Summer 2010

Device Security

Mobile & Smart Device Security Survey 2010:
Concern Grows as Vulnerable Devices Proliferate,
Smartphones are the Tip of the Iceberg

Kurt Stammberger, CISSP

Mocana Corporation
350 Sansome Street Suite 1010 San Francisco, CA 94104
415-617-0055 Phone | 866-213-1273 Toll Free |
Copyright © 2010 Mocana Corp.

Respondents to our 2010 Mobile & Smart Device Security Survey recognize the quickly growing world of connected smart devices — the Internet of Things — and acknowledge that device security problems are not only inevitable, but potentially serious. 71% of our respondents expect a serious incident arising from attacks on, or problems with, connected smart devices within the next 24 months. Additionally, 65% report that attacks against their smart devices already require the regular attention of their IT staff, or will start requiring it this year. In fact, 23% of organizations surveyed already repel device attacks at least once monthly, while 10% must do so on a daily basis.

Despite this level of awareness, results show that relatively few organizations are prepared for today’s device security problems and those that lie ahead. Less than half of respondents described their organizations as having “completely” or “mostly” adequate resources dedicated to protecting themselves from attacks targeting non-PC, connected devices. Yet over 57% responded that their device security budgets would either be “staying the same”, “decreasing” or “decreasing substantially.”

We can see from these results that there is a growing awareness of the urgency of the security threats that face our expanding world of smart devices. The incredibly popular smartphone market has likely aided this awareness — 77% of our respondents report that they’re concerned about mobile phone security. Protective measures, however, are lagging while new categories of smart devices continue to connect to networks across the globe. With virus attacks (just one category of the greater ecosystem of device threats) — and the defenses against them — already costing businesses billions each year, now is the time to address smart device security head-on.

Methodology & Demographics

PCs are no longer the dominant form of computing. By far, most “computers,” and most nodes on the Internet are now non-PC smart devices—an “Internet of Things.” In the next few years, as this trend accelerates and everyday gadgets and machines of every imaginable type connect, security threats to individuals and society at large are likely to grow substantially. But how real is this threat to those actually creating the device ecosystem? And to what extent are these organizations actually preparing for it?

Mocana distributed this survey via e-mail in July, 2010 to its internal database of over 11,000 professionals who have expressed an interest in learning more about “smart devices”—the 20 billion mobile, datacom, smartgrid, federal, consumer, industrial and medical non-PC devices that connect across every sector of our economy.


What kind of business is your company in?

kind of
does your
use (or
Check all
that apply.

The 269 self-selecting respondents came from a variety of industries, with particular concentrations in manufacturing (including computers, electronics and telecom equipment); professional, scientific, and technical services; and information (including software publishing).

Our survey (unsurprisingly) confirms the increasing pervasiveness of non-PC, connected devices within business settings. Over two-thirds of respondents reported the use of smartphones, network printers, routers and datacom equipment at their companies while over half said their company used VoIP devices or networked building security features (such as digital cameras and computerized electronic locks). As might be anticipated in a survey of a population of individuals connected to Mocana, a substantial percentage of respondents—much larger than would be anticipated among IT professionals in general - participate in the actual creation or marketing of these connected “smart devices.”

©2010 Mocana 415.617.0055
Selected Organizations Represented in Survey

6Connex Captech Ventures Fujitsu

A.L.M. Associates Centers for Disease Control Garrettcom
ABB CDH Adventures GE Sensing & Inspection
ADVA Optical Networking NA, Inc Certivox Genesee Isd
AES Cisco Systems GEP Washington
Alamjaad Est. Cnisf GMV
Alcorn Mcbride Inc. Comcast Cable Goodrich Corp
Alsim Comtech Aha Corp Graham Consulting
Ambient Condoplex Monitoring Systems Green Hills Software
Amy Sa Conocophillips General Services Administration
Anchiva Systems Conscious Security Guidewire Software Ltd
Anna University Cornwall College Harris Corporation
Anova Cosmo Hewlett-Packard Company
Appliance Innovation, Inc. CTS Hitachi Medical Systems America, Inc.
Applied Signal Technology, Inc. Cyclone Solutions HITK
Arc Kannur Data Respons Norge As Hologic
Arcadian Networks Inc. Data Track Honeywell
Arictocrat Techologies Dell Huawei Technologies Co.Nig.Ltd
Aselsan A.S. Dexter Magnetic Technologies IBJ Llc
AT&T Digicore India Ghandi Center for Atomic Research
Avaya Diversified Labs Imagination Technologies
Avnet DSO National Labs Infineta Systems
Bat Gsd DSR Management Inc Instituto Nazionale di Fisica Nucleare Italia
Berker Gmbh EC Joint Research Centre Innovasmith
Best Buy Edventure Inso4U
Blackmore EIG Consulting Intel
Blade Network Tech. Einfochips Limited Internetassist
Bmcc EIP Elektronika Co. Interphase Corporation
Boeing Elektron Irdeto
Bosch Security Systems Embassy Jands Pty Ltd
Boston Engineering EMC Corp Karpagam College Of Engineeing
Bridgeco Software Services India Pvt. Ltd EMD Kearfott Corp Msd
Broadband Consulting ENE Legg Mason
Brush Ford Motor Company Legrand Home Systems
Buttery Network Services Fortinet Lenard Engineering, Inc.
Cache-A Corporation Fox Electronics Library Of Congress
Calsoft Labs Freescale Semiconductor Lockheed Martin
Cannon Design Fremont Pd Lund University
Canon Communications Frontier Communications Mantech International Corporation


