Friday, September 30, 2022

PERSPECTIVE: Government-Funded Mobile Security Contributions, from DHS to DEFCON

At a time when every day seems to bring more bad news about cyber security in the context of our nation’s critical infrastructure – foreign invasion of industrial control systems, national election tampering by outsiders, challenges retaining cyber talent in our agencies – it was refreshing to see a serious effort funded by the Department of Homeland Security (DHS) highlighted at DEFCON, the flagship conference for researchers focused on offensive exploits that took place earlier this month in Las Vegas.

Specifically, Kryptowire, a commercial offshoot of the Center for Assurance Research and Engineering (CARE) at George Mason University, successfully reported a serious exploitable weakness in commercially available Android devices. Led by professor Angelos Stavrou, Kryptowire is funded by the DHS Science and Technology (S&T) Directorate, and has built up a solid reputation in high-assurance mobile computing security.

What Kryptowire discovered requires a bit of background to fully appreciate. Recognize first that when university professors like myself teach graduate students about the holy grail of cyber exploits, we tend to focus on the attainment of the following capabilities during an offensive engagement: the ability to execute privileged commands, the ability to read information and logs, and the ability to modify information and commands.

What we teach our students is that when a targeted resource becomes vulnerable to these types of controls, then a truly serious compromise has occurred. And, worse, when these controls are obtained remotely, the result – unless quickly rectified – is game-over from the perspective of the cyber offense. What the Kryptowire team demonstrated was precisely these types of controls, achieved through pre-installed apps on Android devices from major carriers.

The specific devices addressed include Android models from Asus, LG, and China-based ZTE. The core issue is that these original equipment manufacturers (OEMs) always make software changes to the open Android operating system to differentiate their mobile solution. It is when these software changes include bad code that the problems arise – and there is little Google or any carrier can do about it, other than to coordinate over-the-air patch updates for users.

The technique used to detect these Android problems, which are present out of the box when consumers and businesses purchase the devices, involved a type of firmware scanning tool that permits focused examination – like with a microscope, so to speak – of the software on the mobile device. This supports the deep cyber forensic analysis required to detect exploitable vulnerabilities that might otherwise remain hidden. The mobile security community has clearly benefited from the work.

What U.S. taxpayers should recognize is that companies like Kryptowire will often have trouble, in my opinion – which is based on my direct observation of thousands of security start-ups over the years – obtaining sufficient commercial seed funding to build these types of advanced tools. Firmware scanning is such a niche opportunity – albeit an important one – that DHS S&T does a great service by supporting such work. This is our government operating at its best.

If you’d like to learn more about this specific mobile ecosystem vulnerability, additional detailed information is available from Kryptowire on their website. And if you’d like to learn more about the DHS S&T program and how you might get involved in their research and development program (I’ve been a speaker at their fine annual cyber showcase in the past), then check out the information available on their website.


The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email HSTodayMag@gtscoalition.com. Our editorial guidelines can be found here.

Dr. Ed Amoroso
Dr. Ed Amoroso is currently Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications. Ed holds the BS degree in physics from Dickinson College, the MS/PhD degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School.
