7.08 Explain common methods for securing mobile and embedded devices

Introduction 

Think of your mobile device as your car. Just like you wouldn’t leave your car unlocked with the keys inside, it’s important to secure your device to prevent others from accessing your personal information. In this lesson, we’ll dive into ways to protect mobile and embedded devices from security risks. Learning these strategies isn’t just about keeping your own data safe—it equips you to solve problems and assist others in securing their devices too. With these skills, you'll be ready to handle real-world challenges and help others stay protected in a digital world. 

Importance of Screen Locks 

When smartphones or tablets fall into the wrong hands, attackers can gather a large amount of personal information. This information can be used to launch other attacks. In addition to confidential files, a device may store cached passwords for services like email, VPN, and websites. Attackers can also use contact lists and message history (such as SMS, emails, and instant messages) to perform social engineering attacks. To prevent this, screen locks are essential to protect devices from being lost, stolen, or accessed during unattended moments. 

How Screen Locks Work 

A screen lock activates when a device is idle or when the power button is pressed. To unlock the device, the user must perform a gesture. 

  • Swipe Gesture: A simple swipe unlocks the device without authentication. This may be suitable for shared or public-use tablets, but personal devices should use a stronger method. 

Authentication Methods 

To secure personal devices, various authentication methods are available: 

  • PIN or Password: Most devices require a PIN (Personal Identification Number) or password for screen lock authentication. The PIN may also be used to generate an encryption key. A 4- or 6-digit PIN provides decent security, but avoid simple sequences like "1234" or dates. In high-risk situations, a strong password is better. Devices can limit the number of failed attempts to prevent guessing. 

  • Facial Recognition: This method uses a 3D scan of the user's face to create a template. Since it uses the device’s camera, no special sensor is needed. Like the fingerprint method, facial recognition relies on matching the user’s face to the saved template. 

  • Fingerprint: Devices with fingerprint sensors allow users to unlock their device by touching the reader. During setup, the user’s fingerprint is scanned and saved as a template in a secure part of the device. Future scans are compared to this template for authentication. 

  • Pattern: This method requires the user to swipe through dots in a specific pattern. However, it has weaknesses: 

    • Patterns are easy to observe and copy. 

    • Smudges on the screen can reveal the pattern. 

    • Many users choose simple, predictable patterns (like "C", "M", "S"). 

For both fingerprint and facial recognition, a PIN or password is required as a backup or for tasks that require higher privileges, like resetting the device or changing lock settings. 

Limiting Failed Login Attempts 

Screen locks can also be set to restrict the number of failed login attempts. If an incorrect passcode or biometric (fingerprint or face) is used, the device locks for a certain amount of time. For example: 

  • After the first failed attempt, the device may lock for 30 seconds

  • After the third failed attempt, it may lock for 10 minutes

This setup discourages guessing the passcode or using a fake biometric scan. 

Mobile Security Software Overview 

Mobile devices can use similar security software as PCs and laptops to protect against malware, phishing, and software exploits

Patching and OS Updates 

Keeping your mobile device’s operating system (OS) and apps up to date is just as important as updating a desktop computer. Updates fix bugs, improve security, and may even add new features. 

  • iOS Devices: Updates for iOS are more consistent because of Apple's control over both hardware and software. Users can find updates by going to Settings > General > Software Update. App updates show notifications on the app icon and can be installed through the Updates section in the App Store. 

  • Android Devices: Android updates depend on the device manufacturer because they have their own version of Android. This can lead to different levels of support for new updates. Android devices notify users of updates through the notification bar, or users can manually check for updates by going to Settings > System > Advanced > System updates

Antivirus/Anti-malware Apps 

Modern smartphones, like computers, are vulnerable to malware and viruses, especially if apps from untrusted sources are installed. However, because mobile OS threats are constantly evolving, it’s harder to build databases of known threats. 

  • Antivirus/anti-malware apps for mobile devices mainly act as content filters to block phishing sites and prevent adware and spyware from running in the background. 

  • These apps also monitor permissions given to other apps, flagging any that might be abusing their access. They may also offer extra features like third-party data backup and device location services

  • Play Protect: For Android, the Google Play Store includes a built-in malware scanning and threat detection tool called Play Protect, which is turned on by default. It checks for harmful apps and prevents malware from being installed. 

Firewall Apps 

Firewall apps can monitor network activity on mobile devices, blocking connections to certain ports or IP addresses

  • Rooted Firewalls: Some firewalls require high-level access, known as root access, to monitor and control other apps. Rooting a device can be complex and may void warranties. 

