Organizations — especially smaller ones that don’t have the staff and hence the sophistication of enterprises — should pay attention to the online tool that eWeek now has available online. The goal seems to be both to increase security and encourage users to be proactive.
The Smartphone Security Checker was put together by a number of organizations, federal agencies and companies, the story said. eWeek reports that it is customizable according to the type of device the user owns:
The guide includes information on how to set pins and passwords for a smartphone, download security apps that enable remote locating and data wiping, back-up the data on a smartphone if the device is lost or stolen, wipe data on an old phone and where to go to donate, resell or recycle it, and how to safely use public Wi-Fi networks and what steps to take if a phone is stolen.
After a bit of a slow start, it seems that issues relating to mobile device security are gaining the high profile they deserve. In parallel, however, there is a rise in incidents and problems. For instance, today BYTE reported on a vulnerability in Samsung’s Exynos Android kernel that it characterized as “severe” in the headline. Whether or not that term is overwrought, it clearly is a nasty bit of business:
The vulnerability gives the program complete access to device RAM and is being used for rooting devices, but can also be used by a malicious app to take control of the device, disable (brick) it or even silently modify arbitrary memory or other applications.
The story said that the Galaxy 33, Galaxy Note 2, other phones — both from Samsung and other vendors — use Exynos, which is an ARM system on a chip (SoC). This only is one example of how bad guys can, and often do, attack smartphones. It’s a good thing that people seem to be paying attention.
Other efforts are under way to protect mobility. This week, ARM, Germalto and Giesecke & Devrient announced a joint venture called Trustonic. The goal, according to a ZDNet piece that is based on a story behind The Wall Street Journal’s pay wall, is to embed the security the group develops throughout the handset from “the chip and operating system to applications,” the story said. The goal is to eventually make third-party devices and software obsolete by creating an area with the phone that doesn’t interact with the outside world and therefore is more secure:
Trustonic is based on ARM's Trustzone technology, which manifests as a security extension within the silicon and can be programmed into a smartphone's hardware. Gemalto and Giesecke & Devrient will be providing the software which will extend ARM's security programming.
The FCC best practices guide isn’t the only government initiative to increase mobile device security. Among the others is a proposal from the National Institute of Standards and Technology (NIST) in October. The agency, which is part of the U.S. Department of Commerce, wants to mandate hardware-rooted security for government-issued mobile devices. Associations Now explains what NIST is proposing and provides the pros and — through comments by the Telecommunications Industry Association (TIA) — the case against the approach.
It’s disturbing to see the increase in attacks on mobile devices, though that certainly is to be expected. The good news is that both the government and private industry are paying attention.