Tablet Security: A Bitter Pill

Tablet Security: A Bitter Pill
Tablet Security: A Bitter Pill

They’re small, sleek, and swipable – but are they secure?

Over the last two years, the developed world has embraced tablet computers like no other device. Eleven percent of Americans own one, according to data from the Pew Research Center’s Project for Excellence in Journalism (in collaboration with The Economist Group). Within three years, that will rise to more than one in three, predicts research firm eMarketer.

Not Your Grandma’s Computer

John Dasher, senior director of mobile marketing at McAfee, argues that tablet devices are perhaps the first category of computing product that has been built with security in mind from the ground up. PCs and Macs come from an era when security was an afterthought, and companies have spent the last 20 years compensating for those mistakes.

That may have merit, but tablet security still has a long way to go. There are no standard builds for these devices in the same way that there are for corporate desktop computers. “Every time we purchase a laptop, we flash it with this corporate disk image”, Dasher says. “We have a starting point. But we don’t really have that capability with mobile devices.”

Chris Burchett, CTO at mobile protection software firm Credant Technologies, says that manufacturers could do more. PCs increasingly take advantage of the Unified Extensible Firmware Interface (UEFI), which provides secure booting capabilities for operatingsystems. Windows 8 will use it, which means that tablets based on that platform can have safer booting mechanisms.

"Although Apple says that it looks for security vulnerabilities in the apps it approves, nobody knows about the process. No one knows what it checks for"
Oliver Ng, Security Compass

Support for UEFI isn’t evident among modern tablet platforms. Its inclusion, however, could drastically improve security, Burchett says. “If the manufacturer has shipped the device so that the right management capabilities can plug into it, then I can enforce my policies and I can be much more certain about the security posture of the device”, he explains.

However, some companies are working behind the scenes on custom tablet OS implementations designed to connect more closely with the underlying hardware. In November, Intel Capital invested $10 million into Insyde Software, a Taiwanese company that produces UEFI firmware, and customized Android distributions for OEMs.

Getting the Keys to the Castle

Custom corporate implementations of tablet operating systems are becoming a more urgent necessity. One of the measures that protects tablet users the most from being compromised is also paradoxically one of the most crippling when it comes to implementing security measures: the lack of administrative access.

“When you purchase a tablet of any kind, by default, you don’t have administrator rights to that device”, explains Rob Shaughnessy, CTO at WAN optimization firm Circadence.

Restricting administrative rights stops users from doing dumb things, such as installing apps with unknown provenance. “But it also means that you cannot implement the best types of security software unless they are preloaded, and the manufacturer has a pre-existing relationship with the mobile provider”, Shaughnessy points out. “If you want to use a Motorola Xoom with Cisco AnyConnect, you have to root the tablet, and then modify the kernel.”

Shaughnessy runs a firewall on his Xoom, having rooted the machine to gain administrative access. Yet, he is not a typical user. It will be up to an IT department to root each new Android device and install the necessary security software. But if users are bringing in their own tablets, will they be willing to give the IT department such powers?

At least IT departments have a choice with Android, which is why the US Army chose it to operate its smartphones early in 2011. In doing so, it snubbed Apple’s iOS. Like Android, iOS operates on both smartphones and tablets, but it has a notorious reputation for being locked down. Each time a new version ships, there is a frantic battle between Apple and the jailbreakers, who find new ways to root the operating system.

"If you had a VPN connection to your enterprise and someone jailbroke the tablet, then that’s the perfect bounce point"
Lawrence Pingree, Gartner

Apple’s tight control of the software and security ecosystem leaves users saddled with whichever security measures Apple chooses. This can be a mixed blessing, argues Shaughnessy. “Apple provides a native VPN in iOS 5, and it offers a specific set of capabilities”, he says. “If your organization uses a model that Apple doesn’t support, what do you do?” Such requirements may include custom IP tunnels, or specific encryption algorithms.

“The access control element is also becoming as critical, or more critical, than encryption in the tunnel itself”, he adds. “There is no way to install access controls in an Apple device.”

Cupertino’s Iron Fist

Apple relies heavily on its control of the App Store approval process, in concert with its locked-down operating system, to ensure that badly behaved software doesn’t make it onto its tablet devices. Apple made its guidelines for developing applications available to developers, but this worries Oliver Ng, director of training at security consulting firm Security Compass.

“Although Apple says that it looks for security vulnerabilities in the apps it approves, nobody knows about the process. No one knows what it checks for”, he points out.

Security researcher Charlie Miller discovered a flaw in code signing policies in iOS from version 4.3 onward that would allow third-party apps to download and run unauthorized code. Miller created InstaStock, a program that purportedly listed stock tickers. The program also contacted Miller’s server and downloaded unapproved code, giving him remote access to the device. Apple approved it.

