Mike Hughes, Senior Vice President, Product Development Software Operations

 

If Jeff Bezos’ phone can be hacked, so can your study devices. Is your #eCOA security strategy up to snuff?

Anti-Malware and other data breach prevention efforts are increasingly moving into the tablet and smartphone domain. Sophisticated cyber attackers are constantly finding new ways to exploit your network. That’s why cybersecurity should be part of your eCOA risk management strategy. This blog addresses widely-used, but vulnerable industry practices. There are two key areas to keep in mind for device security:

  • Avoid rooting devices
  • Invest in device providers who provide timely security updates for more than two years

Rooting

Although a common practice to customize device behavior for specific use cases, (in digital health and many other industries) device rooting introduces major security vulnerabilities.

What does “rooting” mean?

Rooting, or “jailbreaking,” devices gives privileges to modify the software on the device or install other apps that the manufacturer would not normally allow (e.g. giving apps system permissions to avoid pop-ups or asking to allow Bluetooth connection).

Rooting a device means that you become the “superuser” - which essentially makes it possible to gain complete access to almost everything in the operating system. When you use or sign into a device, you are considered a “user”, which gives you certain permissions to do or access things on the device. Specific apps also are considered users, and they have their own set of permissions. That’s why when you open an app, and you want to use the device’s camera within that app, a box often pops up that says “Allow this app to access the camera?” By default, the app user does not have permission to access the camera within the OS, but your user does - so you can grant it that permission. The Root User is the most powerful user, and has permission to do anything, to any file, anywhere in the system - which is extremely dangerous. 

What can you do with root / superuser access?

Once you have root access, you can pretty much do anything you want on the device. Rooting allows malicious parties to access or replace files, add malware, or even take over the entire device.  What’s more, while rooting used to be limited to the domain of those with advanced technical skills, anyone with the ability to follow instructions can watch and learn from scores of freely available online videos.

How does this impact eCOA deployments?

Although the use of rooting is not uncommon in eCOA devices, best practices for eCOA use prohibit all the following scenarios:

  • User ability to delete any apps
  • User ability to change, read, or delete any data that are stored on the device (either within a specific app or on the device in general)
  • Camera accessibility (without the user knowing)
  • Microphone accessibility (without the user knowing)
  • User ability to install malicious or unwanted apps onto the device (e.g. bitcoin mining app)

Importantly, an eCOA provider should retain the ability to:

  • Monitor user inputs and behavior
  • Pull a device location or IP addresses
  • Remote off, lock and wipe capabilities, in the event of device loss or theft

Security Updates

As with any technology, there are security exploits - both big and small - being discovered every day (on iOS, Android, etc.). Most of the time, security updates are made available by the owner of the OS right away (Apple for iOS, Google for Android). The big difference between iOS and Android however, is that because Apple owns the OS and the hardware, they make the updates available to their users almost as soon as they are released. With Android, there are dozens of different OEMs, and each one is responsible for then taking the security update and rolling it into their version of Android. To make things more complicated, the different carriers for each device must then also integrate the security update into the OS that has been modified for carrier specific devices. This is a very tedious process, which can sometimes take months. The larger OEMs are typically timely with releasing the security updates quickly for their flagship devices. However, for lower end devices, lesser known OEMs, or devices that are 2+ years old, it can take much longer to make a security release available (if it ever is released at all). Security coverage for older devices is limited as well:

  • The T-Mobile Samsung galaxy S5 stopped receiving security updates in December 2016.
  • The last OS update in Lenovo’s YOGA Tablet 2 was Android version 5.0, for which Google stopped supporting security patches in November of 2017.

Importantly, an example of one of the scarier vulnerabilities was Blueborne - which allowed hackers to remotely take control of a device as long as it was in Bluetooth range.

eCOA Best Practices

  • Key selection criteria for devices should include regular updates to security patches.
  • Long-term device support is mission critical with device procurement. Even for older devices, security patches support coverage should be longer than traditional OEM timelines.

In the digital age of increasingly sophisticated malware, high profile cyberespionage and ever-increasing investments in new cyber defenses, device performance is only one part of your eCOA device selection criteria. Security and operating system control are more important than ever. For more on this topic, keep reading our data integrity blog series.