DHS Builds Mobile Defenses
R&D is focusing on securing devices and applications.
The U.S. Department of Homeland Security’s Science and Technology Directorate is working to improve the resiliency of smartphones and other mobile technologies through directed research and development initiatives. Not as secure as office computers, mobile devices are becoming the preferred target for malicious actions by cyber adversaries. In many cases, smartphones, tablets and other electronic devices simply do not have the same protections available for more traditional computing technologies, experts say. The level of attacks also is moving “deeper down the mobile device stack,” from the application and mobile operating system layers to the hardware and infrastructure layers, according to the department.
The federal government has 1.5 million mobile device subscribers, representing $100 million in federal mobile and wireless service contracts, according to the department. Attackers can get to sensitive government information and resources through these mobile users—including contact information, location and movement details, sensor data, photos and messages—the Department of Homeland Security (DHS) stresses.
From weaknesses in mobile devices to vulnerabilities in applications and data, carrier networks, operating system providers, device vendors, enterprise systems and infrastructure, opportunities abound to access back-end systems. Attackers can gain access, especially through government-issued equipment, because of a lack of protections, the DHS warns. And there is limited visibility into these mobile environments. These vulnerabilities are putting first responders and others who carry out the DHS mission of protecting the homeland at risk, the department states. The government must find solutions to protect its ever-growing cadre of devices, experts say.
Add the slow pace of technology adoption in the federal government, and departments such as the DHS, which are charged with fielding emergency communications technologies, face a steep challenge in implementing mobile security, says Vincent Sritapan, DHS program manager, Cyber Security Division (CSD), and direct commissioned information professional officer, USNR.
Established in 2011 to address the DHS’ cyber operational and critical infrastructure protection requirements, the CSD, within the Science and Technology Directorate’s Homeland Security Advanced Research Projects Agency, is tackling some of these problems. Sritapan helped draft the CSD’s 2018 Mobile Security Research and Development (R&D) Program Guide—released in April—which lays down the DHS’ strategy for developing mobile security solutions. Essentially, the CSD is focusing on two main areas of mobile technology R&D: device and application security, he says.
Sritapan oversees the projects, which are aimed squarely at accelerating the adoption of secure mobility for the department, the rest of the government and the global community that defends homeland security. The division is conducting several R&D projects related to mobile software roots of trust; firmware security; virtual mobile infrastructure; continuous validation and threat protection for mobile applications; and integration of security into the mobile application development life cycle. (See related sidebar.)
The program manager also works on the Federal CIO Council’s Mobile Technology Tiger Team, coordinating mobile security across the federal government, the military and the intelligence community. “What keeps us up at night is the slow pace in which the government adopts technology—even mobile security,” Sritapan says. “It’s something known and already in use by the industry, but by the time the government picks it up, it’s very slow-moving. It’s like pulling teeth, even though it’s the right thing to do. I understand that there are limited budgets, but at the same time, there is a gap here in mobile security.”
Government-issued mobile devices commonly have mobile device management (MDM) systems, but MDMs are typically used for only configuration and policy management and essentially monitor device usage for policy violations. MDMs do not secure devices, Sritapan points out. Therefore, the CSD is targeting R&D programs to bring up the level of security for the government’s mobile devices akin to the security on laptops. “We have configuration management, host-based security systems and endpoint security for our laptops, but on our mobile devices today, we really only have enterprise mobility management,” Sritapan says. “There isn’t McAfee for our cellphones or other anti-virus software or other protections. And the mobile device manager is not smart enough to know if I got infected in malware. It will only know if I broke a policy or a rule.”
To be able to protect against these threats, the CSD is focusing one key aspect of R&D on endpoint security. The point at which a workstation or a mobile device accesses a network can be a vulnerability if sensitive data is stored or displayed on mobile devices. Software or hardware solutions are needed to protect these endpoints from attacks. If a spearfishing attack or malware hits the government’s mobile devices, “I’d say more than 90 percent of us wouldn’t be able to protect against it because we do not employ any kind of endpoint security on our phones,” Sritapan says. “Endpoint security is an important piece.”
