The Department of Homeland Security (DHS) is studying ways to make the mobile devices and services that federal workers use more secure. The DHS is soliciting information from government officials, industry stakeholders and academic researchers as it explores how to beef up mobile security.
In the omnibus spending bill Congress passed in December 2015, lawmakers mandated that the DHS undertake such a study. Tucked into the bill was the Cybersecurity Act of 2015; section 401 of the act says the DHS must “assess the evolution of mobile security techniques from a desktop-centric approach, and whether such techniques are adequate to meet current mobile security challenges.”
The DHS is also looking into the effect such threats may have on the cybersecurity of federal information systems and networks, excluding those of the Department of Defense and the intelligence community. The DHS also must “develop recommendations for addressing such threats based on industry standards and best practices” and identify gaps that may be preventing the DHS from addressing mobile security concerns. Finally, the law requires the DHS to “develop a plan for accelerated adoption of secure mobile device technology.”
DHS Seeks Help
In its request for information (RFI) related to the study, the DHS says it is seeking input from experts in the cellular and Wi-Fi industries and from academics as it gathers information on “products, services, capabilities and technologies” that address mobile security. The deadline for responses is Aug. 22, though the DHS notes that its request for information doesn’t mean any action is imminent or that it will issue any new contracts; the RFI is “solely for market research, information and planning purposes.”
The DHS is exploring security concerns related not only to smartphones and tablets but also to mobile apps; operating systems; embedded mobile components, such as baseband radios; wireless networks; and enterprise mobile services and infrastructure.
The department notes that mobile devices face security threats similar to those affecting desktop PCs and notebooks, but because of the unique nature of mobile technology, mobile devices may face additional or greater threats. “These unique attributes include their portability, almost always powered-on state, ubiquitous network connectivity and inclusion of a variety of sensors such as GPS, compass, camera, gyroscope and microphone,” the DHS says.
The RFI notes that the input will help the DHS “identify gaps — areas that provide opportunities for industry, government and academic researchers to collaborate on advancing technologies and/or standards.” The department also wants respondents “to identify considerations, constraints and recommendations (including industry standards and best practices)” the federal government should be thinking about as it assesses mobile security threats and responses.
Multiple Kinds of Threats
The DHS is looking to get information on five different kinds of threats: application-based; software-based; physical-based; network-based; and mobile enterprise-based threats.
Application-based threats include apps that “gather privacy-sensitive information such as device persistent identifiers, device location, list of installed applications, contact lists, call logs, calendar data or text messages without adequate consent of the user.” Such threats also might include “apps that surreptitiously eavesdrop on the device user or others generally by using the device’s microphone and/or camera” or ones that “exploit vulnerabilities in other installed applications, the operating system or other device components.”
The DHS also wants information on apps that exploit the mobile device’s access to sensitive enterprise networks or data.
The department is also interested in “ransomware apps that prevent access to the mobile device or some or all of its data until payment is made,” among other app-based threats.
In terms of operating system- or software-based threats, the DHS wants to know more about how mobile operating systems or other lower-level device components can be exploited. The agency is also concerned about threats that delay timely security updates for publicly known vulnerabilities. The DHS also wants to know about threats that exploit “services provided by the mobile OS or device vendor, including device management capabilities, software updates or backup capabilities.”
The DHS is interested in learning about mobile devices that could be attached to enterprise PCs and attacks that could be launched from such mobile devices.
Network threats present a complex web of dangers because mobile devices are constantly connected, and the DHS says it wants to get information on the “collection or manipulation of voice and data communication to and from the mobile device,” such as man-in-the-middle attacks. The department is also concerned about the exploitation of SIM card vulnerabilities and mobile device signaling systems, as well as threats from Bluetooth signals or devices and rogue wireless access points.
Many agencies have embraced enterprise mobility management and mobile device management services, and the DHS is concerned about threats to those services. For example, a malicious actor could obtain administrator credentials and gain access to such services.
The DHS is also worried about the “exploitation of private enterprise mobile application stores, including obtaining administrator credentials or methods of subverting application security vetting procedures.”