Security Experts Offer Warnings, Recommendations During UConn’s Cybercrime Prevention Conference
The world is in the throes of a love affair with mobile technology and it shows no signs of abating.
We love to do our banking on our phones, text our friends—whether a block away or halfway around the world—and even set our thermostats using our mobile devices.
But the freedom and power that technology gives to mobile users also opens a gateway to trouble that professional hackers can exploit, said Roger Piqueras Jover, a wireless security research scientist at Bloomberg. Every time your phone or mobile device switches to a different transmission tower, a passive eavesdropper in your vicinity could potentially track the location of your smartphone, he said.
Jover was among a group of top security experts who spoke at a two-day security conference called “TakeDownCon,” which was sponsored by the University of Connecticut School of Business and the EC-Council Foundation. Some 100 people, many of them CEOs or top corporate security executives, participated in the conference, while others took advantage of a four-day certificate training program. The program was the first that the prestigious EC-Council has offered on the East Coast.
“The program was very successful and the speakers addressed a wide range of issues from safeguarding corporate information to thwarting threats to our nation’s food supply,” said James Simon, director of information technology at the School of Business at Stamford and a program organizer. “There was something of interest for everyone who attended.”
“The guest speakers were excellent, many among the most respected in the world in this emerging field,” Simon added. “There was also a tremendous sense of camaraderie and networking among the participants who are seeking to tackle this evolving criminal threat in a very anticipatory, well-prepared way.”
Jover’s presentation on mobile security drew rave reviews from conference participants.
“Regardless of the authentication and strong encryption, a mobile device engages in substantial exchange of unprotected messages with any LTE base station that advertises itself with the right broadcast information,” Jover said. “It is well understood as well that GSM (Global System for Mobile Communications) networks are insecure. In GSM, we are working with encryption developed in the 1990s. Our smart phones are faster than the most high-speed computers of the 1980s, rendering some of the cellular legacy technology either old or obsolete in terms of security.”
Prior to working at Bloomberg, Jover spent five years at the AT&T Security Research Center, where he was principal member of the technical staff, leading projects on mobile network security and winning numerous awards for his work.
People falsely assume that rogue base stations are not possible in LTE, but any mobile device will connect with an LTE station, whether it is legitimate or not. It is not until the authentication step that the device can tell whether it is a legitimate base station or not, he said.
“I believe there is a big disconnect between mobile security research and the industry,” he said. “Things that are obvious in my field are not being addressed. I’m trying to get the community involved, especially academics and graduate students, in research. This is a ‘hot’ research topic. I want to bring people’s attention to the fact that bad things can happen, in an effort to make mobile networks more secure. The more minds working on this problem the better.”
The security void can allow anyone to read your messages, just by being in your vicinity if your phone is connected to GSM, he said. Furthermore, a hacker can easily access approximate GPS coordinates from a compromised cell phone or device. More sophisticated hackers can intercept your calls and silently page your phone by sending a Facebook message to a folder you never see.
“Cybercrime is a major challenge for business and keeps chief information officers, CEOs and members of corporate boards of directors up at night,” said John A. Elliott, dean of the UConn School of Business. “The risks are rampant, the hackers are ruthless and security breaches are monumentally expensive.”
“The School of Business was pleased to partner with the EC-Council to present a series of programs and training opportunities over six days to help those on the ‘front lines’ of the cybersecurity battle—whether CEOs or information technology specialists or aspiring young professionals. The programs included training for people seeking designation as a professional, people who were already licensed security officers and people who wanted to augment their knowledge about attacking systems, defending systems, or both.”
“UConn has a mission to help Connecticut’s business stakeholders grow and remain competitive,” Elliott said. “This program fits that mission.”