The DHS has tapped San Francisco-based Lookout Inc. to develop mobile endpoint security. “The government’s mobile devices are connected via the cloud, and a lot of agencies are now just putting their two-factor authentication on the mobile device itself,” explains Bob Stevens, vice president, Public Sector, at Lookout. “So if I am a bad guy and I know that, and I can get access to that device, I can basically get access to every single account that they have.”
The technology the DHS is developing with Lookout will continuously validate a mobile device and secure both the device and any mobile applications, Sritapan says. “Being able to understand the behavior of those applications is very important,” he notes.
Lookout performs predictive and near-real-time analysis, searching for mobile applications with malware or other vulnerabilities. Recently, company officials found a rise in surveillanceware on both Android and iOS devices among their 150 million commercial product users worldwide. They attribute the adversarial tools, which they are calling Stealth Mango and Tangelo, to the Pakistani military, which is targeting mobile device users in Pakistan, Afghanistan, India, Iraq, Iran and the United Arab Emirates. The surveillanceware tools also were able to pull sensitive data from the devices of officials, civilians and diplomats in NATO and across the United States, Australia and the United Kingdom, given interaction with compromised device users.
According to Lookout, the adversaries found content such as internal government communications; travel information; photographs of passports and other ID cards; mapping coordinates; legal and medical documents; developer information; and photos of military and government officials, including photographs from closed meetings of U.S. Army officials. “The U.S. government doesn’t want their contact information being exfiltrated to overseas,” Stevens stresses. “The bad guys are really starting to target mobile devices, so that is why it has got to be secured. And, unfortunately, there are still a lot of government agencies out there that haven’t bought into that yet.”
In its efforts to help public safety officials, the CSD is working to develop more secure mobile applications. The First Responder Network Authority, known as FirstNet, and its forthcoming first-responder network, which have their own public safety application store and do their own application vetting, are seeing vulnerabilities in mobile devices. The DHS is coordinating with FirstNet leaders on a quarterly basis to share information and “to show them that, ‘Yes, there is a concern,’” Sritapan says. “People who develop a mobile application today are not like traditional software developers. On a desktop, anybody can develop a mobile application, so coding flaws can occur, and other vulnerabilities can exist.”
To help cut the risks for this community, the CSD developed a joint pilot project, Securing Mobile Applications for First Responders, with the DHS Science and Technology Directorate’s First Responder Group (FRG), the Association of Public-Safety Communications Officials (APCO) and Kryptowire LLC. In the project, researchers removed potential coding vulnerabilities in 33 popular public safety-related mobile applications, protecting against malware, ransomware and spyware, Sritapan explains. They also discovered potential security and privacy concerns—such as access to device cameras, contacts or Short Message Service (SMS) messages—in 32 of the applications, according to the DHS. In addition, researchers found that 18 applications had critical flaws, such as hard-coded credentials stored in binary, issues with handling Secure Sockets Layer certificates or susceptibility to “man in the middle” attacks. The pilot has led to the creation of an ongoing mobile application testing program, Sritapan says.
Additionally, the CSD’s research into mobile security will look at device integrity “on the actual device, making sure it’s not tampered with,” Sritapan adds, “so you will see new projects coming out about that soon.” The department expects to announce work relating to vulnerability management and risky application behavior this month. “One of the areas that we think is important includes product ties around protections for phishing and spearfishing on a mobile device,” the program manager offers.
The CSD also is developing requirements for a new R&D effort on the security and resiliency of mobile network infrastructure. The division has many concerns regarding the ability of adversaries to affect commercial cellular carrier service, given vulnerabilities in the networks, Sritapan states.
“Based on the way that the ecosystems work for mobile carrier networks, I could be in Zimbabwe, and if I had the right subscriber services, I could, using the phone number, deny a call, listen in on a call, reroute the call or even change their billing address,” Sritapan warns. “And there are a lot of things in there, bigger problems that we do not know how to solve yet. For 3G, 4G and even 5G as we go forward, that is a really big concern.”
Whether or not the telecommunications companies are even implementing standards is unknown, given that the networks are privately owned, Sritapan says. The DHS has neither the legal authority to require that mobile carriers assess the security risks of their mobile network infrastructure to government devices nor the ability to demand that carriers provide information to evaluate risks, according to the department.