SYS.3.3 Mobile Phone
Description
Introduction
The mobile phones considered in this building block, also called “feature phones” or “dumbphones”, have fewer features than a smartphone but offer more functions than pure telephony. Such mobile phones can additionally be equipped with a camera for videos and photos, a calendar, e-mail programs, games, an MP3 player, or a radio receiver. “Classic” mobile phones generally do not have a touchscreen or an operating system on which additional apps can be installed. These missing functions distinguish the mobile phone from a smartphone.
Mobile phones are identified by an internationally unique serial number (International Mobile Equipment Identity, IMEI). The user of a mobile phone is identified by the SIM card, which the cellular provider issues when a contract is concluded.
Objective
The objective of this building block is to identify typical threats that can arise during the use of mobile phones, as well as to secure information stored on or transmitted via mobile phones.
Scope and Modeling
The building block SYS.3.3 Mobile Phone must be applied to all mobile phones used for official purposes.
This building block deals with general aspects of typical mobile phones, with security aspects regarding telephony and messaging over the cellular network, and with security aspects of handling the devices. This building block thus covers a broad spectrum of different devices that can be connected to cellular networks. Supplementary aspects that go beyond communication over a cellular network and the handling of the devices can be found in further building blocks of the IT-Grundschutz Compendium. Security requirements for smartphones and the operating systems used on them can additionally be found in the building blocks of the SYS.3.2 Tablet and Smartphone layer. Aspects of data-based telephony are addressed in the building block NET.4.2 VoIP. If the mobile phone under consideration uses VPNs, the building block NET.3.3 VPN should additionally be taken into account. For smartphones or tablets, the building block SYS.3.2.1 General Smartphones and Tablets must be applied.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to represent the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block SYS.3.3 Mobile Phone.
Inadequate Planning When Procuring Mobile Phones
If relevant properties of mobile phones to be procured are not identified during the planning phase, urgently needed functions may not be available. If certain cellular standards are not supported, the devices cannot be used in certain countries. In the worst case, the functional scope does not match the intended use, so that these devices cannot be deployed at all. There are also often further conditions that must be met for devices to be usable. These include, for example, security features that are often not immediately apparent but can lead to problems regarding availability and confidentiality when used.
Loss of the Mobile Phone
Because mobile phones are generally small and constantly carried, they can easily be lost, forgotten, or stolen. In addition to the economic damage, the loss of confidentiality and integrity of the data contained is particularly serious. Via a stolen mobile phone, attackers could access institution-critical information. Additionally, costs and effort arise to restore a working state.
Carelessness in Handling Information During Mobile Telephony
Through inattentiveness and carelessness of employees during mobile telephony, third parties can obtain sensitive information. For example, information during phone calls can be overheard or recorded, and messages can be read while being composed.
Unauthorized Private Use of the Official Mobile Phone
Company-owned mobile phones can be used without authorization for private purposes. Through inattentiveness and careless handling, information security problems for the institution can arise, for example when private and official content is mixed. In this way, unauthorized parties could gain knowledge of internal institutional matters. If official mobile phones are used privately, additional costs for the institution can also arise.
Failure of the Mobile Phone
The failure of a mobile phone can have several causes. Users may have neglected to charge the device’s battery, or the battery may have lost its ability to store energy. It is also possible that users have forgotten the access password or PIN and can no longer use the device. The device can lock itself after multiple incorrect entries of the access code. If the phone is not handled with care, it can be damaged, for example by being dropped. In all the cases mentioned, users are subsequently no longer reachable and can in turn no longer reach anyone via the mobile phone.
Evaluation of Connection Data When Using Mobile Phones
Due to the properties of mobile communication, it is not possible to prevent the transmitted signals from being overheard and recorded by unauthorized parties given sufficient effort. Furthermore, for most wireless services, mobile communication devices must be located for technical reasons in order to be reachable. Location information can thus be used by network operators or service operators to create movement profiles.
Eavesdropping on Room Conversations via Mobile Phones
Mobile phones can be used to record or eavesdrop on conversations unnoticed. In meetings, connections to unauthorized listeners can be established via mobile phones brought along. Many mobile phones are equipped with a hands-free facility, so that conversations throughout the entire room can be easily captured. For many devices, it is not visible whether they are switched on or not. Thus it cannot be directly detected whether conversations are being recorded or overheard.
Use of Outdated Mobile Phones
Since smartphones can be used more diversely than mobile phones, many manufacturers now offer smartphones exclusively. As a result, the supply of smartphones far exceeds the supply of mobile phones, and hardly any mobile phones are produced any more. Due to the limited supply, numerous mobile phones from old inventories remain in use. Worn components such as batteries are often replaced by replicas from third-party providers, allowing these mobile phones to continue to be used decades after production.
Often, outdated operating systems that are no longer developed or supported are installed on these old mobile phones. Software vulnerabilities can therefore no longer be eliminated through updates. Frequently, the manufacturers of the mobile phones no longer exist or have shifted their business to other markets. Original accessories and spare parts can therefore often no longer be purchased. Third-party manufacturers also often no longer offer corresponding products for very old mobile phones. When third-party manufacturers do offer spare parts, it is not guaranteed that these components have the same quality as the original parts. For example, replica batteries are often less powerful than the originals. Generally, these devices also often can no longer be repaired, and when problems arise there are hardly any suitable contacts who can help.
Requirements
The following are the specific requirements of the building block SYS.3.3 Mobile Phone. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. These should be filled insofar as this is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Users |
Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many people should fill these roles.
Basic Requirements
The following requirements MUST be met with priority for this building block.
