Lost and stolen smartphones and other mobile devices are the biggest mobile security threat to enterprises, according to security experts watching the evolving threat
I think these are still the early days and we still need to get a handle on the new risks and threat models and learn how to use some of the security strengths of the mobile platforms correctly.
Chris Wysopal, co-founder, CTO, Veracode
The risk of an employee leaving their smartphone behind at a restaurant or bar and having it fall into the wrong hands is far greater than an employee downloading malware onto their device, said Vikram Thakur, Symantec's principle security response manager.
While malicious activity on mobile devices is rising, all the known cybercriminal monetization schemes on smartphones fail to reach the revenue achievable in Windows, Thakur said in an interview with SearchSecurity.com. The potential still exists for a sustained and exponential increase in mobile device attacks, but it will likely take years before cybercriminals flock from the desktop to mobile devices, he said. New payment technologies, such as near field communications (NFC), which can turn any smartphone into a virtual credit card, may make attackers take a closer look at mobile platforms, Thakur said.
“There is a lot more real estate that the desktop malware authors have at their disposal, so the desktop will remain the most lucrative for years to come,” Thakur said.
But security experts are quick to caution enterprises from ignoring the future risks that smartphones pose to corporate data leakage. The attack surface is much greater on mobile devices and there are far fewer security controls, said Chris Wysopal, co-founder and CTO of Burlington, Mass.-based application vulnerability testing vendor Veracode Inc. Mobile platforms are going to be harder to secure, he said.
“You can do everything you can do on a laptop but you also have other things like location information, an SMS channel, voice dialing, a camera and sensors that are a potential way in,” Wysopal said. “I think these are still the early days and we still need to get a handle on the new risks and threat models and learn how to use some of the security strengths of the mobile platforms correctly.”
SearchSecurity.com spoke to several experts about the top five mobile phone security threats for 2012. Here’s what they had to say:
1. Geolocation madness
Europe has quickly caught on to the perceived invasion of privacy that location services pose on mobile device users. The U.K,’s Data Protection Act sets limits on location data collection. A person’s location in the U.K. can only be traced to the physical address of their Internet service provider. Many European Union countries have privacy laws in place regulating how Google, Yahoo and other tech firms can tag the location of individuals to provide relevant location-based content.
Many people believe the data could be abused. A device user’s location can be an extremely valuable piece of data for marketers. It also can add important and valuable functionality for certain applications. In April, Apple came under fire when a researcher discovered a file on the iPhone that contained a record of everywhere a user had been. Apple said it had never tracked users locations and it quickly updated its firmware to eliminate the data leakage.
Andrew Jaquith, CTO of Perimeter E-Security predicts the U.S. will follow Europe with a new privacy protection law in 2012. Privacy protection legislation will mostly address location-based services, but look for loopholes put in place for mobile carriers and other entities, Jaquith said.
“We’re going to see indiscriminant use of location-based information become a crime,” Jaquith said.
Other experts predict cybercriminals could eventually latch onto this location-based services trend with malware and other tricks that take advantage of location data to trick users into giving up more sensitive information about themselves, including account credentials.
2. Excessive permissions
Application permission requests were built into mobile platforms as a way to improve security, but those notifications, which require the end user to confirm an application’s breadth on a device, are being largely disregarded by device users. People are quick to choose functionality over security and privacy, said James Lyne, senior technologist at U.K.-based Sophos. Most device owners continue to give applications elevated privileges and that means the latest game they downloaded may have the functionality to tap into the device’s messaging app or location data.
“We don’t yet have the same security concerns and paranoia on the mobile device,” Lyne said. “As long as users think these devices are magically secure, they’re much more likely to fall for basic attacks.”
The permissions model isn’t perfect, but it does increase transparency, Lyne said. In November a researcher discovered a rogue mobile carrier diagnostics application running stealthily on some mobile devices. Carrier IQ software was placed on some devices by mobile carriers, but the software was not always optional, and in many cases users didn’t even know it was on their devices. Security and privacy advocates were outraged because the software could report GPS location data, record which dialer buttons were being pressed and the URLs being visited by device owners.