Marvell Semiconductor, Inc. Progeny Systems ThyssenKrupp Elevadores
Medical Telecomm Prometheus TigerDirect, Inc.
Metatechnic Systems Proteus Tinker London
Metric Group Ltd Proto6 Trak Engineering
Micro Technology Services Quatech Trapeze ITS
Mindray Medical Radvision U.S. Government
Montagem E Manutençao Eletrica RB & Associates UC Berkeley
Montavista Software Renault Pars University of Georgia
More Fun Technologies, Llc Rockwell Automation University Of Helsinki
Morgan Ruckus Wireless Universidad De Belgrano
Motorola RV College Of Engineering Universidad Tecnológica De Pereira
Narda-STS Samsung University Of Limerick
National Informatics Centre Sandia National Laboratories University Of Minnesota
NetIQ Santa Clara University University Of Phoenix
Netresearch Schenck Trebel US Army
Netrino Sertek Inc. US Department of Agriculture
Netsuite Shan Dong University Utah Transit Authority
Network360 Sharp UWBT
NextGen GES Soft Servo Valeo
Niams - NIH Solustan, Inc. Vector Magnetics
Nokia Space Systems Loral Vengear, Inc.
Northrop Grumman Spacelabs Healthcare Vicom Systems
Network Technologies Inc. Spark Integration Technologies Inc Vista Microsystems
Nucleus Technologies Society of Petroleum Engineers Visteon Corp
Nudesign Technologies Inc. SRA International Von Braun Center
Omnitron Stoneridge Wernher Von Braun Labs
Op-Pohjola Group Stonesoft Wi-Tech Consulting
Oracle Corporation Strategi Coakley Winvale
Packer Engineering Strong Mind Designs Wipro Technologies
Panasonic Symantec Xenterra
Penspen International Ltd Technoware Xerox
Pentreed Communications Llc Tekcomm Xylenes Software
Philips Health Care Telcel Xytronix Research & Design, Inc
PKI Engineering Teleca Zeal Interactive Pvt. Ltd.
Playboy Enterprises, Inc. Tennant Company Zippan
PMC-Sierra Tesla Laboratories
Polycom Canada Ltd Texas A&M University
Potts Engineering & Consulting Thai Airways
Prism Clinical Imaging, Inc. The Winvale Group

71% expect a serious incident arising from attacks on, or problems with, connected smart devices within the next 24 months


Perceptions of the Threat to Smart Devices

Understanding the Need for Device Security

The survey found that in the context of this rapidly expanding connected device
ecosystem, there is a strong awareness of the range of potential security threats
these devices face. A significant percentage of businesses surveyed said that attacks
on smart devices have already impacted their business operations.


Are you concerned about the security of mobile phones?

Considering your peers in your industry, how would you characterize your industry’s level of AWARENESS of threats to connected, non-PC devices?

In your personal opinion, when do you expect to NEXT hear about a serious security incident in your industry, arising from attacks on, or problems with, connected, non-PC devices?

More than 76% of respondents said they were “concerned” or “very concerned” about the security of mobile phones. Only about 1 person in 20 said that they were “not very” or “not at all” concerned about this issue.

But when we asked our survey subjects to comment on their industry as a whole, less than half of respondents felt that their own industry has a “high” or “very high” awareness of the threats to smart devices like mobile phones. Still, the vast majority anticipate a serious attack involving smart devices—and soon. Over 80 percent of respondents anticipate that a “serious security incident” involving non-PC devices within their line of business is imminent, and more than half believe that incident would probably occur sometime this year. (For the purposes of the survey, we defined a “serious incident” as one causing a personal injury or death, a service outage of at least 8 hours, the loss of more than $100,000, or the compromise of more than 1,000 records of sensitive information).

