Security on the Go
In April, Google’s Project Zero released information about how any mobile device using a Broadcom chipset (used in both Android and iOS phones) was vulnerable to being hacked over a malicious WiFi network. The attack could be carried out against any phone with a Broadcom chip within WiFi range. The attack allowed the execution of malicious code without any user intervention – a new twist on the phrase ‘hands-free’. The hack exploited a buffer overflow vulnerability, which was quickly fixed by Apple in an update. Android phones are proving more of a challenge, purely because of the update rollout policy of Google.
The above vulnerability is just one in a long and growing number of endpoint threats. Our mobile phones have become our portable computers, often replacing the traditional desktop. According to the mobile industry body GSMA, there are currently 4.8 billion mobile subscribers, with an expected 5.7 billion by 2020. In North America, 82% of mobile subscribers will be on 4G, and Gartner predicts that by 2018, 40% of all enterprises will use WiFi as their main method of connection. The global enterprise mobility and Bring Your Own Device (BYOD) market continues to grow at a rate of around 27% per year, with 67% of employees using their own device at work. Whether we agree with it or not, the mobile device is now part of our extended network; mobile devices are the new endpoint.
There are many advantages to allowing our workforce to use their own device to work from. It has the potential for cost savings; workers like using their own, familiar device, so training needs are lowered; and the devices can be used at home as well as at work, so workers can continue on projects outside of the office. What’s not to like?
The problem is, as ever…security.
Mobile Device Security and the Enterprise
Cybercriminals are also fans of the BYOD movement. Mobile devices, along with the Internet of Things (IoT), are creating an amorphous enterprise perimeter, which is much more difficult to identify and therefore protect. Cybercriminals have taken advantage of this, with mobile device security being one of the fastest-growing areas of weakness. According to Symantec in 2015, there was a 214% rise in mobile-based malware.
The methods of attack on mobile devices are increasing in scope and type. OWASP has a top ten threat list dedicated to mobile devices – with improper platform use and insecure data storage being the top two threats. Here, I’ve outlined a few examples of notable attack vectors:
Typhoid Android or Infected iOS?
Android phones still remain more likely than the iPhone to have malware specific to the device. This seems to be predominantly because of less tight controls over app distribution, rather than an inherently insecure OS. If you look at the latest vulnerabilities in either OS, there are 192 vulnerabilities on Apple iOS for 2017, and 193 vulnerabilities on Android devices. However, Android’s reputation for having an insecure environment isn’t helped when companies such as Check Point report that 36 Android devices, used within a large telecommunication company, came with preinstalled malware – the malware being installed on the devices somewhere along the supply chain.
Beware the Rogue App
Preinstalled malware infections are much rarer than malware-ridden mobile apps. The download of mobile apps is the single most likely route to malware infection on a mobile device. The HummingBad virus infected 86 million Android phones in 2016 and continues in a new guise today as the HummingWhale. It was found in 20 different apps available in the Google Play store. The most worrying thing about malware-infected apps is that they are available from official stores such as the Google Play Store. Even Pokemon Go was used to spread mobile malware, when a guide to playing the game, published on the Google Play Store, contained a Trojan.
Mobile apps are now being used to spread the dreaded ransomware too. Usually, infected apps will lock the device, demanding payment for an unlock code. In some variants, the ransomware threatens to sell off your personal information on the black market unless you pay within a certain time limit.
It is likely, given the convenience of apps, and the ubiquitous nature of mobile devices within our working and personal lives, that cybercrime will continue to pursue the use of apps as malware conduits.
It’s a Smishing Day
Phishing has moved out of the email inbox and into the text message with ‘Smishing’. In 2016, 33% of mobile users received a phishing attempt via a text message. In March of this year, China saw a spate of phishing text messages originating from fake mobile base stations. The message encouraged a user to click on a link, which then downloaded malware to the phone. The malware was built to expose personal data and also to bypass 2-factor authentication (SMS text codes), so as to steal login credentials.
In Through The Outdoor
The mobile device has created positive disruption within our organizations. It has freed up resources and encouraged workforce engagement. But with the yin must come the yang, with mobile devices pushing our security boundaries ever outwards. Mobile devices are now part of our extended perimeter, giving us more flexibility and control, as individuals. As an organization, we need to make sure that this control is measured, and that creating opportunities for our staff does not also create opportunities for cybercriminals. Keeping an inventory of mobile devices used within our organization is a crucial first step in preparing a holistic security strategy. Any intelligence-led penetration testing exercise will also take the mobile threat landscape, and our extended endpoints, into account, allowing us to work out a strategic management process for mobiles.
Susan Morrow has spent the last 20 years of her life working in various areas of security, and more recently online identity. She is most interested in the interplay between the cybercriminal and the victim – the games that are being played out in the world of cybercrime.
Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.