Mobile and wearable devices perform a variety of tasks for first responders, including providing awareness, communication, and data sharing.

However, cybersecurity vulnerabilities of these devices may inhibit how well first responders perform their duties, and ultimately put their safety at risk. The National Institute of Standards and Technology (NIST) addresses security concerns about first responder mobile and wearable devices in publication NIST IR 8235. This article includes highlights gleaned from that report.

Band 14 spectrum

Equipment used by first responders may include technology designed for the general consumer and not with public safety applications in mind. There are potential repercussions if the equipment is procured without adequately considering the security and safety of first responders.

These devices typically use the portion of the 700 MHz signal band designated for use by first responders, also known as the Band 14 spectrum.

Mobile devices

An outdated OS may leave a mobile phone vulnerable because it has not received the necessary patches

Mobile devices typically use an Android operating system, although the operating system may be four or five versions behind the current one.

An outdated OS allows a device to continue operating public safety applications, but it may also leave a mobile phone vulnerable because it has not received the necessary patches.

testing criteria 

Engineers gather a series of mobile and wearable devices advertised for public safety use in their testing. Testing centered on eight security objectives – availability, ease of management, interoperability, data and application isolation, confidentiality, authentication, integrity, and a healthy ecosystem.

Most mobile devices have built-in capabilities and information necessary to meet the security objectives of first responders. However, security is not automatically enabled on mobile devices. Enabling the security requires additional application programming interfaces (APIs). Testing engineers leveraged a free third-party mobile application called a Mobile Threat Defense tool to analyze potential or current vulnerabilities.

Testing results

A common attack uses a rogue base station as an IMSI catcher, which gathers a device’s information

Testing showed that mobile devices are not able to detect a rogue/fake base station (not owned by the Mobile Network Operator), which can be used for person-in-the-middle (PitM) attacks to eavesdrop, perform a denial of service, or to gather information to track a user’s location.

A common attack uses a rogue base station as an International Mobile Subscriber Identity (IMSI) catcher, which gathers a device’s information and can track a device from a base station to a base station.

minimal functionality

Examples of wearable devices include Bluetooth headsets, body cameras, and body sensors that monitor vital signs. Wearable devices are designed to have minimal functionality, which also limits their security capabilities.

Wearables often do not have a screen display and require another (mobile) application to interface with the device. While Bluetooth specifications are improving and being updated, commercially available wearables still use older versions of Bluetooth, which provide minimal security.

Impacting usability

A device administrator can obtain information about prospective to confirm if devices have the required features

Wearables can adhere to a minimum number of public safety security objectives; they are built to emphasize usability rather than security. Without proper hardening, however, a security attack could impact the usability of the device.

Understanding an organization’s needs is the first step in making decisions about buying technology, suggests the NIST report. A device administrator can obtain information about prospective or current devices to confirm if devices have the required features.

Security features

Some devices have security features enabled automatically, but most require secure configuration to an organization’s specific needs. Public safety device administrators should consider both usability and security when applying security.

Compliance monitoring

First responder mobile and wearable devices should be monitored constantly to check for compliance, vulnerabilities, and other issues.

Compliance monitoring will check for changes to the device configuration, such as changing the password or downloading an unauthorized application on the device.

Vulnerability monitoring

Vulnerability monitoring can check for concerns such as application, network, or OS vulnerabilities

Vulnerability monitoring can check for concerns such as application vulnerabilities, network vulnerabilities, or OS vulnerabilities.

A plan of action might be to remove a device from deployment and provide an alternative/backup device during an emergency incident, or it might be to disconnect a device’s access to a public safety resource. 

Best practices

Best practices listed in the NIST report to guide public safety officials seeking to acquire mobile and wearable devices include:

  • Identify public safety needs and devices
  • Provide protection by applying security and training users
  • Detect issues by logging and monitoring devices
  • Respond with a prepared plan
  • Recover by constantly improving

ruggedization rating

Mobile devices have advanced well and are capable of meeting most of the public safety security objectives, but there is room for improvement when it comes to capabilities such as rogue base station detection.

Because of their limited functionality, wearable devices struggle to meet some of the public safety security objectives. Few devices are built with features that are specific to public safety, such as a ruggedization rating that meets the needs of firefighters. 

Download PDF version Download PDF version

Author profile

Larry Anderson Editor, TheBigRedGuide.com, Notting Hill Media

In case you missed it

Siemens Expands Fire Safety With Danfoss Acquisition
Siemens Expands Fire Safety With Danfoss Acquisition

Siemens Smart Infrastructure has completed the acquisition of Danfoss Fire Safety, a Denmark-based specialist in fire suppression technology. This strategic step will boost growth...

Specification And Installation: The Key To Effective Door Controls
Specification And Installation: The Key To Effective Door Controls

Safe and seamless movement in our built environment hinges on accurately specified and installed door hardware, explains Russell Marks, managing director of Boss Door Controls. Wi...

AEI Cables: Fire Safety And Building Compliance
AEI Cables: Fire Safety And Building Compliance

Many of the new requirements under the new Building Safety Act 2022 are still not understood by those making critical decisions in the fire safety supply chain, says cable supplier...

vfd