Both private businesses and governmental agencies are increasingly concerned about the mounting threats to wireless devices and networks. However, government approaches to dealing with the problem vary dramatically. From India, through the United States to the United Kingdom steps have taken range from full blown bans on use of wireless devices in the government workplace to the expansion of BYOD policies. In a previous blog post, we detailed how BYOD-friendly companies have declined by 20% since 2013, with 53% of all companies now banning private devices altogether. However, with reliance on the devices far from a downward trend, which government is on the right track?
India’s Smartphone Ban
In 2016, the Government of India issued new regulations to its employees across all ministries instructing use of smartphones in emergency situations only. Officials were requested to only conduct in-person meetings. Furthermore, government employees were no longer permitted to connect or sync their smartphones through office computers – not even to charge them. But who can define a real emergency? Perhaps emergency was code word for business as usual, in which case the entire policy was only a stunt for the press.
The smartphone ban followed the aftermath of an unrelenting assault against Indian institutions by Chinese students who had targeted both governmental, commercial and educational enterprises.
If the government was hoping to revert its technology back to the days of ‘secure’ landlines, this was definitely not the way since landline hacking via configuration attacks are so simple, even a ten-year-old could pull it off. There is no doubt that government employees in India will continue to use wireless devices, so instead of attempting to swipe the problem under the rug, wouldn’t it be better to find a solid solution?
Note to the USA – Android will not save you
Over the last year or so, the United States Government has traded the BlackBerry in favor of Android-based phones like Samsung Galaxy. The FBI has just recently ‘adopted’ over 40,000 Samsung Galaxy phones and the Military is devising secured Android devices for its personnel as well. Simultaneously, we are seeing both a 60% rise in Android market share and, more importantly, a 50% rise in the number of mobile malware attacks aimed at Android phones.
However, as previously discussed, a determined hacker will have no more trouble breaking into an Android device than an iPhone or vice versa. The reality is that no phone in its off-the-shelf configuration can be considered sufficiently secure for confidential data or voice communication. Before the Air Force Materiel Command gave their pilots iPads, they had carried an additional 90 pounds worth of navigational maps with them. The switch, of course, saved on paper and fuel costs and made navigation easier, but at what cost?
The UK Cloud-Based Wi-Fi – Could it work?
The United Kingdom has rolled out a plan to provide the public sector with cloud-based Wi-Fi. The idea was to run a centralized government-controlled Wi-Fi that would provide both staff and guests with a secure and seamless Wi-Fi connection as they move from place to place. The safety premise was that each user would be provided with encryption keys, each building would ensure WPA2 enterprise encryption and everyone would be sure that his device was configured to automatically check network certificates to ensure they were on a real network. Furthermore, the system would randomly create new credentials that only work with certain systems.
Current mainstream technologies attempt to protect the upper layers (application, presentation, session), while all but ignoring the lower levels (transport, network and data link) and the UK secured network is no different. From WindTalker Attacks which track even the smallest variations in a signal and link those changes with typing, or Eavesdropping which uses malicious nodes to send a query to a friendly node to grab information, the UK cloud-based Wi-Fi will be less than secure.
Governments do not have to go to expensive lengths to secure their wireless devices. Once decision makers realize that when the transport, network and data links are secured, it will not really matter what hardware they use, because the networks themselves will be secured.