Letting workers bring their own devices to the office allows malware to outpace the security measures available, says Eric Doyle
Mobile malware is climbing alarmingly and the threat to companies grows by the day. The challenge is unlike any that IT has faced before: just about every threat that whole IT systems have had to contend with is now concentrated in a small, vulnerable and easily lost shell.
There is the obvious problem of losing a phone. Unlike a laptop, it can slip down the sofa or simply be left in the pub after a bit of relaxation following a busy day at work. The average UK user does not even bother to set a PIN or password to protect their phone – a device that now has the equivalent power of a desktop PC of less than ten years ago.
Around 67 percent of users do not have this basic level of security enabled on their phones, according to the results of a Sophos survey of 1,075 people published earlier this month. That is set against a background of 22 percent admitting to losing at least one phone in the past and 12 percent claiming their phone was stolen.
Questionable Security Levels
This is a shattering revelation for IT departments that are subject to company “bring your own device” (BYOD) policies. What percentage of the unprotected devices were also used for company business is not specified in the Sophos research but, even if it were only half, that would be over 360 of the 1,075 phones surveyed.
Beyond whatever is sitting in onboard storage, an unlocked phone raises further questions. How many have auto-login enabled for their business apps, how many use unsecured cloud services or storage, and how many hold the door codes for the building’s entry keypads?
Susceptibility to social engineering is also greater. The mobile user who does not get their phone out in public places is in the minority – if such a beast exists at all. Doing so advertises that they have a phone and opens them to any number of con tricks to part them from it – even just for a minute. Ask to see photos of the family and many people will open the multimedia app, pass the phone across and assume that the key presses made by the viewer are merely them flipping through the gallery.
Such close-quarters hacking is not even necessary. Waiting around airports can run down the power of a device as its owner browses the Internet, checks emails, reads a book or plays a game. Conveniently, many public places like these have charging stations offering a free charge-up.
The Power Of Juice-Jacking
Innocent though these power points may seem, a team of security professionals from Aires Security used the DefCon conference to show how these charging stations can be used for “juice jacking”. Plug in to charge through a USB link and the connection may simultaneously pump in power and suck out data.
“Anyone, who had an inclination to, could put a system inside of one of these kiosks that, when someone connects their phone, can suck down all of the photos and data, or write malware to the device,” Brian Markus, president of Aires Security, told Krebs on Security recently.
Even phones that allow the user to switch off USB transfer when charging appear to have a flaw that would allow the charging station to turn it on again. The underlying problem is that a single USB connector carries both power and data lines, so the phone cannot tell a dumb charger from a computer on the other end. How real this threat is has yet to be shown but the demonstration showed that it was more than an academic exercise. For truly proactive safety, Markus reckons that switching the device off completely will protect against any future exploit that may be planted within these stations; a charge-only cable with the data lines disconnected achieves the same isolation without powering down.
Most users view their smartphones as both business and entertainment devices, and there have been many cases discovered, especially in the Android world, where applications are used as Trojan horses to plant malware. The threat is smaller on iPhones because of the vetting procedures that Apple has in place, but the advent of HTML5 is allowing companies to produce browser-based apps that circumvent the iTunes AppStore and its review altogether.
All of this means that there is an opening for protection systems – and the anti-malware companies have been investing a lot of money into mobile device protection. As with desktop or laptop protection, anti-malware software is always advisable and phone manufacturers are starting to preload security software as a standard app.
This is commendable but the same situation applies as Sophos found with PINs – you can provide a pool of apps but you can’t make the users drink from it. There are no stats for how many of these on-board apps are immediately disabled but, by inference, the number is likely to be high.
Day Zero Is Ever-Present
We live in a zero-day world in which no one can predict where the next exploit will strike. A zero-day exploit targets a flaw that the vendor has not yet patched and that signature-based anti-malware has not yet seen, so a device can be hit whether its security software is enabled or not. Security software substantially lessens the likelihood of being hit, but there is still a chance that something will get through.
Cloud services suppliers that have been totally focused on PC protection are now looking at mobile devices.
“As business is increasingly conducted away from the desktop, there is a real need for enterprise-grade apps that provide organisations with flexibility that don’t sacrifice security,” said Fahim Siddiqui, chief product officer at cloud security provider IntraLinks.
As an initial play in this new market, IntraLinks has developed an iPhone and iPad app that links securely into the company’s collaboration and messaging cloud.
“IntraLinks users will continue to benefit from the same key features such as the ability to maintain full document tracking and audit compliance while receiving information in the palm of their hand,” Siddiqui claimed. He also said that time-outs, PIN codes, server authentication and encryption address security concerns within the IntraLinks environment.
Other companies are also tackling the new challenges but mobiles are still risky endpoints that sit outside the company firewall yet communicate within it. The best protection is a rigorous, enforced security policy that ensures users protect themselves to a suitable standard.
Naturally, two key requirements will be a mandatory lock-screen PIN or password and anti-malware software that stays enabled.
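The policy the article closes on can be made concrete as a device posture check of the kind an IT department would run against an exported device inventory. The following Python is an added example, not code from the article, from Sophos or from any vendor named above; the device fields, the constructed sample inventory and the five-minute lock timeout are assumptions chosen for illustration.

```python
# Added example, not from the original article: a BYOD posture check of the
# kind an IT department might run against an exported device inventory.
# The device records, the field names and the policy thresholds are all
# constructed assumptions for illustration; none come from the article or
# from the Sophos survey it cites.
from dataclasses import dataclass


@dataclass
class Device:
    owner: str
    platform: str
    screen_lock: bool           # PIN or password set
    lock_timeout_s: int         # idle seconds before the lock engages
    anti_malware_enabled: bool  # preloaded or installed security app running
    storage_encrypted: bool
    usb_data_enabled: bool      # USB data transfer allowed while charging
    reported_lost: bool = False
    used_for_business: bool = True


# Policy threshold: an assumed value, adjust to the organisation's standard.
MAX_LOCK_TIMEOUT_S = 300


def check_device(d: Device) -> list:
    """Return the policy findings for one device (empty list = compliant)."""
    findings = []
    if not d.screen_lock:
        findings.append("no PIN or password")
    elif d.lock_timeout_s > MAX_LOCK_TIMEOUT_S:
        findings.append("lock timeout longer than %ds" % MAX_LOCK_TIMEOUT_S)
    if not d.anti_malware_enabled:
        findings.append("anti-malware disabled")
    if not d.storage_encrypted:
        findings.append("storage not encrypted")
    if d.usb_data_enabled:
        findings.append("USB data transfer enabled while charging")
    if d.reported_lost:
        # A lost device is a credential-exposure event, not just a policy gap.
        findings.append("reported lost: wipe remotely and revoke its credentials")
    return findings


def audit(devices) -> dict:
    """Map owner -> findings for every business-use device that fails policy."""
    report = {}
    for d in devices:
        if not d.used_for_business:
            continue  # personal-only devices are out of scope for this policy
        findings = check_device(d)
        if findings:
            report[d.owner] = findings
    return report


def noncompliant_fraction(devices) -> float:
    """Share of business-use devices with at least one finding, 0.0 to 1.0."""
    in_scope = [d for d in devices if d.used_for_business]
    if not in_scope:
        return 0.0
    return len(audit(in_scope)) / len(in_scope)


# Constructed sample inventory (not real data).
SAMPLE_DEVICES = [
    Device("alice", "android", True, 60, True, True, False),
    Device("bob", "android", False, 0, False, False, True),
    Device("carol", "ios", True, 900, True, True, False),
    Device("dave", "ios", True, 120, True, True, False, reported_lost=True),
    Device("erin", "android", False, 0, False, False, True, used_for_business=False),
]

if __name__ == "__main__":
    for owner, findings in audit(SAMPLE_DEVICES).items():
        print(f"{owner}: {'; '.join(findings)}")
    print(f"non-compliant: {noncompliant_fraction(SAMPLE_DEVICES):.0%}")
```

The lost-device branch is deliberately a separate finding: a missing PIN is something the user can fix, whereas a lost phone with cached business logins is an incident that needs a remote wipe and credential revocation regardless of how well the device was configured.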