  • No-root Firewalls: These create a virtual private network (VPN) interface that controls how apps access the internet. This way, the firewall can manage app activity without needing full control over the device. 

Enterprise Mobility Management Overview 

Mobile devices are now essential for handling email, business tasks, and accessing cloud-based applications. Enterprise Mobility Management (EMM) refers to the strategies and tools companies use to manage and secure the mobile devices that employees use for work. 

Mobile Device Deployment Models 

These are the main ways companies manage and provide mobile devices to employees: 

  • Bring Your Own Device (BYOD): Employees use their own devices for work. The company sets requirements for the OS version and functionality. Employees must agree to install corporate apps and allow some level of monitoring. This is popular with employees but can be challenging for security teams. 

  • Corporate Owned, Business Only (COBO): The device belongs to the company and is strictly for business purposes. Personal use is not allowed. 

  • Corporate Owned, Personally Enabled (COPE): The company provides the device, and while it remains company property, employees can use it for personal tasks such as email, social media, and web browsing. Personal use is subject to company acceptable use policies

  • Choose Your Own Device (CYOD): Similar to COPE, but employees get to choose a device from a list provided by the company. 

Mobile Device Management (MDM) 

MDM software is a key tool used in enterprise mobility management. It applies security policies to mobile devices, whether they are company-owned or part of a BYOD program. 

When a device is enrolled in MDM software, policies can be enforced to: 

  • Control which apps can be installed or used. 

  • Manage corporate data on the device. 

  • Disable or limit certain features (such as the camera or microphone). 

  • Ensure the device is kept up to date with patches and security updates. 

  • Verify that antivirus software is installed and working. 

  • Ensure the device's firewall is correctly configured. 

Custom Security Policies 

Companies need to create security profiles tailored to different roles, departments, or locations. For instance: 

  • A policy might disable the camera while employees are on company property to prevent data leaks. 

  • A more advanced system might only disable the camera in high-security areas to allow employees to make video calls in other locations. 

Soft Security Measures 

Not all policies can be enforced through technology. Some require soft measures, such as: 

  • Employee training on security best practices. 

  • Disciplinary action for violating security policies. 

Mobile Data Security Overview 

Mobile devices are often lost or stolen, and securing the data stored on them is crucial. Various mechanisms, such as encryption and remote backup, help protect data and prevent unauthorized access. 

Device Encryption 

Most modern smartphones and tablets offer built-in encryption to protect user data. 

  • iOS Encryption: iOS devices provide several layers of encryption: 

    • All user data is always encrypted, but the key is stored on the device. If the device needs to be wiped, the OS can delete this key, making the data inaccessible. 

    • Data Protection: Some apps, such as email, use an additional layer of encryption. This encryption uses a key derived from the user’s passcode, protecting sensitive data if the device is stolen. However, not all data is encrypted at this level—contacts, SMS messages, and pictures are examples of unencrypted data. Data Protection is automatically enabled when a passcode is set on an iOS device. 

  • Android Encryption: Encryption options in Android devices vary by version: 

    • As of Android 10, full-disk encryption is no longer used due to performance concerns. 

    • Android uses file-level encryption by default when a secure screen lock is set up, meaning user data is encrypted file by file. 

Remote Backup Applications 

Mobile devices are typically connected to a cloud service for automatic remote backups. These services allow users to recover their data if their device is lost or stolen. 

  • iOS Devices: Use iCloud for automatic backups of data, apps, and settings. 

  • Manual Backups: In addition to cloud backups, devices can be backed up to a computer. For instance: 

  • iOS allows backups to be made on macOS or Windows using iTunes

  • MDM Software: Companies using Mobile Device Management (MDM) can configure devices to back up data automatically, ensuring secure and consistent backup policies across all devices. 

Screenshots for Reference

iOS: Data protection encryption is enabled when a passcode is set (seen in the Touch ID and Passcodes settings). 

Android: File encryption is managed in the Encryption and Credentials settings. 

Cloud services and backup options provide an extra layer of security, ensuring data is recoverable even if a device is lost or compromised. 

  • Android Devices: Use Google Sync for backup services, though it doesn't include certain data types like SMS and call history. Android users can also choose alternative backup providers, such as OneDrive or Dropbox

Locator Apps and Remote Wipe Overview 

Most modern smartphones and tablets come equipped with GPS receivers. GPS helps determine the device's location by receiving signals from satellites. Although GPS requires a clear view of the sky, high accuracy location services use Wi-Fi and Bluetooth signals to locate devices indoors or in areas where GPS is not available. 

