Mobile devices have revolutionized the way we do work, enabling on-demand access to services and information anytime from anywhere. In the United States, there are an estimated 200 million smart mobile devices and two billion such devices worldwide. Within DHS, more than 38 percent of employees have government-issued mobile devices, totaling approximately 90,000 devices in use. To promote the safe and secure adoption of mobile technology in DHS and across the federal government, the DHS Science and Technology Directorate (S&T) created the Mobile Device Security (MDS) project.
Motivation
Mobile technology promotes lower costs, geographic flexibility and other advantages to government services such as public safety, health, education and finance. However, as government services grow more dependent on mobile technology, mobile devices become bigger targets for cybercriminals. As a result, the cyber threats the government faces include physical tracking of government personnel, unauthorized access to sensitive information and denying or degrading government services. Government mobile users need assurances that the apps on their devices execute securely on a “safe” device. A verifiable, trusted execution environment is needed to detect when the mobile device’s system has been maliciously modified. Additionally, one-time validation schemes that rely on passwords and tokens are PC-centric security approaches that are insufficient for mobile device security. New approaches are needed to leverage the unique capabilities and functions of mobile devices.
Approach
Several DHS mobility working groups and federal interagency working groups gathered requirements for the MDS project. This interaction enabled a prioritization of mobile security capability gaps that are impeding mobile implementations both at the federal level and across the Homeland Security Enterprise. Several of the high-priority target areas addressed by the project include mobile device management, trust implementation for executables, and identity management and authentication. The project has established three overarching objectives to accelerate the adoption of secure mobile technologies by the government.
To address these gaps, the MDS project has established several R&D initiatives that encompass projects related to:
Mobile software roots-of-trust -- Developing tamper-evident modules that continuously measure and verify a chain of cryptographically strong evidence to prove the trustworthiness of the device’s environment prior to executing software.
Continuous authentication -- Developing capabilities to do continuous, multi-factor verification that leverages contextual attributes on a mobile device to make real-time security decisions within the device and when accessing remote systems; leveraging a device’s innate functionality (e.g., application sandboxing, camera, GPS, etc.) to sense and measure the environment, user interaction and app interaction to ascertain risk.
Virtual mobile infrastructure extensions -- Developing mobile access control functionalities that leverage cloud-based technology to secure access to critical data without the need for resident data on the mobile device.
Performers
BlueRisc: Software-only Roots of Trust for Mobile Devices
Mobile roots-of -trust (MobileRoT) technology, which is based on software that measures and verifies a mobile device’s static and runtime state, was created to enable trust and overall device security.
HRL Laboratories, LLC: Continuous Behavior-Based Authentication for Mobile Devices
The Continuous Behavior-Based Authentication for Mobile Devices effort developed an anomaly-detection system for mobile devices based on HRL’s neuromorphic chip. It includes algorithms for continuous, behavior-based authentication for mobile devices.
Kryptowire LLC: Quo Vandis: A Framework for Mobile Device and User Authentication
The Quo Vandis effort created a framework for continuous device and user-behavioral authentication to prevent unauthorized access to mobile app functionality and sensitive enterprise data.
Rutgers University: Dynamic Data Protection via Virtual Micro Security Perimeters
For this effort, the primary output was a data-protection architecture for mobile operating systems using dynamic information flow tracking and cryptographic policy enforcement technologies to isolate data, instead of isolating the information processing environment.
University of North Carolina at Charlotte (UNCC): Theseus: A Mobile Security Management Tool for Mitigating Attacks in Mobile Networks
The Theseus effort developed a mobile device security management tool that monitors user activities, detects threats and provides situational awareness tailored to emerging first responder mobile networks.
Intelligent Automation, Inc.: TrustMS: Trusted Monitor and Protection for Mobile Systems
The TrustMS effort consists of two processor-level components: an offline instrumentation engine and a runtime multi-core security monitor. The instrumentation engine inserts security check code into target vulnerable programs and optimizes the instrumented code through static analysis. The runtime security monitor dedicates a central processing unit (CPU) core to monitor instrumented programs executed by other CPU cores to reduce processing overhead.
Hypori Federal: Process Level Security for Mobile System Assurance
The Process Level Security for Mobile System Assurance has developed and currently is piloting secure mobile infrastructure in virtualized environments.
Resources
For the latest information about S&T Cybersecurity, visit the S&T Cybersecurity News, Publications, Videos and Events pages.
Publications & Fact Sheet
- S&T Strengthens Mobile Device Email Security and Privacy
- DHS Study on Mobile Device Security
- Mobile Security R&D Program Guide, Volume 2
- Mobile Device Security Fact Sheet
Contact
Email: SandT.PCS@hq.dhs.gov