
    TELECOMS HOTHOUSE: Network Security – Security for the smartphone age


    Smartphone usage is growing, generating a huge increase in data traffic over mobile networks, and also changing the nature of the applications that users access. This Telecoms HotHouse, in association with Juniper Networks, asks how those factors are presenting different and increased security challenges to operators. More importantly, it seeks to identify the technical and organisational means with which operators can ensure network security in a smartphone age.

    At the table:

    GIJS VAN KERSEN
    Head of Mobile & Convergence Marketing, EMEA, Juniper Networks. Gijs works closely with operators – leading to his awareness of the need to raise the profile of network security strategies.

    FRAN HOWARTH
    Senior Analyst, Bloor Research. Fran specialises in the field of security, primarily information security, but also in physical security and how the two are converging. Focuses on the business needs for security technology.

    KEITH DYER
    Editor of Mobile Europe. Keith is looking to foster a debate that will help others in the industry think about how operators can deal with security as they enter the smartphone age.

    DAVID RODGERS
    Director of External Relations for OMTP. David has deep knowledge of mobile web applications and is OMTP's advisory committee representative to the W3C, currently working on the BONDI web applications initiative.

    STEVE BABBAGE
    Vodafone's head of security research and group chief cryptographer. Steve is also the chairman of ETSI SAGE, the standards body that specifies cryptographic algorithms for GSM, UMTS, LTE etc. 

     

    SMARTPHONE GROWTH AND IMPLICATIONS

    KEITH
    Gijs, perhaps you can frame for us what changes your mobile operator customers are experiencing in terms of network traffic, and the immediate implications of that?

    GIJS
    We are finding that the mobile network is going through a transition. In the past it was based on closed proprietary protocols, such as TDM and ATM, and it was very easy to secure it from outside influences. Also there was not so much data on the network; it was mostly voice. Now, with a lot of laptops, 3G dongles and smartphones accessing the network, the amount of data traffic flowing through the network is increasing. In addition, this is all IP traffic, so the network is opening up to more potentially malign users: abuse can come not just from college kids but from people motivated by money. This is something we need to address, to make sure that consumers and business people alike will remain confident to use the mobile network, for their business and for their entertainment.

    FRAN
    The smartphone market is developing at 25-30% a year at the moment. By 2012 it's going to outpace laptop sales and that's going to be more and more important. Last year we were looking at mobile web and email, and now we're looking at a lot more applications and access to corporate data. And this is really putting a strain on the networks. It's challenging for the operators to know how to deal with it; which policies to put in place, what sort of technologies they need for protection and encryption.

    STEVE
    The bulk of the current data load is really coming from laptops and data modems rather than smartphones. But smart device use is increasing and as it does so, with the growth of consumer application usage, this leads into something that is certainly different in nature in terms of the security aspects.

    DAVID
    There's a lot of movement to applications now, a lot of app stores being launched, a lot of work going on in the mobile web around widgets. A further aspect of this is that the convergence of applications onto smart devices has driven the control points away from the networks slightly. You have smartphones with WiFi connections, for example, which means that whatever applications are on the devices, they are probably not solely from the operator themselves. By opening up web applications to devices, and device functions such as SMS, calling and location, we are potentially opening up a Pandora's box. So the mobile industry has to step up and take leadership, and continue the good work we have already done to ensure that users continue to be protected in terms of their privacy and exposure to fraud.

    STEVE
    There are a host of very good reasons why you want to open up all this rich functionality to creative developers; it brings enormous benefits to customers. But on the other hand if you open this up to developers you know nothing about, that's exactly what brings you into security problems. So either you tighten up and only allow rich applications from developers you know well, or you restrict the functionality all developers can access, and then you can limit creativity.

    WHAT IS THE THREAT LANDSCAPE?

    STEVE
    Thinking about it from the point of view of a malicious developer in the mobile space, the most obvious way they are going to try to make money is using premium rate fraud, but there's also potentially access to customer data, banking data and passwords and so on. Plus you have the general concerns about customer privacy in areas such as location.

    GIJS
    And there are different ways you can get access to that data – you can get access on a cell phone by a malicious application, or someone could try to get access to information residing in the network on a database. I think that's a worse problem because you are getting access not to one person's data but to millions of people's data. And you could do this either through hacked devices or through other networks, for example from the Internet or from a peering network. So you need to protect not only the devices but also the interfaces of the network through the use of firewalls and intrusion detection systems.

    Also, because of the exploding volumes of data traffic, the firewalls will have to be upgraded not every 3-4 years but almost every year.

    DAVID
    As well as opening up the device APIs, there's a general trend towards opening up network interfaces, such as to billing and messaging functions. You are opening yourself up to a whole new base of attackers and it's traditionally an area that the operators and the mobile industry aren't experts in. There needs to be some support from the security community to help and support operators, because the internet world and the mobile industry are clashing together.

