Friday Rant: More Worries To Keep IT Busy – Are Your Phone Communications Secure?
Categories: Friday Rant |
With the greater and greater extent of content passing through your smartphone – and with Point-Of-Sale type functionalities using Near Field Communication (NFC) currently used mainly overseas soon to be rolled out in the US as well – how secure is your phone?
Without getting too technical, there are various "man-in-the-middle" type methods that can exploit the many ways your smartphone engages with external devices (e.g. WiFi routers, Bluetooth devices, GSM repeater stations, and now NFC devices). Additionally, the smartphones rely on a large suite of third-party applications that might have weaknesses that can be exploited. Experts in the field can likely add considerably to the list of issues that keep them awake at night.
Oddly, there are no readily available communication encryptions approaches for the iPhone. Those that exist either require a hacked (the irony...) iPhone or a two-way approach from a third party such as Cellcrypt, which requires an additional contract to run communications via their servers using only the data transmission portion of the smartphone. Also, it's mighty pricey – tacking on around $1,500 per year per user. Still, could it be a viable option for your C-suite executives and other individuals discussing market-driving information? I would imagine that Apple relies on something like this themselves.
Other solutions that exclusively rely on encrypted communications over the data channel (like Skype, Viber, and others) are probably more secure than standard cell phone calls – and certainly far less expensive than Cellcrypt!
Oddly, gaining security in your communications can land you in trouble in countries outside the USA – our 5th Amendment against self-incrimination isn't a widely held principle around the globe. Even countries like the UK has a fairly primitive outlook on securing your data – anyone failing to comply with government requests for decryption of their data can be punished with up to two years in jail. So far the longest sentence meted out is 13 months. France, Belgium, Australia and other countries take a similarly dim view of anyone trying to keep their own data secure. Hmm, makes me wonder...will I get in trouble for my illegible handwriting?!
As usual, there are far more advanced forms of encryption – e.g. deniable encryption – that include combinations of technology and stratagems such as placing folders within folders, manipulating the signature of the encrypted file to look like something else, and far more. This is a complicated field, and likely a good career path for the mathematically inclined. I can't see any end to the cat and mouse games involved.
So what are the takeaways?
Challenge your IT department to come up with a strategy to ensure that sensitive data does not needlessly reside on mobile devices. Device tracking is likely another good approach – although paradoxically, that probably violates the privacy laws of at least a few European countries.
The trend toward BYOD – bring your own device – is probably not compatible with higher levels of security. You might need to provide company-owned equipment to more employees.
In case you plan on sending employees overseas with devices containing sensitive information – VPN connections as well as DropBox-type methods to get to your data, are probably far better.