65% say that attacks against their non-PC smart devices already require the regular attention of their IT staff, or will start requiring it this year.


Over 94 percent of respondents report that attacks on non-PC smart devices will inevitably require the regular attention of their company’s IT/security staff. Over 60% believe this is required this year, while nearly one-third believe that such attention is required immediately. In our opinion, this is one of the most surprising results of the survey, and the finding that may have one of the most immediate impacts on the bottom line of any organization.

As far as the types of problems that are anticipated with devices, our respondents seem to feel that several avenues of attack are likely. Most are expecting that their connected devices will be subject to attacks from viruses and malware, trojans or “imposter” updates and phishing, and eavesdropping, sniffers, and data leakage.

What types of attacks do you think your connected devices will need to repel in the next 24 months? (Multiple answers

When do you think attacks against non-PC connected devices are going to start to require the regular attention of your IT or security staff?

Device Makers & OS Vendors: On the Hook

While our survey subjects were largely in agreement about the need for IT staffs to start taking mobile device security threats seriously, our subjects were divided on who should be held responsible for making security features available in the first place. When asked “who do you think should be primarily responsible for delivering security features for mobile phones,” our responders were almost evenly split between the device maker (for example, Samsung), and the OS vendor (for example, Google). The carrier and security software specialists came in a distant third and fourth. The technology-savvy executives and individuals among our sample seem to exhibit a certain expectation that their security features should come already “baked in” to the device when they buy it—a marked departure from the expectations of PC and workstation buyers of a decade ago.

Who do you think should be PRIMARILY responsible for delivering (selling or building-in) security features for mobile phones?

Device Security Impacting Business Operations

Our survey found that while most anticipate that most device attacks are yet to come, many
have already experienced first-hand the consequences of device security breaches. More than
two-thirds of respondents reported that device security issues have already disrupted their IT
networks, with more than one-third reporting “some” or “serious” operational impact from
these security incidents.

Almost a quarter of respondents with knowledge of their company’s patching procedures report that patches focused on remediating device security issues are applied to their company’s systems at least monthly — and in some cases weekly or even daily.

When it came to the types of attacks experienced (or patched against), viruses and malware (unsurprisingly) came out on top. But trojans and so-called “imposter updates”—where malicious code is delivered down to a device, masquerading as a legitimate software update—came in a close


Has your organization ever had to apply a security patch for a non-PC device, or ever encountered a security issue with any of your connected, non-PC devices, including printers, smartphones, routers or other devices like the ones mentioned

Respondents without knowledge of patching procedures excluded.

Have those security issues (or the responses required to avoid them) ever impacted your business operations in some way?

What type of attacks did your devices experience (or, what type of attacks were the patches you applied designed to avert)? Multiple responses allowed. (Respondents stating “unsure” have been
Devices and the “Dangerfield Paradox”

Over the past year, analysts and technology press have forwarded the notion that attacks originally targeting PCs will almost certainly be retargeted towards the comparatively defenseless device infrastructure. These same analysts have noted that traditional PC security approaches are rarely practical for the tight systems environments that are typical of today’s smart devices. So the device security problem will be, in the words of one device expert, a “tough nut to crack.” Consider too that industry experts frequently assert that smart devices often perform more critical roles in our power, medical and transportation infrastructure, so that a device failure or compromise is felt more acutely than that of a PC glitch.

While attacks on devices are increasing exponentially, they are still just a fraction of the millions of attacks targeting PCs every day. Therefore, device security issues haven’t received much attention in the press—or in the boardroom. So despite the inevitability, importance, and difficulty of solving the problem, devices aren’t getting much respect: a “Dangerfield Paradox”. Our respondents make it clear that virtually all industry segments are eagerly connecting new devices to their networks, but aren’t yet demanding much security from their device vendors, or applying much add-on security software after the fact. But like everything else on the Internet, this is likely to change—and quickly—as the connected device population grows into the double-digit billions.


Considering your industry as a whole, how would you characterize your industry’s vulnerability to attacks on their connected devices?

Only 14% of respondents believe that their industry’s vulnerability to attacks on connected devices has decreased over the past year. When looking at overall preparedness for security threats to connected devices, we found that over 40% consider their own companies unprepared for device threats. Less than 12% of respondents described their organizations as having “completely” adequate resources dedicated to protecting themselves from attacks targeting non-PC, connected devices. Yet over three-quarters of our subjects said that their device security budget would be increasing or at least staying steady this year - significant in a recession when most IT budgets are being cut.

In your opinion, does your organization dedicate enough resources to protect its networks and information from attacks and malware targeting DEVICES that aren’t PCs (printers, routers, smartphones, etc)?

