infoTECH Feature

January 29, 2015

McAfee Exec: We Need to Do More to Secure Smartphones, IoT

With all the high-profile network breaches in recent months of everyone from CENTCOM to Sony and Target, we are all by now aware of the potential for hackers to gain unauthorized access to our networks and our data. Yet most of us don’t bother to take the simple step of PIN protecting our smartphones.

This is particularly notable given smartphones are the weakest link security-wise in the end-to-end communications environment, and considering that wearable devices that track intimate details of our lives are expected to proliferate in the coming years, said Gary Davis, chief consumer security evangelist at McAfee, a division of Intel Security.

Davis today at ITEXPO Miami gave the address “Wearables: Panacea or Pandora’s Box – A Security Perspective.”

There’s a belief that security will be the gating factor to the widespread adoption of IoT, Davis said, so the time to figure out how best to secure both our networks and devices is now. That will require some work on the part of consumers and business users, cloud service providers, and device manufacturers, he indicated.

Every point in the communications chain – from the endpoint (maybe a Fitbit on your wrist), to the smartphone, to the cloud service – is a potential point for a hack, he said. But the weakest link in the chain is the smartphone, he added. The value of the data on a smartphone is ~$36,000, yet most people don’t go to the trouble of setting a simple PIN.

Attributing the data to Consumer Reports, Davis said that 36 percent of mobile devices are not PIN protected. Only 14 percent of people install third-party security applications on their smartphones, he said. And only 7 percent of smartphone users leverage security features (such as encryption) other than screen lock.

Forty percent of robberies in major U.S. cities involve the theft of mobile devices, he said, noting this data comes from the FCC. Consumer Reports, meanwhile, has reported that there were four million lost phones last year that were never recovered.

And a recent HP study indicated that each connected device in the home has an average of 25 vulnerabilities. That’s the case because so many home devices don’t use encryption or have other vulnerabilities that could be addressed with a simple fix, he said.

Much of the attention from an individual and retailer perspective is on securing credit card information, said Davis. While that clearly is important, the credit card companies have processes and systems in place that have become pretty good at detecting and correcting fraud quickly. However, if someone hacks your smartphone, your fitness band, or a connected medical device, it can be difficult to detect. And the results can be life threatening and privacy invading. According to Davis, the health credentials of a consumer are worth 10 to 20 times more than that person’s credit card information because of both the value of the data and the lengthy window of time until the hack is likely to be discovered and addressed.

Applications, devices, and operating systems are all potential openings for hackers. For example, take a look at the popular Flappy Bird game. Davis said 79 percent of Flappy Bird clones contained malware that enables hackers to remotely make calls on unsuspecting users’ smartphones without users’ permission; install additional apps on the mobile devices; send, record, and receive SMS messages; and more.

At one of McAfee’s recent events, it used a directional antenna and wrote some software to demonstrate a hack of an insulin pump. It was able to do that fairly easily and without the user/patient ever knowing that the device had been accessed by an unauthorized party.

“We are in an industry where every single day there’s something new happening that requires us to pay attention,” Davis said.

So consumers that use, or want to use, smartphones, wearables, and other connected things should take the following steps to protect themselves and their devices, he suggested. They should change default passwords; turn Bluetooth off when it’s not required; limit the amount of information to only what’s required for the wearable to function as they wish; be careful when using social sharing features; and read and understand privacy policies. People should also PIN or password protect their mobile devices, using biometrics when possible; be mindful of permissions; apply OS and app patches; turn on locate and lock capabilities; turn off non-essential antennas (Bluetooth, GPS, and Wi-Fi drain batteries and open devices to intruders); install security software; use full device encryption; and stick with trusted app stores, he said.

As for cloud service providers, to allow for the most secure scenarios they and their customers should connect using encrypted communications, use multi-factor authentication, only collect data necessary to deliver service, require strong passwords, implement secure session management, and follow best practices for password handling (only storing salted hashes and encrypted passwords).

And everyone in the communications ecosystem – from device companies to service providers – should build in security from the start, not in the second or third versions of their solutions, as so many companies tend to do, Davis said.

Davis noted that FCC Commissioner Terrell McSweeny was quoted a couple days ago in the press as saying “It’s time to insure there is a clear set of ground rules for the security of Internet-connected products – before the marketplace and our homes fill with exploitable devices.”

This quote from a recent story in The Washington Post is also a nice addition to the speech today at ITEXPO Miami: “Concerned about people hacking into your email? Just wait until they hack into your bathroom mirror and release your naked selfies to the Internet. In an interview last year with Harvard Business Review, security expert Bruce Schneier suggested that the Internet of Things would be harder to secure than the Web, mostly because ‘these are devices that are made cheaply with very low margins, and the companies that make them don’t have the expertise to secure them.’”




Edited by Maurice Nagle