by Gregg Smith
Device Atlas, the world’s most authoritative source on device data, states that there were 2.6 billion smartphones and over 4 billion mobile phone users in the world in 2016. This number is expected to double over the next few years. These devices are attached to us 24 hours a day, seven days a week. They have replaced our computer and camera, allow us to scan barcodes to check prices and act as a credit card. They help us email co-workers, message friends, and can, surprisingly, even make phone calls!
With so many devices performing mission critical functions and moving exabytes if not zettabytes of data, mobile platforms and their vulnerabilities have become prime targets for attackers. These malicious actors use cellular monitoring, intercept, and data exfiltration techniques and run the spectrum from cybercriminals to nation states. Both the United States and the United Kingdom have admitted that they develop offensive cyber weapons for espionage and sabotage.
The contrast between informed and uninformed mobile device users is stark. Retired General Keith Alexander, former Commander of United States Cyber Command and the National Security Agency recalled an anecdote to the audience at a Cyber Security Hall of Fame dinner: The general’s wife occasionally bought him a coffee at Starbucks using her mobile device to pay. When Alexander discovered this, he was horrified. He concluded the story by noting that he would never use his mobile device to buy anything. Listening as the CEO of a mobile security company, this message resonated with me.
One’s preferences, purchases, and web surfing experiences are collected, analyzed and used to influence behaviors while online. Internet services and providers gather personal information from computers tablets and smartphones, and sell it to advertisers. The trend has been accelerated (or exacerbated, depending on your perspective) by the recent rollback of U.S. privacy rules governing internet service provider’s (ISP) sale of consumer data. It’s hardly surprising that American consumers do not believe that their data is secure. Conflicting advice as to how consumers should protect their online privacy only adds to the confusion and uncertainty.
IT and information security staff are responsible for protecting the enterprise’s primary asset, its intellectual property (IP). IP is what makes an organization competitive in the marketplace.
- Eight of the top ten mobile banking applications have been fraudulently developed and deployed on various app stores. Once downloaded, the app delivers malware to the device which steals personal information.1
Using unsecured Wi-Fi, such as that found in hotels, airports and restaurants, is dangerous. Government agents, cyber criminals and other attackers routinely compromise Wi-Fi hotspots in what’s known as a Man-in-the-Middle (MITM) attack. During an MITM attack, the attacker sets up a device that pretends to be the legitimate hotspot. When users connect to the fraudulent hotspot, the attacker captures all data sent or received by the user, such as login credentials and credit card numbers without the user’s knowledge.
- Product barcodes at retail establishments are often overlaid with a sticker displaying a false barcode. When a mobile device scans the barcode, a navigable link is displayed. The links often connect to sites that download malware, thus enabling information theft.
- When traveling internationally, devices are vulnerable to lawful cellular intercept by governments collecting political intelligence or conducting industrial espionage. Many governments work with local wireless carriers to ensure that malware is installed as devices connect to towers owned by that carrier. Certain countries also block data or Voice Over IP (VOIP) communications.
Additionally, the architecture of mobile network infrastructures possesses inherent vulnerabilities:
- The backbone of the wireless roaming system is called the SS7 network and it was originally built for landline billing. When it was updated, security was not a serious consideration in its design. As a result, one of the major wireless carriers in Germany, Telefonica’s O2 network, was compromised and many banking customers were victimized.
- Smartphones’ baseband processor (the chip that manages the device’s radio functions) is also vulnerable. It appears that only limited testing is conducted, and vulnerabilities remain undiscovered. Security researchers have demonstrated how easy it is to use these vulnerabilities to impact the target device, changing code execution, causing denial of service outcomes and even destroying the device.2
- Cellular intercept, or eavesdropping, is common. Wiretapping is legal with a court order for law enforcement and the commercial equipment to carry such activity out is now easily obtained and used by cyber criminals and drug cartels who listen to the movements of law enforcement along the United States’ southern border. There are pricing discussions being intercepted between enterprises and governments and board meetings being compromised by cyber criminals who collect inside stock trading information.3
In the course of traveling around the world, the author has encountered a number of countries with laws permitting law enforcement to intercept cellular communications without any sort of notification or warrant. Similarly, the author has noted both criminal and nation state actors that use cellular intercept to monitor law enforcement.
As ubiquitous and useful as mobile devices are, it’s clear that they can pose significant threats to enterprises and consumers alike. There are, however, ways to mitigate the risk:
- Install a mobile device management (MDM) product on all devices. MDM products provide the ability to remotely wipe stolen devices, automates the installation of patches and applications across the enterprise and and assists with regulatory compliance.
- Have an antivirus product running on the device, if possible (Apple devices do not permit the installation of antivirus apps).
- When travelling overseas use a secure voice and messaging product. Such applications provide the ability to do peer to peer communication, group messaging and conference calling. Some enable secure calling from hostile network environments by offering a secure link which transfers you to a landline phone. Additionally, messaging applications should contain a burn feature that enables users to set a timer within the application to determine how long a message stays resident on the device.
- Ensure all your data communications are secure by using a virtual private networking (VPN) product. VPNs create a secure “tunnel” connecting the user to enterprise backend systems. This ensures that data is securely passed from one party to another.
- Avoid free Wi-Fi when travelling abroad.
- Use a VPN when you are away from the security of your home or office network.
- Ensure the validity of the applications you download. This is as simple as ensuring that all apps are downloaded from valid sources like the the Google Play store, Apple’s AppStore or directly from a bank or retail outlet’s website.
- When travelling abroad use secure messaging and voice applications.
- Be wary when a foreign carrier prompts you to download a file in order to connect.
- Never scan a barcode.
The mobile phone market will continue to expand and evolve over the coming years. Implementing best practices for mobile use into daily routines now will help to ensure that you, your company, and your family will not become the target of cybercriminals.
This article originally appeared in the Summer 2017 edition of US Cybersecurity Magazine.