3.31.23 – SSI – Darnell Washington
New and emerging hacking tools and exploits targeting mobile devices present challenges to systems integrators and their clients.
More than 90% of U.S. citizens aged 16-60 have smartphones. These aren’t the third generation of flip-phones but highly intuitive Apple, Samsung, Motorola, Nokia and other brands. These complex, innovative, multipurpose and flexible mobile devices are irreplaceable in our business and personal lives, yet the risk to privacy, health and national security has created critical consequences for public safety like never before.
We must now adapt to new challenges that demand a greater understanding of how to keep mobile devices safe and secure, so that you, your family and your business do not become victims of mobile device attack and exploitation.
Today’s smartphones are used for almost anything and everything other than conversations with others. We use our phones for entertainment, games, taking photos and selfies, accessing banking apps, texting and finding locations of interest with GPS. Companies that still allow employees to use personal phones in corporate environments (Bring Your Own Device, or BYOD) expose themselves to a multitude of risks, including corporate espionage, data exfiltration and ransomware.
According to Paldesk, U.S. smartphone users send and receive five times more texts than they make or receive calls. This opens the door to increased human error: accepting malicious downloads, agreeing to terms and conditions presented through malformed text hyperlinks, and manipulation of configuration settings on mobile devices. New legislation requiring cyber breach notification on a national level is expected later this year.
Meanwhile, recent legislation requiring federal agencies and corporations to report cyber breaches has ushered in a new era of what must be done to protect mobile devices. Healthcare applications used within smartphone devices will likely require much more stringent regulation from the FDA as it begins to classify smartphones as “medical devices.”
The landscape is also changing as we evolve beyond talk, text and web as the primary services offered by our smartphones and mobile devices. We now have integrated sensors that detect motion, environment (temperature, humidity) and position. We also have more complex integrations with applications used for medical diagnostics (blood pressure, diabetes treatments, treatment monitoring), further highlighting that the need for increased security on mobile devices has never been more critical.
Without greater education and focus on mobile device security, cyber attackers will continue to have myriad tools that capture exploitable data, ultimately leading to a cyber breach and loss of personal information. That encompasses stored passwords, photos, emails, files and account information. Network credentials that enable privileged access to your company-owned and protected networks and systems will also be compromised, exploited and used for financial gain.
While users may trust the manufacturers of the phones for providing appropriate security … what about the app developers? Those include downloads for everything from opening your garage door, turning on lights/fans, monitoring video surveillance or tracking your heartbeat and steps at regular intervals.
Additional mobile device compromises include the monitoring of corporate email accounts by unauthorized users, leading to corporate espionage and loss of intellectual property, ransomware, fines, and diminished reputation in the eyes of shareholders and stakeholders.
Basics of Mobile Device Security
If you are using a smartphone for business and personal use, it is essential that you and your organization understand not only the security precautions but also the assurances given by third-party vendors that provide mobile access to legacy applications; it is essential that those vendors meet baseline cybersecurity requirements.
Mobile device security, or mobile device management (MDM), consists mostly of remote administration, often delivered by third-party vendors, for companies whose staff have a wide assortment of duties. With an increasingly diverse alternative-work or work-from-home environment, protecting devices from anywhere, at any time, even in environmentally challenging conditions, is essential. The goal is to keep devices secure while keeping the workforce flexible and productive.
There are five primary tools used in MDM, enabling the cybersecurity administrator (or even an IT administrator for a small office) to control the use of smartphones within an organization. Most small businesses are extremely lax in understanding the risks of BYOD and personally owned smartphones within a small business environment. These MDM tools include:
- Device Tracking: Knowing where the devices are.
- Mobile Management: Able to maintain lifecycle management and support of devices.
- Application Security: Whitelisting, blacklisting and managing third-party application governance.
- Identity & Access Management: Protecting user controls from circumvention and ensuring a trusted relationship between the user and the device, free from unauthorized activity.
- Endpoint Security: Protection of the device from perimeter and location-based threats.
Successful MDM within an enterprise requires a complete set of controls that identify and detect rogue devices that connect to wireless networks and scan the perimeter and environment.
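The rogue-device detection described above amounts to correlating what the wireless network sees against what the MDM enrollment inventory says should be there. The following added example (not from the article or any MDM vendor) walks a set of constructed wireless-controller association log lines, normalizes the MAC address, and flags two conditions on the corporate SSID: a device that is not enrolled at all, and an enrolled device whose inventory record says it is out of compliance. The log line shape, the inventory fields and every MAC address are assumptions made up for the example.

```python
"""Rogue-device detection over wireless association logs.

Added example: the syslog-like line format, the MDM inventory fields and all
MAC addresses below are constructed for illustration, not taken from a real
controller or MDM product.
"""
import re
from dataclasses import dataclass

# Constructed MDM inventory keyed by lower-case MAC. A real export would come
# from the MDM vendor's API; these records are invented.
ENROLLED = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "encrypted": True, "screen_lock": True},
    "aa:bb:cc:00:00:02": {"owner": "bob", "encrypted": False, "screen_lock": True},
    "aa:bb:cc:00:00:03": {"owner": "carol", "encrypted": True, "screen_lock": False},
}

# Constructed association log lines (hypothetical wireless controller format).
SAMPLE_LOG = """\
2023-03-31T09:01:12Z wlc01 assoc ssid=CORP mac=aa:bb:cc:00:00:01 ap=floor2-ap3
2023-03-31T09:02:40Z wlc01 assoc ssid=CORP mac=de:ad:be:ef:00:99 ap=floor2-ap1
2023-03-31T09:03:05Z wlc01 assoc ssid=CORP mac=AA:BB:CC:00:00:02 ap=floor1-ap2
2023-03-31T09:03:30Z wlc01 assoc ssid=CORP mac=aa:bb:cc:00:00:03 ap=floor1-ap2
2023-03-31T09:04:00Z wlc01 assoc ssid=GUEST mac=12:34:56:78:9a:bc ap=lobby-ap1
2023-03-31T09:05:00Z wlc01 heartbeat ok
"""

# Only association events carry a MAC; other lines (heartbeats etc.) are skipped.
LINE_RE = re.compile(
    r"assoc ssid=(?P<ssid>\S+) mac=(?P<mac>[0-9a-fA-F:]{17}) ap=(?P<ap>\S+)"
)


@dataclass
class Finding:
    mac: str
    ssid: str
    ap: str
    reason: str


def audit_associations(log_text, enrolled, corporate_ssids=("CORP",)):
    """Return a Finding for every corporate-SSID association that is either
    from an unenrolled device or from an enrolled but non-compliant one."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Controllers differ in MAC casing; normalize before the lookup so an
        # upper-case MAC is not mistaken for a rogue device.
        mac = m["mac"].lower()
        ssid, ap = m["ssid"], m["ap"]
        if ssid not in corporate_ssids:
            continue  # guest network is outside MDM enforcement scope
        rec = enrolled.get(mac)
        if rec is None:
            findings.append(Finding(mac, ssid, ap, "not enrolled in MDM"))
            continue
        if not rec["encrypted"]:
            findings.append(Finding(mac, ssid, ap, f"enrolled ({rec['owner']}) but storage not encrypted"))
        if not rec["screen_lock"]:
            findings.append(Finding(mac, ssid, ap, f"enrolled ({rec['owner']}) but no screen lock"))
    return findings


if __name__ == "__main__":
    for f in audit_associations(SAMPLE_LOG, ENROLLED):
        print(f"{f.mac} on {f.ssid} via {f.ap}: {f.reason}")
```

In practice the inventory would be refreshed from the MDM on a schedule and the findings fed to the SIEM or ticketing system; the point of the example is that enrollment status and compliance status are separate checks, and both have to be evaluated per association event.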
Mobile device administrators must become cognizant of privacy controls and device settings, and must educate end users so that they become intimately aware of the terms and conditions regarding what information is stored, processed and collected. Company IT administrators must also be aware that the legal requirements governing installation of applications without the consent of the owner are very restrictive, and that violating them could lead to criminal investigation and prosecution.
Exploiting Mobile Devices
Cost pressures that require organizations to allow BYOD reduce the ability, from a legal perspective, to monitor the activities of employee-owned smartphone devices. While password hacking remains at the top of the list, reused credentials, stored passwords, and cached credentials kept in browsers and applications continue to plague organizations with data loss and the copying and sharing of company data.
The most common way to compromise a mobile phone is through downloading malware from an untrusted site or from a malicious link. This type of attack does not require the cyber attacker to be in physical proximity to the smartphone. This type of malware install requires a code injection or script injection.
Code injection is when malware is introduced to alter the way an application works or how the operating system behaves. This may include keyloggers or other software that collects names and phone numbers and transmits them to remote locations. Script injections are known to perform specific tasks, such as opening a wireless port, or turning specific security features on your mobile device on or off.
Now consider new exploits that cyber attackers can perform when they are within physical proximity to the smartphone. We have known about man-in-the-middle attacks, where the attacker relays the communication between two parties to an outside third party, but now we can add woman-in-the-middle attacks. This is where the attacker receives the communication, alters the communications being sent and received, and modifies the message being relayed to outside parties.
If a criminal gets hold of your physical smartphone, they can extract the SIM card, clone the phone using commercial off-the-shelf mobile forensic kits, and generate SMS and text messages to gain access to multifactor authentication (2FA) to access corporate applications, email, and proprietary third-party vendor apps. This is known as SIM swapping.
New Tools of the Trade
Despite the fact that hacking a smartphone violates federal wiretapping laws and carries a maximum sentence of 20 years in prison and a $100,000 fine, you can purchase cellphone hacking tools directly from the web.
Malicious USB and cellphone charging cables can be purchased on the Internet that have similar functionality to standard cables, except that pre-scripted malware is injected into your phone. An example of this hack is described at www.mitnicksecurity.com/blog/the-latest-malware-threat-the-usb-ninja-cable. There is even technical support for various products in the event you have questions or issues configuring or using them!
Don’t forget BadUSB devices and “rubber ducky” exploits, where all that is required is a powered-on machine and an open USB port. Host devices are then infected with malicious code to extract personal or corporate information. This can also be done wirelessly, in a variant known as “WiFi duck.” In this case, a phone that has not been jailbroken can be injected from a remote location over detectable WiFi. Another popular tool that can be used when a physical phone is present is known as “MalDuino W,” which plugs and plays into a USB-C port on an Android device.
GoodFirms reports that only 63% of mobile phone users change their passwords, with the remainder using the same password for multiple applications within their smartphone. Over half reported that they share this password with family, friends and colleagues.
What You Can Do
Until self-protecting smartphones are developed, we must protect ourselves today. Password hygiene remains at the top of the list, along with reused credentials, stored passwords and cached credentials kept in browsers and applications. These oversights continue to plague organizations that succumb to cost pressures, allowing employees to continue using BYOD laptops and mobile phones for corporate use. Here are some best practice tips:
- Use a separate smartphone for business. Isolate personal data and business data on each device.
- Do not use cables or cords that belong to others.
- Understand the configuration settings of your device and customize permissions for each application.
- Use a password manager for your mobile device.
- Use a mobile VPN client if you connect to public WiFi.
- Avoid websites that are not owned specifically by a product manufacturer or company. Cyber attackers will divert you and prompt you to download malicious APK files and viruses onto your phone by embedding them into text applications. Once installed, the attacker will continuously gain access to sensitive information stored on your device.
- Avoid entertainment and social media applications like TikTok that are owned by nation-state attackers that can manipulate or collect important data from users.
- Carefully read all the terms and conditions of applications that store medical and financial data.
- Hire a qualified consultant to conduct a digital forensics analysis on your current devices, and harden the security baseline on your device.
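The tip about understanding configuration settings and customizing permissions per application is easiest to act on with a repeatable audit rather than tapping through every settings screen. The following added example (not from the article) parses text in the shape of Android's `adb shell dumpsys package` output, collects the runtime permissions each package has actually been granted, and flags packages that hold sensitive permissions beyond what their stated purpose requires. The sample dump, the package names and the "expected permissions" policy are constructed for the example; the list of permissions treated as sensitive is a chosen subset, not an authoritative one.

```python
"""Per-app permission audit over dumpsys-style output.

Added example: SAMPLE_DUMPSYS is constructed to resemble the output of
`adb shell dumpsys package`, it was not captured from a device, and the
package names and policy below are invented for illustration.
"""
import re

# Permissions this audit treats as sensitive. A chosen subset for the example,
# not Android's full "dangerous" protection-level list.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
}

# Constructed sample in the shape of dumpsys output (package names invented).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (a1b2c3):
    userId=10123
    versionName=2.1
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
  Package [com.example.bank] (d4e5f6):
    userId=10124
    versionName=5.0
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET]
"""

PKG_RE = re.compile(r"^\s*Package \[(?P<pkg>[\w.]+)\]")
PERM_RE = re.compile(
    r"^\s*(?P<perm>android\.permission\.\w+): granted=(?P<granted>true|false)"
)


def parse_granted(dump):
    """Return {package: set of runtime permissions with granted=true}.

    Permissions listed with granted=false are deliberately ignored: a
    requested-but-denied permission is not an exposure."""
    result = {}
    current = None
    for line in dump.splitlines():
        pm = PKG_RE.match(line)
        if pm:
            current = pm["pkg"]
            result.setdefault(current, set())
            continue
        rm = PERM_RE.match(line)
        if rm and current is not None and rm["granted"] == "true":
            result[current].add(rm["perm"])
    return result


def flag_overprivileged(granted, expected):
    """Return {package: sorted list of sensitive permissions it holds but
    is not expected to need}. `expected` maps package -> set of sensitive
    permissions the reviewer accepts for that app (a constructed policy)."""
    findings = {}
    for pkg, perms in granted.items():
        excess = (perms & SENSITIVE) - expected.get(pkg, set())
        if excess:
            findings[pkg] = sorted(excess)
    return findings


# Constructed policy: a banking app may use the camera (e.g. check deposit);
# a flashlight app needs none of the sensitive permissions.
EXPECTED = {"com.example.bank": {"android.permission.CAMERA"}}


if __name__ == "__main__":
    for pkg, perms in flag_overprivileged(parse_granted(SAMPLE_DUMPSYS), EXPECTED).items():
        print(f"{pkg}: revoke {', '.join(perms)}")
```

On a real device the dump would come from `adb shell dumpsys package <package>` for each installed package, and the findings are the list of permissions to revoke in the app's settings screen; keeping the "expected" policy in a file lets the audit be re-run after every app update, which is when silently widened permission sets tend to appear.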
As humans continue to be the weakest link in any physical or digital security medium, we need to continue to educate ourselves. Be vigilant and stop doing foolish stuff!
Darnell Washington is President and CEO of SecureXperts.