  • June 19, 2018

Desktop workstations, servers, network firewalls and switches, HVAC units and UPS devices all have one thing in common: as traditional in-house hardware they are quite easy to physically secure through restricted access, video monitoring, alarms and other anti-intrusion and anti-theft mechanisms.

Mobile devices, on the other hand, are far more difficult to secure due to their unique features. I discussed the challenges involved with mobile security with Sinan Eren, founder and CEO of mobile security provider Fyde.com and together we came up with the following problems and recommended strategies.

1. Portability

Mobile devices are at risk due to their very nature of being portable. Their comparatively small size and lack of physical security render them susceptible to loss or theft, which is why I recommend always keeping them on your person rather than in a purse or bag. These devices represent an attractive target for thieves since they can be resold with relative ease, unlike an HVAC system or Dell server, and are harder to track if the operating system has been wiped and the SIM card removed. Always maintain control of your phone; don't leave it unattended in a public place, and make sure you know how to use "Find my iPhone," Google's "Find my Phone" or some similar service.

2. Peeping Toms

When mobile devices are used in public, confidential information, including passwords or access codes, might be observed by unauthorized individuals. Even biometric protection may not mean much when it comes to keeping a malicious individual from accessing your phone. If your phone is stolen while unlocked, access to the contents becomes immediately available. And after all, someone under duress would likely be happy to provide a thief with a fingerprint swipe if it meant avoiding physical harm.

3. Risky device configuration

Mobile devices usually run with administrator rights and rarely use anti-malware protection, particularly in the case of consumer devices permitted for company use such as in a Bring Your Own Device (BYOD) arrangement.

In addition, stored data may be unencrypted, particularly on external micro-SD cards, which can put information at risk even with controls such as password requirements or biometric readers. Mobile device management solutions can help centralize and enforce security controls on these devices, but they are not without certain limitations and challenges. At the very least, enforce strong passwords and storage encryption on mobile devices.

TechRepublic editor Jason Hiner recently reported on a mobile device technology called TrustZone, which separates trusted apps/functions from those which are non-trusted. This promising concept can serve to sandbox potential threats and prevent them from impacting the device or the data involved, so this is something which should be considered when available for additional security.

4. Phishing attacks

"The main threat vector to mobile devices remains to be human-centric threats," Eren told me. He cited phishing attacks as a particular risk factor, pointing out that these do not target the operating system or the apps directly, unlike with desktop/laptop operating systems such as Windows.

Phishing attacks are problematic on mobile devices because of their small, narrow screens, which won't reveal fake URLs/domains in mobile browsers since you can't hover a mouse cursor over a link to show the actual location it represents. Additionally, attackers can attempt to trick potential victims into thinking a certain link is legitimate by using different alphanumeric characters, such as Spanish letters with accents. As a result, mobile users should be especially cautious about opening links through email, and may want to refrain from doing so until they can access their desktop or laptop system for a better analysis of the email.
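A mail or messaging filter can perform the check that hovering would have allowed on a desktop. The following Python is an added example, not code from the original article or from Fyde; the trusted-domain list, the sample message and all function names are assumptions made for illustration.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"example-bank.com", "example.org"}  # assumption: domains users expect
SAMPLE = (  # constructed message body; \u00e1 is an accented "a"
    '<a href="https://ex\u00e1mple-bank.com/login">example-bank.com</a>'
    '<a href="https://login.unrelated.invalid/x">https://example.org/reset</a>'
)

def skeleton(host):
    """Fold accented letters to base letters (NFKD, then drop combining marks)."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

class LinkCollector(HTMLParser):  # collects (visible text, href) per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Return [(href_host, punycode_host, reasons)] for links needing a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if not host.isascii():  # the detail a desktop hover would have exposed
            reasons.append("non-ascii-host")
            if skeleton(host) in TRUSTED:
                reasons.append("lookalike-of-" + skeleton(host))
        shown = re.fullmatch(r"(?:https?://)?([^\s/:]+\.[^\s/:]+)(?:[/:]\S*)?", text)
        if shown and shown.group(1).lower() != host:
            reasons.append("text-host-mismatch")
        if reasons:
            findings.append((host, host.encode("idna").decode("ascii"), reasons))
    return findings
```

The comparison is exact, so link text of `www.example.org` over an href of `example.org` is reported as a mismatch; normalise such prefixes to suit your own mail flow.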

5. Unauthorized iCloud/Google account access

Eren informed me that attackers have discovered that gaining access to an iCloud or Google account which controls the mobile device via the App Store/Play Store is much more effective than trying to find vulnerabilities and develop exploits for mobile, which is a labor- and time-intensive endeavor. The access provided represents the keys to the kingdom: confidential data, credit card information and more. An attacker with a compromised iCloud account can access the iCloud backups of the iDevice and recover data belonging to all apps on a mobile device, including messages, contacts and call logs.

One who steals these accounts can permanently track a device and remotely control several key actions (such as making unauthorized purchases or installing malicious apps), causing further damage. For this reason, utilizing complex passwords for iCloud/Google accounts which are frequently rotated and which have associated security questions which cannot be researched/easily guessed is a good protective technique.

6. Text-based attacks

Another issue Eren has observed is the fact that out-of-band communication channels, such as SMS/text messaging for mobile devices, do not offer sufficient filtering solutions and capabilities. Any attacker can easily acquire a Twilio account (Twilio is a cloud-based app development service through which a developer can send or receive text messages via application programming interfaces, or APIs) for a small fee and phish thousands of users within an hour. Phone number spoofing gives an attacker an additional edge here. If the attacker can spoof the short text message number your bank usually uses to communicate with you, it's quite likely that you would take it seriously. Always call the institution directly to inquire if the text message is legitimate; do not reply to requests for credentials or confidential data.

7. Malicious Wi-Fi networks

Eren's organization is also seeing attack schemes based on public Wi-Fi networks. These networks, offered by malicious individuals, require the use of a portal which asks users to sign in with a Google or Facebook account, which then provides the attackers access to the user credentials involved. Since many users employ the same passwords across multiple apps, this can result in a serious series of data breaches.

A particularly hazardous variation of this threat involves these malicious networks being set up next to financial institutions and asking users to sign in with their bank username/password to gain Internet access. Never utilize an unknown public network which demands your personal credentials in order to obtain access.

8. Desire for convenience

Eren noted that the nearly seamless user experience and reduced friction across user workflows are precisely what make mobile devices less secure. Attackers can more easily trick users because users do not want to waste time on prompts, warnings, having to log into separate applications, remembering multiple passwords and so forth. In short, users seek a hassle-free user experience without interruptions or flaws such as those which security apps might impose, for example by blocking malicious activity or apps, which is why security training, including outlining the dangers and risks of being complacent, is so essential.

"We like to think smart assistants (essentially on-device deployment of smart agents leveraging ML and other statistical techniques) can be quite helpful to combat phishing and other fake content / site issues in the near future," Eren concluded.