As mobile devices increase in usage and popularity, hackers have been looking for more ways to exploit them. People are using their devices in all aspects of their daily lives and are willing to share and store sensitive personal information in order to do so. Because there is more information available for exploitation, hackers have begun to avoid the quick attack, preferring to wait in the shadows and silently gather data. This week, we will go into detail on the top four security threats Metova foresees in mobile.
Threat #1: Mobile Devices Acting as Wi-Fi Enabled Trojan Horses
According to Pew Research Center, 64% of American adults now own a smartphone, and a majority of smartphone users carry their phone from place to place throughout the day. Users with compromised devices may inadvertently give attackers access to a number of networks throughout the day among home, office, and public Wi-Fi hotspots.
Despite what Hollywood may lead you to believe, most cybersecurity incidents are not obvious, acute problems that are easy to discover. Instead, sophisticated attackers will compromise networked devices and silently collect data for weeks or months. It is entirely possible for an attacker to infect a user’s mobile device and then collect any data visible on networks that trust the mobile device. This includes places of business, public Wi-Fi hotspots, and home networks. The data that can be gathered in such an attack is not limited to data sent or received by the infected device. Smartphones can be configured to passively listen for any data transferred over their local network, meaning data sent or received by any other mobile device or computer connected to the same Wi-Fi network will be compromised.
Further, the infected mobile device can be used as a launch pad for larger attacks. Once a vulnerability is discovered for other networked devices, an attacker can instruct an infected mobile device to infiltrate other devices on the trusted network. For example, a compromised smartphone can perform man-on-the-side attacks, generating false data or instructions for other devices on the network. A man-on-the-side attack can inject new code into visited web pages, replace login pages with false duplicates which report login credentials to a malicious server, and even replace application downloads with an infected application to further increase the attacker’s pool of compromised devices.
All of the above is possible because most households and businesses only focus on protecting their network perimeter. Once a trusted-but-compromised device is allowed on the network, little or no monitoring or verification of device behavior occurs, leaving the rest of the network open to attack from the inside.
Threat #2: Internet of Things as an Increasingly Large Attack Surface
There are numerous known security exploits for mobile devices, and savvy users can navigate around many of these exploits by only connecting to trusted Wi-Fi networks, avoiding malicious websites, and scrutinizing which applications are installed and running on their mobile device. However, the emerging trend of an Internet of Things (IoT) — a world full of Internet-connected devices and sensors — presents new challenges. IBM calls the insecurity of IoT devices “a time bomb ready to explode”.
Many IoT devices are small, embedded devices that do little in terms of security. Once an IoT device is configured to work with your smartphone or home network, the IoT device is trusted and assumed to be safe. However, an attacker could replace, modify, or spoof IoT device signals to trick a mobile device into performing undesirable functions. This opens the door to more security challenges for mobile devices. As more physical objects become connected to the Internet, there will be more opportunities for attackers to exploit newer and less sophisticated devices. Similar to the “Wi-Fi Enabled Trojan Horse” scenario described in Threat #1, once a trusted device is compromised or spoofed, other networked devices can be compromised, resulting in a domino effect.
For example, a Bluetooth Low Energy (BLE) device such as an iBeacon may be connected to a smartphone to detect when the smartphone user enters a room. An attacker targeting the smartphone user could set up a second iBeacon in a different location, designed to broadcast an identity that matches that of the first iBeacon. When the smartphone user comes within range of the malicious second iBeacon, the iBeacon could instruct the smartphone to visit a web page containing malicious code. From this web page, a known smartphone vulnerability could be employed to gain control of the smartphone through arbitrary code execution or installation of a malicious mobile application.
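The identity an iBeacon broadcasts is only a UUID, major and minor value sent in the clear, which is why the second beacon described above can match the first. The following added example (not from the original article; the UUID, addresses, enrollment table and function names are constructed for illustration) parses an advertisement and flags an enrolled identity that appears with an unexpected advertiser address or calibrated power.

```python
import struct
import uuid

APPLE_COMPANY_ID = 0x004C              # Bluetooth SIG company identifier used by iBeacon
IBEACON_TYPE, IBEACON_LEN = 0x02, 0x15

def parse_ibeacon(adv: bytes):
    """Walk the length/type/value AD structures; return iBeacon fields or None."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            break                      # padding or truncated structure
        ad_type, body = adv[i + 1], adv[i + 2:i + 1 + length]
        i += 1 + length
        if ad_type != 0xFF or len(body) != 25:
            continue                   # not manufacturer data of iBeacon size
        if struct.unpack_from("<HBB", body) != (APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN):
            continue
        major, minor, tx = struct.unpack_from(">HHb", body, 20)
        return {"id": (uuid.UUID(bytes=body[4:20]), major, minor), "tx_power": tx}
    return None

def assess(adv: bytes, advertiser_addr: str, enrolled: dict) -> str:
    """Compare an observed advertisement with what was recorded at enrollment."""
    beacon = parse_ibeacon(adv)
    if beacon is None:
        return "not-ibeacon"
    if beacon["id"] not in enrolled:
        return "unknown-beacon"
    expected_addr, expected_tx = enrolled[beacon["id"]]
    if advertiser_addr != expected_addr or beacon["tx_power"] != expected_tx:
        return "identity-reused"       # same UUID/major/minor, different transmitter
    return "consistent"

def build_adv(u: uuid.UUID, major: int, minor: int, tx: int) -> bytes:
    """Build a constructed sample advertisement (flags AD + iBeacon AD)."""
    body = struct.pack("<HBB", APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN)
    body += u.bytes + struct.pack(">HHb", major, minor, tx)
    return bytes([0x02, 0x01, 0x06, len(body) + 1, 0xFF]) + body

# Constructed sample data: one enrolled room beacon and two observations.
ROOM = uuid.UUID("12345678-1234-5678-1234-567812345678")
ENROLLED = {(ROOM, 1, 7): ("AA:BB:CC:00:00:01", -59)}
GENUINE = build_adv(ROOM, 1, 7, -59)
CLONE = build_adv(ROOM, 1, 7, -65)     # same identity, different calibration

if __name__ == "__main__":
    print(assess(GENUINE, "AA:BB:CC:00:00:01", ENROLLED))
    print(assess(CLONE, "AA:BB:CC:00:00:02", ENROLLED))
```

A `consistent` result is not proof of authenticity, because every field checked here is broadcast unauthenticated; apps should map beacon identities only to low-risk actions defined inside the app.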
Threat #3: Mobile Ransomware Is on the Rise
In 2014, mobile security firm Lookout identified some of the first ransomware applications to hit Android devices. Ransomware is malicious software which encrypts files or otherwise cripples device functionality until the user agrees to pay significant sums of money — often hundreds or thousands of dollars — to regain access to their files. This type of software has been known to infect desktop PCs for a few years, but 2014 saw the introduction of ransomware variants on Android devices. As the importance of smartphones grows in our everyday lives, ransomware creators will see Android and iPhone devices as more enticing and lucrative targets for attack.
Cryptolocker is perhaps the most successful piece of ransomware in existence. The software infects PCs, requiring users to pay a ransom in order to regain access to their computer. Simplocker similarly attacks Android devices. While ransomware is not yet widespread, iOS devices will certainly become a target as these types of attacks increase in frequency and sophistication.
Threat #4: A False Sense of Security on iPhone and iPad
Apple’s mobile operating system has had such a good track record of being relatively secure that mobile app developers and iPhone users alike have a false sense of security. In part, this security track record is due to a past lack of incentive to attack iOS devices. As the average user continues to spend more time on mobile devices and trust smartphones with more sensitive information, attackers will see iOS devices as a more appealing target.
As there is a relatively low number of known exploits for iOS devices, developers will oftentimes create applications without taking secure coding practices into consideration. Compared to other smartphone platforms, iOS does an excellent job of sandboxing applications, ensuring that data is not unintentionally shared between third-party apps. However, there are attack vectors that breach these walls. The knowledge that applications are sandboxed can lead to oversights and missteps in identifying and mitigating these risks.
The lack of prominent attacks on iOS devices will also lead to end users who are relatively less informed about the risks of mobile computing than their Android counterparts. Appropriately provisioned applications can be distributed to targeted iOS device users without going through the App Store. While this is not currently a popular attack vector, with the potential payoff of access to users’ mobile wallets, cyber criminals may shift their focus toward this and other tactics to infiltrate newer Apple Pay enabled devices.
Come back next week when we discuss opportunities in mobile security!
U.S. Smartphone Use in 2015: http://www.pewinternet.org/2015/04/01/us-smartphone-use-in-2015/
Man-on-the-side attacks: http://en.wikipedia.org/wiki/Man-on-the-side_attack
Beware the ticking Internet of Things security time bomb: http://www.networkworld.com/article/2921004/internet-of-things/beware-the-ticking-internet-of-things-security-time-bomb.html
Android Phones Hit By ‘Ransomware’: http://bits.blogs.nytimes.com/2014/08/22/android-phones-hit-by-ransomware/?_r=0
Cryptolocker: A Thriving Menace: http://www.symantec.com/connect/blogs/cryptolocker-thriving-menace
Mobile Crypto-Ransomware Simplocker now on Steroids: https://blog.avast.com/2015/02/10/mobile-crypto-ransomware-simplocker-now-on-steroids/