That flaw has now been fixed (after Miller informed Apple of the bug, and was unceremoniously dumped from its iOS Developer Program). But, what other such flaws exist, and what is the value of such an opaque software development and approval process?

Apple may claim to protect its users, but researchers have been able to exploit vulnerabilities in the Safari browser to jailbreak iOS when it is pointed at a particular website. Visiting Jailbreakme.com with an iPad running various versions of iOS up to 4.3.3 will root the phone for you by hacking the browser.

Jailbreakme.com jailbreaks iOS with the user’s consent, and is clear about what it is doing. But how hard would it be to exploit such a vulnerability on a website to root a tablet and initiate a drive-by download? “You can run web servers or SSH daemons on these things”, says Lawrence Pingree, research director at Gartner. “If you had a VPN connection to your enterprise and someone jailbroke the tablet, then that’s the perfect bounce point”.

Destroying the Village to Save It

Ironically, jailbreaking Apple devices has sometimes been a way of making them more secure. In 2010, German researcher Stefan Esser developed a jailbreaking technique that modified iOS with Address Space Location Randomization (ASLR). This technique, which has been a part of Windows since Vista, randomizes the places in RAM where software runs, making it a moving target for malware trying to attack it. A year later, Apple introduced ASLR natively (and Google followed with ASLR in Ice Cream Sandwich, the latest version of its mobile operating system).

These tablet operating systems continually vie for supremacy with security features. For example, while Apple beat Google to the punch with ASLR, Google beat Apple with full-disk encryption, which it unveiled in Ice Cream Sandwich. The iPad features hardware encryption, but only for the purpose of secure wiping, which it implements by replacing the AES keys used to encrypt the data. An unwiped iPad responds to requests for data by happily decrypting it, making the encryption effectively useless for data protection. A separate data protection feature introduced in iOS 4 improves the situation by encrypting data using software classes, but it only works for applications designed to support them, and is not a full-disk encryption solution.

Getting Physical

The encryption issue is an important one, argues Alexander Gad, managing director of Compulocks, which specializes in physical security devices for laptops and tablets. “The cost of replacing the tablet is not the receipt for a new device”, he says. “It’s the data you have on it that’s important.”

Gad observes that when connected to an electrical outlet and plugged to a number of peripherals, the likelihood of a laptop being stolen falls. “With a tablet, the whole discussion of closing the device and detaching it from peripherals is suddenly non-existent”, he adds. Thieves can easily swipe such a small, pocketable device.

Compulocks sells tablet covers with a security lock integrated into the skin. The lock can be used to seal the cover and affix a metal tethering cable to a secure fixture.

While Apple and Google duke it out for supremacy in tablet security, Research in Motion is busy fighting its own battles. The company’s much-maligned Playbook tablet, which has experienced sub-par sales, is based on QNX, an operating system that it purchased from Harman International in 2010.

"The cost of replacing the tablet is not the receipt for a new device. It’s the data you have on it that’s important "
Alexander Gad, Compulocks

Traditionally, the company has enjoyed a solid security reputation with its Blackberry OS and BlackBerry Enterprise Server platforms, but in December, hackers released DingleBerry, a tool to jailbreak the Playbook’s alternate operating system. The company issued an over-the-air patch for its system in early December, only to watch hackers break it again the following day.

That said, the Playbook has a security feature that the others don’t; it doesn’t store work data locally. It uses BlackBerry Bridge to tether to a BlackBerry device, essentially becoming an even thinner client for the already thin phone, and providing apps that can use the phone’s resources over an encrypted session.

Separating Data Types

This is an effective but questionable way to separate work and personal data. On the one hand, BlackBerry failed to sell even a million units in 2011 because it crippled its tablet. QNX limitations made it difficult for the company to offer a native email client for the Playbook. On the other hand, maintaining the BlackBerry smartphone as the secure data storage mechanism and using the Playbook as little more than a connected viewer certainly walls off sensitive corporate information.

Some companies are already exploring the challenge of separating personal from enterprise data on tablets in other ways. Good Technology offers secure browsing and messaging software that separates enterprise from personal data.

Sooner or later, however, operating system vendors themselves would do well to support the separation of these two domains more effectively from within their own software. The challenge will be to do it while making the tablet as functional as possible.

Organizations wanting to allow tablets on to their networks while maintaining security must consider which security features are most important to them. For some, encrypting specific data types will be crucial. For others, low-level system access to introduce custom firewall, VPN, and anti-malware capabilities will be more important.

However, some may be unable to dictate the make or model of tablet that employees use, making mobile device management systems even more important. In the meantime, IT departments must do their best to secure these popular and attractive devices, before attackers turn their attention more readily to tablets, and put a whole new tier of software and data at risk.

What’s hot on Infosecurity Magazine?