As analyst predictions for sales of smartphones and tablet devices continue to rise, and users seek greater opportunities to work within a truly mobile environment, Imerja’s managing director, Ian Jackson, looks at the channel opportunity from consumer mobile devices in the workplace.
Read more: http://www.channelweb.co.uk/crn-uk/opinion/2136400/rise-rise-consumer-technology
Researchers at University of Ulm in Germany have discovered a weakness in the Android operating system that means it is possible to tap into the transfer of information between the phones and the internet, and thereby gain access to personal data.
The story was reported by the BBC earlier today, and news of the security weakness has quickly spread causing concern to users of the technology. The researchers went on to report that alarmingly most versions of the Android operating system pass unencrypted authentication tokens, and were therefore vulnerable. Although this vulnerability was fixed in version 2.3.4 of the operating system, official figures suggest that only 0.3% of Android phones are currently running this software.
If you are an Android user and haven’t done so yet, upgrade to the new operating system quick!
As businesses beome more accepting of mobile working practices, and in turn reliant on their employees using tablet and smartphone technology to stay in touch and remain productive (either corporate devices or personal handsets), it is importnat they design and implement robust security policies that will protect the user and data they may access with these devices.
Adding encryption solutions to protect corporate applications and information accessed on mobile devices is an essential step, such as that offered by Good Technology, providing an effective and easy to deploy measure to safely bridge the gap between social and secure usage, protecting business and personal information so that users can connect and collaborate safely.
For more on the story and Imerja’s comment on the news, read: http://www.dailymail.co.uk/sciencetech/article-1388107/New-smartphone-privacy-alert-Android-handsets-prone-leaking-data.html#ixzz1MeKSCnCw
Imerja’s CTO, Matt Hampton was recently interviewed on 5 Live Drive about the recent article reported in the Guardian on the security risks associated with ‘Evil Twin’ access points. In this blog Matt describes the experience, and provides further insight into the threat and measures which individualsand businesses can take to minimise the potential threat.
- – - – - – - – - -
Tuesday 26 April – afternon. Just got off the phone after Imerja recevied a call from Radio 5 Live to provide expert comment on a breaking story on the use of Evil Twin access points and the impact to smartphone users.
The whole process was quite interesting – being interviewed by a researcher first (I assume to make sure that I was a suitable interview subject) and then arranging how they were going to call me back shortly for a live broadcast on drive time news. Apparently mobiles are out and landlines are the preference. This caused a small issue as I was working from home and our house only has a landline to support the Internet connection and is in our lounge which was in use by three small children having their tea! The compromise was Skype.
In the event everything went fine, but I found there was more I wanted to say that time allowed – so the focus of this post is to expand on the main points during the on air interview; here is what I really wanted to say:
Q – what do you make of this investigation?
Nothing new was found by the investigation – the same issues have been reported on numerous times - I am aware of reports as far back as January 2005, which was covered by the BBC and was the subject of a BBC Three TV “The Real Hustle” (I can’t confirm the first airing of the episode but Google suggests it may have been as early as January 2007). It was then covered on BBC Watchdog in October 2009 but with a slightly different slant.
What is new is the prevalence of devices that connect to Wifi networks – including mobile phones – and the fact they will probably configured to automatically connect. In addition there are now network providers who are shipping mobile pre-provisioned (or are pushing updates to their customers) to automatically use Wifi networks in range.
Q – how do these cloned hotspots work exactly?
I didn’t really get a chance to explain this one – it is quite well explained here on Wikipedia.
To summarise – there are two attack vectors:
Q – is this a well known problem in the industry?
I think the first question covers this – but the answer is yes. So much so that CESG issue guidance that Wifi hotspots that require you to authenticate via a captive portal should not be used by (effectively) any public sector worker.
Q – why is there no permanent fix?
This is a question of ease of use versus security. There are ways of securing the infrastructure however this would require users to take extra configuration steps before using the services. This in turn will increase the cost of provision.
This issue is down to how the protocol was originally designed – remember that this is the lowest common denominator of connectivity support as various new authentication schemes have been added in response to increasing levels of threat.
Q – what can people do to protect themselves?
As I said in the interview, there is nothing a “normal” user can do at present as most handsets are not capable of verifying the Access Points. The Guardian article suggest that WiFi should be disabled until you need it as at present the service providers can’t solve this issue.
It should also be noted that Business Users are at risk as well – any unsecured connection (e.g. POP3 or IMAP) could be intercepted and used to access email accounts (note this could happen on any unsecured network whether an Evil Twin or not). To reduce the risks to the business technology such as those provided by Good Technology and RIMs Blackberry reduce the risk of exposing business information but still expose the user (entering credit card details) to risk.
To be clear – this is a a user education issue and also an industry problem which requires handset/mobile device manufacturers and network providers to work together to build a level of assurance in to their systems.
For more information on the Evil Twin threat and steps you can take to protect yourself from being a victim of data theft please contact Imerja on 0844 225 2888 or email us at [email protected].
