Nervous Smartphones Make Smarter Security


When John Michelson from Zimperium told delegates at NetEvents that his company provides a ‘nervous system’ for smartphones, we wanted to know more.

We are being encouraged to rely more and more on smartphones for everyday financial transactions – such as Uber rides, online purchases and meals in restaurants. Even if we prefer a desktop computer, two-factor authentication may still mean reaching for the phone.

On an office network you are probably well shielded behind sophisticated intrusion prevention systems using Deep Packet Inspection (DPI) to mine every signal on the network for any signs of suspicious activity. That demands plenty of processing power, either from the Cloud via very high speed Internet links, or on high-end servers in house. But out of office it’s a very different story.

Even today’s most powerful mobile devices have nothing like the muscle needed to host DPI security, and inconsistent mobile connectivity speeds would never support Cloud Security as a Service. That makes mobile data a very tempting target, and smartphones are increasingly under attack, from malicious apps, from rogue emails, from adware, and from many sources of incoming network traffic. We are immersed in an ocean of communication signals – from cellular networks, WiFi, Bluetooth and global positioning satellites – any one of which might be infected with malware. So how can we trust our smartphones to manage sensitive financial and personal data?

Among the panellists at last month’s NetEvents Global Press & Analyst Summit in San Jose, California, was John Michelson, Chief Product Officer for a company called Zimperium – with a very interesting approach to protecting mobility. Speaking at a panel discussion on the use of AI in cybersecurity he said: “We took the philosophy of wanting to put a ‘nervous system’ on that device. So that it would sense attack, so it would feel what it’s like for it to be attacked, whether it’s network connection, via Apps, over Bluetooth, whatever the means you could attack that device. That lent itself to non-deterministic machine learning techniques.”

In a later interview for NetEvents TV, Alan Zeichick asked Michelson to expand on his ‘nervous system’ approach. He explained: “We do on-device machine-learning based detection rather than collecting data and evaluating that in the cloud. The reason this is important is two-fold; first, privacy is such an important aspect of mobility that being on-device makes us very privacy friendly. Second, we’re in a race with a hacker, we must perform the detection as quickly as possible and start remediation as quickly as possible, not requiring cloud-based round trips. This gives us the fastest, most complete detection, and the fastest ability to remediate when detection does occur”.

He went on to explain: “AI, and specifically machine learning, is a really important tool for us to use because there are certain types of detections that simply can’t be performed with traditional ‘if-then-else-dot dot dot’ type logic, or by looking up signatures in a database in the cloud. There are things we need to do on the device that take inference and evaluation and have to deal with non-deterministic approaches, as opposed to direct-deterministic approaches, and machine learning is a really good means to do that”.

The big question, then, is how Zimperium manages all this on a small mobile device, when corporate systems need powerful data mining and high-speed connections to cloud services to achieve the same level of security.

The secret is a powerful new technique he calls ZPI – Zero Packet Inspection. Instead of mining deep into the packets of data, ZPI looks only at the routes the packets take. A good user experience depends on fast, efficient data transfer, so software developers make sure that data always moves between apps and peripherals along well-defined paths. The ZPI agent watches those movements instead of the actual data, which makes for very fast and accurate diagnoses using surprisingly little processing power. If something is behaving oddly, it sticks out.

The company’s machine learning algorithms are designed to ensure that ZPI reliably recognizes suspicious traffic patterns. It is tested by generating every sort of attack on the system – for example, a data worm wandering around the device looking for vulnerabilities – and making sure each one is correctly diagnosed every time. So how is this deployed on an actual phone?
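The article describes ZPI only at this level: learn the well-defined paths traffic normally takes between apps and peripherals, ignore the payload, and flag movement that deviates. The following is an added illustration of that idea, written for this page; it is not Zimperium's code and says nothing about how ZPI is actually implemented. The class names (`Flow`, `FlowPathModel`), the fan-out threshold, the sample hosts and the "worm sweep" window are all constructed for the example. Each record carries only who sent it, where it went and over which interface; no packet content is ever read.

```python
"""Illustrative flow-path anomaly detector (constructed example, not ZPI itself)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    app: str    # originating app or service on the device
    dst: str    # destination host or peripheral name
    port: int
    iface: str  # "wifi", "cell" or "bt"

    @property
    def path(self):
        return (self.dst, self.port, self.iface)


class FlowPathModel:
    """Baseline of the paths each app normally uses, plus a per-window fan-out limit."""

    def __init__(self, fanout_limit=4):
        self.paths = defaultdict(Counter)  # app -> Counter of (dst, port, iface)
        self.fanout_limit = fanout_limit   # distinct (dst, port) pairs allowed per app

    def train(self, flows):
        for f in flows:
            self.paths[f.app][f.path] += 1

    def score(self, flows):
        """Return [(flow, [reasons])] for every flow that deviates from the baseline."""
        alerts = []
        seen = defaultdict(set)  # distinct (dst, port) per app in this window
        for f in flows:
            reasons = []
            if f.app not in self.paths:
                reasons.append("unknown app")
            elif f.path not in self.paths[f.app]:
                reasons.append("unseen path")
            seen[f.app].add((f.dst, f.port))
            if len(seen[f.app]) > self.fanout_limit:
                reasons.append("fan-out")  # one app touching many endpoints: scan-like
            if reasons:
                alerts.append((f, reasons))
        return alerts


# Constructed learning window: normal traffic for a few apps on one device.
BASELINE = [
    Flow("bank", "api.bank.example", 443, "wifi"),
    Flow("bank", "api.bank.example", 443, "cell"),
    Flow("maps", "tiles.maps.example", 443, "cell"),
    Flow("music", "headset-01", 25, "bt"),  # Bluetooth audio peripheral
] * 20

# Constructed evaluation window: normal traffic, the bank app on a path it has
# never used, and an app the baseline never saw sweeping the local network the
# way the article's "data worm" would.
SWEEP = [Flow("weather", f"192.168.1.{i}", p, "wifi")
         for i in range(10, 15) for p in (22, 445)]
WINDOW = [
    Flow("bank", "api.bank.example", 443, "wifi"),
    Flow("maps", "tiles.maps.example", 443, "cell"),
    Flow("bank", "10.0.0.7", 8080, "wifi"),
] + SWEEP


def run_demo(model=None):
    """Train on BASELINE, score WINDOW, and return the alerts."""
    if model is None:
        model = FlowPathModel()
    model.train(BASELINE)
    return model.score(WINDOW)


if __name__ == "__main__":
    for flow, reasons in run_demo():
        print(f"{flow.app:8} -> {flow.dst}:{flow.port}/{flow.iface}  {', '.join(reasons)}")
```

The two normal flows in `WINDOW` produce nothing; the bank app's detour to `10.0.0.7` is reported once as an unseen path; and the sweep is reported on every flow as an unknown app, with "fan-out" added once the fifth distinct endpoint is touched. Nothing in the scoring depends on what the packets contained, which is the property that keeps this cheap enough to run on the device.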

“In two ways” according to Michelson, “for a device, we deploy an app onto the phone that runs just like any other app, comes from the App Store, but it is continuously evaluating the security state of the device. If something offensive occurs – like a malicious app lands on it, or the network is compromised – detection invokes defensive action.”

The second type of deployment would be built into an app by the app developers. “The app developer doesn’t own the device, doesn’t even necessarily know the user – here the responsibility is to protect the app itself. So when a device gets attacked, your app needs to defend itself; wipe out personally identifiable information, close down sensitive network connections into your legacy systems, et cetera. Maybe bump up two-factor authentication in order to make sure that it’s not a malicious actor on your app as opposed to the real user”.

So a mobile banking app could contain an embedded ZPI agent making sure that no malicious network traffic passes to or from that app. The mobile user’s banking data and transactions would be protected from attack, whether or not there is any general anti-malware solution installed on the device.
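The interview lists the app-side reactions an embedded agent should trigger: purge personally identifiable information, close sensitive connections into back-end systems, and require a second factor before the session is trusted again. The following is an added example of that response policy, written for this page; it is not Zimperium's SDK. The detection side is assumed to be some on-device agent that hands the app a `ThreatEvent`; `BankingSession`, the severity levels and the action names are all constructed here.

```python
"""Illustrative in-app self-defence hook (constructed example, not a vendor SDK)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1     # e.g. device joined an untrusted Wi-Fi network
    MEDIUM = 2  # e.g. traffic from this app seen on an unexpected path
    HIGH = 3    # e.g. malicious app present or device compromised


@dataclass
class ThreatEvent:
    kind: str
    severity: Severity


@dataclass
class BankingSession:
    cached_pii: dict = field(default_factory=dict)
    backend_conns: set = field(default_factory=set)
    step_up_required: bool = False
    locked: bool = False

    def on_threat(self, event: ThreatEvent) -> list:
        """Apply the response policy and return the actions taken (for the audit log)."""
        actions = []
        if event.severity >= Severity.MEDIUM:
            self.cached_pii.clear()         # nothing personal left in memory or cache
            actions.append("purge_pii")
            closed = len(self.backend_conns)
            self.backend_conns.clear()      # sever links into legacy systems
            actions.append(f"close_connections:{closed}")
            self.step_up_required = True    # bump to a second factor
            actions.append("require_step_up")
        if event.severity == Severity.HIGH:
            self.locked = True              # refuse sensitive actions until an operator clears it
            actions.append("lock")
        return actions

    def complete_step_up(self, second_factor_ok: bool) -> bool:
        """Clear the step-up requirement once a valid second factor was presented."""
        if second_factor_ok:
            self.step_up_required = False
        return not self.step_up_required

    def transfer(self, amount: int) -> str:
        """A sensitive operation: blocked while locked or awaiting the second factor."""
        if self.locked:
            raise PermissionError("session locked after high-severity detection")
        if self.step_up_required:
            raise PermissionError("second factor required")
        return f"transfer of {amount} accepted"


def new_session() -> BankingSession:
    """Constructed session with some cached data and two live back-end connections."""
    return BankingSession(cached_pii={"account": "***1234"},
                          backend_conns={"core-banking", "card-ledger"})


if __name__ == "__main__":
    s = new_session()
    print(s.on_threat(ThreatEvent("unexpected_path", Severity.MEDIUM)))
    try:
        s.transfer(100)
    except PermissionError as exc:
        print("blocked:", exc)
    s.complete_step_up(True)
    print(s.transfer(100))
```

The ordering matters: the purge and the connection teardown happen before any prompt reaches the user, so a compromised device gains nothing while the second factor is pending, and a high-severity event locks the session outright rather than offering a step-up that a malicious actor on the device might complete.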

If this solution has been designed specifically for mobile devices with limited processing power and uncertain connectivity, might that give it broader implications for the Internet of Things (IoT)? The answer, according to Michelson, is definitely ‘yes’.

“We’ve been spending the last few years also supporting IoT type architecture. An iPad’s and a Tesla’s automation system look a lot alike, and they are attacked essentially in the same way: through the device itself, through compromise, through network attacks, or through malicious content being delivered to the devices. So our technology is applicable… In the future we’ll be a part of the build of IoT devices – it’s quite a shift for the company, but the technology is very applicable.”

So the wide and growing world of IoT lies ahead, while for now the company’s market strategy is focused on defence against mobile threats. As to future plans in the mobile arena, Michelson concluded: “Zimperium’s vision is to make mobiles so safe that hackers don’t even bother! In order to do that, we’ve got to get our detection technology into as many apps, onto as many devices, as we possibly can. So we OEM through partners, we partner with Telcos, we design our Software Developers’ Kit (SDK) so app developers can take it into their apps. We’re soon introducing a freemium model SDK so small apps can use it for free. We’re doing everything that we can to get as much protection into the market as possible – because that really is our mission.”