Here’s where the survey got down to brass tacks. We asked our subjects to tell us how much they would be willing to pay to “properly secure” their smartphones. Not surprisingly, our respondents said that their business organization would (or does already) pay much more on a per phone, per month basis than they personally would be willing to pay for the same services as individual consumers.

As far as you know, how would you characterize your organization’s security budget, especially as it pertains to guarding against attacks directed at non-PC devices like printers, smartphones and network appliances?

How much do you think your organization would (or does) pay per month to fleet of smartphones? $2.22 per phone/month*

Pertaining to your personal smartphone, how much would you pay as a consumer? $1.44 per phone/month*

*For averaging purposes, responses of “Less than $1” were calculated at $0.50, while responses of “$6 or more” were calculated at $6.50.

Solving the Device Security Problem

With products ranging from medical devices, office printers, smartphones and household appliances, to smart grid utility meters, security cameras and industrial controls; securing the Internet of Things is going to be a challenge. It’s not as simple as using an off-the-shelf software program to protect a PC. Device platforms are as varied as the devices themselves, often consisting of proprietary software coded over many years to run in very specific environments for cars, dishwashers, and televisions. Each device, each manufacturer has slightly different needs. Processor limitations, memory constraints, battery life and a slew of other constraints and idiosyncrasies peculiar to device environments conspire to make device security a nontrivial undertaking.

There are widely recognized “best practices” approaches to guarding the security of devices and the data they shepherd. Our survey asked respondents to opine first about the devices their company USES, and later about the devices their company MAKES or sells. When it came to devices that a company uses in-house, on-device and link encryption was by far the most “wished for” security feature, garnering more than double the number of responses as the second-most popular security feature: Authenticated Code Updates and Booting. Results were similar when respondents were asked about devices that their company, themselves, made or sold.

“Smartphones” are a subset of the larger “smart devices ecosystem”—the collection of all non-PC computers that communicate via Internet Protocol. When we focus our responders on the smart phone subset of smart devices, and ask them about what attack types concern them the most, their answers change in interesting ways.

Also, when we rephrase the question to focus on the organizations “unaddressed needs” specific to smartphone (as opposed to the device ecosystem holistically), priorities seem to shift somewhat. We invite you to see the charts at right, and draw your own conclusions.


What type of attacks against SMARTPHONES concern you the most? (Multiple responses

Of the measures you DON’T use yet, which ones do you think your organization should apply NEXT to devices. (Multiple responses

What do you think are your organization’s most pressing it comes to the security of the smartphones you use? (Multiple responses allowed).

Apps, The Cloud & Devices

Nearly one-third of device manufacturers surveyed report that their organizations are planning to introduce security-centric cloud services for their devices. That’s not surprising, considering that over 80% of our respondents said that such a cloud-delivered security service for their connected devices would be “very” or at least “somewhat” useful.

So-called “app stores” for mobile phones are proliferating, and we found that a surprisingly large segment of our sample worked for organizations that either have, or are planning to deploy their own internal “app stores” for their employees. Almost a quarter of our respondents said that their companies either had, or soon would have, an “app repository.”

(If your company builds or sells devices) — Are you planning to introduce security-centric cloud services for your devices?

HOW USEFUL would it be to your company to be able to deliver (or subscribe to) customized, ad-hoc security services to your company’s devices…from the cloud?

Lots of companies develop their own software for internal use. Does your company yet offer its own internal MOBILE “app store” or app repository?


Headlong, Into the Future

Virus attacks on PCs used to cost American organizations nothing. They were too
infrequent, and of too little consequence. Then everything changed.

Virus attacks — and the global defense against them — now cost businesses billions
every year. And viruses are just one category of the threat in an ecosystem that
steals, spends, wastes, invests and destroys hundreds of billions of dollars annually.
Our respondents acknowledge the fast emergence of the Internet of Things and see
device security problems as inevitable and potentially serious. Because they are so
closely integrated with our critical infrastructure, device security problems are even
more likely than PC problems to result in physical consequences. But relatively few
organizations are prepared. One can only conclude that when the inevitable tide of
attacks on the device infrastructure rises, it will likely end up costing us a lot more
than it should have.

