you think would be most in favour of the technology – said his team was looking past NFC for mobile payments. The proximity is good for security, but it makes the process no easier than swiping a credit card. Verizon’s Delatorre seemed more hopeful but wasn’t entirely convinced either.
All heads turned to the outspoken Guido, fully expecting him to tear apart the technology as a fraud and a plague on our collective houses, but that wasn’t the case. He noted that NFC is actually very secure right now, first because the proximity requirement makes theft unlikely, and second because NFC readers (unlike credit card skimmers) are both expensive and require expertise to use. In other words, hacking NFC just doesn’t make monetary sense at this point in time.