NIST finds security issues with first responder mobile, wearable devices
A range of potentially serious security issues with mobile information collection and sharing, involving public safety mobile devices, backend storage locations, and virtual private networks used by first responders, was reported in the National Institute of Standards and Technology’s (NIST) new Draft NIST Interagency/Internal Report 8196, Security Analysis of First Responder Mobile and Wearable Devices. The public comment period on the draft report began December 3 and ends January 7, 2019.
The draft report explained that, “Public safety practitioners utilizing the forthcoming Nationwide Public Safety Broadband Network (NPSBN) will have smartphones, tablets, and wearables at their disposal. Although these devices should enable first responders to complete their missions, any influx of new technologies will introduce new security vulnerabilities.”
The draft document “analyzes the needs of public safety mobile devices and wearables from a cybersecurity perspective, specifically for the fire service, emergency medical service (EMS), and law enforcement. To accomplish this goal, cybersecurity use cases were analyzed, previously known attacks against related systems were reviewed, and a threat model was created. The overarching goal of this work is to identify security objectives for these devices, enabling jurisdictions to more easily select and purchase secure devices, and industry to design and build more secure public safety devices.”
For example, Draft NISTIR 8196 said there are security concerns when a police officer in the field utilizes his mobile device “to record and capture pertinent information for a missing person’s case” that’s “relayed back to his department’s data storage facility to be reviewed by investigators, supervisors, and other command staff.” The officer may also use his “mobile device to share specific details of the missing person’s information to responders, public, and media, which may lead to a quicker resolution of the incident,” but, “The data stored on the officer’s mobile device and the backend storage facility may be unencrypted.” And, “The data in transit for the data transfer to the backend storage location may be unencrypted if a VPN is not utilized.”
Consequently, “The unencrypted data allows for easy access of information by unauthorized users,” NIST stated, noting the “lack of network availability could delay the officer from quickly transferring the missing person’s information to the necessary parties and media outlets.”
Shared equipment by multiple law enforcement users is also problematic, NIST said.
Let’s say “a police officer selects a device from a charging station. Although the device is different from the device the officer used yesterday, the officer proceeds to log into the device. After login, the device is automatically configured with the officer’s Quality of Service, Priority, and Preemption (QPP) information, and public safety mobile applications are configured with the appropriate settings.” According to NIST, the inherent security concern is that, “The officer may have unauthorized access to sensitive information that was authorized for a previous user. Additionally, accidentally collected Personally Identifiable Information [PII] may be exposed, and QPP values may be incorrectly assigned (e.g., higher priority incorrectly assigned to a lower priority user).” As a result, the NIST draft warned, “Location data and health information may also be incorrectly associated with the previous user. The audit logs for the device or applications may be inaccurate. Availability concerns exist if the single sign-on (SSO) service goes down and the device needs to quickly be used for an emergency.”
Gathering and processing biometric information also becomes a security concern if “a law enforcement officer needs to identify an individual in a remote area. They use a wearable sensor to capture biometrics to facilitate the identification of the user. The information is transmitted to HQ for processing. The officer receives the results, which provide improved situational awareness and enable an informed action. Depending on coverage, the device may operate in limited offline mode, over 802.11 wireless, LTE, or satellite communications.”
“Data at rest protection for the information on the officer’s mobile device and the associated databases storing the biometric information is important to ensure that only authorized officials receive the information,” NIST said, adding, “Data in transit protection for the biometric information is also important and could be provided by encrypting the data at the application level and encrypting the communications path (i.e., encrypted data and encrypted tunnel).”
“Encrypting this data can protect against unauthorized extraction or modification of the data in transit.” And, “in addition to authenticating to the mobile device, the officer must be strongly authenticated to the applications and backend public safety databases.”
Lost or stolen devices can also “allow potentially malicious individuals to access sensitive public safety information,” NIST pointed out. “Even with lockscreen authentication, some public safety information may be exposed. For instance, notifications from cellular services (e.g., text messages, missed calls), or installed apps may be shown on the lockscreen.”
The vulnerability here is that “this situation is impacted by the lack of or improperly implemented access controls, including both local and remote authentication. In terms of local authentication, the lack of a lockscreen could allow this information disclosure to occur. For remote authentication, a persistent session that does not log out after a pre-determined period could compromise confidentiality of the data.”
Another “threat source” is that mobile “public safety devices may be lost or stolen with the same frequency as commercial and enterprise devices.”
For lost or stolen EMS devices, NIST said there is a “moderate confidentiality impact” because “patient information is unlikely to be exposed in this instance as these databases often require additional levels of authentication.”
NIST considers there to be a “low confidentiality impact” for fire service mobile devices because “PII or other sensitive information is unlikely to be exposed.”
There is, though, a “high confidentiality impact” for lost or stolen law enforcement mobile devices. NIST explained that, “The exposed information could be quite sensitive with regard to ongoing emergency incidents.”
Mitigations involve “properly configured mobile devices that authenticate users or roles before providing access to sensitive information can prevent unauthorized access. For local authentication, a proximity token could be used.”
“For instance,” the NIST draft says, “if an officer’s badge contains a proximity token, and their badge is physically separated from the phone, the phone automatically locks and requires further authentication. Other forms of authentication may include biometric or behavioral authentication methods.”
With regard to mitigations for remote authentication scenarios, “time-based session logouts and regular re-authentication may be useful,” NIST said.
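The two mitigations quoted above, the proximity-token lock for local authentication and time-based logout with regular re-authentication for remote sessions, can be modelled together as one access decision. The following is an added example, not code from the NIST draft or this article; the class, method names and both time limits are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

IDLE_LIMIT = 300        # assumed: idle seconds before the backend session is dropped
MAX_SESSION_AGE = 3600  # assumed: seconds after which re-authentication is forced

@dataclass
class DeviceSession:
    locked: bool = True                    # local lockscreen state
    session_start: Optional[float] = None  # backend login time, None when logged out
    last_activity: Optional[float] = None

    def unlock(self, token_in_range: bool, credential_ok: bool) -> bool:
        """Local authentication: badge token nearby AND a valid PIN or biometric."""
        if token_in_range and credential_ok:
            self.locked = False
        return not self.locked

    def token_separated(self) -> None:
        """Badge moved away from the phone: lock immediately."""
        self.locked = True

    def remote_login(self, now: float, credential_ok: bool) -> bool:
        """Remote authentication to the backend; refused while the device is locked."""
        if self.locked or not credential_ok:
            return False
        self.session_start = self.last_activity = now
        return True

    def request(self, now: float) -> str:
        """Decide whether a backend query at time `now` (seconds) may proceed."""
        if self.locked:
            return "denied: device locked"
        if self.session_start is None:
            return "denied: not logged in"
        if now - self.last_activity > IDLE_LIMIT:
            self.session_start = None      # time-based session logout
            return "denied: idle timeout"
        if now - self.session_start > MAX_SESSION_AGE:
            self.session_start = None      # regular re-authentication
            return "denied: re-authentication required"
        self.last_activity = now
        return "allowed"

if __name__ == "__main__":
    s = DeviceSession()                    # constructed timeline, in seconds
    s.unlock(True, True); s.remote_login(10, True)
    print(s.request(100))                  # badge nearby, session fresh
    s.token_separated()
    print(s.request(120))                  # badge walked away from the phone
```

The local lock and the remote session are tracked separately, so a device that is unlocked again after a badge separation still has to pass the idle and session-age checks before the backend is queried.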