    FRAN
    That's why in the general security area threats are coming via the web, and it's not just about malicious programmers. It's the fact that security is often not included at the requirement and planning stage of application development, yet it's so much more expensive and difficult to put in later. And there are so many apps coming out that developers really are under pressure to get them functional and get them out, especially in the consumer space. The new Web 2.0 programming languages put a lot more of the logic up at the UI level, which makes it much easier for the hacker to get at. This is going to be a big, big problem; it hasn't been to date, but it will be.

    THE IP-CONNECTED BASE STATION

    KEITH
    As well as the spread of internet-based applications on devices, we are seeing the spread of IP to the edge of the network, and into the RAN itself, as operators seek to support that traffic and its growth. Will that have an effect on the security threats to the base stations themselves?

    STEVE
    I think it does bring some new issues. I think the most extreme example of this is the femtocell in the home that customers can potentially start fiddling around with. And to a large extent the same thing could happen with LTE. It brings two issues to address; first the integrity of the base station, which takes you into areas of secure boot, software protection in the device and trusted computing, as well as testing of devices through penetration testing. And then there's the IP backhaul which needs to be in a secure tunnel that ends securely inside the device and isn't just easily plugged into.

    KEITH
    And Gijs, as operators overhaul their backhaul networks with Ethernet-based solutions, do they have to be more aware of the security implications of the connected base station?

    GIJS
    It has become an issue, not only because of IP, but because operators have the opportunity to lease capacity from other companies, such as metro networks, so you are not controlling all the elements in the network anymore. I think the way to counter that is by compartmentalisation, to protect not only the perimeter and then assume if someone has passed the perimeter they have full access, but to make sure you have different layers of security in different parts of the network. So you can have some access protection at the backhaul end, but then again when you go towards the data centre you should implement further protection.

    I can also imagine somebody writing a piece of software for a PC that emulates the femtocell and using that to exploit some potential loopholes to carry out theft of service. And with LTE, base stations will also have an Ethernet connection, so you need to protect those physically and logically by not exposing any of the routing protocols to the base station, because if you can tamper with the routing protocols you can potentially bring down the whole network.

    WHAT SOLUTIONS ARE REQUIRED?

    On the device

    DAVID
    One of the reasons that the OMTP started the BONDI initiative is that we want to open up these device functions to the users, but we want to make sure the user is secure. What we're going to do is have a policy layer in between the internet and the device so the user themselves can use a policy provider to regulate application access to their device's functionalities. So for example you don't necessarily want every app to see your location, and you might not want to give access to any premium rate numbers for messaging.

    So having an adaptive policy layer on handsets, and potentially on the network itself, allows a much richer suite of tools for the operator and manufacturer to protect users.

    It deals with privacy, fraud protection and a whole host of other attacks, and any third party could be a provider of policy – it doesn't necessarily have to be the operator.

    In the network

    KEITH
    So that is one approach, the concept of a policy layer for managing security and access. But what can the operators do at a network level to protect themselves if a device is compromised?

    STEVE
    David said that mobile devices don't only connect through mobile networks, they sync with PCs, through Bluetooth, through WiFi, so it isn't possible for mobile operators to provide 100% protection to every single device. But what we can try to do is limit the damage from a single infected device to prevent the proliferation of malware to lots of devices, or stop a device accessing or damaging the data for lots of other users. The most obvious way that malware can propagate between mobiles at the moment is through MMS. It's therefore natural to put some measure of AV filtering or something similar in the MMS infrastructure to stop that happening.

    GIJS
    It's possible with appliances in the network to detect dynamically if a device has been compromised, and then change the access policy of that user so that he or she is redirected to a captive portal. So they see a web page saying: 'We have detected a virus on your device, please download the remedial software'. That is one way you can protect infected devices from accessing other resources and possibly infecting other devices.

    But we are also expecting more and more apps on mobile devices that may not have the power to run locally. So we're now seeing thin client software on mobile, meaning security is not only a device and network issue, it's also a computing security issue. With data server virtualisation, it's no longer enough to have a firewall running in front of your servers, because there can be different applications running on the same server. You need to provide a virtual firewall application running inside the data centre.

    DAVID
    That is the advantage mobile operators have, at least they control the network and can take some measures inside the network to protect the user. And that's partly the reason we've been so successful to date. We need to continue that trend – and being able to identify trends through traffic analysis and things like that will be key to identifying new emerging threats in terms of fraud, or perhaps botnets or P2P abuse.

    GIJS
    That is one aspect, certainly. There are signatures developed by security companies that detect known viruses or malware based on the coding patterns, so as soon as the traffic matches such a signature they can redirect that traffic or block access altogether. There are other, more statistical methods: for example, if a company uses a particular mail protocol and then suddenly there is traffic with a different protocol, then the network can throw up an exception, and at least alert the administrators.

