More than 90% of U.S. citizens aged 16-60 have smartphones. These aren’t the third generation of flip-phones but highly intuitive Apple, Samsung, Motorola, Nokia and other brands. These complex, innovative, multipurpose and flexible mobile devices are irreplaceable in our business and personal lives, yet the risk to privacy, health and national security has created critical consequences to our public safety like never before.
We now must adapt to new challenges that require a greater level of understanding of how to keep your mobile devices safe and secure, to protect yourself, your family and your business from being the victim of mobile device attack and exploitation.
Today’s smartphones are used for almost anything and everything other than conversations. We use our phones for entertainment, games, taking photos and selfies, banking apps, texting and finding locations using GPS systems. Companies that still allow employees to use personal phones in corporate environments (Bring Your Own Device, or BYOD) expose themselves to a multitude of risks, like corporate espionage, data exfiltration and ransomware.
According to Paldesk, U.S. smartphone users send and receive five times more texts than phone calls. This opens the door for increased human error in accepting malicious downloads, agreement of terms and conditions from malformed text hyperlinks, and manipulation of configuration settings on mobile phones. New legislation requiring cyber breach notification on a national level is expected this year.
Meanwhile, recent legislation requiring federal agencies and corporations to report cyber breaches has created a new age of what must be done to protect mobile devices. Healthcare applications that are used within smartphone devices will likely require much more stringent regulations from the FDA as they begin to classify smartphones as “medical devices.”
The landscape is also changing as we evolve from talk, text and web as the primary services offered by our smartphones and mobile devices. We now have integrated sensors that detect motion, environment (temperature, humidity) and position. We also have more complex integrations with applications used for medical diagnostics (blood pressure, diabetes treatments, treatment monitoring) further highlighting how the need for increased security on mobile devices has never been more critical.
Without greater education and focus on mobile device security, cyber attackers will continue to have myriad tools that capture exploitable data that will ultimately lead to cyber breach and loss of personal information. That encompasses stored passwords, photos, emails, files and account information. Also, network credentials that enable privileged access to your company-owned and protected networks and systems will be compromised, exploited and used for financial gain.
While users may trust the manufacturers of the phones for providing appropriate security … what about the app developers? Those include downloads for everything from opening your garage door, turning on lights/fans, monitoring video surveillance or tracking your heartbeat and steps at regular intervals.
Additional mobile device compromises consist of the monitoring of corporate email accounts by unauthorized users, leading to corporate espionage and loss of intellectual property, ransomware, fines, and diminished reputation by shareholders and stakeholders.
If you are using a smartphone for business and personal use, it is essential that you and your organization understand not only the security precautions but also the assurances given by third-party vendors that provide mobile access to legacy applications; it is essential that they meet baseline cybersecurity requirements.
Mobile device security, or mobile device management (MDM), involves mostly remote administration using third-party vendors to companies that have a wide assortment of duties. With an increasingly diverse alternative work or work from home environment, protecting devices from anywhere, anytime, even in environmentally challenging conditions, is essential. The goal is to keep devices secure while keeping the workforce flexible and productive.
There are five primary tools used in MDM, enabling the cybersecurity administrator (or even an IT administrator for a small office) to control the use of smartphones within an organization. Most small businesses are extremely lax in understanding the risks of BYOD — and personally owned smartphones within a small business environment. These MDM tools include:
Successful MDM within an enterprise requires a complete set of controls that identify and detect rogue devices that connect to wireless networks and scan the perimeter and environment. Mobile device administrators must be aware of privacy controls and device settings, and must educate end users so that they become intimately aware of the terms and conditions regarding what information is stored, processed, and collected. Company IT administrators must also understand that the legal requirements for installing applications without the consent of the owner are very restrictive, and that doing so could lead to criminal investigation and prosecution.
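One way to approach the rogue-device check described above, as an added example that is not part of the original article: wireless DHCP leases are compared against the MDM enrollment list. The CSV column names and all sample records are constructed for illustration and do not reflect any particular MDM product's export format.

```python
import csv
import io

# Constructed sample data: MDM enrollment export and wireless DHCP lease log.
MDM_INVENTORY = """mac,owner,compliant
a4:83:e7:12:9b:01,alice,yes
3c:22:fb:7a:10:44,bob,no
"""
DHCP_LEASES = """mac,ip,hostname
A4-83-E7-12-9B-01,10.0.8.21,alice-iphone
3c:22:fb:7a:10:44,10.0.8.22,bob-pixel
da:a1:19:5e:33:02,10.0.8.23,
00:1b:63:84:45:e6,10.0.8.24,unknown-tablet
"""

def normalize_mac(mac):
    """Lower-case, colon-separated form so log and inventory formats match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Randomized (private) phone MACs set bit 0x02 of the first octet."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def classify_leases(inventory_csv, leases_csv):
    """Return {mac: status} for every device seen on the wireless network."""
    enrolled = {normalize_mac(r["mac"]): r["compliant"] == "yes"
                for r in csv.DictReader(io.StringIO(inventory_csv))}
    result = {}
    for row in csv.DictReader(io.StringIO(leases_csv)):
        mac = normalize_mac(row["mac"])
        if mac in enrolled:
            result[mac] = "enrolled" if enrolled[mac] else "enrolled-noncompliant"
        elif is_locally_administered(mac):
            # A private MAC cannot be matched to inventory by address alone;
            # identify these devices by other means (e.g. 802.1X certificates).
            result[mac] = "unidentified-randomized-mac"
        else:
            result[mac] = "rogue"
    return result

if __name__ == "__main__":
    for mac, status in classify_leases(MDM_INVENTORY, DHCP_LEASES).items():
        print(mac, status)
```

Modern phones present a randomized MAC address per network by default, so a MAC-only comparison will misjudge them; the third status keeps those devices separate from confirmed rogue hardware.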
Cost pressures requiring organizations to allow BYOD reduce the ability, from a legal perspective, to monitor the activities of employee-owned smartphone devices. While password hacking remains at the top of the list, reused credentials, stored passwords, and cached credentials stored in browsers and applications continue to plague organizations with data loss and the copying and sharing of company data.
The most common way to compromise a mobile phone is through downloading malware from an untrusted site or from a malicious link. This type of attack does not require the cyber attacker to be in physical proximity to the smartphone. This type of malware install requires a code injection or script injection.
Code injection is when malware is introduced to alter the way an application works or how the operating system behaves. This may include keyloggers, or other software that collects names, phone numbers and transmits them externally to remote locations. Script injections are known to perform specific tasks, such as opening a wireless port, and turning on or off specific security features on your mobile device.
Now consider new exploits that cyber attackers can perform when they are within physical proximity to the smartphone. We have known about man-in-the-middle attacks where the attacker relays the communication between two parties to an outside third party, but now we can add attacks. This is where the attacker receives the communication, alters the communications being sent and received, and modifies the message being relayed to outside parties.
If a criminal gets hold of your physical smartphone, they can extract the SIM card, clone the phone using commercial off-the-shelf mobile forensic kits, and generate SMS and text messages to gain access to multifactor authentication (2FA) to access corporate applications, email, and proprietary third-party vendor apps. This is known as SIM swapping.
Regardless of the fact that hacking a smartphone violates federal wiretapping laws and carries a maximum sentence of 20 years in prison and a $100,000 fine, you can purchase cellphone hacking tools directly from the web. Malicious USB and cellphone charging cables can be purchased on the Internet that have similar functionality to standard cables, except that prescripted malware is injected into your phone. An example of this hack is listed at www.mitnicksecurity.com/blog/the-latest-malware-threat-the-usb-ninja-cable. There is even technical support for various products in the event you have questions or issues configuring or using these products!
Don’t forget the bad USB devices and “rubber ducky” exploits, where all that is required is a powered-on machine and an open USB port. Host devices are then infected with malicious code to extract personal or corporate information. This can also be done wirelessly, known as “WiFi duck.” In this case, a phone that has not been jailbroken using detectable WiFi can be injected from a remote location. Another popular tool that can be used when a physical phone is present is known as “MalDuino W,” which can plug and play into a USB C port on an Android device.
GoodFirms reports that only 63% of mobile phone users change their passwords, with the remainder using the same password for multiple applications within their smartphone. Over half reported that they share this password with family, friends and colleagues.
It is predicted that humans will eventually no longer use smartphones but will be directly connected to the Internet through advanced brain-to-computer interfaces. Even these interfaces will have various security challenges and vulnerabilities that can be exploited by cyber criminals. Until that time, expanded solutions include mobile device intrusion detection and intrusion prevention similar to fixed and wireless network components. Smartphones will have machine intelligence that will automatically respond to security breaches by shutting the phone down until remediation or investigation has been performed. Delivering this level of security is complex and requires persistent access to vulnerability data feeds to provide information at the operating system level of the phone. It will export relevant digital forensic information such as how and when the attack took place, what impact it has, and then provide a log of events and actions taken.
Until self-protecting smartphones are developed, we must protect ourselves today. Password hygiene remains at the top of the list along with reused credentials, and stored passwords and cached credentials stored in browsers and applications. These oversights continue to plague organizations that succumb to cost pressures, allowing employees to continue using BYOD laptops and mobile phones for corporate use.
Here are some best practice tips:
As humans continue to be the weakest link in any physical or digital security medium, we need to continue to educate ourselves. Be vigilant and stop doing foolish stuff!
President and CEO of SecureXperts