©2010 Mocana 415.617.0055
Further Reading: Device Security in the News from Mocana’s DeviceLINE Blog:

FasTrak or FastHACK? Latest Cell Phone Worm Tricks Users Voice Encryption Comes to Blackberry
September 30th, 2008 February 23rd, 2009 May 15th, 2009
worm-tricks-users/ comes-to-blackberry/
Cisco Moves to Plug Router Software Flaws
October 6th, 2008 Netbook Web Surfers Beware Star Trek Security Lessons March 9th, 2009 May 15th, 2009
beware/ lessons/
How Much Do You Really Know About (SSH) Security?
October 6th, 2008 SCADA Under Fire… Again. InformationWeek: 3G Security Coming Along, But… March 9th, 2009 June 1st, 2009
Traffic Lights Hacked in Los Angeles Who’s responsible for Mobile Security?
November 24th, 2008 March 23rd, 2009 DOE: First Smart Grid Security Standards June 1st, 2009
in-los-angeles/ responsible-for-mobile-security/
Nokia and the Internet of Things Wireless Access Points Get Wireless Access Points Get
December 5th, 2008 Sneaky Great Netbooks! Free Malware Included. March 23rd, 2009 June 1st, 2009
points-get-wireless-access-points-get-sneaky/ malware-included/
Embedded Technologies On Ice
December 5th, 2008 Consumer (and Hacker) Friendly Buggy Breathalyzer Bounces Boozers March 23rd, 2009 June 1st, 2009
friendly/ bounces-boozers/
25C3: Serious Security Vulnerabilities in DECT Wireless
Telephony Pwn2Own, No Winners IP is the glue
January 12th, 2009 March 23rd, 2009 June 16th, 2009
Mobile Security’s “Big Rub” Selling to the Government and FIPS
Researcher Creates ‘Write Once, Run Anywhere’ Cisco March 23rd, 2009 July 21st, 2009
January 12th, 2009 security%e2%80%99s-big-rub/ government-and-fips/
write-once-run-anywhere-cisco-hijacks/ Smart Grid, Smarter Hackers Once More, With Feeling: Don’t Use WPA for Wireless
April 6th, 2009 Security
The Five Coolest Hacks of 2008 August 28th, 2009
January 12th, 2009 hackers/ feeling-dont-use-wpa-for-wireless-security/
of-2008/ Reinfected BIOS with every Reboot
April 6th, 2009 Security in Wireless Sensor Networks
New Mobile Malware Silently Transfers Account Credit September 21st, 2009
February 9th, 2009 every-reboot/ security-in-wireless-sensor-networks/
silently-transfers-account-credit/ Malware hijacks 100,000 home routers into Botnet
Building Firewalls for Embedded Systems Off-the-shelf mobile devices becoming government-issue
February 9th, 2009 100000-home-routers-into-botnet/ standard September 21st, 2009
embedded-systems/ Spies Hack into US Electricity Grid
April 17th, 2009 off-the-shelf-mobile-devices-becoming-government-issue-
Zombie Crossing? standard/
February 9th, 2009 electricity-grid/ Skype VoIP: Who’s listening in?
Intel/GE and Next-Generation Home Health Technologies September 21st, 2009
“War Cloning — It’s the New Hacker Sport,” April 17th, 2009
February 9th, 2009 listening-in/ generation-home-health-technologies/
new-hacker-sport/ Is Your Office Printer Secure?
The (not-so) Dumb Adversary September 21st, 2009
French Fighter Planes Grounded by Virus! May 4th, 2009
February 9th, 2009 secure/ adversary/
grounded-by-virus/ TI Calculators: Master Keys Cracked
Conficker Infects Critical Medical Devices October 6th, 2009
Do You Know Where Your Phone is? May 4th, 2009
February 23rd, 2009 keys-cracked/ critical-medical-devices/
your-phone-is/ NIST Publishes Security Standards for Smart Grid Devices
2009’s Five Most Dangerous Attacks October 6th, 2009
Hackers Take Aim at Smartphones May 4th, 2009
February 23rd, 2009 security-standards-for-smart-grid-devices/ dangerous-attacks/


Company Forced to Give Up Source Under GPL iPhone Worm has 2 Million Targets New Technology to Connect The Internet of Things
October 6th, 2009 November 16th, 2009 January 10th, 2010
give-up-source-under-gpl/ million-targets/ connect-the-internet-of-things/

Clobbering the Cloud Integrity for Implanted Medical Devices? Expert Warns of Industrial Control Security Risks
October 12th, 2009 November 16th, 2009 January 10th, 2010
implanted-medical-devices/ industrial-control-security-risks/
Hacking robots to turn into murderous gangs… more
news at 11 Cavium Buys MontaVista Fed Certified Flash Drives Easily Hacked
October 12th, 2009 November 16th, 2009 January 10th, 2010
turn-into-murderous-gangs-more-news-at-11/ montavista/ drives-easily-hacked/