    Security designed-in

    KEITH
    Steve, when a new service is launched within Vodafone, how is security handled within the process – does Vodafone expect security to be handled as part of your ongoing efforts, or do you get involved at the project design level?

    STEVE
    There are several stages. First, services will be built on mobile standards that have security built into them inherently. Clearly there will also be an element of constructive security in the application or service design. But then there also needs to be a detection element as well, you can't build total constructive security into applications without making everything a brick. You have to try and strike the right balance, and so we need the detection capabilities to try and catch when something is going wrong early.

    KEITH
    So do you feel you have the scale and the level of detection technology you need in the network to deal with the increased threats we have identified?

    STEVE
    It is something that has to evolve, and yes our capabilities are evolving as well: we are always reviewing and adding to that.

    WHO PAYS, AND WHEN?

    KEITH
    So we've seen that operators need to constantly refresh and evolve their technology, will that have a big impact on budgets, and is the cost of that something that operators will just have to put up with, or can it be mitigated?

    STEVE
    It probably is an increasing cost, yes, but it's not a vastly increasing cost, so it's something that frankly we have to swallow. You could invest as much as you like but you don't get unlimited budget and you have to use your budget wisely, that's obvious.

    GIJS
    I think the point that both Steve and Fran made earlier is very valid: if you build security into the design of the network from the start it's a lot less costly and a lot quicker than trying to bolt on security afterwards. And when I ask operators whether they would delay the launch of a new service if the security hasn't been proven, quite often they say they will go ahead and see what happens, because they haven't seen any outbreaks or intrusions so far. But the risk they are taking is not only loss of revenue but of their credibility and reputation.

    FRAN
    Especially if that intrusion leads to data being lost that someone is forced to disclose through regulation. Even if no-one uses that data, the fact that everyone knows the data has been lost can ruin a company's reputation.

    DAVID
    I think this is an engineer's nightmare – they are always under pressure to keep costs down and not to delay things, but we have to live in the real world. If we wanted to create the most secure system ever it would never get launched. But everything is converging on the mobile device. Suddenly we have to look at banking security, credit card security, pay TV hacking; so all of the attackers are now converging on the mobile device from different communities. It's up to companies to recognise that and invest in their own security departments. Otherwise they're going to lose money.

    STEVE
    The sensible approach is to allocate a realistic percentage of turnover, and then leave it to the security experts to use that to the best advantage of the company.

    GIJS
    Another way operators can optimise the use of that budget is to have a central department looking at security, rather than have security as part of individual projects, so you can centralise your resources.

    WHO TAKES RESPONSIBILITY?

    KEITH
    Where does the balance of responsibility for ensuring security lie, between the user, the handset vendor, the applications community and the operator?

    FRAN
    At the enterprise level this is something that enterprises are looking for the operator to do. If you ask them whose responsibility it is, probably around 60-65% say the operator should take responsibility. And at a consumer level, if someone has a malware problem you might consider it acceptable to put someone into quarantine, but you can't wholesale block someone off; it's got to be the responsibility of the operator to help the user to get their access back as quickly as possible.

    STEVE
    And I think it's clearly in the interest of the operator to solve that as well. In the mobile industry if the mobile is infected the user gets onto the operator. That's different from the fixed internet model.

    DAVID
    And this is something that's not necessarily understood by the browser vendors and people in the internet world. The customer has a contractual relationship with the operator and therefore there are obligations and expectations on the operator. We need to help W3C and organisations like that understand that users do need protection. We can't just let them loose on the world and expect them to take responsibility for everything that might happen.

    STEVE
    If you really want high end security, you need to put something on the device, but from the point of view of the consumers, who don't want to pay extra, and from the point of view of the operators, who don't want to bear the costs of the support calls or any other associated costs, it makes sense to put security in the network to keep the level of infection as low as possible.

    IS THERE AN OPPORTUNITY FOR OPERATORS?

    KEITH
    Fran, you mentioned that enterprises might be willing to pay for security services. So might this be an opportunity for operators, as well as a cost and a contractual responsibility?

    FRAN
    I'd say there was. There are a number of software types you can put on a phone to protect it. But you may need further things as new threats present themselves. Pushing proper updates out is a service operators can provide, and potentially people will pay for it.

    DAVID
    So this is potentially where the policy layer could really help. Policy isn't static, whereas access control at the moment is pretty static and binary. The other advantage is you can update something remotely, for example using the OMA DM standard to update devices, or update firmware over the air so vulnerabilities can be dealt with almost immediately.

    STEVE
    I think the really big enterprise customers will take control and have expectations of the service from the operator to deliver security up to their domain. And at Vodafone I don't think we'd see that as a paid extra. But for smaller companies there's more potential for operators to provide managed communications with security services as a part of that.

    KEITH
    Everybody, thank you very much.
