Smart Phones Have Not So Smart Security

Author: Dan Ross, CEO, Promisec (CSO Online)
20 November, 2015 11:01

Smartphones. They have spurred a global revolution in how we work, play, shop, and relate to one another. They fuel innovation and productivity in astonishing ways, reaching even the most distant and underdeveloped corners of the world. They have empowered the disenfranchised, democratized information sharing, and shined a spotlight on corruption. They are also addictive and pervasive, affecting everything from personal health to public safety. And all of this has happened in less than ten years.

By 2020, there will be over 6 billion smartphone users worldwide, compared to the current 2.6 billion smartphone subscriptions. This meteoric growth over the next 5 years will stimulate more positive developments, powering innovations we can’t yet imagine. But there is a downside to the rapid growth of mobile devices, especially when it comes to BYOD programs in the workplace. Long gone are the days when work and play were kept separate, one on a BlackBerry and the other on an iPhone. Because we use smartphones for every kind of communication and computing task all day long, the boundaries between business and personal use are blurred and all types of data, including sensitive corporate information, are commingled.

Smartphones are so wildly popular because of the convenience and ease they bring to our daily lives; paying careful attention to security measures or restricting our use goes against our human nature. Of course, we must create and enforce BYOD policies and raise awareness through training—for the sake of personal security and the protection of business networks and assets. But with billions of mobile users and a rapidly proliferating Internet of Things, no amount of policy or training will solve the growing risks created by these devices and their users. The technology itself must be made smarter and more secure. Everything from operating systems to device settings to apps to data to hardware is subject to attack. And each device and platform has proprietary and transparency issues; consumers are left with few truly secure choices. Options that are affordable as well as secure are even more limited.

As of 2015 Q2, Android market share was 82.8%, iOS 13.9%, and BlackBerry 0.3%. Android handsets tend to be more affordable, in part due to the competition among manufacturers; Samsung, Huawei, Xiaomi, and Lenovo are on top for now. Unfortunately, this also means that the more insecure devices, OS, and apps are the most prevalent. The Stagefright security flaws (now identified as two strains) potentially affect over a billion Android users. The flaws make it possible for hackers to take control of a device and steal data, with the trigger being as simple as receiving a text message or auto-playing an audio or video file. Google promptly issued patches, but the device manufacturers are notoriously slow to release updates and consumers are even worse at applying them. A particularly egregious example from earlier this year is Samsung’s pre-installed SwiftKey keyboard. SwiftKey updates over unencrypted lines, leaving devices vulnerable to man-in-the-middle attacks wherein hackers create spoof proxy servers to send malicious code to the devices. Users were not able to download a new keyboard to fix the bug, and because it was tied to the operating system, couldn’t uninstall or disable the vulnerable feature, even if they were using a different keyboard app. Samsung required months to fix the issue, and rollouts to carrier networks were slow and spotty. In the end, even savvy users ready to install patches (not the majority, by the way) were left exposed for half a year.
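The SwiftKey case above is a transport problem (updates fetched in the clear, so a spoofed proxy can hand the device any bytes it likes) compounded by a trust problem (the device applied whatever it received). The following Go program is an added illustration, not code from the article, Samsung or SwiftKey, of the two checks a device-side updater needs: refuse non-TLS update URLs, and verify a vendor signature over the update manifest and payload hash with a key baked into the device before anything is applied. The manifest format, the `updates.example.invalid` host and the key pair are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is a constructed, hypothetical manifest: the vendor signs the
// version string and the SHA-256 of the payload, and the device ships with the
// vendor's public key so it can check that signature offline.
type UpdateManifest struct {
	Version    string
	PayloadSHA [32]byte
	Signature  []byte // Ed25519 over Version || 0x00 || PayloadSHA
}

func signedMessage(m *UpdateManifest) []byte {
	buf := []byte(m.Version)
	buf = append(buf, 0) // separator so version and hash cannot be confused
	return append(buf, m.PayloadSHA[:]...)
}

// SignUpdate models the vendor's build server (assumed pipeline, not any
// real vendor's).
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	m := UpdateManifest{Version: version, PayloadSHA: sha256.Sum256(payload)}
	m.Signature = ed25519.Sign(priv, signedMessage(&m))
	return m
}

var (
	ErrInsecureTransport = errors.New("update URL is not https")
	ErrBadSignature      = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrPayloadMismatch   = errors.New("payload hash does not match the signed manifest")
)

// VerifyUpdate is the device-side check. TLS stops a proxy from reading or
// altering the download; the pinned-key signature catches a swapped payload or
// a forged manifest even if the transport were somehow subverted.
func VerifyUpdate(pub ed25519.PublicKey, updateURL string, m UpdateManifest, payload []byte) error {
	u, err := url.Parse(updateURL)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureTransport
	}
	if !ed25519.Verify(pub, signedMessage(&m), m.Signature) {
		return ErrBadSignature
	}
	got := sha256.Sum256(payload)
	if !bytes.Equal(got[:], m.PayloadSHA[:]) {
		return ErrPayloadMismatch
	}
	return nil
}

// Outcomes holds the verification result for each constructed scenario.
type Outcomes struct {
	Genuine, SwappedPayload, ForgedManifest, Plaintext error
}

// Scenario runs the honest case and three interference cases with freshly
// generated (constructed) keys and returns what the device decided each time.
func Scenario() Outcomes {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const good = "https://updates.example.invalid/keyboard" // constructed host
	payload := []byte("constructed keyboard update 1.2")
	m := SignUpdate(vendorPriv, "1.2", payload)

	// An intermediary without the vendor key can only substitute bytes or
	// sign with its own key; neither passes against the pinned vendorPub.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	other := []byte("constructed substitute bytes")
	forged := SignUpdate(otherPriv, "1.3", other)

	return Outcomes{
		Genuine:        VerifyUpdate(vendorPub, good, m, payload),
		SwappedPayload: VerifyUpdate(vendorPub, good, m, other),
		ForgedManifest: VerifyUpdate(vendorPub, good, forged, other),
		Plaintext:      VerifyUpdate(vendorPub, "http://updates.example.invalid/keyboard", m, payload),
	}
}

func main() {
	o := Scenario()
	fmt.Printf("genuine: %v\nswapped payload: %v\nforged manifest: %v\nplaintext transport: %v\n",
		o.Genuine, o.SwappedPayload, o.ForgedManifest, o.Plaintext)
}
```

The point of checking both is that each covers the other's gap: TLS alone still trusts whatever the server (or a compromised CDN) sends, while a signature alone leaves the request and response readable. A real updater would additionally reject downgrades by comparing `Version` against the installed one.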

The most obvious cyber security risks related to mobile devices arise from mobile apps. Employees’ and consumers’ insatiable appetite for more and better apps and games has driven rapid development, much of which is not properly tested for security. Cyber criminals have taken advantage of the situation, developing their own malicious apps and exploiting the vulnerabilities of popular apps to gain illicit access to devices and data. Exploited and malicious apps spread malware and spyware that eventually make their way from the personal device to the corporate network; the stolen access and data can be used to drain bank accounts, hold data for ransom, download intellectual property, orchestrate social engineering campaigns, strengthen broader cyber attacks, and much more. Even Apple’s famously rigorous App Store review process was violated, when malicious code called XcodeGhost made it past the process and into hundreds of apps.

Many businesses run their entire operation through apps, yet still struggle to build them securely. Uber, for example, has had a rash of data breaches related to their insecure apps for both drivers and customers, resulting in exposed personal information and hacker control of user accounts. Uber is a huge, well-funded company with a remarkable ability to withstand negative publicity, but many app-driven companies will be destroyed by similar security lapses. Moreover, as organizations develop apps internally for operations, marketing, finance, and other purposes, app security becomes directly linked to enterprise security. Rapid app development can lead to rapid demise if testing and security concerns are not top priority.

One of the reasons mobile devices make us so vulnerable to cyber attack is that they are constantly collecting, storing, and transmitting data about us, often without our explicit knowledge or consent. The data layer inherent to apps, web browsers, e-commerce, and social media is a treasure trove of PII, demographics, geo-location data, and online behavioral habits. Companies and marketing organizations are still working through the security and privacy implications of amassing, analyzing, and applying all this consumer data, and a host of regulations have sprung up to protect individuals. But cyber criminals, obviously, operate outside of policy and regulations and are clawing their way through to this invaluable data via multiple attack vectors. Securing this information should be the urgent mandate of any enterprise that uses it. On the other hand, consumers and citizens must be highly vigilant about their personal security and assets, operating always under the assumption that far too much of their information is out of their control and can be used against them.

Finally, the hardware aspect of mobile devices is in itself a huge problem. The wireless mobility, small form factor, and our habitual public use of these devices make them all too easy to lose or steal. Thanks to security features added to recent models, more users are using screen locks, but those who don’t have left themselves wide open at any point their device is not in hand. Researchers have found ways to remotely manipulate phones by sending radio signals to headphones; these kinds of vulnerabilities will be exploited more frequently as hackers look for new, more sophisticated ways to control mobile devices undetected.

As the infrastructure of smart, connected devices (IoT) begins to take shape, mobile devices will increasingly be used to remotely control machines, read sensors, and activate other consumer devices (e.g., appliances, home security systems). This presents yet another urgent reason to figure out how to lock down mobile devices in the event of loss or theft, and to harden the security of every component from hardware to operating system. The potential consequences of kinetic attacks in the physical world launched via mobile device are gravely alarming and will hopefully prompt more serious reflection and remediation than we’ve seen in the wake of numerous massive PII data breaches.

We love our smartphones and they are indeed miraculous inventions, but we’ve begun to open our eyes to their dark side. What can we do to protect ourselves and our workplaces? I found this summary helpful.

Here’s a partial list of recommendations:

  • Use strong passwords and do not re-use them across different sites/apps
  • Lock the screen with a password/PIN
  • Set up remote lock-out and find-my-phone features
  • Encrypt your phone to protect sensitive data
  • Back up routinely (to mitigate data loss in the event of a lost, stolen, ransomed, or damaged phone)
  • Use app permissions to control what each app is allowed to do (read messages, record audio, read call logs, manipulate the camera, gather location information, etc.)
  • Do not install apps from unknown sources, and set your phone to block third-party apps from installing; install only from Google Play, Apple’s App Store, and verified internal sources (trusted enterprise apps)
  • Turn on “Do Not Track” features, and log out of browsers, especially Chrome
  • Delete apps you don’t use
  • Patch immediately, especially for the OS or commonly used apps
  • Don’t leave Siri or Google Now enabled on the login screen

As I mentioned before, relying on consumer Internet and mobile hygiene habits is no way to secure a globally connected ecosystem comprised of billions of roaming devices. So what should we demand from technology vendors and device manufacturers? We know it is possible to make more secure devices: several companies have begun offering elite, specialized security platforms and smartphones: Samsung’s KNOX platform, Sikur’s GranitePhone, Silent Circle’s Blackphone, and BlackBerry’s Priv are a few examples. These phones are all more expensive than the relatively secure iPhone, which is already out of reach for the average consumer. We can only hope (and urge) that the advanced security features in these phones quickly become standard in mass-market devices as well. Google’s new Marshmallow OS for Android devices includes some encouraging upgrades, including encryption by default.

In the meantime, everything from operating systems to app development to big data practices requires greater scrutiny, better planning, and intense testing. Clearly, the development and release of patches needs to be sped up and streamlined. Segmentation of work and personal spaces on each device would ensure that corporate data was better protected and could be more easily controlled by endpoint security solutions and mobile device management products. Vendors should be more transparent with consumers about which apps are accessing data and smartphone functions (e.g., camera, audio recording). They must make it easier in general for users to understand how secure their device is overall, and how to tweak settings for more control and privacy, even if that doesn’t always work in the vendor’s favor.

We are literally all in this together. Our billions of devices are all interconnected, our data is free ranging, the cyber criminals are targeting all of us, and every type and size of business is at risk because of mobile device vulnerabilities. We should expect and demand better products and services, and use security features whenever feasible. Enterprises should already be setting up overarching training, policy, and technology solutions to protect their supply chains, employees, customers, and assets. Any organization that has failed to do so is courting disaster. Mobile security is a growing challenge that can be dealt with now. Make sure to make mobile security a priority so you won’t be left behind or be left exposed.

About the Author

With more than 30 years of successful entrepreneurial leadership and management experience, Dan Ross is responsible for strategic direction and day-to-day global management at Promisec. Promisec is a pioneer in endpoint visibility and remediation, empowering organizations to avoid threats and disarm attacks that can lead to unwanted headlines and penalties. Its technology assures users that their endpoints are secure, audits are clean, regulations are met, and vulnerabilities are addressed proactively.
