You see them everywhere: people hunched over their smartphones or tablets in cafes, airports, supermarkets and even at bus stops, seemingly oblivious to anything or anyone around them. They play games, download email, go shopping or check their bank balances on the go. They might even access corporate networks and pull up a document or two on their mobile gadgets.
But as wireless devices become increasingly ingrained into the daily lives of Americans, they open the door to heightened security risks. Not only do such devices become points of access for cybercriminals, but they also may be more easily breached than personal computers since many consumers do not secure their smartphones or tablets with antivirus software or take simple precautions such as enabling password protection.
According to a Harris Interactive survey commissioned by CTIA, a wireless trade group, less than half of all wireless device owners use passwords or personal identification numbers (PINs) on their handsets, a much smaller percentage than among computer users. Among those who conduct online banking on mobile devices, only half encrypt the data or use some form of security software. Moreover, less than a third of users have installed antivirus software on their mobile devices, compared to 91% on their laptops. One reason may be attitude: 45% do not see cybersecurity on their mobile devices as the same kind of threat they see on their computers, according to the survey, which was released in May.
The dangers, of course, are plenty. Rogue mobile apps can record the information that users type into a device, such as bank account numbers and PINs, according to CTIA. They can read data stored on a handset, such as emails, text messages, attachments, credit card numbers, and log-ins and passwords to corporate networks. A phone can even secretly record conversations within earshot. Data sent wirelessly from a mobile device over a Wi-Fi network can be intercepted in transit in “man in the middle” attacks. Malware can transmit this information to hackers, including those in foreign countries. “So who gets this information?” asks Gerald Faulhaber, Wharton emeritus professor of business economics and public policy. “You think this doesn’t go anywhere?”
Consumers may not be as concerned about securing a wireless device because they do not view it as a small computer. “They think, ‘Oh, it’s just my phone. It’s not the computer where I do my taxes,’ for example,” notes Andrea Matwyshyn, Wharton professor of legal studies and business ethics. But if they have ever accessed their tax returns on their phones to see if the filing went through, they have created a record of the login and password. “The history of activity on that phone is shared with the service, and the device itself may be keeping a record,” she says.
The risks are transferred to the workplace as more people bring their devices to the office for both personal and professional use, a phenomenon known as BYOD or “Bring Your Own Device.” Workers may unwittingly contaminate the corporate network if one or more of their personal apps contain malicious software. “The trend is certainly toward a BYOD environment in most industries,” Matwyshyn notes. However, “all of this adds a layer of risk that businesses have to think about and mitigate.”
The portability of mobile devices makes it tougher for corporations to police them. “Mobile devices are … tied directly to individuals in ways that personal computers aren’t, because they move with people,” according to Kevin Werbach, Wharton professor of legal studies and business ethics. “It’s more difficult for corporate IT to manage and control something that leaves the building every night. The reality, though, is that workers want to use their own mobile devices, with their own apps, so fully locking them down is not often an option.”
The problem is expected to grow as people step up their use of wireless devices. For the first time, there were more smartphones shipped worldwide in the first quarter of this year than phones with limited functions and restricted or no Internet connectivity, according to research firm IDC.
By 2015, more Americans are expected to access the Internet through a mobile device than a PC, according to CTIA. In the U.S., a third of the population currently uses smartphones. The figure is expected to increase to 80% by 2017, according to the trade group, citing a Frost & Sullivan study. The security risk expands to areas such as Internet-connected cars and medical devices that send out personal data wirelessly. “Every mobile app is a potential security risk,” Werbach says.
The new trend of using mobile wallets opens up another area of risk for the wireless consumer. With Google Wallet, consumers can use smartphones equipped with near field communication (NFC) chips to tap and pay for purchases. Their credit cards are stored on the phone. ISIS, founded by AT&T, Verizon Wireless and T-Mobile, offers a mobile wallet with tap-and-go functionality as well. Others offering mobile wallets include Square Wallet, LevelUp and Paydiant.
Attacks on mobile wallets occur chiefly through smartphones. Tablets are used mainly for consuming media such as video, games and e-books, and for accessing the web, while smartphones are used more often for mobile financial transactions, checking email, text messaging and voice calls. As such, the threat to each kind of device depends on how consumers or employees use it. However, tablets can be easier targets for criminals, because 73% of them connect to the Internet exclusively through Wi-Fi networks, compared to 12% of smartphones, the CTIA survey said.
A Complex Environment
Before smartphones and tablets took off, mobile telecom carriers controlled every aspect of the original 10-number keypad cell phone, according to a report by CTIA. They ran closed operating systems; there were no apps or app marketplace; phones had limited processing power; the network and content existed in a cordoned-off “walled garden,” and data speeds were slow.
Today, smartphones, tablets and other wireless devices run on both closed and open operating systems, app stores offer more than a million mobile apps, and handsets boast heavy-duty processing power, better resolution, larger screens and full access to the web. Meanwhile, carriers are investing billions of dollars to speed up wireless networks and carry heavier data traffic.
The result is that consumers and employees can perform far more complicated tasks on their handheld devices, and at a faster pace than ever before. In a BYOD environment, corporate IT staffs have to contend with many more devices per employee, instead of just a desktop or laptop computer and a feature phone. Businesses are used to securing computers that run Windows or Mac operating systems, but now they also have to deal with iOS, Android, Windows Phone, BlackBerry, Symbian and others. System administrators can vet software before it is installed on a company computer; it is tough to do the same with mobile apps.
“Mobile devices add a new level of complexity to cybersecurity,” Werbach points out. “Smartphone users download a greater variety of apps from more sources than [they do] on desktop PCs, where most online activities run through the web browser.”
Even corporate laptops can be secured more easily than smartphones or tablets. Not only does the company IT staff load them with antivirus software, set up passwords and add other precautions, but laptops also remain mostly turned off while people are in transit, Matwyshyn notes; users turn them back on when they reach their destination. But “with a mobile device, the point is to always be available and accessible to those who need to reach us,” she says. “That exposes the holder of that mobile device to additional security risks.”
Even the military was recently caught falling down on mobile security. In a March report, the Inspector General of the U.S. Department of Defense found that the U.S. Army did not have an “effective” cybersecurity program for its commercial mobile devices. Not only did the Army chief information officer fail to “appropriately track” these devices, but he was also “unaware” of 14,000 handsets being used, the report said. In addition, the Inspector General’s office discovered that data could not be remotely erased if the device was transferred, lost, stolen or damaged.
Moreover, these Army devices were not configured to require passwords, leaving the task to users. As a result, some handsets had no password at all, one of several problems the report identified. The Inspector General’s office said the Army CIO did not set a “clear and comprehensive policy” to secure these mobile devices after “inappropriately” assuming that the handsets were not connecting to Army networks or storing sensitive information. Consequently, it “left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data,” the report said.
Step by Step
The country is taking some steps to secure its critical infrastructure. In February, President Obama signed an executive order that directed agencies to develop cybersecurity standards for companies that run the nation’s critical assets, such as the electric grid, to ward off attackers. The government will also share information on cyber-threats with affected companies in a more timely fashion so they can better protect themselves.
However, the order specifically excludes “commercial information technology products or consumer information technology services,” leaving out Google, Microsoft, Facebook, Twitter and others from further scrutiny. “I wasn’t too thrilled with that,” Faulhaber says. “These are the guys running the operating systems.” For instance, Google’s Android ran on 75% of the world’s smartphones in the first quarter of this year, research firm IDC reported in May.
Companies can deal with cybersecurity threats by setting up mobile device management policies, says John Marinho, CTIA’s vice president of cybersecurity and technology. These include using virtual private networks, or VPNs, encrypting data in transit and requiring passwords on all devices. However, IT departments are not fully aware of what company employees are doing. A May CTIA survey showed that 57% of employees use their personal devices to access company data, but most IT professionals believe fewer than 25% do so. Securing mobile devices is a “challenge every organization struggles with,” Matwyshyn says.
Other ways to mitigate the risks include implementing a “permitted use policy” and training employees on the consequences of using their devices without giving much thought to security, Matwyshyn adds. Businesses should monitor employees to make sure their network access is authorized and the data they are gathering is consistent with what someone in their position would need. “The system should be structured to allow each employee to have access to as much information as the employee needs but not more,” she notes. “It’s a principle known as ‘least privilege.’” The lesson: Do not give employees log-in credentials that are overly broad.
Providing employees with a company-issued phone or tablet would make the devices more secure, because the IT department can monitor their use, trigger a remote data-wipe and take possession of the gadgets if necessary, she adds. But realistically, “employees like having their own devices, and they like having the flexibility of checking their Facebook profile” without being monitored.
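The mobile device management controls Marinho lists (passwords on every device, encryption, VPN for corporate access), the remote-wipe and inventory gaps the Inspector General found, and Matwyshyn’s least-privilege rule can be combined into one access gate. The following is an added example, not code from the article or from any MDM product; the device records, control names and role-to-dataset mapping are constructed sample data.

```python
from dataclasses import dataclass

# Constructed device record; field names are assumptions, not any real MDM schema.
@dataclass
class Device:
    device_id: str
    owner: str
    enrolled: bool            # known to IT's inventory (untracked handsets were the IG finding)
    passcode_set: bool        # password or PIN required on the handset
    storage_encrypted: bool   # data at rest is encrypted
    vpn_for_corp: bool        # corporate data reachable only through the VPN
    remote_wipe: bool         # IT can erase it if lost, stolen or transferred

# Each control the article names, mapped to the predicate a device must satisfy.
CONTROLS = {
    "enrolled": lambda d: d.enrolled,
    "passcode": lambda d: d.passcode_set,
    "encryption": lambda d: d.storage_encrypted,
    "vpn": lambda d: d.vpn_for_corp,
    "remote_wipe": lambda d: d.remote_wipe,
}

def audit(devices):
    """Return {device_id: [failed control names]} for non-compliant devices only."""
    findings = {}
    for d in devices:
        failed = [name for name, ok in CONTROLS.items() if not ok(d)]
        if failed:
            findings[d.device_id] = failed
    return findings

# Least privilege: a role is granted exactly the data sets its job needs, nothing broader.
ROLE_ACCESS = {
    "sales": {"crm"},
    "finance": {"ledger", "payroll"},
    "it_admin": {"device_inventory"},
}

def may_access(role, dataset):
    """Unknown roles get nothing; known roles get only their listed data sets."""
    return dataset in ROLE_ACCESS.get(role, set())

def corp_access_allowed(device, role, dataset):
    """Grant access only when the device passes every control AND the role needs the data."""
    return device.device_id not in audit([device]) and may_access(role, dataset)

SAMPLE_DEVICES = [  # constructed sample inventory
    Device("ph-001", "alice", True, True, True, True, True),    # fully compliant
    Device("ph-002", "bob", True, False, True, False, True),    # no passcode, no VPN
    Device("tb-003", "carol", False, True, False, False, False),  # untracked Wi-Fi tablet
]
```

Running `audit(SAMPLE_DEVICES)` flags only the two non-compliant devices with the specific controls each fails, which is the report IT needs before a device is allowed near company data.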
According to Marinho, the good news is that currently, the U.S. has one of the lowest smartphone malware infection rates in the world — less than 2%. While the rate is expected to rise, it remains a far cry from China and Russia, where breaches affect more than 40% of smartphones. Meanwhile, the U.S. wireless industry is investing heavily in keeping networks secure and drafting a cybersecurity road map, he notes.
But no system is foolproof; it takes one weak link for cybercriminals to slip through, Matwyshyn notes. The same personal information about a consumer could be stored in a retailer’s database and on a government agency’s servers as well as on the mobile device itself. All it takes is for a hacker to breach the least protected silo — such as the smartphone. “You don’t want to be the weakest point of attack,” she says. Taking steps to secure one’s mobile device is the “21st century equivalent of locking your door at night.”