Mobile Security Demystified

1.  Preface

As per the report by the Internet and Mobile Association of India (IAMAI) and IMRB, there has been a year-on-year growth of 15 per cent in mobile internet users between October 2015 and October 2016. The number of mobile internet users in India was estimated to reach around 420 million by June 2017, up from the estimated 389 million users as of December 2016. Urban India is witnessing a growth of around 9 percent and rural India around 26 percent. In urban India, communication, social networking and entertainment (videos, songs etc.) are the top usages of mobile internet, while in rural India entertainment rules the roost, with social networking and communication being the other services in order of preference.

A decade ago, mobile malware was considered a new and unlikely threat. Many mobile device users even considered themselves immune from such threats.  Fast forward to 2017, and more than 1.5 million new incidents of mobile malware have been detected by McAfee Labs in the first quarter of the year alone for a total of more than 16 million mobile malware incidents.

2.  The New Situation

Today, mobile devices are coming under increasing attack and no one is immune. Some 20 percent of companies surveyed by Dimensional Research for Check Point Software said their mobile devices have been breached. A quarter of respondents didn’t even know whether they have experienced an attack. Nearly all (94 percent) expected the frequency of mobile attacks to increase, and 79 percent acknowledged that it’s becoming more difficult to secure mobile devices.

While Apple and Android have made strides in creating more secure and robust operating systems, malicious actors continue to pump out new and more deceptive malware. What’s more, security is still not a top priority in app design, with some apps allowing users to store or pass credentials in the clear or by using weak encryption.

Couple those weaknesses with the ubiquity of mobile devices in the workplace and the proliferation of BYOD policies, and you’ve got the perfect recipe for mobile attacks on the enterprise.

Almost half of information workers today are using bring-your-own laptops, 68 percent are using their own smartphones, and 69 percent are bringing their own tablets to work, according to Forrester’s annual security survey. Obviously, the risks are high, especially when you look at all the corporate data that’s held on these devices, such as customer information, intellectual property, contracts, competitive data and invoices, not to mention the potential access to corporate networks themselves, says Chris Sherman, Forrester senior analyst.

Many people believe that when they purchase a smartphone it is already secure. They don’t realise that a hacker with only rudimentary skills can access their smartphone in only 30 seconds. These days, we should understand that a device that can access the internet is inherently vulnerable and open to malicious attacks, whether it is a PC or smartphone, and look to implement adequate security software. For the most part, it is up to the business to continually educate employees and create mobile management policies that include the ability to remotely lock or wipe a device should it become lost or stolen. As these devices become smaller and lighter, they are also easier to leave in a taxi, at a restaurant restroom or lose during a morning jog. Smaller devices are also easier to steal and often victims don’t notice the theft for a while, making it too late for forensic countermeasures.

Even wiping or locking a smartphone doesn’t eliminate the threat of a third party accessing company data. Forensic data retrieval software allows wiped phones to be restored so that data can be accessed.

Then there are threats from malware and personal attacks. Smartphones are just as vulnerable to browser attacks as PCs are and buffer overflow exploits leave mobile devices just as exposed. Malware attacks via social media and texts are prevalent with smartphones, as well as what has become known as Malvertising. Malvertising is a term used to describe ads that contain Trojans or other malicious software aimed at being embedded in one phone and then spreading to other devices.

Free Wi-Fi and cellular data transmissions also make smartphones vulnerable to eavesdropping, data leakage or hijacking.  Improper session handling, unintended data leakage, poor authorisation and authentication, and lack of binary protections are vulnerabilities that can often be exploited when using unsecured Wi-Fi access or during cellular data transmissions.

In addition to security threats created by employee ignorance, laziness or lack of awareness of where they last left their cell phone, companies also need to protect against malicious intent when it comes to security breaches.

Disgruntled employees have always been a threat to organisations and their intellectual data. Mobile devices offer the ability for individuals to bypass many standard security measures in their attempt to extricate and transmit company information. An employee can use a memory stick to store large amounts of company data, transmit it via an email, or upload the data to a cloud server, all without detection by standard data loss prevention technology.

Internal threats have always been a concern for organisations in an attempt to prevent data loss, regulation violations and security breaches. However, as selling stolen data becomes more lucrative for hackers, external threats are now causing legitimate mobile security concerns.

3.  Currently evolving Threats

There are several mobile threats that are causing serious concern in the business world and are being aggravated by the use of personal devices in the workplace.

3.1.  Cross device transactions:

An individual may access their work email, eBay account or mobile banking services from different devices, sometimes even on the same day. Companies want to make their services convenient for customers, so they need to find a way to allow for this different device access while still protecting secure information. Mobile security for this type of access is often unsuccessful and leaves both the company and clients vulnerable to malicious attacks. Once a smartphone is hijacked, the vulnerable device is then brought to work or used to access a company email account, giving the hackers access to your company’s information.

3.2.  Phishing Attacks:

The rise of mobile commerce and banking has opened the door to a flood of phishing attacks. Phishing is when a user is compelled or fooled into visiting a compromised website or into revealing personal information, such as login credentials, credit card numbers and banking information. These attacks are more effective on mobile devices because users are more likely to click on links. Also, because navigation on mobile devices is more difficult, it becomes harder for the user to discern whether a link is legitimate or illegitimate.

3.3.  Mobile Web browser hacking

Mobile Web browser hacking is on the rise, due to the fact that it is the most effective way to bypass smartphone system-level security measures. WebKit-based exploits coupled with OS/kernel-level exploits can bypass a browser sandbox and then leverage OS vulnerabilities. Stagefright has been giving Android and Android-based app programmers a run for their money as security experts try in vain to create effective security patches.

3.4.  Man-in-the-middle (MITM) attacks:

These have also increased as more people are using free Wi-Fi for tablets, smartphones and laptops. With the ability to save data usage by using Wi-Fi networks, more people are using mobile hotspots whenever they are available. Eavesdropping and hijacking are easier using these open Internet access points, and if an employee is using them to access company data, the hacker will have an all-access pass into your corporate network.

3.5.  Distributed Denial of Service attacks (DDoS):

DDoS attacks have become more sophisticated as hackers learn new ways to leverage old-school attacks. Malevolent programmers have learned how to turn devices into DDoS bots once the hacker has gained control of them. These DDoS bots are harder to detect or prevent compared to traditional attacks, making corporations vulnerable to a threat they aren’t aware exists.

3.6.  Persistent, enterprise-class spyware

Employees use their mobile devices in nearly every aspect of their lives, with mobile devices never more than an arm’s length away. With such close proximity to corporate network access, voice activation and GPS tracking, state actors are looking at ways to infect mobile devices with spyware. The tactic has proven successful on both iOS and Android devices.

Last August’s Pegasus spyware, capable of hacking any iPad or iPhone to harvest data about and conduct surveillance on the victim, was just the beginning. Researchers also uncovered three iOS zero-day vulnerabilities that, when exploited, formed an attack chain that subverted even Apple’s strong security environment. Apple quickly fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.

By April 2017, malware authors struck again, this time on a Pegasus spyware version for Android that masquerades as a normal app download, while secretly gaining root access to a device to do broad surveillance on the user over time. Since then, Google has bolstered security measures, including Play Protect security within the Play Store.

“If you’re a nation state actor and you want to compromise a company, one possible route would be to compromise a mobile device that you know is going into a particular organization,” Shier says. “We still have organizations that are allowing their mobile device to exist on the corporate network along with some of their other devices of higher value.”

3.7.  Mobile botnets

New malware can quickly turn legions of mobile devices into a botnet that is controlled by hackers without the knowledge of their owners. Malware researchers have identified about a dozen more mobile botnets, including Hummingbad, which infected over 10 million Android operating systems in mid-2016. User details were sold and advertisements were tapped on without the user’s knowledge, generating fraudulent advertising revenue. We have seen malware rooting millions of devices and opening back doors on them, which could potentially be used for any purpose, including stealing sensitive data. While mobile devices don’t have the bandwidth and computational throughput of a desktop computer, botnet functions don’t require a lot of compute power to pose a threat. What’s more, mobile devices are often on all the time, which gives the botnet owner 24/7 access to large numbers of potential zombie bots.

3.8.  Ad and click fraud

Ad and click fraud in mobile devices is a growing concern, researchers say. “Compromising that mobile device [through ad and click malware] would be a nice way for a criminal to gain access to the internal network of a company, possibly by sending an SMS phish, getting someone to click on a link where they download a malicious app, and then now that they’re on the phone and can control it, they can steal credentials and gain access to the internal network,” Shier says.

The scary part, Padon says, is that they start as adware, but they can just as easily decide to spread spyware to the entire botnet. “Then you have 10 million devices that record their owners’ every move. It has a devastating potential with just a click on the app,” he says.

3.9.  Outdated operating systems:

Users today fail to realize the importance of OS updates. They tend to ignore or block updates that are being sent by OS vendors. This leaves their mobile devices vulnerable to common malware and exploits. Moreover, many users tend to jailbreak their devices which enables the downloading of apps, extensions etc. that are often unavailable through regulated channels. This opens another door for vulnerabilities.

3.10.  Untested Mobile Applications:

Users sometimes tend to download apps from third-party vendors instead of from regulated app stores. Many of these apps don’t have clear app sources and become very vulnerable because of coding errors that are not fixed quickly enough to prevent exploitation. This is true for legitimate software as well, as some of it is not updated on a regular basis.

3.11.  Dead apps

Employees need to check the status of their mobile apps regularly, and then update or delete them if they’re no longer supported in the Google or Apple stores. Security teams for both operating systems have been quietly removing an undisclosed number of apps from their stores at a growing rate, but they haven’t revealed a list of the removed apps or offered any reason for their removal, which can vary from malware issues to copyright infringement to the discovery that the app was leaking data to a third party. The lack of transparency could impact the enterprise because more sensitive data is at stake if such an app is used to infiltrate an enterprise network.

3.12.  Wi-Fi Enabled Trojan Horses

According to Pew Research Center, 64% of American adults now own a smartphone, and a majority of smartphone users carry their phone from place to place throughout the day. Users with compromised devices may inadvertently give attackers access to a number of networks throughout the day among home, office, and public Wi-Fi hotspots.

Despite what Hollywood may lead you to believe, most cybersecurity incidents are not obvious, acute problems that are easy to discover. Instead, sophisticated attackers will compromise networked devices and silently collect data for weeks or months. It is entirely possible for an attacker to infect a user’s mobile device and then collect any data visible on networks that trust the mobile device. This includes places of business, public Wi-Fi hotspots, and home networks. The data that can be gathered in such an attack is not limited to data sent or received by the infected device. Smartphones can be configured to passively listen for any data transferred over their local network, meaning data sent or received by any other mobile device or computer connected to the same Wi-Fi network will be compromised.

Further, the infected mobile device can be used as a launch pad for larger attacks. Once a vulnerability is discovered for other networked devices, an attacker can instruct an infected mobile device to infiltrate other devices on the trusted network. For example, a compromised smartphone can perform man-on-the-side attacks[2], generating false data or instructions for other devices on the network. A man-on-the-side attack can inject new code into visited web pages, replace login pages with false duplicates which report login credentials to a malicious server, and even replace application downloads with an infected application to further increase the attacker’s pool of compromised devices.

All of the above is possible because most households and businesses only focus on protecting their network perimeter. Once a trusted-but-compromised device is allowed on the network, little or no monitoring or verification of device behavior occurs, leaving the rest of the network open to attack from the inside.

3.13.  Advanced Persistent Threats (APTs):

APTs are among the most dangerous examples of stealthy attacks. They target individuals, businesses, governments and their data, and redirect it via mobile connections. Data leaks, including espionage and exposure of corporate data, are common with this type of threat. This threat is the cheapest to implement because it uses off-the-shelf malware and hacker tools such as viruses and Trojans.

3.14.  IoT

Internet of Things (IoT) malware is still in its infancy, but that hasn’t stopped malware authors from making the jump, says Irfan Asrar, senior manager in mobile malware research at McAfee. “The number of [IoT malware] families out there is just 10, and most of them are just variations of the same code base, but we’re starting to see in the underground sites that people are peddling mobile malware kits and are moving into the IoT arena,” he says. Many IoT devices are also connected to and configured by smartphones and other mobile devices, for example for mobile entry into a building or through a checkpoint.

There are numerous known security exploits for mobile devices, and savvy users can navigate around many of these exploits by only connecting to trusted Wi-Fi networks, avoiding malicious websites, and scrutinizing which applications are installed and running on their mobile device. However, the emerging trend of the Internet of Things (IoT), a world full of Internet-connected devices and sensors, presents new challenges. IBM calls the insecurity of IoT devices “a time bomb ready to explode”.

Many IoT devices are small, embedded devices that do little in terms of security. Once an IoT device is configured to work with your smartphone or home network, the IoT device is trusted and assumed to be safe. However, an attacker could replace, modify, or spoof IoT device signals to trick a mobile device into performing undesirable functions. This opens the door to more security challenges for mobile devices. As more physical objects become connected to the Internet, there will be more opportunities for attackers to exploit newer and less sophisticated devices. Similar to the “Wi-Fi Enabled Trojan Horse” scenario described in section 3.12 above, once a trusted device is compromised or spoofed, other networked devices can be compromised, resulting in a domino effect.

For example, a Bluetooth Low Energy (BLE) device such as an iBeacon may be connected to a smartphone to detect when the smartphone user enters a room. An attacker targeting the smartphone user could set up a second iBeacon in a different location, designed to broadcast an identity that matches that of the first iBeacon. When the smartphone user comes within range of the malicious second iBeacon, the iBeacon could instruct the smartphone to visit a web page containing malicious code. From this web page, a known smartphone vulnerability could be employed to gain control of the smartphone through arbitrary code execution or installation of a malicious mobile application.
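A defensive counterpart to the iBeacon scenario above, added here as an example and not part of the original article: an iBeacon advertisement carries only an unauthenticated UUID/major/minor, so an app has to treat that identity as untrusted input and decide what it does from its own allowlist, never from anything the beacon broadcasts. The Python below parses the standard iBeacon manufacturer-data layout, looks the identity up in a constructed allowlist of HTTPS URLs, and returns nothing for unknown or malformed beacons. The UUID, the URL, the `BEACON_ACTIONS` table and the payload bytes are all constructed for the illustration; a cloned beacon with the same identity can at most trigger the same allowlisted action, never an attacker-chosen page.

```python
"""Treat a BLE beacon's identity as untrusted input (added example).

An iBeacon advertisement carries a proximity UUID, major and minor in
manufacturer-specific data with no authentication, so a second beacon can
broadcast an identical identity. The defensive pattern: parse the
advertisement, then resolve what the app may do for that identity from an
app-side allowlist, never from anything the beacon itself says, and require
HTTPS on the result. The allowlist and payload bytes are constructed.
"""
import struct
import uuid
from typing import Optional
from urllib.parse import urlparse

APPLE_COMPANY_ID = 0x004C  # Bluetooth SIG company identifier used by iBeacon
IBEACON_TYPE = 0x02
IBEACON_LENGTH = 0x15


def parse_ibeacon(manufacturer_data: bytes) -> Optional[dict]:
    """Decode an iBeacon manufacturer-specific payload, or return None.

    Layout (25 bytes): company id (2, little-endian), type 0x02, length 0x15,
    proximity UUID (16), major (2, big-endian), minor (2, big-endian),
    measured tx power at 1 m (1, signed).
    """
    if len(manufacturer_data) != 25:
        return None
    company_id = struct.unpack_from("<H", manufacturer_data, 0)[0]
    if company_id != APPLE_COMPANY_ID:
        return None
    if manufacturer_data[2] != IBEACON_TYPE or manufacturer_data[3] != IBEACON_LENGTH:
        return None
    proximity_uuid = uuid.UUID(bytes=manufacturer_data[4:20])
    major, minor, tx_power = struct.unpack_from(">HHb", manufacturer_data, 20)
    return {"uuid": str(proximity_uuid), "major": major, "minor": minor,
            "tx_power": tx_power}


# Constructed allowlist (assumption): the only actions this app will ever take
# for a beacon, keyed by identity. The beacon never supplies a URL; it can
# only select one of these entries.
BEACON_ACTIONS = {
    ("12345678-1234-5678-1234-56789abcdef0", 1, 7):
        "https://intranet.example.invalid/rooms/conference-a",
}


def action_for_beacon(manufacturer_data: bytes) -> Optional[str]:
    """Return the allowlisted HTTPS URL for a beacon, or None if not permitted."""
    beacon = parse_ibeacon(manufacturer_data)
    if beacon is None:
        return None
    url = BEACON_ACTIONS.get((beacon["uuid"], beacon["major"], beacon["minor"]))
    if url is None:
        return None
    if urlparse(url).scheme != "https":  # never open a plaintext page
        return None
    return url


def build_ibeacon(proximity_uuid: str, major: int, minor: int, tx_power: int) -> bytes:
    """Assemble a manufacturer-data payload; used here only to construct sample input."""
    return (struct.pack("<H", APPLE_COMPANY_ID)
            + bytes([IBEACON_TYPE, IBEACON_LENGTH])
            + uuid.UUID(proximity_uuid).bytes
            + struct.pack(">HHb", major, minor, tx_power))


if __name__ == "__main__":
    known = build_ibeacon("12345678-1234-5678-1234-56789abcdef0", 1, 7, -59)
    unknown = build_ibeacon("12345678-1234-5678-1234-56789abcdef0", 1, 8, -59)
    print("known identity   ->", action_for_beacon(known))
    print("unknown identity ->", action_for_beacon(unknown))
```

The design point is that the beacon selects an entry in a table the app controls; a cloned beacon therefore gains nothing beyond what the genuine beacon already triggers, and the app never navigates to a URL that arrived over the air.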

4.  Quickfix

Although mobile phones are taking on more capabilities formerly available only on PCs, technical security solutions for mobile phones are not as sophisticated or widespread as those for PCs. This means that the bulk of mobile phone security relies on the user making intelligent, cautious choices. Even the most careful users can still fall victim to attacks on their mobile phones. However, following best practices regarding mobile phone security can reduce the likelihood or consequences of an attack.

  • When choosing a mobile phone, consider its security features. Ask the service provider if the device offers file encryption, the ability for the provider to find and wipe the device remotely, the ability to delete known malicious apps remotely, and authentication features such as device access passwords. If you back up your phone data to a PC, look for an option to encrypt the backup. If you plan to use the device for VPN access, as some users do to access work networks, ask the provider if the device supports certificate-based authentication.
  • Configure the device to be more secure. Many smartphones have a password feature that locks the device until the correct PIN or password is entered. Enable this feature, and choose a reasonably complex password. Enable encryption, remote wipe capabilities, and antivirus software if available.
  • Configure web accounts to use secure connections. Accounts for certain websites can be configured to use secure, encrypted connections (look for HTTPS or SSL in account options pages). Enabling this feature deters attackers from eavesdropping on web sessions. Many popular mail and social networking sites include this option.
  • Do not follow links sent in suspicious email or text messages. Such links may lead to malicious websites.
  • Limit exposure of your mobile phone number. Think carefully before posting your mobile phone number to a public website. Attackers can use software to collect mobile phone numbers from the web and then use those numbers to target attacks.
  • Carefully consider what information you want stored on the device. Remember that with enough time, sophistication, and access to the device, any attacker could obtain your stored information.
  • Be choosy when selecting and installing apps. Do a little research on apps before installing them. Check what permissions the app requires. If the permissions seem beyond what the app should require, do not install the app; it could be a Trojan horse, carrying malicious code in an attractive package.
  • Maintain physical control of the device, especially in public or semi-public places. The portability of mobile phones makes them easy to lose or steal.
  • Disable interfaces that are not currently in use, such as Bluetooth, infrared, or Wi-Fi. Attackers can exploit vulnerabilities in software that use these interfaces.
  • Set Bluetooth-enabled devices to non-discoverable. When in discoverable mode, your Bluetooth-enabled devices are visible to other nearby devices, which may alert an attacker or infected device to target you. When in non-discoverable mode, your Bluetooth-enabled devices are invisible to other unauthenticated devices.
  • Avoid joining unknown Wi-Fi networks and using public Wi-Fi hotspots. Attackers can create phony Wi-Fi hotspots designed to attack mobile phones and may patrol public Wi-Fi networks for unsecured devices. Also, enable encryption on your home Wi-Fi network.
  • Delete all information stored in a device prior to discarding it. Check the website of the device’s manufacturer for information about securely deleting data. Your mobile phone provider may also have useful information on securely wiping your device.
  • Be careful when using social networking applications. These apps may reveal more personal information than intended, and to unintended parties. Be especially careful when using services that track your location.
  • Do not root or jailbreak the device. Third-party device firmware, which is sometimes used to get access to device features that are locked by default, can contain malicious code or unintentional security vulnerabilities. Altering the firmware could also prevent the device from receiving future operating system updates, which often contain valuable security updates and other feature upgrades.
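One way to put the "check what permissions the app requires" advice into practice, added here as an example rather than anything from the original article: a short Python script that reads an app's AndroidManifest.xml, lists the permissions it requests, and rejects the app when it asks for runtime-dangerous permissions outside the set that an app of its kind should need. The sample manifest (a "flashlight" app), the `DANGEROUS` list (a subset of Android's documented runtime permissions) and the `FLASHLIGHT_EXPECTED` baseline are constructed assumptions for the illustration.

```python
"""Audit the permissions an Android app requests before installing it (added example).

Parses the <uses-permission> entries of an AndroidManifest.xml and flags those
that Android classifies as "dangerous" runtime permissions and that fall
outside an expected set for the app's stated purpose. The manifest below is
constructed; the expected set is an assumption about what a torch app needs.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's documented runtime ("dangerous") permissions.
DANGEROUS: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest: a "flashlight" app asking for far more than a torch needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# Assumed baseline: a torch app drives the flash through the camera HAL, so it
# needs CAMERA and the legacy FLASHLIGHT permission, and nothing else.
FLASHLIGHT_EXPECTED: Set[str] = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)  # attribute lives in the android: namespace
        if name:
            names.append(name)
    return names


def audit_permissions(manifest_xml: str, expected: Set[str]) -> Dict[str, object]:
    """Compare requested permissions with what the app should need.

    Returns:
      'unexpected' - requested but not in the expected set for this app type
      'dangerous'  - unexpected permissions that are also runtime-dangerous
      'verdict'    - 'reject' if any unexpected dangerous permission, else 'install'
    """
    requested = set(requested_permissions(manifest_xml))
    unexpected = sorted(requested - expected)
    dangerous = sorted(p for p in unexpected if p in DANGEROUS)
    verdict = "reject" if dangerous else "install"
    return {"unexpected": unexpected, "dangerous": dangerous, "verdict": verdict}


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST, FLASHLIGHT_EXPECTED)
    for key, value in report.items():
        print("%s: %s" % (key, value))
```

The manifest is extracted from an APK before installation (for example with an APK inspection tool); the expected set is what has to be maintained per app category, and a permission like INTERNET that is unexpected but not runtime-dangerous is reported without blocking so a reviewer can judge it.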

Act Quickly if Your Mobile Phone or PDA Is Stolen

  • Report the loss to your organization and/or mobile service provider. If your phone or PDA was issued by an organization or is used to access private data, notify your organization of the loss immediately. If your personal phone or PDA was lost, contact your mobile phone service provider as soon as possible to deter malicious use of your device and minimize fraudulent charges.
  • Report the loss or theft to local authorities. Depending on the situation, it may be appropriate to notify relevant staff and/or local police.
  • Change account credentials. If you used your phone or PDA to access any remote resources, such as corporate networks or social networking sites, revoke all credentials that were stored on the lost device. This may involve contacting your IT department to revoke issued certificates or logging into websites to change your password.
  • If necessary, wipe the phone. Some mobile service providers offer remote wiping, which allows you or your provider to remotely delete all data on the phone.

5.  Few Closing Words

Mobile computing has become smarter, ubiquitous and very powerful. This means that our perception must change, and we must be aware of the new threats that come with the new functions and facilities mobile computing offers.

Unlike the bygone era of mobile phones, when the intelligence of the network was at the centre (i.e. with the service providers and the network), the intelligence is becoming increasingly concentrated at the edges, i.e. at the user level.

In other words, our mobile phones are increasingly gaining enterprise-level functionality, but the burden of securing them rests with the end user, i.e. the individual.
