Nearly every year the big brands will bring out a new smartphone, full of fresh and exciting technology, but these devices don’t come without risks. The rise of mobile devices particularly in business use, has led to cyber-criminals targeting enterprises and high-profile individuals through vulnerabilities in their latest iPhone or Android. So how are these attacks taking shape and what can we do to protect against them?
Firstly, the aim of these criminals is quite often to breach the security system in a device in order to have access to, and steal high-value personal or sensitive data that they can then ransom back for large sums of money. Not only are there potential gateways to data but cash and intellectual property too, and there are also keyholes through which criminals can listen to private conversations or decisions taken by senior executives.
It is a message that has not always got through. Despite all the warnings and the discovery of XcodeGhost malware in 2015, the revelation last year that Pegasus spyware could be installed on a device simply by clicking a disguised link still shocked many. This piece of malware can read text messages, track calls, aggregate passwords, plot the phone’s location, and harvest information from apps.
The added vulnerability of mobile devices
It was a vivid reminder of the many potential ways in which a mobile device can be exploited by criminals. Although these devices share the same threats as laptops and desktop endpoints, their additional complexity and sophisticated sensors open them up to a broader set of vulnerabilities.
Unlike office devices, mobile devices are susceptible to attack vectors using standard SS7 signalling through which they communicate. Alongside this is an entire underworld ecosystem of threats to the mobile applications used daily by millions of people for social, private or business purposes. These are in addition to threats from phishing emails or text messages and lax protection for clear text emails.
Criminals can also penetrate security measures and steal information by setting up their own spoofed Wi-Fi access points or cellular base stations, mimicking what is legitimate.
Distinct challenges for mobile security also arise from the ever-growing reliance on cloud services for business and social media use and the fact that unlike desktop devices, smartphones are almost always switched on.
It is a daunting list of potential weak-points, even if in reality, few of us have yet experienced a cyber-attack on our mobiles. To a considerable extent our devices are protected by a combination of SMS firewalls, encryption, the security built in to home routing solutions and the regular flow of software updates. Nonetheless there are important steps that individuals and organisations must take in order to minimise vulnerability as the threats develop.
The steps we can take
First of all, it is easy to overlook the importance of passwords when they concern small devices. Passwords need to be changed from factory settings, as anyone who remembers the UK’s tabloid newspaper phone-hacking scandal should know. Whether in private hands of part of an organisation’s IT estate, devices need strong passwords that are regularly updated.
Given the critical relationship between mobility and cloud applications, authentication for application accounts in the cloud must also be strong. For businesses supervision of these accounts may need to be under their direct control rather than that of staff.
Then, we must all accept the necessity for patching of operating systems to stop exploitation of new vulnerabilities. For businesses it also requires the patching of their mobile device management systems, which can themselves become gateways to the devices.
Although mobile operating systems vendors have designed their products to shut out cyber criminals, the reality is that new weaknesses are regularly discovered. It is important, therefore, that users ensure all the patches and updates issued by vendors are applied immediately. Patches make it harder for hackers, requiring them to put in more time and effort to find new areas of vulnerability to exploit.
It also is a big advantage for businesses if they use the latest versions of the operating systems used by their mobile devices. While this may feel uncomfortably costly, it does give them the protection from security architecture created to combat the latest threats. It is important too, to obtain undertakings from vendors that security updates will continue to be provided for a set period and when that expires, those devices should be decommissioned.
Securing your apps
Vigilance is also required in relation to apps, even though security in this sphere is complex. With Apple and Google having approximately two million applications available, criminals are ready to exploit their coding vulnerabilities or to build entirely malicious versions.
With legitimate new apps, users should be aware that the typical pattern is for security to be lax when they are first launched and then increase steadily in relation to uptake. Best practice clearly requires the purchase of apps from only reputable vendors, along with the acceptance of all security updates.
These are all steps that consumers and businesses can take to protect themselves, but telecommunications companies also need to play their part by testing their networks for vulnerabilities using the objective security expertise of consultancies. Engineers who are expert in telecommunications will combine their skills with ethical hackers to simulate a full-scale cyber-attack, exposing vulnerabilities and providing the technical expertise to fix the problems.
With the proliferation of cyber-crime and state-sponsored hacking, it is important that consumers and businesses alike now take the security their mobile devices far more seriously. Neglect could be tantamount to leaving the doors unlocked.
Conclusions for desktop and office applications
If patching seems obvious for mobile devices then this should be mandatory for office devices, desktop applications e.g. computer operating systems, internet browsers, desktop applications, etc.
The latest WannaCry ransomware attack revealed the threat coming from outdated systems on corporate networks. This massive attack infected over 300,000 computers across industries and countries some among them providing critical services. Despite the available patch of Microsoft provided several months before the attack, it seems that many companies ignored installing such critical update (MS17-010).
The advantages of patches and release updates are known in the market though the problem of outdated systems exists for quite some time and threats seems to be regularly ignored. Technology companies such as Apple, Google, and Microsoft frequently release software patches that fix major security vulnerabilities and IT organisations are challenged to keep up with the increasing number of updates and patches.
Additionally, lessons learned today are that cyber-attacks and security breaches may find their way to a company’s network also via networks of connected partners and vendors i.e. the need of understanding the patching state of 3rd parties becomes also evident.
Continuous patch management seems to become a challenge for IT organisations today. Nevertheless, there are tools in the market, which support organisations to determine whether their own IT infrastructure or the ones of critical vendors and partners, are outdated such as operating systems and internet browsers. This can help to understand breaching risks and determine mitigation strategies for businesses of all sizes.
[su_box title=”About Hakan Ekmen” style=”noise” box_color=”#336588″][short_info id=’103340′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.