Research directions in security and privacy for mobile and wireless networks Book Chapter

Reiher, P, Makki, SK, Pissinou, N et al. (2007). Research directions in security and privacy for mobile and wireless networks . 1-22. 10.1007/978-0-387-71058-7_1

cited authors

  • Reiher, P; Makki, SK; Pissinou, N; Makki, K; Burmester, M; Van, TL; Ghosh, T

authors

abstract

  • The mobile wireless future is here, and, predictably, the security community isn't ready for it. Cellphones are ubiquitous, and increasingly have data capabilities in addition to voice, often using multiple different networking technologies. Laptops are in use everywhere, sometimes disconnected, sometimes working off wireless local area networks. Radio Frequency Identification (RFID) is poised to enter our lives, embedded in everyday applications. An increasing number of data appliances of various sorts have become popular, and those of them that are not already augmented with networking capabilities will be soon. Applications are beginning to be built around the very idea of mobility and the availability of wireless networks. And all of these devices and applications are being built for and used by the masses, not just a technologically elite class. As popular as these technologies are today, we have every reason to expect them to be vastly more so tomorrow. Unfortunately, we are not prepared to secure even the mobile wireless present properly, much less the future. Some technologies and techniques are widely available to help address some problems: cryptography, virtual private networks, and at least the knowledge required to create digital authentication. But these are not nearly sufficient to solve the problems we are likely to face. A few years ago, more or less by accident, the folly of allowing mobile computers to move into and out of an otherwise secure environment became clear, when the Blaster worm used that method to spread into organizations whose firewalls were expected to keep it out. The first worm designed to move from desktop machines to cell phones was recently discovered. The recent cases in Afghanistan of sales in bazaars of stolen flash drives filled with classified data have pointed out that data can be mobile even when full computing and communications capabilities are not. Who knows what other unpleasant surprises are waiting to pop up in this rich, powerful, and poorly understood environment? The problems are not all unpredictable, either. Providing security for many proposed mobile wireless scenarios is known to be difficult. Mesh networks, and the more mobile ad hoc networks, are known to pose challenges to secure operation that we cannot properly address today. Similarly, the extreme constraints of sensor networks, which usually rely on wireless communications and sometimes feature mobile elements, make many of our standard security solutions infeasible. The scale and openness of proposed ubiquitous computing environments pose tremendous challenges to security. As the available bandwidth and deployment of wireless networks increase, we can predictably expect to see new challenges arise, such as denial of service attacks not easily handled by methods imported from the wired world, stealthy spread of worms by numerous vectors, and clever misuse of the special characteristics of wireless networks for various undesirable purposes. The same observations are true of the increasingly important issue of privacy. The burgeoning problem of identity theft has made clear that disclosure of private information is not a vague threat only of interest to a handful of activists, but is vital to everyone. The ever growing number cases of disastrous privacy disclosures based on the portability of devices and the openness of wireless networks should make clear that the privacy threats inherent in the wired Internet are going to become much worse in our mobile wireless future. We can so easily lose control of data whose confidentiality we wish to protect when devices holding it are so mobile. And, to a much greater extent than was ever possible before, the presence of ubiquitous wireless networks and portable computers that use them suggests disturbing possibilities for our every move and action being continuously monitored without our consent, our knowledge, or any ability for us to prevent it. Of particular concern is anonymity and its counterpart, accountability. The loss of privacy and the wholesale surveillance enabled by cell phones, Bluetooth and Wi-Fii capable laptops and devices, as well as RFID tags, affects all of us and may have disastrous consequences. Surveillance, triggered by conflicting interests of companies, corporations and organizations, tracks the electronic footprint of mobile users over network systems, and affects all of us. We urgently need to find simple solutions that give back the user control of their anonymity, while guaranteeing accountability. One important aspect of securing the wireless mobile future that must not be overlooked is that it will be a future of the everyman. The users will not be elite, will not be security (or even networking) specialists, will not be willing to learn many new skills to make use of their devices, and will not have regular access to trained security and system administrators. The security for this future world cannot depend on complex manual configurations, deep understanding of security threats by typical users, or reactions to ongoing problems by the humans working with the system. One of the most consistent lessons of computer security technologies is that only the technologies that are invisible to the average user are widely used. We cannot require any significant setup by the average user, we cannot require ongoing human monitoring of the behavior of the typical device in this environment, and we cannot expect user-initiated reactions to either potential or actual threats. Anything that is not almost completely automatic will not be used. If we look ahead to the predicted ubiquitous computing and sensor network future, this observation becomes even more critical. There will not be a security professional monitoring and adjusting the behavior of smart wallpaper in the typical home or vast undersea sensor networks monitoring the ocean's floor for seismic activity. We must move to a future where these devices and networks are secure on their own, without ongoing human supervision. So the computing world is already mobile and wireless, and is becoming even more so rapidly and unalterable. And we cannot even secure the relatively simple environment we see today. These dangers motivated the National Science Foundation to fund this study of the requirements for research in the field of mobility and wireless networks. The study is based on the deliberations of a group of leading researchers in this field at an NSF-sponsored workshop on security and privacy for mobile and wireless networks (WSPWN), held in March 2006 in Miami, Florida. This workshop presented position papers on the threats and possible mechanisms to handle these problems, which lead to deep discussions by the participants on what was lacking in the current research in these areas, and where the National Science Foundation and other agencies able to fund and direct research should try to focus the research community's efforts. This report distills the results of that workshop. The report opens by presenting a brief view of the current situation in the fields of privacy and security for wireless and mobile networks, covering both the knowledge we have available already from existing research and the range of threats we have seen and can predict. The report goes on to discuss areas where the workshop participants agreed more research was vital. We also discuss the general character of the kinds of research we feel is more necessary and elements that funding agencies should look for in research proposals in this area. © 2007 Springer Science+Business Media, LLC.

publication date

  • December 1, 2007

Digital Object Identifier (DOI)

International Standard Book Number (ISBN) 13

start page

  • 1

end page

  • 22