Datacenter-based security crews struggling with threats to data and network security amidst waves of BYOD and mobile-computing initiatives got more to worry about this week via a warning from federal law enforcers, and a dim hope for the future from quantum-encryption researchers.
In a memo circulated to law-enforcement agencies July 23 and posted publicly Aug. 27, the Dept. of Homeland Security and FBI warned that Android devices “continue to be a primary target for malware attacks due to its market share and open architecture.”
Forty-four percent of Android devices still run versions of the Google Android OS from two years ago, despite a long list of well-known security flaws in those versions, which were patched in later editions, according to the report.
Trojan horses, viruses and other malware delivered via text messages make up almost half the malicious software running on older versions of Android, rendering the devices vulnerable to high-cost premium-online-service phone scams and other threats. Rootkits that can record users’ keystrokes and passwords are also widely available, while fake app download sites can steal user data and login information, the report warned.
The report from the DHS Office of Cyber Intelligence and Analysis, the National Protection and Programs Directorate, the U.S. Computer Emergency Readiness Team and the FBI’s Directorate of Intelligence warned that the threat will grow as federal and state agencies expand their use of Android devices without proper security and patching protocols driven from central datacenter security operations.
The number of malicious high-risk applications circulating for Android devices rose to 718,000 during the first quarter of this year, up from 509,000 during the last quarter of 2013, according to the 2Q 2013 Security Roundup from TrendLabs.
The number of attacks targeted at specific corporations is also on the rise, according to the report, with high-profile successes such as a much-publicized attack on the Associated Press Twitter account, as well as an attempt to steal data on 1.27 million users from Yahoo! Japan.
Super-secure encryption may not be able to solve all those threats, but quantum cryptography could secure data that might otherwise be stolen, while ensuring the validity of text and email messages sent from Android devices and making it far more difficult for hackers to steal passwords or other data via WiFi.
Using a technique in which only one of the two parties involved in the exchange of quantum-encrypted data needs to have sophisticated optical-computing equipment, researchers at the University of Bristol have made it possible for handhelds to receive and reply to quantum-encrypted messages.
While exchanging quantum-encrypted data still requires the sending and receiving nodes to be carefully aligned, the technique makes it possible to create seriously secure communications between handheld devices, according to Quantum Physics, where the paper was published Aug. 15.
Researchers offered no projections on when the technique might be practical for existing mobile devices. If, however, as the DHS/FBI report indicates, mobile users tend to stick with insecure operating systems and applications long after exploits for attacks on them become common, secure quantum encryption may end up available for Android and other mobile devices long before anyone actually begins to use it.