Mobile and wearable devices perform a variety of tasks for first responders, including providing awareness, communication, and data sharing.
However, cybersecurity vulnerabilities of these devices may inhibit how well first responders perform their duties, and ultimately put their safety at risk. The National Institute of Standards and Technology (NIST) addresses security concerns about first responder mobile and wearable devices in publication NIST IR 8235. This article includes highlights gleaned from that report.
Band 14 spectrum
Equipment used by first responders may include technology designed for the general consumer and not with public safety applications in mind. There are potential repercussions if the equipment is procured without adequately considering the security and safety of first responders.
These devices typically use the portion of the 700 MHz signal band designated for use by first responders, also known as the Band 14 spectrum.
Mobile devices
An outdated OS may leave a mobile phone vulnerable because it has not received the necessary patches
Mobile devices typically use an Android operating system, although the operating system may be four or five versions behind the current one.
An outdated OS allows a device to continue operating public safety applications, but it may also leave a mobile phone vulnerable because it has not received the necessary patches.
testing criteria
Engineers gather a series of mobile and wearable devices advertised for public safety use in their testing. Testing centered on eight security objectives – availability, ease of management, interoperability, data and application isolation, confidentiality, authentication, integrity, and a healthy ecosystem.
Most mobile devices have built-in capabilities and information necessary to meet the security objectives of first responders. However, security is not automatically enabled on mobile devices. Enabling the security requires additional application programming interfaces (APIs). Testing engineers leveraged a free third-party mobile application called a Mobile Threat Defense tool to analyze potential or current vulnerabilities.
Testing results
A common attack uses a rogue base station as an IMSI catcher, which gathers a device’s information
Testing showed that mobile devices are not able to detect a rogue/fake base station (not owned by the Mobile Network Operator), which can be used for person-in-the-middle (PitM) attacks to eavesdrop, perform a denial of service, or to gather information to track a user’s location.
A common attack uses a rogue base station as an International Mobile Subscriber Identity (IMSI) catcher, which gathers a device’s information and can track a device from a base station to a base station.
minimal functionality
Examples of wearable devices include Bluetooth headsets, body cameras, and body sensors that monitor vital signs. Wearable devices are designed to have minimal functionality, which also limits their security capabilities.
Wearables often do not have a screen display and require another (mobile) application to interface with the device. While Bluetooth specifications are improving and being updated, commercially available wearables still use older versions of Bluetooth, which provide minimal security.
Impacting usability
A device administrator can obtain information about prospective to confirm if devices have the required features
Wearables can adhere to a minimum number of public safety security objectives; they are built to emphasize usability rather than security. Without proper hardening, however, a security attack could impact the usability of the device.
Understanding an organization’s needs is the first step in making decisions about buying technology, suggests the NIST report. A device administrator can obtain information about prospective or current devices to confirm if devices have the required features.
Security features
Some devices have security features enabled automatically, but most require secure configuration to an organization’s specific needs. Public safety device administrators should consider both usability and security when applying security.
Compliance monitoring
First responder mobile and wearable devices should be monitored constantly to check for compliance, vulnerabilities, and other issues.
Compliance monitoring will check for changes to the device configuration, such as changing the password or downloading an unauthorized application on the device.
Vulnerability monitoring
Vulnerability monitoring can check for concerns such as application, network, or OS vulnerabilities
Vulnerability monitoring can check for concerns such as application vulnerabilities, network vulnerabilities, or OS vulnerabilities.
A plan of action might be to remove a device from deployment and provide an alternative/backup device during an emergency incident, or it might be to disconnect a device’s access to a public safety resource.
Best practices
Best practices listed in the NIST report to guide public safety officials seeking to acquire mobile and wearable devices include:
- Identify public safety needs and devices
- Provide protection by applying security and training users
- Detect issues by logging and monitoring devices
- Respond with a prepared plan
- Recover by constantly improving
ruggedization rating
Mobile devices have advanced well and are capable of meeting most of the public safety security objectives, but there is room for improvement when it comes to capabilities such as rogue base station detection.
Because of their limited functionality, wearable devices struggle to meet some of the public safety security objectives. Few devices are built with features that are specific to public safety, such as a ruggedization rating that meets the needs of firefighters.