Perhaps the most useful tool of the modern age is the smartphone. Nothing else has such a ubiquitous interconnect with just about everything we do and are. In many ways, this wireless device is the locus of our existence.
It isn’t necessary to elaborate on all of the functions the device is capable of. We are all aware of that. What is necessary is to drill down on the vulnerabilities of this device. This observation from Cisco kind of tells it all.
Cisco’s 2017 Mid-Year Cybersecurity Report notes that it has been warning about cyberthreats for years to alert defenders of the increasing sophistication of threats and the techniques that adversaries use to compromise users, steal information, and create disruption.
“With this latest report, however, we find we must raise our warning flag even higher,” the OEM said.
That is the global picture, and it paints a rather bleak landscape. But that same state of the global landscape can be layered on the smartphone segment.
There is a ton of discussion around smartphone security. I write about it a lot – it is that important. And I am also an advocate of hardware versus software implementation. That is because, in hardware, it is key-based and, if properly implemented, eliminates the endless update cycle and provides excellent immunity to malware, ransomware and the like. Keys (and tokens, if properly managed) are the best options for smartphone security, especially now, as the financial app landscape evolves in the smartphone segment.
There has been some movement by hardware manufacturers of late. Moreover, if one listens to them, smartphone security issues are moot. That is far from reality.
Take the case of the recent hack of Samsung’s Galaxy S8. The hack is performed by simply using a consumer-grade camera and a contact lens to fool the phone’s iris scanner. It has also been shown that it is possible to hijack a user’s smartphone if the hacker has the phone’s number, and use its camera and audio recording capabilities to spy on the user.
So, obviously, we are a long way from figuring out smartphone security and the present state of smartphone security really is broken.
Is There a Magic Bullet?
Going forward, however, there is a significant belief that biometrics are the next level of security (and, to some, the permanent fix). Nevertheless, the ugly truth is that current consumer (and even some commercial) biometric apps are not that sophisticated (in terms of the complexity required to implement methodologies that have sufficient levels of verification). There are countless cases of fingerprint lifting and image reproduction using various methods, including the use of something as benign as gummy bears and rubber cement, and images and videos of faces. These have all been successfully used to fool biometric sensors.
On the horizon are much more sophisticated biometrics: things like hand and face scanning (in combination or individually), blood vessel mapping, voice scans, facial thermography, DNA matching, odor sensing, blood pulse measurements, skin pattern recognition, nailbed identification, gait recognition, even ear shape recognition. And there are the more eclectic biometrics as well. Research has shown that brain and heart patterns are unique to each individual. This “futuristic” technology is more fraud-resistant than conventional biometrics such as fingerprints and retinal scans.
But beware. While biometrics may be the next coming thing, they aren’t foolproof. And being five-nines accurate requires a fair amount of processing power. Today’s smartphones are only beginning to have those kinds of resources.
Even once these hardware resources are common, there is still the biggest faux pas of all – the user. Users are notorious for not being diligent about security, especially on smartphones. And to be fair, having to use a complex verification metric every time you purchase a Starbucks can get tiring. So any biometric techniques must be user-friendly. Plus, things like fingerprints and retinal scans are one of a kind and cannot be changed if compromised.
So the smartphone security landscape has a “fur piece” to go. And it is complex. Solutions are available, but just because they exist doesn’t mean they are practical or adoptable in their present or future form.
How all of this will come together is a matter of great debate among a variety of entities. It will be a while before we have anywhere near a clear vision as to what will work, when and how. In the meantime, we need to focus on alternatives, especially hardware keys, and how to implement them in the vast sea of diverse products.
Ernest Worthman is the Executive Editor of Applied Wireless Technology and a Life Member of the IEEE. His 20-plus years of editorial experience includes being the Editorial Director of Wireless Design and Development and Fiber Optic Technology, the Editor of RF Design, the Technical Editor of Communications Magazine, Cellular Business, Global Communications and a Contributing Technical Editor to Mobile Radio Technology, Satellite Communications, as well as computer-related periodicals such as Windows NT. His technical writing practice client list includes RF Industries, GLOBALFOUNDRIES, Agilent Technologies, Advanced Linear Devices, Ceitec, SA, and others.