Any service provider is going to want to be able to track the usage of their network and their systems to improve and diagnose failures, said Veracode’s Wysopal. “The problem is people were surprised because it wasn’t disclosed to them,” Wysopal said. “It should be really clear what it’s used for, when it is turned on and what it collects so it’s not a mystery for anybody.”
3. Mobile application vulnerabilities
Researchers have been warning that the Google Android and Apple iOS app stores have given rise to a new crop of mobile application developers. Mobile application frameworks lack maturity, and when combined with the need for speed, that has resulted in applications with shoddy code, flaws and functionality that is not needed. Some developers churn out new mobile applications too quickly, Wysopal said. “We have customers who tell us they actually built their mobile app in two weeks. … That’s an indicator that a lot of security thinking isn’t going into this kind of development.”
Researchers studying mobile applications are finding a lot of coding errors. In an analysis conducted by researchers Mike Zusman and Zach Lanier of New York-based security consultancy Intrepidus Group, many applications had hidden coding errors that could lead to data leakage or privilege-escalation vulnerabilities. Speed leads to costly mistakes, such as authentication or authorization errors, poor file-system permissions and application permissions that are too lax, Lanier told SearchSecurity.com.
4. Unsecure Wi-Fi
At the airport or the local café, most devices automatically roam for the nearest open Wi-Fi hotspot. Unfortunately, automated tools make it easy for just about anyone to snoop on people or even take over their browsing session. Researchers have demonstrated that by using basic tools of the trade they could take over a person’s unsecure webmail session, Twitter or other social media account. Many services, including Google, have responded, supporting encrypted sessions that protect users on open Wi-Fi, but the threat remains.
The fear is that websites that don’t use SSL/TLS encryption correctly could be putting smartphone users at risk to a well-known Wi-Fi hotspot attack called sidejacking, network security expert Lisa Phifer told SearchSecurity.com in August. Last year, an automated tool called Firesheep was developed as a simple Mozilla Firefox plug-in that automates session hijacking attacks over unsecured Wi-Fi networks. The packet sniffer could analyze traffic between a Wi-Fi router and a person’s laptop or smartphone. Phifer said the tool reduces sidejacking to "point-and-click" simplicity on any network where other Web user's session cookies can be captured.
As a result of Wi-Fi insecurities, IBM researchers have developed a new Secure Open Wireless standard. The system uses a digital certificate to secure the Wi-Fi hotspot itself, preventing sidejacking or man-in-the-middle attacks. “We’re simply checking to make sure the SSID of the wireless access point is legitimate and when a client connects they establish an encrypted connection,” Tom Cross, threat intelligence manager at IBM X-Force and lead researcher behind Secure Open Wireless, told SearchSecurity.com. Until the standard is broadly adopted, many security experts warn smartphone and laptop users to limit browsing on open wireless networks.
5. Lost and stolen devices
With all the chatter from security experts about mobile malware, phishing, and other attacks that can take place remotely, the number one threat to individuals and enterprises remains lost and stolen devices. In New York City, taxi cab drivers report dozens of lost mobile phones found in the back of their cabs each week.
Four in 10 organizations have had mobile devices lost or stolen, and half of those lost or stolen devices contained business critical data, according to a smartphone security study (.pdf) issued in May. The study, undertaken by researchers at Carnegie Mellon University, and commissioned by McAfee, found that enterprises need to set appropriate policies and deploy encryption of sensitive data. “It comes down to access control, key management for collaboration and data sharing,” Chris Burchett, CTO and co-founder of Addison, Texas-based data encryption vendor Credant Technologies, told SearchSecurity.com.
Device owners rarely use a passphrase or code to protect unauthorized access to their device. That leaves the phone wide open to a thief. Contacts, email messages and data saved in some applications can be easily accessed by the average criminal. While most enterprise mobile security software suites have device location and wipe features, but a lack of security policy around personally owned devices means many employees and their organizations remain at risk. By the time a device is reported lost or stolen, a thief could have already made off with the data.