NIST analyzes cybersecurity of responders' mobile and wearable devices
- By Susan Miller
To ensure first responders can securely connect their mobile and wearable devices to the FirstNet wireless broadband public-safety network, the National Institute of Standards and Technology has issued a draft report that analyzes the devices' current and potential uses from a cybersecurity perspective.
Draft Interagency Report 8196, "Security Analysis of First Responder Mobile and Wearable Devices," focuses on land mobile radio and cellular technology as well as wearable devices for firefighters, emergency medical crews and law enforcement. Such devices include clothing with biosensors, Bluetooth accessories, smart watches, body cameras, phone handsets and wireless headsets. The report analyzes a number of public safety use cases for cybersecurity and identifies known vulnerabilities to similar equipment to provide a reference for those developing and purchasing such equipment.
Although "these new technologies have a strong potential to introduce new vulnerabilities into a jurisdiction’s network, NIST said, "[l]ittle guidance exists for the appropriate configurations for public safety devices, let alone configurations for specific disciplines."
The report aims to expand public safety officials' understanding of the risks posed to devices, networks and users so they can prevent life-threatening scenarios caused by "malicious or accidental failures of technology."
The body of the report analyzes threat events and describes the particular vulnerability, its source (accidental, adversarial or disaster related), the threat category (confidentiality, availability), severity and likelihood (very low to very high) for fire, EMS and law enforcement personnel.
So, for example, a threat in which preinstalled spyware accesses a mobile device's sensitive data could trigger a lack of supply-chain controls, which would threaten confidentiality of data. The probability of such an adversarial threat is considered low, but its impact could be high for law enforcement.
The report describes 11 threats to mobile devices – from interception or accidental leaking of sensitive information to interoperability issues and equipment failures due to insufficient ruggedization. Seven threats to public safety wearables are outlined, covering spoofing, jamming and malicious attacks on hardware that cause overheating.
Besides the specific threat analyses, NIST includes two security problems it considered "particularly worrisome."
Wireless device tracking can help law enforcement officials keep track of officers in the field, but it can also be used as a "staging point for physical and digital attacks against specific public safety individuals." Jamming is another unresolved problem because modern mobile devices use protocols susceptible to wireless jamming, which requires "inexpensive hardware and little expertise," the report states.
"It is critical that the transition of public safety communications systems and devices to next generation technology occur in a smooth manner," the report concludes. "By understanding the threats and risks posed to public safety systems and their users, life-threatening scenarios can be prevented from escalating due to malicious or accidental failures of technology."
Comments are due by Jan. 7, 2019.