Does mobile mean a handheld device in today’s world? Not necessarily. The term ‘mobile’ often applies to a phone or even a laptop computer, but in my opinion the definition is changing. Mobile is no longer something you carry, but rather somewhere. Mobile is the place from which you access your systems and the Internet when that place is not an internally managed LAN and the endpoint is not a PC. This broader category extends to devices such as Internet-accessible cars and the ‘things’ of the Internet of Things (IoT): TVs, gaming consoles, fancy refrigerators.
The IoT will have a profound impact on nearly all of the things we’ve come to know and love in the world of Information Security, and its arrival is upon us. It is driving changes into daily life and will affect us positively and perhaps negatively, so preparing for this immutable trend is important. As with all massive trends, it is not possible to forecast every consequence; however, a few early changes in the information security space are clearly visible and should be factored into future programs.
What Threats Does ‘Mobile’ Pose to Modern Security?
The IoT, by its very definition, means that we are transitioning from mobile threats to omnipresent threats. The connection is no longer into a handheld but into an environment that could be a consumer or industrial device (e.g. TV, refrigerator, home security system), a wearable device (e.g. Google Glass, Fitbit), or really anything that is connected. This lets you envision a future in which the need to even carry a handheld device diminishes as the world around you becomes aware of its own Internet presence. Given these circumstances, the attack surface will increase dramatically, potentially to a point where enterprise security professionals enter a realm of utter unmanageability.
This causes a dramatic change in approach – similar to the way military aircraft had to change with the invention of threat radar systems and handheld surface-to-air missiles. The threat environment is clearly complex and, quite possibly, as dangerous. Simply said, the IoT raises the prospect of conscripted devices being put to work against you in a future ‘bot army.’
How is Mobile Security Getting Infiltrated?
One way hackers are infiltrating mobile security is through browser exploits. Client-side attacks on browsers remain the most popular approach, and although vulnerabilities in WebKit-based browsers are not new, these attacks are on the rise. They begin with a link sent to the victim; once the victim follows the natural call to action and opens the link, the attacker gains the same permissions as the browser. Most attackers will now chain an Elevation of Privilege (EoP) attack to achieve persistence on the device.
Vulnerable client-side applications, such as a PDF reader, are another potential point of infiltration. Malicious files, such as PDF, DOC, AVI, etc., can exploit a weakness in less than 40 seconds. This attack is becoming increasingly common for mobile users and, similarly to browser attacks, attackers will chain PDF vulnerabilities with EoP attacks. Other client-side software (calendar invites, default handlers, etc.) is an additional risk.
It is important to understand that apps are not the most important threat vector. In the past 2-3 years, it seemed that apps were the master of all evil, and nearly every mobile security upstart focused (or is currently focusing) on the app. The security protection industry grew up by conjecturing a threat generated from apps, with solutions based on ‘containerization and additional sandboxing technology’ – all of this to promote apps as the primary threat vector. Although such solutions are helpful, and without minimizing the threat associated with apps, the reality is that the data doesn’t really support the problem today. No, the reality of today’s tactical mobile security problem is actually something different. Put yourself into a cyber-criminal’s mind. Do you think you’d wait for a prospective target to download an app that you can exploit? Or is it more desirable to have more control over who and where you’d like to infiltrate? For a myriad of reasons, at the moment, it is unlikely apps will be used by the most heinous hackers to infiltrate organizations.
Both iOS and Android devices have been hacked using methods other than the ones I’ve described, and both iOS and Android should be considered equally legitimate targets for today’s threats. Embedded code is the real issue, especially in light of the prevalence of ‘rooting’ phones. Android phones and iPhones are routinely rooted or ‘jailbroken,’ and these devices represent outliers in security controls and data. This can result in out-of-date OS code, unauthorized modifications and the ability to add code that was previously deemed unsafe.
What Can You Do About These Threats?
Mobile security is not simple, and one should take multiple factors into consideration in terms of protection. First, establish the reputation of the device, its source and the endpoint. This is valuable, and can be accomplished by looking at the way in which the device connects, or at its ‘session analytics.’ The way in which the authentication and authorization series is executed can reveal anomalies in usage, such as an attempt to pollute upstream and downstream through improper session and account management. Lastly, and also important to consider, are the behavioral impacts of abusive transactions within a session itself, such as the ability to add code that was previously deemed unsafe.
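As an added illustration (not code from the original post), here is a small session-analytics check over constructed events that flags the kinds of anomalies described above: an authorization or transaction that arrives before authentication completes, one session token presented by several device fingerprints, and a burst of transactions within a single session. The event format, field names and the burst threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs): timestamp, device fingerprint, session id, event type
SAMPLE_EVENTS = """\
100 dev-A sess-1 auth_start
101 dev-A sess-1 auth_ok
102 dev-A sess-1 txn
110 dev-B sess-2 auth_start
111 dev-B sess-2 txn
120 dev-C sess-3 auth_start
121 dev-C sess-3 auth_ok
122 dev-D sess-3 authz_ok
130 dev-E sess-4 auth_start
131 dev-E sess-4 auth_ok
132 dev-E sess-4 txn
132 dev-E sess-4 txn
132 dev-E sess-4 txn
"""
TXN_BURST_LIMIT = 2  # assumed threshold: more than this many txns in one second is abusive

def parse_events(text):
    # Split each constructed line into (timestamp, device, session, event type)
    return [(int(t), d, s, k) for t, d, s, k in (l.split() for l in text.splitlines())]

def analyze_sessions(events):
    """Return sorted (session, reason) pairs for the three anomaly checks."""
    per_session = defaultdict(list)
    for ev in events:
        per_session[ev[2]].append(ev)
    findings = []
    for session, evs in per_session.items():
        evs.sort()
        # Check 1: one session token presented by several device fingerprints
        if len({e[1] for e in evs}) > 1:
            findings.append((session, "multiple devices"))
        authed, per_second = False, defaultdict(int)
        for ts, _, _, kind in evs:
            if kind == "auth_ok":
                authed = True
            elif kind in ("authz_ok", "txn") and not authed:
                # Check 2: authorization or transaction without a completed authentication
                findings.append((session, f"{kind} before auth_ok"))
                break
            if kind == "txn":
                per_second[ts] += 1
        # Check 3: abusive transaction burst within a single session
        if any(n > TXN_BURST_LIMIT for n in per_second.values()):
            findings.append((session, "txn burst"))
    return sorted(findings)
```

Sessions sess-2, sess-3 and sess-4 each trigger one check, while sess-1 shows the clean authenticate-then-transact series.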
Like any data communication network, mobile contains a range of security threats. Though some threats are easy to identify and mitigate, others are elusive, due to the unique structure and complexity of mobile networks. If you’re interested in learning more about not just device threats but the threats faced by mobile networks, including information on mobile network entry points and a thorough rundown of availability threats to mobile networks, I invite you to download the recent Availability Risks in Mobile Networks research report from the Radware Emergency Response Team.