NIST security guidance for first responder mobile and wearable devices
Friday, 29 July, 2022
During an emergency, a first responder should have some assurance that their devices are reliable and secure.
Public safety first responders are the first at the scene of an emergency incident. Their day-to-day work life may include life-saving and sometimes life-threatening activities. As commercial and enterprise technologies advance, first responders have the opportunity to take advantage of this technology to enhance their efficiency, safety and capabilities during an incident.
The United States nationwide public safety broadband network (NPSBN), which is steadily being deployed across the US, will allow first responders to use modern communication technology (eg, mobile devices) as well as other Internet of Things (IoT) devices (eg, wearables) to accomplish their public safety mission. But, as with any new technology, there are security concerns, such as vulnerabilities of data and users. In the case of public safety there are concerns that exploitation of vulnerabilities may inhibit first responders from performing their duties, and put their safety at risk.
As a result of this concern the US National Institute of Standards and Technology (NIST) produced NISTIR 8196: Security Analysis of First Responder Mobile and Wearable Devices. The document captures the various use cases of public safety mobile and wearable devices, the known attacks on public safety mobile and wearable devices, plus information received from interviews with actual public safety officials. Due to their unique roles, environments and situations, the information in NISTIR 8196 is important for grasping the first responder perspective and analysing the security objectives necessary for all first responder devices.
Mass production of mobile and wearable devices makes it easy to find and buy any device that may meet one’s wants and needs. But technology is primarily produced for the general consumer or enterprise and not specifically designed with public safety in mind.
This could lead to potential repercussions if the appropriate device is procured without consideration of the security and safety of first responders. When it comes to selecting mobile and wearable devices, there is little security guidance that focuses on the particular needs of public safety. During an emergency, a first responder should have some assurance that their devices are reliable and secure.
The public safety mobile devices analysed by NIST use rich operating systems supporting downloadable applications, usually based on operating systems found on consumer electronics. Typically, the mobile devices used an Android operating system. The version of the operating system varied per device, some being 4–5 versions behind the latest release.
Wearable devices made specifically for public safety are slowly being introduced to the marketplace. Outside of public safety-specific wearable devices, the public safety communications research (PSCR) engineers in this study also acquired wearable devices that may assist first responders in different ways, such as with awareness, communication and data-sharing.
Examples of wearable devices included the following:
- Bluetooth headset
- body camera
- vital-sign monitors/body sensors.
Most of the wearable devices analysed use some variation of Bluetooth and/or Wi-Fi as their wireless communication protocol. These protocols allow for communication between a wearable device and a mobile device or desktop. Wearable devices typically do not have a complex operating system and perform minimal tasks that enable them to process and send information to be interpreted by an application on another system, such as a mobile device or desktop computer. Many of the wearable devices analysed through this research are dependent on being able to send information to a mobile application to be interpreted, stored and possibly shared through cloud services.
With the information gathered from NISTIR 8196, PSCR engineers were able to take the steps necessary to analyse the security of current mobile and wearable devices and compare their analysis with the security objectives of first responders. This exercise resulted in NIST IR 8235 with security guidelines that describe the security capabilities that should be included in mobile and wearable devices for first responders.
Guidance for mobile and wearable devices
PSCR engineers suggested the following high-level guidance for public safety officials interested in acquiring mobile and wearable devices:
- Identify your public safety needs and devices.
- Protect yourself by applying security and training users.
- Detect issues by logging and monitoring your devices.
- Respond with a prepared plan.
- Recover by implementing the plan and constantly improving.
In addition, PSCR engineers detailed specific information and features that should be taken into consideration to accomplish the guidance.
Mobile devices have many built-in security capabilities. This is partially due to their size, storage capability and fully fledged operating systems. Somewhat mimicking traditional desktops, a mobile phone has various network capabilities (eg, Bluetooth, Wi-Fi and cellular connectivity), along with the ability to update firmware and download software to expand the device’s abilities even further. Many mobile devices are capable or have the information necessary to meet the security objectives of first responders.
Wearable devices are very different from mobile devices in that they are typically built primarily to accomplish a specific use (eg, communication through a headset or to record vital signs). Due to their often limited processing power, wearable devices do not have various options when it comes to functionality and security.
Device information and capabilities vary per wearable device and the inconsistency with wearable device information makes it difficult for interested parties to find what they need to make risk-decisions. While there is a variance in capabilities, this could be beneficial if the capabilities meet the needs of first responders using them (ie, functionally and security-wise).
The configuration of wearable device capabilities is not as flexible as with mobile devices. Often wearable devices only come with preset abilities and are not updatable. For some wearable devices that interfaced with a mobile application or other external software application, some areas of functionality/firmware could be updated.
From this analysis of mobile and wearable devices, PSCR engineers found that mobile devices have advanced greatly over the years and are capable of meeting most of the public safety security objectives. But mobile technology still has room for improvement when it comes to capabilities, such as rogue base station detection.
Wearable devices are still being introduced to the public safety market and, due to their limited functionality, wearable devices struggle to meet some of the public safety security objectives. Wearable device information was inconsistently provided in manuals and many devices lack the ability to be updated or reconfigured to apply different security settings.
Some wearable devices interact with an application programming interface, which allows a little more flexibility in gathering information or applying different settings.
While Bluetooth specifications are constantly being improved and updated, commercially available wearables still seem to use older versions of Bluetooth, with minimal security levels.
Overall, PSCR engineers found that few devices are built with features that are specific to public safety, such as a ruggedisation rating that meets the needs of firefighters.
Optimising RF connector selection: technical considerations for signal integrity
Whether you're designing a new circuit or upgrading an existing one, connector choice...
Bridging the present and future of telecommunications with field service
While we don't take the act of communicating with each other for granted, the infrastructure...
Multifaceted tech can help tame Australia's bushfire threat
There is no single solution to Australia's bushfire problem. Rather, it will require a...