Current trends in cyber attacks on mobile and embedded Cell DDoS Attacks Imminent Cybersecurity of Airport Scanners Still Up in the Air
systems November 22nd, 2009 January 10th, 2010
October 18th, 2009 imminent/ airport-scanners-still-up-in-the-air/
Twitter Hacked via SSL Flaw Mobile Market Poised for Massive Expansion
So You Think You Can Hack? November 22nd, 2009 January 10th, 2010
October 18th, 2009 ssl-flaw/ for-massive-expansion/
The Body-Area-Network: Wide Open Smart Grid Security Need Grows Urgent
President Obama declares October as National November 22nd, 2009 January 17th, 2010
Cybersecurity Awareness Month
October 18th, 2009 network-wide-open/ need-grows-urgent/
obama-declares-october-as-national-cybersecurity- Newer, Nastier iPhone Worm Spreads Google Hacked by Serious Pros
awareness-month/ November 23rd, 2009 January 17th, 2010
Thousands of Unsecured Devices Found worm-spreads/ serious-pros/
October 26th, 2009 Mobile Devices Not Enterprise-ready. Yet. Moscow Billboard Hacked with Adult Content
unsecured-devices-found/ December 8th, 2009 January 17th, 2010
Opening the “Closed Circuit” enterprise-ready-yet/ hacked-with-adult-content/
October 26th, 2009 Another Top Security Exec Warns of Mobile Industry Crypto Flaws Found in Smart Meter Chips
circuit/ Vulnerability January 24th, 2010
December 8th, 2009
Cable Customers Open to Attacks smart-meter-chips/
October 26th, 2009 exec-warns-of-mobile-industry-vulnerability/ First Smart Grid Standards Guide Issued
open-to-attacks/ The Automated Home — Coming Soon to a Neighborhood January 24th, 2010
Near You
Mobile Devices Leaking Their Own Crypto Keys December 8th, 2009 standards-guide-issued/
October 26th, 2009 coming-soon-to-a-neighborhood-near-you/ Popular Portable Router Easily Hacked
leaking-their-own-crypto-keys/ January 24th, 2010
Kicking the Tires on Google’s Chrome OS
Feds Putting the “Smart” Cart Before the Horse? December 8th, 2009 router-easily-hacked/
November 3rd, 2009 googles-chrome-os/ Expert Warns of Enterprise Security Risks Posed by
smart-cart-before-the-horse/ Smartphones
FedEx Packages Sending Packets of Their Own February 4th, 2010
CONFERENCE SUMMARY: December 14th, 2009
2009 Control Systems Security Conference enterprise-security-risks-posed-by-smartphones/
November 3rd, 2009 sending-packets-of-their-own/ Despite Warnings, Remains Infected with
summary2009-control-systems-security-conference/ Attacks on SCADA Equipment Up 37% in 2009 Malware
December 14th, 2009 February 4th, 2010
Hackable Factories
November 8th, 2009 equipment-up-37-in-2009/ kitchenaid-com-remains-infected-with-malware/
FPGAs Vulnerable to Power Analysis Hacks? Are Cyber-spies Tracking You Across The Border?
Tech Heavyweights in Secret Crash Program to Fix December 14th, 2009 February 4th, 2010
Serious SSL Flaw
November 8th, 2009 power-analysis-hacks/ tracking-you-across-the-border/
secret-crash-program-to-fix-serious-ssl-flaw/ The Best of the Internet of Things, 2009 Ensuring Security of Military Embedded Systems
December 14th, 2009 February 4th, 2010
4 Doors, Dual Airbags, 100 Million Lines of Code
November 8th, 2009 internet-of-things-2009/ military-embedded-systems/
100-million-lines-of-code/ U.S. Military Surveillance Drones Hacked Malicious App Found in Android Marketplace
December 16th, 2009 February 4th, 2010
Delivering Phone Fixes Over the Air
November 16th, 2009 military-surveillance-drones-hacked/ in-android-marketplace/

©2010 Mocana 415.617.0055
Smart Dust: Coming Soon (Security Not Included). Android Phone Now Shipping With Malware Pre-Installed Security Industry Experts Warn of Enterprise IT
February 9th, 2010 March 8th, 2010 Weaknesses April 5th, 2010
soon-security-not-included/ shipping-with-malware-pre-installed/
Critical Infrastructure Under Persistent Attack
February 9th, 2010

Cable Modems Make for Easy Hacking
February 9th, 2010

Successful Attack on TPM
February 9th, 2010

Smart Grid Security Spending to Jump to $3.7B
February 15th, 2010

Cisco Projects Mobile Traffic to Grow to >3.6 Exabytes per Month.
February 15th, 2010

