Your Smartphone is Showing: The Mobile Threat Exposure

Phones - They're What Hackers Crave

We love our phones. We stare deeply into glowing rectangles at every opportunity. We love messenger apps. We love free Wi-Fi and expect businesses to offer it. We might love a friendly P2P game, or playing Internet radio over the Bluetooth system in a rental car. We love the idea of paying for just about anything from an app rather than fumbling for money.

Don’t think this love affair has gone unnoticed. Cybercriminals increasingly want to come between us and our phones. And who can blame them? With as much as 75% of US Internet traffic coming from mobile devices, that is where the most valuable data -- and the money -- is moving. Why would they stick to hacking standard computers?

You might think your mobile device is rather secure. Indeed, it does have some design advantages over PCs and servers, where most of the security and antivirus activity has focused to date. Unlike conventional computers, smartphones have much of their operation handled at the hardware and firmware level, they have memory but not hard drives, they have a leaner OS … but they are still fully functional, powerful computing devices on their own, with enough sophistication and constant change happening to leave doors open for hackers. 

Looking at the most recent Symantec ISTR report (Dec 2016) which is rich in security stats, while most forms of email phishing and web attacks show rather stagnant growth or decline, new mobile malware variants jumped by 214%. Expect this growth trend to continue, as mobile devices have become the new cyber attack surface of choice.

MDM, EMM and BYOD

Around 2011 as smartphones were joining the mainstream, we started seeing huge investments driving a new class of vendors supporting secure mobility -- companies like Airwatch (now vmware airwatch) and MobileIron. Citrix, CA and Blackberry began expanding their corporate security and mobility initiatives to include BYOD (bring-your-own-device) management.

The main thrust of these MDM (Mobile Device Management) or EMM (Enterprise Mobility Management) solutions was the ability to manage multiple employee devices and the apps on them to improve compliance with corporate standards, which should lead to safer usage behaviors and lower mobile data costs.

For instance, the MDM system can require you to set or reset a phone password before you can access company email. It might put all of the required “corporate” apps in a controlled folder, and prevent a user from installing non-approved apps, playing huge media files over the air, or pop up a warning if they connect to an unknown network. It could remotely wipe the data from a phone if it gets compromised, lost or stolen.

Not all control and security functions are available to MDM software, especially in a BYOD scenario. Several countries have regulations against companies accessing private data on an employee’s personal device. Even if a privacy mandate doesn’t apply in your region, you run the risk of ticking off your entire workforce if the corporate HQ imposes heavy-handed demands on their phones. More than half of employees surveyed by Bitglass said they would refuse a corporate MDM install on their personal devices because of privacy concerns. (Kind of easy to say if your current job isn’t riding on such a requirement though!)

Through the glass: The mobile attack surface

Note that while all of the above capabilities contribute to device security, they are not specifically addressing all of the exploits that can happen on smartphones at a device, network and application layer. 

These exploits can be stupidly simple - sending an email or text message with a bad link to ask the user to enter their password or account number -- yes, it still works occasionally. Or quite beautifully sophisticated, for instance loading an SMS image in the preview window that executes remote code and quietly establishes root control of the device without alerting the user in any way -- see the infamous Stagefright exploit discovered on Android (now patched but the hole is still there on many phones).

Some adware and malware providers have taken to creating realistic, but unsanctioned third-party app stores outside of Google Play and Apple App Store. Popular game titles like Pokemon Go and retail apps on these sites look like the real thing, but they might be sending more of your personal data to unknown locations than you’d like.  

The quantity of new threats to mobile devices is increasing at a rate of more than 2x every six months. If you read the latest TrendLabs 2016 Mobile Threat Report, you get an immediate picture of how fast-moving these exploits can be. Once hackers have used a novel Day 0 exploit and it is identified and patched, they are moving on to the next one. Right now, ransomware is one of the hottest growth areas -- attackers remotely encrypt or “lock up” the data on your device, then demand a payment to restore it. Hopefully you backed it up! No guarantees you’ll ever see your data again if you do pay.

Exploits delivered to your door by MTD

You need to have something on the device that can protect against these advanced new threats, and that’s where a new class of Mobile Threat Defense (MTD) tools come in. Some of the bigger players in security such as Symantec, Trend Micro and Intel have recently bought or delivered new solutions geared for endpoint security, but a lot of the excitement in this space is around newer, more MTD-specialized firms such as Zimperium, Lookout and Skycure.

Basically an MTD solution has three components: 

1. Some kind of app running on the device that should detect a possible threat.

2. Some kind of cloud-based service for gathering alerts and threat data for reporting, and updating devices with the latest exploit definitions. 

3. Some way of taking action to remediate the threat and reduce its impact.

For threat detection, some tools employ a technique called “sandboxing” which is basically a way to maintain surveillance of the device from a cloud based service, then have the application step in if an offending message or potential malware is detected to remediate the threat.  Another way is to have an on-device detection and self-service remediation app installed, which uses the cloud service only for reporting and updates of threat definitions back to the phone. This approach offers some user data privacy advantages and still works without an Internet connection.

You know how a Trojan horse or worm can “weaponize” a computer or device and use it to spread itself across a network? What’s cool about today’s MTD solutions is how the detection capability can turn millions of immunized devices into early warning defense beacons and sources of data on mobile attack vectors. If a known or unknown cyber attack starts becoming detected in a certain region or exploiting a specific device/OS/app/network combination, that gets filtered back to the lab, where security researchers can define the exploit, determine workarounds, and even alert OS and device manufacturers and the global security community, if necessary.

You can’t patch mobile security complacency

Despite software innovation and collaboration among mobile network operators (MNOs), device manufacturers and international standards groups, don’t get your hopes up that we’re about to become threat-free anytime soon. A recent Ponemon Institute study on mobile cyberattacks says 60% of respondents have already experienced some kind of security breach due to mobile attacks. Enterprises know they are vulnerable to mobile attacks, but many seem to lack the wherewithal to do much to prevent them.

To make the problem more confounding, that recent Symantec report mentions that as many as 85 percent of corporate data breaches go unreported, a rapid increase from just 2014 when more than half were reported. Less costly to sweep embarrassing security lapses under the rug and hope they aren’t noticed for a couple quarters?

You would think CIOs and CISOs would be looking beyond the standard network security perimeter, firewalls, anti-virus and email filtering stuff and investing to get ahead of this attack vector, but no: the latest Gartner Predicts 2017 report on Endpoint Mobile Security estimated that by 2019, only 25% of mobile-ready enterprises will deploy mobile threat defense capabilities on enterprise-issued mobile devices. That's company equipment, not bring-your-own.

Clearly, complacency is the greatest threat to mobile security, and it will likely require a few more high profile mobile attacks in the headlines to change that. Until then, watch your phones.