Tech At Bloomberg

How to Secure the Changing Face of Mobile

June 13, 2016

Roger Jover spends his time hacking devices. Don’t worry, though, he’s one of the good guys. The devices he’s concerned with aren’t your everyday smartphones. They’re the gadgets you’ll be relying on tomorrow. But in an era when hardware and software are evolving more quickly than ever, how can we secure future technology and make enterprise communication devices more secure?

Roger is a security research scientist at Bloomberg who specializes in wireless networks, and his job is to help answer that question. After hacking smartphones and cellular networks for his own personal research, he started analyzing Near Field Communications (NFC), WiFi, and Bluetooth devices. He has recently been exploring the security of LoRaWAN, a rapidly expanding new technology for low-power, long-range connectivity for IoT applications.

The Internet of Things (IoT) trend excites Roger because it will deeply affect Bloomberg’s technology and services and those of its customers. Over the last few years, Bloomberg has been quick to introduce new mobile products for the latest connected devices, including Apple’s iPad Pro and Apple TV, and last year Bloomberg dipped its toe into wearable technology when it was early to launch an app for the Apple Watch.

“This is the first time I’ve seen the technology moving faster than the standards,” says Jover.

The Internet of Things presents new security challenges, say Bloomberg security researchers, the first of which is an explosion of new devices to protect. Gartner estimates there will be more than 20 billion devices connected to the Internet by 2020, up from about 6 billion this year.

The IoT will also involve securing new kinds of communications networks. They will be low-power networks that allow connectivity across long distances, often relying on battery-powered sensors and gadgets that don’t have screens. Complicating matters, the industry has not yet settled on a network standard for very-low-power IoT wireless devices. The IoT presents an especially big challenge for Bloomberg, a company that operates in the highly regulated financial industry, where security and compliance are major focuses.

“In terms of our regulatory environment, we have all these devices and information that will be outside the office and the office network,” says Phil Miller, the Head of Mobile Engineering for Bloomberg Professional. “We’re focusing on empowering our clients to be able to make the right choices for their employees’ data, according to their own policies, while thinking creatively about ways we can use emerging technologies to provide better tools for managing the risks they face. We’re seeing increased usage of biometrics, and entirely new areas such as embedded wearables – things that we now may think to be a bit strange, but that might become the way of the future.”

In the near term, Phil believes the personal nature of wearable technology may transfer from the consumer space to the enterprise. “If we can trust that a watch has stayed on you and hasn’t been taken off, it might allow us to simplify the authentication experience,” he says. “We’re finding new challenges in managing all of these additional inputs which can feed into deciding how confident we are that the user is who we think they are, including location information. Do end users have different access if they’re in the office, at home, or elsewhere? How do we manage the conflict with their privacy needs?”

One thing Phil is certain about: We’re long past the days of the simple password. “Passwords now have become increasingly complex, users need to authenticate more frequently, and multi-factor authentication is now commonplace,” he says.

While Bloomberg’s security researchers carry out work on the devices and networks of tomorrow, there’s also the here and now to consider. Securing the current crop of mobile products—without making them too difficult to use—is the first step in conquering future challenges.

For Bloomberg, one big answer has been a credit card-sized device called the B-unit that uses two-factor, time-synchronized authentication. Users enroll with a fingerprint, taken when they first register with the desktop Bloomberg Professional service. They then log in to the mobile app with their username, password, and a one-time token generated by the B-unit. During that process, an encryption key is derived from the user’s password and then discarded after use.

The B-unit was ahead of its time, presaging the growing use of stronger workplace authentication. For Bloomberg’s security experts, it’s an inspiration and reminder that they constantly have to be at the cutting edge to provide solutions that are both simple and secure.