SYS.3.3.A1 Security Policies and Regulations for the Use of Mobile Phones (B)
With regard to the use and control of the devices, a security policy MUST be created. Each user of a mobile phone MUST be provided with a copy of the security policy. It MUST be regularly checked whether the security policy is being adhered to. The security policy for official use of mobile phones SHOULD be part of training on security measures.
SYS.3.3.A2 Blocking Measures in the Event of Loss of a Mobile Phone (B) [Users]
In the event of loss of a mobile phone, the SIM card used in it MUST be blocked promptly. Where possible, available mechanisms for theft protection, such as remote deletion or locking, SHOULD be used. All necessary information for blocking the SIM card and mobile phone MUST be immediately at hand.
SYS.3.3.A3 Sensitization and Training of Employees in the Use of Mobile Phones (B)
Employees MUST be made aware of the special threats to information security posed by mobile phones. They MUST be instructed in the security functions of mobile phones. Users MUST be familiar with the process by which mobile phones can be locked. Users MUST be informed about how mobile phones should be stored securely and correctly.
SYS.3.3.A4 Decommissioning and Proper Disposal of Mobile Phones and Storage Cards Used in Them (B)
Mobile phones MUST be reset to factory state before disposal. It MUST be checked whether all data has been deleted. It SHOULD also be ensured that mobile phones and any storage cards used in them are properly disposed of. If mobile phones and storage cards are to be disposed of at a later point in time or in larger quantities, the collected mobile phones and storage cards MUST be protected against unauthorized access.
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.
SYS.3.3.A5 Use of Security Mechanisms of Mobile Phones (S) [Users]
The available security mechanisms SHOULD be used on the mobile phones and preconfigured. The SIM card SHOULD be protected by a secure PIN. The super-PIN/PUK SHOULD only be used by those responsible within the defined processes. The mobile phone SHOULD be protected by a device code. Where possible, the device SHOULD be bound to the SIM card (SIM lock).
SYS.3.3.A6 Updates for Mobile Phones (S) [Users]
It SHOULD be regularly checked whether there are software updates for the mobile phones. The handling of updates SHOULD be regulated. If new software updates are available, it SHOULD be defined how users are informed about them. It SHOULD be determined whether users may install the updates themselves or whether mobile phones should be submitted to a central location for this purpose.
SYS.3.3.A7 Procurement of Mobile Phones (S)
Before mobile phones are procured, a list of requirements SHOULD be created. Based on the list of requirements, the products available on the market SHOULD be evaluated. The product SHOULD be selected based on whether manufacturers offer updates for the planned deployment period. It SHOULD be ensured that spare parts such as batteries and chargers can be subsequently procured in adequate quality.
SYS.3.3.A8 Use of Wireless Interfaces of Mobile Phones (S) [Users]
Wireless interfaces of mobile phones such as IrDA, WLAN, or Bluetooth SHOULD be deactivated as long as they are not needed.
SYS.3.3.A10 Secure Data Transfer via Mobile Phones (S) [Users]
It SHOULD be regulated which data may be transmitted via mobile phones. The interfaces permitted for this SHOULD be defined. It SHOULD also be determined how the data is to be encrypted if required.
SYS.3.3.A11 Contingency Planning for Mobile Phones (S) [Users]
The data stored on a mobile phone SHOULD be backed up at regular intervals on an external medium. If a defective mobile phone must be repaired, all data SHOULD be deleted beforehand and the device reset to factory state. Replacement devices SHOULD always be available to be able to quickly replace a failed mobile phone.
SYS.3.3.A12 Setting Up a Mobile Phone Pool (S)
When official mobile phones are used by frequently changing users, collective storage (pool) SHOULD be set up. The issuing and return of mobile phones and accessories SHOULD be documented. Before issuing, it SHOULD be ensured that mobile phones are charged and equipped with the necessary programs and data for the new users. Users SHOULD also be reminded to adhere to the security policy. After devices are returned, they SHOULD be reset to factory state.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there is a higher need for protection. The concrete definition is made in the context of an individual risk analysis.
SYS.3.3.A9 Ensuring Power Supply of Mobile Phones (H) [Users]
Appropriate measures SHOULD be taken to ensure the continuous power supply of mobile phones. Depending on needs, replacement batteries or power banks SHOULD be used.
SYS.3.3.A13 Protection Against the Creation of Movement Profiles When Using Cellular (H) [Users]
It SHOULD be clarified whether the creation of movement profiles by third parties can have a negative impact or is considered a problem. To prevent location tracking via GPS, this function SHOULD be switched off. If location tracking via the cellular network is to be prevented, the mobile phone SHOULD be switched off and the battery removed.
SYS.3.3.A14 Protection Against Phone Number Identification When Using Mobile Phones (H) [Users]
To prevent the phone numbers used from being assigned to specific persons, the phone number SHOULD be suppressed for outgoing calls. Furthermore, SMS or MMS messages SHOULD NOT be sent. Phone numbers of mobile phones SHOULD NOT be published or passed on to unauthorized third parties.
SYS.3.3.A15 Protection Against Eavesdropping on Room Conversations via Mobile Phones (H)
To prevent confidential information from being overheard, it SHOULD be ensured that no mobile phones are brought into the corresponding rooms for confidential meetings and conversations. If required, the prohibition on bringing devices SHOULD be verified using cellular detectors.
Additional Information
Good to Know
The International Organization for Standardization (ISO) provides requirements for the use of mobile end devices in the standard ISO/IEC 27001:2013, particularly in Annex A, A.6.2.1 Mobile device policy.
The National Institute of Standards and Technology (NIST) provides the document “Security and Privacy Controls for Federal Information Systems and Organizations: NIST Special Publication 800-53, Revision 4, December 2014”.