Hacking your back pocket

Oct 27, 2015


IT, security



There are two primary reasons why your smartphone is more likely to be hacked than other devices, according to Paul Hill, senior consultant with SystemExperts: the physical security of the devices and the use of untrustworthy networks.

“Mobile devices are more likely to be physically accessible to an attacker because the devices are not always within the security perimeter of company offices or data centers,” Hill explained. “Since the devices are taken out of the office, they are more likely to be stolen, lost, or accessed by an unauthorized individual if left unattended.”

Convenient, but vulnerable

As for the problem with untrustworthy networks, users tend to forget how easy it is for hackers to eavesdrop on unencrypted traffic. “If a user of mobile devices uses any unsecure protocols while the network is being monitored by a third party, account names, passwords, or any confidential data will be revealed to the eavesdropper,” said Hill.

In addition, Hill added, a compromised or hostile host on an untrustworthy network could send packets to devices on the local network and seek to discover known vulnerabilities on the mobile device, and then exploit the discovered vulnerability by sending the correct packets.

The cost of free WiFi

The very nature of mobile computing exposes more vulnerabilities than it hides, which increases the risk of an attack. There has been an increase in attack vectors that are unique to mobile devices, and the devices are susceptible because users aren’t thinking about security in the same way they would on a traditional computer.

Take the problem of rogue infrastructure, for instance. Rogue infrastructure is unique to mobile devices and did not previously threaten the enterprise because end users stayed within the confines of the protected network, said Michael J. Covington, Senior Director of Product Management for Wandera, which develops mobile security solutions. As users began to connect to corporate resources from outside that perimeter, threats had more direct access to the network and its data, largely because users aren’t taking the precautions to avoid untrustworthy situations. They continue to use open WiFi sources with zero authentication.

Apps have become so ubiquitous that it is easy to overlook basic security protocols before downloading. Also, users have been repeatedly told that apps downloaded from the App Store, Google Play, or a similar trusted source are safe. However, we’re beginning to see that that isn’t always the case.

“The reality is that there are very few security checks in place for the software in each of the major app stores–and this was demonstrated recently with the XcodeGhost malware that was distributed via the Apple App Store,” said Covington. “We have seen legitimate apps that leak sensitive personally identifiable information (PII) and the malicious ones are even worse.”

Making the situation more complicated, this type of “malware” cannot be identified using traditional approaches; detection can only be done in real time as the app communicates with cloud-based services.

A holistic approach toward BYOD security

Security tools haven’t kept up with smartphones. There is still a tendency to approach mobile security in the same way that desktop security has been implemented. “Battery life and the overall user experience both need to be respected as security solutions are deployed to mobile devices,” said Covington. “If administrators cannot win the support from end users, the security solutions they deploy will simply be disabled and ignored.”

So how can users and IT administrators best protect smartphones from hackers? The first place to start is with greater visibility, especially when the phones are personally owned and used as BYOD. “Administrators need to understand what their devices and networks are being used for in order to fully understand the risks they face and the defenses they need in place to protect the organization,” said Covington.

Once visibility is achieved, mobile professionals need to look holistically at risk. “Looking just at device configuration, for example, leaves the device vulnerable to infrastructure threats like rogue hotspots and man-in-the-middle attacks,” Covington added. Likewise, focusing too much on malware and “bad” apps ignores the real-time nature of the mobile device.

Smartphone users still tend to think of the device as a phone as opposed to a handheld computer that literally contains more personal information than any other single device they own. Because of that, users rarely take enough precautions to avoid security risks. Until they understand the reasons why a smartphone is a hacker’s dream device, users–and the networks they connect to–will continue to be primed for a breach.

Post by Sue Poremba

Sue Poremba is a security and technology writer based in central Pennsylvania.