Location Services and Locator Apps 

  • GPS and High Accuracy Services: These tools calculate the device's position on a map. When enabled, they help users find their lost or stolen device. 

  • Built-in Locator Apps: Both iOS and Android devices have built-in features, like Find My iPhone and Find My Device, that allow users to locate their phone from any web browser as long as the device is powered on. 

  • Third-party Apps: Many antivirus or Mobile Device Management (MDM) tools also support location tracking. 

  • Full Device Wipe: A factory reset that erases all data, apps, and settings. 

  • Enterprise Wipe: If a device is enrolled in MDM, a selective wipe (enterprise wipe) can be performed. This erases only corporate data and accounts, leaving personal apps and files untouched, ensuring user privacy while protecting business information. 

Features of Locator Apps 

Locator apps provide several key functions beyond just tracking a device’s location: 

  • Remote Lock: Lock the device to prevent unauthorized access. 

  • Display Message: Show a message on the screen, such as “Please return this device.” 

  • Ring Device: Call the device at full volume to help locate it. 

  • Disable Wallet: Prevent access to mobile payment systems. 

  • Passcode Control: Block passcode changes and prevent location services from being turned off. 

Remote Wipe 

If a lost device cannot be recovered, performing a remote wipe may be necessary to protect data and accounts. 

These features help safeguard both personal and corporate data in case a device is lost or stolen, providing flexibility for both personal and enterprise users. 

Internet of Things (IoT) Security Overview 

The Internet of Things (IoT) refers to the global network of devices, appliances, vehicles, and other objects connected to the internet. These objects use sensors, software, and network connectivity to communicate with each other and with traditional systems, such as computer servers. IoT devices are increasingly popular in both homes and businesses, but they also present significant security challenges. 

Home Automation Systems 

In home automation, IoT devices are used to control and monitor various functions, such as lighting, temperature, and security. These systems typically include the following components: 

  • Hub/Control System: Most IoT devices need a hub to communicate and a control system to manage them. Since many IoT devices are "headless" (lacking a user interface), control is often managed through a smart speaker (voice-controlled) or a smartphone/PC app

  • Smart Devices: These are the endpoints of the IoT network, performing specific functions (e.g., smart lightbulbs, thermostats, or doorbell cameras). These devices run mini-computers, often using Linux or Android operating systems, and are vulnerable to common cyberattacks like those targeting web applications. For example, built-in cameras or microphones could be hacked and used for surveillance. 

  • Wireless Mesh Networking: Communication between IoT devices often uses mesh networking protocols, such as Z-Wave or Zigbee. These standards consume less power than Wi-Fi and allow devices to pass data between nodes, making the network more efficient. 

Security Concerns with IoT 

IoT devices can introduce several security risks, especially when their security features are poorly implemented or maintained. 

Consumer-Grade IoT Devices 

  • Weak Defaults: Many consumer IoT products come with minimal security features enabled by default, such as weak or default administrator passwords. This makes them easier to set up but leaves them vulnerable to attacks if users do not follow the recommended steps to secure the device. 

  • Patch Management: Vendors may not provide timely updates or security patches, leaving devices vulnerable to exploitation. Users might also ignore update recommendations or fail to follow patching procedures. 

Corporate IoT Risks 

  • Shadow IT: Employees might introduce IoT devices, like smart assistants or cameras, into the corporate environment without proper approval. This practice, known as shadow IT, can bypass official security policies, making it harder for IT teams to monitor and protect the network. If one of these devices is compromised, it can serve as a gateway for attackers into the corporate network. 

  • Remote Work Risks: When employees work from home, they may connect to the corporate VPN from a home network filled with unsecure IoT devices. These devices can be an easy target for attackers, creating vulnerabilities for the entire corporate network. 

Mitigating IoT Risks 

To reduce the risks associated with IoT devices: 

  • Regular Audits: Perform frequent checks on the security of IoT devices, including their configuration and update status. 

  • Security Awareness Training: Educate employees about the risks of IoT devices and the importance of securing them, especially when used in a corporate or remote work environment. 

These measures help ensure that IoT devices remain secure and do not become weak points in a network. 

Summary

Securing mobile and embedded devices is essential in today's technology-driven world, and there are many effective methods to protect them. Screen locks, such as PINs, passwords, and biometrics, offer strong defenses against unauthorized access, while mobile security software keeps your devices safe from malware and exploits. Regular updates, using locator apps to track lost devices, and remote wipe features further safeguard sensitive data.

Enterprise Mobility Management (EMM) and IoT security measures also ensure that mobile devices and smart networks are protected in both personal and corporate environments. With a few simple actions, you can greatly improve the security of your devices and data!