While this year’s edition of Black Hat, the annual hackers’ conclave that met recently in Las Vegas, was bigger and glitzier than ever, don’t get the impression that security has finally turned the corner and now is a real concern for commercial enterprise and original equipment manufacturer products, particularly smartphones.
As usual, there was an abundant selection of security training classes for attendees at Black Hat, along with the traditional Capture the Flag contest. Numerous researchers from industry and academia lectured on and demonstrated the latest techniques for hacking everything from home Wi-Fi access points to national databases. Security product vendors had professional models, celebrities and high-tech toys to deliver the message: “We have the ultimate solution to your security needs.”
Meanwhile, at the same conference, casually dressed, self-proclaimed experts and legitimate researchers presented an endless stream of hacks to defeat those “ultimate solutions.” That made me wonder: What’s really going on here? If so many companies have “the” answer, why are there so many successful hacks and why do we keep hearing that the bad guys are winning?
I think it’s because there’s a principle at work here that I call “the WOW factor.” Simply stated, the WOW factor wins out over security every time in the commercial world. Or to put it another way, commercial smartphone manufacturers will always give a higher priority to the user experience than to security, and commercial enterprise decision-makers will always give a higher priority to cost than to security. It’s hard to disagree with that principle. WOW sells far more smartphones than security features, and it’s hard to show the benefit of something NOT happening in an enterprise compared to NOT spending.
Clearly the WOW factor was the root cause of the latest Android vulnerability announced at Black Hat this year. In a highly publicized presentation, Bluebox Security described how one app can masquerade as another app by exploiting an Android vulnerability, which, by the way, is present in every version of (unpatched) AOSP Android.
With a newly purchased smartphone, Bluebox demonstrated how malware can use this vulnerability to infect several applications at once without ever requesting user permissions. It occurs because the identity of the application is not properly verified by a cryptographic process even though Android is fully capable of checking an application’s identity credentials in this way.
The cryptographic verification process takes more time and power to perform than what was actually implemented in Android, a simple string check. Processing time and power have the potential of degrading the user experience, thus degrading the WOW factor.
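The difference between the two checks can be seen in a simplified model. This is an added example, not part of the original post and not Android's code: the certificate fields, names and keys are constructed, and toy textbook RSA with small primes stands in for real certificate signature verification.

```python
import hashlib
from dataclasses import dataclass

def make_key(p, q, e=65537):
    """Toy textbook RSA key from two small primes (illustration only)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    pub: tuple      # (n, e) public key of the subject
    sig: int = 0    # issuer's signature over tbs()

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

def issue(subject, subject_key, issuer_name, issuer_key):
    cert = Cert(subject, issuer_name, (subject_key["n"], subject_key["e"]))
    cert.sig = pow(digest(cert.tbs(), issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def chain_ok_string_check(child, parent):
    # Weak: believes whatever issuer name the child certificate claims.
    return child.issuer == parent.subject

def chain_ok_crypto(child, parent):
    # Hardened: names must match AND the parent's public key must verify
    # the signature on the child (one modular exponentiation per link).
    n, e = parent.pub
    return child.issuer == parent.subject and pow(child.sig, e, n) == digest(child.tbs(), n)

# Constructed sample data: all names and keys below are made up.
VENDOR_KEY = make_key(2**31 - 1, 2**61 - 1)
OTHER_KEY = make_key(2**17 - 1, 2**19 - 1)
vendor = issue("Trusted Vendor", VENDOR_KEY, "Trusted Vendor", VENDOR_KEY)
genuine = issue("vendor plugin", OTHER_KEY, "Trusted Vendor", VENDOR_KEY)
# Claims the vendor as issuer, but the signature was made with an unrelated key.
claimed = issue("some other app", OTHER_KEY, "Trusted Vendor", OTHER_KEY)

if __name__ == "__main__":
    for name, cert in (("genuine", genuine), ("claimed", claimed)):
        print(name, chain_ok_string_check(cert, vendor), chain_ok_crypto(cert, vendor))
```

The string check accepts both certificates; only the signature check separates the one the vendor actually issued from the one that merely names the vendor.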
During the past several years, Motorola Solutions has been developing the Assured Mobile Environment, known as AME. It’s a secure smartphone solution that’s capable of protecting classified information. AME incorporates a commercial off-the-shelf Android smartphone because it provides the compelling Android user experience.
AME mitigates the risk of vulnerabilities by embedding the Android experience into a multilevel secure architecture. It uses not one but several layers of protection, including a separate hardware security module to segregate and protect critical security elements and processes.
AME adds the security assurance that is needed to overcome the vulnerabilities introduced by the WOW factor, delivering a compelling user experience while meeting the special needs of government agencies, enterprise and security-conscious smartphone users. Here at Motorola Solutions, security isn’t an afterthought; it’s a stream of consciousness.
Tom Mihm is the Chief Security Architect of the Motorola Solutions Secure Products Group.