With the recent Android smartphone bug dubbed ‘QuadRooter’ effecting an estimated 900 million devices running Qualcomm hardware, it’s no wonder that security has once again become a forefront issue in the world of smartphones.
Kaspersky labs has identified 885,000 mobile malware attacks over the last year; this has doubled since 2014. QuadRooter is a collection of four different vulnerabilities stemming from a firmware issue on the chipset itself. It allows root access without special permissions, meaning files and personal data can be obtained without the user even realising. The Israeli security company who discovered the problem, Check Point, has said that it “highlights the inherent risks in the Android Security model”.
“Critical security updates must pass through the entire supply chain before they can be made available to end users” they said, before arguing that the situation could take a long time to resolve due to carrier device fragmentation affecting the speed of a quick fix.
Quadrooter represents a much wider problem
Speaking to ex ethical hacker Jason Hart, it’s clear that the issue is much bigger than just Android as a platform. In fact, it’s a concern that effects the entire Internet of Things (IoT) sector as a whole. “Security is an afterthought. If you try applying it after a product is designed, it’s very hard. It should be part of the design process”.
“We’re still making the same mistakes, we haven’t learnt from history. For me fundamentally, security should be top of the list. We’re still seeing stuff that requires static passwords, there’s no need for this anymore”.
Jason Hart is a man with over 22 years experience in cyber security and is the CTO of identity & data protection company Gemalto. Having spent 12 years of his life as an ethical hacker he has advised many of the Fortune 100. Gemalto works with everything from passport creation to banking and automotive security.
Hart believes these attacks will become far more commonplace as time goes on and that action needs to be taken by manufacturers to be more responsible about our data.
“We’ve had an explosion of cloud computing and virtualisation”, Says Hart.
“All of those basic security controls we had in place are no longer valid. This new world is all about encryption, key management and authentication”.
“We’re going to see a lot more integrity attacks in the future. We’re in this world of data now. We just assume the data is correct when we receive it. Once we realise that the data is incorrect it’s too late because the decision has been made”.
Is that even my data?
Integrity attacks are already one of the “least recognised issues in information security”, according to Bob Tarzey, director at research firm Quocirca. When the data a person is receiving becomes compromised, there’s very little way to know the authenticity of what was sent. Stronger security algorithms which require signed documents and hash implementation do exist to help, but for the average consumer cloud and IoT user none of this infrastructure is in place. With over 29 billion IoT devices expected to be in use by 2020 according to Gartner, this attack surface is a whole new space for the hackers. It’s no longer the device that they are after, it’s the data inside.
“As a consumer now, we should be more concerned about the security controls around the data we create ourselves, not the device” says Hart.
“Currently when you buy an IOT device, there’s a lot of security factors to take in. You have the manufacturer of the device, the consumer of the device, card providers hosting the data and you have third parties. There is this ‘compound risk effect'”
“If I was going to create an IoT device tomorrow, I’d think about what my biggest unique selling point is. Yes I’m creating a service that people can use, but we need to provide both a service and a security for it. Surely that is a value ad.”
Competitiveness is bad for security
The big problem with devices and services in the IoT world, this includes Qualcomm, is a need to get things out on the market quickly. For many manufacturers, the speed at which a product reaches the consumer is often more important than the security inside. Merrit Maxim of Forrester Research, an American independent technology and market research company, recently said in a story for IT World Canada that the rush to get products to market “is enough to offset security concerns.”
Hart believes that the use of more secure encryption methods currently employed by big firms such as banks should be brought down to the average consumer device. Giving each IoT device a unique encryption key which is derived from a master key means that our data is securely locked on a per user basis, rather than a model basis. The master key would then be stored by the manufacturer in a Hardware Security Module (HSM).
“HSM’s have various security accreditation’s. If the appropriate controls and standards are put in place and provided you use the correct standards, you can’t get any more secure than that”.
Qualcomm has tried to battle security concerns in the past by adding features to their chipsets allowing better malware protection. Their most recent attempt was ‘Snapdragon Smart Protect’, offering real-time on-device machine learning to sniff out malware. It’s included on the latest chipset range and monitors our device for malicious attacks, but doesn’t address the fundamental flaw with most IoT security.
“From a bad guys point of view, he just wants data” says Hart.
“By getting the data he can monetise it. What did the Texans do when they found oil? They refined the oil and they monetised the oil. That exact process is happening with our data”.
For more features, visit What Mobile’s dedicated features page.