Cordless Phone Crypto Hacked
February 15th, 2010

Cars With (Many) Minds of Their Own?
February 15th, 2010

Smartphone Hacks Paid $15,000 Per
February 22nd, 2010

25 Errors that Leave Software Vulnerable to Attack
February 22nd, 2010

Symantec to Vouch for Phone Apps
February 28th, 2010

Experts Warn of National Cybersecurity Weakness
February 28th, 2010

Rutgers Study Roots Smartphones
February 28th, 2010

Experts Warn of Smart Grid Security Weakness
March 8th, 2010

Android Platform Quickly Growing Beyond Phones, Security Concerns Remain
March 8th, 2010

British Press Execs in Phone Hacking Conspiracy
March 8th, 2010

Serious Flaw Found in OpenSSL
March 8th, 2010

Cyber-skimmers Stealing Credit Cards at the Gas Pump
March 16th, 2010

Cybercriminals Stalking and Eavesdropping with Cell Phone Software
March 16th, 2010

FDA Investigates Dangerous Insulin Pump Malfunctions
March 16th, 2010

The Expanding Machine-to-Machine Sector
March 22nd, 2010

Blogger: Security Mainstream Still Ignorant of Security Problems in Industrial Controls & Embedded Devices
March 22nd, 2010

Project costs 60x higher when security addressed late in the development cycle – IOActive Study
March 22nd, 2010

Over 100 Cars Remote Attacked by Disgruntled Hacker
March 22nd, 2010

Will iPad be Secure Enough for the Enterprise?
March 29th, 2010

New “Sniffer” Hijacks Wireless Data, Sends Rogue Commands
March 30th, 2010

VIDEO: A New Look at The Internet of Things
March 30th, 2010

Major Security Flaws Found in Smart Meters
March 30th, 2010

iPad Not Yet Available. But Already Hacked?
March 30th, 2010

Connected Devices to Reach 1 Trillion
March 30th, 2010

iPod Your Hotrod
April 5th, 2010

Understanding “The Internet of Things”
April 7th, 2010

AT&T Wants Everything Online
April 7th, 2010

Security Patching Now Necessary Every Week
April 7th, 2010

Medical Devices Hacked
April 8th, 2010

New Wireless Standard for Medical Devices
April 12th, 2010

Medical Device Malfunctions Cost Company Millions
April 12th, 2010

Will Update Make iPhone Enterprise-ready?
April 13th, 2010

Security Expert Warns of Potential Economic Attack
April 14th, 2010

Industrial Control Systems Hit by Malware
April 15th, 2010

Google Readies Cloud Printing
April 18th, 2010

Workplace Gaming Threatens Enterprise Security
April 20th, 2010

New Smart Grid Security Document Released
April 25th, 2010

Shrill Verizon Slams Security Whistleblowers
April 26th, 2010

Microsoft Researcher Recommends Password Tattoos for Pacemakers
April 27th, 2010

Fraudulent Card Readers Skim Customer Data
April 28th, 2010


Medical Device Malfunction Case Continues
April 28th, 2010

Researchers Find Ways to Track and Spy on Mobile Phones, Legally
April 28th, 2010

