Mobile security: The risk of blurring boundaries

Hackers only have to get lucky once, whereas an enterprise has to stay lucky every day.

What a year 2016 has been. The UK voted to leave the EU, Theresa May became Prime Minister and, in arguably the most contentious election cycle of all time, the USA decided Donald Trump should be President. A possible contributor to Hillary Clinton’s loss is the email scandal that broke during her campaign. For all those living (blissfully) under a rock over the past few months, Mrs. Clinton was found to have used her family's private email server for official communications while Secretary of State.

While it was determined that no criminal wrongdoing took place, the scandal does raise an interesting debate about the use of personal technology for work purposes. Indeed, how many of us use our personal phones to access or send work emails without ever thinking about security? Sure, we may not be the Secretary of State, but many of us casually use our mobiles for both personal and professional purposes without thinking twice. The same mobile that is used to access an important email or presentation on the go is then used to download the latest game or productivity app, or to stream a viral online video.

Now you may think this is totally fine, but that’s a dangerous mindset. In the wrong hands, the sensitive professional data you access from your phone could be harmful to the company you work for.

The threat in your employee’s palm

As a species we’re very bad at judging risk. We all think about worst-case scenarios, but in the same breath will utter, “but that will never happen to me”. The problem is that in today’s connected, ‘always on’ society, in which people are all too willing, sometimes naively so, to tap links or open attachments on their mobile, everyone is at risk. People open, download and interact with material on their mobiles that they wouldn’t usually touch on a corporate PC, making these devices the perfect access point for cyber criminals.

And whilst almost every corporate organisation puts anti-virus software on its computers, it has no security measures at all in place on its employees’ smartphones. Mobile phishing attacks can come through a number of channels: the classic email message, an SMS, and these days increasingly apps made to look like those of well-known brands that instead trick people into handing over their information. Most victims won’t even know until it is too late. Perhaps worse yet are legitimate apps that hide unwanted functionality in the small print.

Add to this the fact that mobiles are always “on” and carry a consistent set of features that make them ideally suited as surveillance tools, including microphones, high-resolution cameras, embedded GPS and multiple network interfaces such as cellular, Wi-Fi and Bluetooth, and you start to realise just how vulnerable these devices are. Each employee in your company holds a potential vulnerability in the palm of their hand.

It’s not all doom and gloom, but don’t be fooled

The threat landscape is ever expanding, and hackers are continually finding new ways to exploit vulnerabilities in mobile devices. In recent months we have seen more sophisticated actors getting involved in mobile security breaches, as the value of the data being stored, unprotected, on the mobile increases. With malware becoming increasingly prevalent on mobile devices, security companies such as ourselves are constantly working to stay ahead of these attackers.

To put it into context, our researchers currently acquire roughly 90,000 unique mobile apps each day. We use this visibility to identify malicious campaigns and new malware families as they emerge, allowing us to deploy mitigations to our customers before serious damage is done. To combat the continual rise in mobile malware, our researchers use machine learning algorithms to track and automatically flag the different malware families over their lifetime. This raises the bar significantly for the developers behind these malicious apps and essentially forces them to rewrite their entire code base, a costly process. The thing is, all of this becomes irrelevant if the mobile device these adversaries are attacking isn’t protected in the first place.

Hackers only have to get lucky once, whereas an enterprise has to stay lucky every day. That said, you have an opportunity to change the odds in favour of your business. You need to start treating mobiles the same way you would your corporate networks, PCs and laptops. You would never provide employees with a laptop that didn’t have anti-virus software installed, and unless you and all your employees are willing to go back to using a Nokia 3310 or a flip phone with no data connection, mobile devices need to be treated in the same way.

Michael Flossman, Security Analyst at Lookout

ABOUT THE AUTHOR

Michael Flossman is a Security Analyst at Lookout and was part of the team that uncovered the recent Trident iOS vulnerabilities.