FTC's Mobile Security Updates and Recommendations on Mobile Device Security

On February 28, 2018 the Federal Trade Commission (FTC (News - Alert)) issued a report on security of Mobile Devices. The report focused on patch updates and their policies, risks for the complex ecosystem, and recommendations for improved security. The 136 page report can be found on the FTC.gov website.

A press release accompanied the report calls for more education for security of mobile devices. In the release, Acting Director of the FTC’s Bureau of Consumer Protection, Tom Pahl points to “significant differences in how the industry deploys security” and “that more needs to be done.”

The following is a high-level summary and commentary on this issue. In Teneo’s opinion, the lessons learned from this report apply to any wireless-enabled device, including consumer smartphones, corporate-owned devices, Internet of Things (IoT), watches, glasses and tablets.

Diverse Ecosystem with Complex and Inconsistent Security

Although the bulk of mobile devices are manufactured by eight global companies, there are a staggering amount of variations by platform, brand and carrier. All of these devices can be operating customized operating systems with little or no version control.

The FTC report points out “consumers can choose from thousands of different device-service combinations at a wide variety of price points.” However, these options come at the cost of security. “Operating system customization at the device level can prevent uniform security patch application, increase the time and cost to develop, test, and deploy security updates, and may lead to shorter update support periods and less frequent updates.”

Uncertain Security Updates

With such a complex ecosystem, security patches and updates are difficult to verify and control.  The current environment relies on several stakeholders to be successful in performing their roles: developers, manufacturers, carriers and device owners. 

• If the best patched OS is never installed by the owner, the device is at risk.
• If the carrier delays in reviewing and balks at security update because it can break some of its apps, the device is at risk.
• If the manufacturer’s attention is on the newest, greatest release, and the older version isn’t getting updated as often, the device is at risk.
• When you add into the equation the apps on the device, the frequency of their updates, and whether they are supported at all, the security of these devices should be a concern for serious network professionals.

All of these risk factors increase as the number of users on your network grows.

Time to Update

The FTC also looked at the support data from each device manufacturer. The report reaches a clear conclusion that “variation in update support periods is the norm,” adding that “about a quarter of the devices were supported for less than one year” and that “some devices are sold after update support has ended.”

The report goes on to look at the time to release a patch for a known vulnerability and finds, not surprisingly, that newer devices are patched faster than older devices.  The more popular the device, the more quickly it is patched and, for new operating systems, “although many vulnerabilities were patched within 250 days, it took much longer to patch many vulnerabilities.”

This lack of certainty puts even the best security professionals in a difficult position. As one of the fundamental tenants of network security, you need to know and trust the devices on your network. How can you trust a device with these flaws?

Risks

Some of the risks the FTC’s report focuses on include:

• Mobile Malware: Bad actors have been increasing their attention on mobile and their attacks have been rising with a 400 percent increase in 2016, according to Pew (News - Alert) Research;
• Extorted money: From ransomware attacks at $100 - $300 per device;
• Spyware & Phishing: Harvested financial information, passwords, banking information and passwords;
• Hidden Malware: Hidden in 200 recreational apps that turn devices into a backdoor to networks; and
• SMS attacks: SMS attacks have unsuspecting device owners subscribing to services for a fee.

Although these examples may seem like an inconvenience – and they are – they are a large and real threat for network security professionals. Compromised devices are the foothold the threat actors use to establish a presence, harvest information, gain intelligence on their targets, and identify their weakness. They may sell that information or deliver a payload that is customized for their target.

Although the report did not reference this recent incident specifically, the University of Virginia Heath System’s breach, was determined to be caused by physician devices that were infected with malware. This incident confirms the FTC’s security fears.  Not only are the attacks happening, but they are going undetected for months, if not years.

Recommendations

The FTC makes several recommendations to improve the security of mobile devices.

• Education – The role and the need for security on mobile devices;
• Start with Security – The mobile ecosystem has already proven itself adept at starting with security in number of ways, such as implementing physical security controls, sandboxing, and encryption for mobile devices and data;
• Shared Responsibility – Between manufactures, carriers and developers to share reasonable security update support;
• Learn from the Past – The industry should consider recording more data in a more careful way;
• Adjust the Security Update Process – Continue to streamline the security update process, from patch development through deployment; and
• Embrace Greater Transparency – Manufacturers should consider providing consumers with more and better information about their security update support practices.

Conclusion

The FTC’s report sheds good light on the issue of the Security of the Mobile Devices. For network professionals, this threat has been known, but it always something that was on the horizon. Today, that threat is on top of us and can no longer be ignored.

Before the original iPhone’s (News - Alert) debut in 2007, most data was accessed by your endpoint, via your wire to your data center. Today, that same data is accessed via the cloud on a foreign network with a BYOD device. Mobile devices, cloud computing, and the perimeter-less networks demand different tools to properly secure the network.

Today’s network security professional demands the tools that can help identify and trust the device regardless of how they are accessing your data. These tools help regain visibility into the network so that the network is more secure.

What is your opinion? What steps do you secure your network with these security holes?

If you have any questions or need clarification on how to best secure your mobile devices (regardless of OS, manufacturer, carrier, owned or BYOD) reach out to me or your Teneo engineer for assistance.

About the Author: John Warnagiris is a Green Belt, PMP and the Senior Project Manager at The Teneo Group where he oversees Client Relations, Business Development, and Marketing. He combines his understanding of Six Sigma & PM along with 30+ years of practical leadership experience to help achieve their mission of securing the networks and data of their clients.