Create Your Own Cellphone Network
May 2nd, 2010

House Votes to Secure Energy Grid
May 3rd, 2010

New Bluetooth Coming To Your Wristwatch
May 3rd, 2010

Getting Bigger Things from Smaller Processors
May 3rd, 2010

New Embedded Device Security Specs Now Online For Comment
May 3rd, 2010

Jailbreak Your iPad
May 4th, 2010

Connected Glucose Meter Scores Points For Kids
May 5th, 2010

VIDEO: Huge Security Risk Found In Digital Copiers
May 6th, 2010

New Protocol Addresses RFID Vulnerability
May 9th, 2010

U.S. Army Plans for Wider Drone Use
May 10th, 2010

FDA Sets Tighter Standards For Medical Devices
May 12th, 2010

Serious Security Risks Found in Modern Cars
May 13th, 2010

Hacker Plans to Unveil ATM Rootkit
May 17th, 2010

Despite IT, Industrial and Utility Security Still Weak
May 17th, 2010

USAF Unveils “Cyberspace” Badge
May 18th, 2010

Secure E-Medical Records Now Available on iPhone, iPad
May 23rd, 2010

Ex-Intel Exec Funds Medical Engineering Program
May 23rd, 2010

Designing Medical Device Antennae for Top Performance
May 25th, 2010

Man “Infects” Himself with Computer Virus
May 26th, 2010

Bugs Leave Buildings’ Critical Systems Vulnerable
May 26th, 2010

Spy Games In Cyberspace
May 31st, 2010

Nearly Half of TVs Will Ship With Internet By 2013
May 31st, 2010

VA Medical Devices Infected With Malware
June 2nd, 2010

New Android Apps for Wiretap-proof Communications
June 6th, 2010

UK Researchers Develop “Holy Grail” of Cryptography
June 7th, 2010

Tech Giant Hands Out Malware at Security Conference
June 7th, 2010

FBI Warns of Growing Mobile Malware Threat
June 8th, 2010

iPad Security Breach Embarrasses Apple, AT&T
June 9th, 2010

Ford’s Planned “App Store for Cars” Raises Security Concerns
June 10th, 2010

60 MINUTES: Devices Controlling National Infrastructure Have Already Been Hacked
June 13th, 2010

Software Glitch in Respirator Device Kills Minnesota Woman
June 14th, 2010

Malware Discovered in Olympus Digital Cameras
June 15th, 2010

Windows Mobile Malware Targets Gamers
June 16th, 2010

Intel Fields Prototype Home Appliance Controller
June 17th, 2010

Nice Work if You Can Get It: Security Retrofit for 800 Million Smart Meters?
June 20th, 2010

Juniper Exec: 4G Devices Bringing Malware with Speed
June 21st, 2010

Android Platform Sees First Military Application
June 22nd, 2010

Anti-Virus Software To Become Required for Internet Access?
June 24th, 2010

Smart Heart Devices in Development
June 27th, 2010

Buyer Beware: Android Security Study Cautions Users
June 28th, 2010

Billions Slated for Smart Grid Security
June 29th, 2010

The Evolution of Mobile Threats
June 30th, 2010

New Smart Grid Security Draft Released
July 1st, 2010

iTunes Store Hacked by Rogue Developer
July 5th, 2010

Understanding EAX’ Smart Grid Security
July 6th, 2010

50 Arrests Made in Smartphone Spyware Probe
July 7th, 2010

Government Introduces “Perfect Citizen”
July 8th, 2010

Imagining Cyber-Warfare
July 11th, 2010

Everything You Ever Wanted To Know About Mobile App Development

July 12th, 2010

FBI Reveals Telephony Denial of Service Scam

July 14th, 2010

Mobile Subscriptions Surge to 5 Billion

July 15th, 2010

Replacing Batteries With Radio Waves

July 18th, 2010

This Mobile Phone Will Self-Destruct

July 19th, 2010

Google and Blackberry Get Upgraded Security

July 20th, 2010

A Smart Grid Reference Library

July 21st, 2010

Apple Leads the Pack in Security Bugs

July 26th, 2010

Millions of Home Routers Vulnerable to Hackers

July 27th, 2010

Sophisticated Malware Exploits Zero-Day Vulnerability, Targets Industrial Systems

July 28th, 2010

Citi Group Finds Flaw in Mobile App

July 29th, 2010

BlackBerry Ban Coming to United Arab Emirates, Saudi Arabia

August 1st, 2010

Apple Security Breach Allows for Total Unauthorized iPhone Access

August 2nd, 2010

Robbed At The Pump — Literally!

August 3rd, 2010

BP Spill Related to Control System Cyber Incidents

August 4th, 2010

From The Internet of Computers to The Internet of Things

August 5th, 2010



Mocana secures the “Internet of Things”: the 20 billion smartphones,
datacom, smartgrid, federal, consumer, industrial and medical devices
that connect across every sector of our economy. These devices already
outnumber PCs on the Internet by five to one, representing a $900
billion market that’s growing twice as fast as the PC market. Every
day, millions of people use products sold by over 100 companies that
leverage Mocana’s Device Integrity software, including Dell, Cisco,
Honeywell, General Electric, General Dynamics, Avaya, Nortel Networks,
Harris and Radvision, among others. Mocana won Frost & Sullivan’s
Technology Innovation of the Year award for 2008 for Device Security,
and was named to the Red Herring Global 100 as one of the “top 100
privately-held technology companies in the world” in January 2009.


Kurt R. Stammberger, CISSP

Kurt Stammberger is a certified information systems security
professional (CISSP) and Mocana’s VP of Marketing. He has spent most
of his career around security and cryptography technologies, with over
20 years of experience in the industry. He joined cryptography startup
RSA Security as employee #7, where he led their marketing organization
for eight years, helped launch spin-off company VeriSign, and created
the brand for the technology that now protects virtually every electronic
commerce transaction on the planet. Together with Jim Bidzos, Mr.
Stammberger founded the annual RSA Conference, the world’s largest
gathering of computer security professionals, which draws over
25,000 people to events in the United States, Europe and Japan. He
also founded Coda Creative, an award-winning technology marketing
firm that focused on security startups, and served as VP of Content &
Services for consumer healthcare startup Mr. Stammberger
holds a BS in Mechanical Engineering from Stanford University, and an
MS in Management from the Stanford Graduate School of Business,
where he was an Alfred P. Sloan Fellow. He can be reached at or by calling Mocana at 415 617 0055.
