May 9, 2013
If you are concerned about having mobile devices on your network, and about BYOD in particular, you are not alone — and you are right to worry. Mobile devices face a variety of threats, depending on the platform. Here are five of the most important, in no particular order.
1. Theft or loss: theft is much more of a problem with smartphones and tablets than with desktops, plus they are easier to lose than laptops — indeed, probably the only thing easier to lose than a phone is a USB stick.
The chances are a smartphone or tablet will be stolen merely for the value of the hardware, but of course you cannot take the risk. Necessary precautions include encryption of all sensitive data, plus mobile device management (MDM) software that can remotely wipe a missing device. Bear in mind, though, that if the theft IS targeted, the first thing a clever thief will do is remove the battery and/or put the device into a Faraday cage so it can’t receive a wipe signal or report its position, so encryption is a must.
2. Vulnerabilities: just because there is less malware in the heavily curated Apple App Store than in the more open Android market, don’t let that fool you into thinking that iPhones are a safer bet. When computer security specialist Sourcefire studied operating system security for its “25 Years of Vulnerabilities” report earlier this year, it counted more known security holes — a total of 210 — in Apple iOS than in Android, Windows Phone, and BlackBerry put together.
The iPhone’s popularity and its relatively affluent users make it a rich target for criminal hackers, and given that it is a lot harder to break into an iPhone via dodgy apps, that means that hackers have more motivation to find security holes in iOS than in other systems. Apple also limits the kinds of security software that it will allow on its App Store — it doesn’t like anti-virus and firewall software, for instance. On the plus side, the Sourcefire researchers note that Apple has been working hard on mitigating its security problems.
There are also application vulnerabilities, though. Research by security specialist Trustwave for its 2013 Global Security Report showed that 90% of vulnerabilities common in desktop Web application tests were also present in mobile tests for Android and iOS.
As on the desktop, regular patching is essential, as unpatched vulnerabilities can be used to install malware. The importance of patching could be a reason to block the use of older handsets for BYOD, as they will no longer be getting security updates.
3. Malware: open platforms such as Android have notable advantages, but that openness brings risks too. The most notable is misuse of the ability to load unsigned apps and use appstores other than the main Google one, which does now scan apps for bad behavior. You do need to enable access to other appstores within the device, but this is fairly simple to do — and few users think to turn the feature off once it has been prompted for. Typical threats include legitimate-looking but fake (or pirated) apps hiding Trojans which send premium-rate text messages or log your keystrokes.
It is not just Android at risk: in 2011, Trend Micro researchers reported finding variants of the Zeus family of Trojans on BlackBerry, Windows Phone, and Nokia Symbian devices, all targeting banking passwords. And if the attacker can get hold of your phone for a few moments, commercial spyware such as FinSpy is available for pretty much every platform.
Fortunately, anti-malware and firewall software is available for most platforms. Sandboxing, either in software or built into the platform as with BlackBerry Balance and Samsung Knox, can also help by keeping business and personal usage separate. And if you need to install extra company-specific apps but don’t want to expose those to the Web, you may be able to set up your own private appstore or subscribe to a curated service.
4. BYOC (Bring Your Own Cloud): installing unauthorized apps is only part of the problem. Even if the apps are malware-free, the cloud storage that sits behind them is another matter. As well as the questions of jurisdiction and legalized espionage, some services store data unencrypted — very useful if you want to share a note with a friend or colleague, but less so if the URL is discovered by a stranger.
And then there is the matter of control — with staff using freemium versions of note-taking and task-list services such as Evernote, Google Keep, and Microsoft OneNote, not only does your organization have no control over the storage, but the service contract is owned by the employee. If anything drastic happens to that person, or if they leave the organization in a hurry, can you recover their data? What is the legal position, and who is liable for compliance or regulatory breaches?
One solution to the BYOC problem is for the organization to improve coordination and collaboration by buying into these services itself and providing them to staff, along with secure hosting. They do need to be at least as good as the freemium offerings, but many of those suppliers also offer commercial services — indeed, your colleagues could already be in breach of their terms and conditions in using the free version for work.
5. Spear-phishing: this is the most insidious, because a personalized attack is likely to involve unpatched zero-day exploits and/or specially crafted malware that will not be detected by standard scanners. Restricting mobile devices to specific VLANs, firewalling the BYOD network, and all the things you should do anyway on a company network, such as intrusion detection, data leakage prevention, and of course staff training, can all help. Look, too, at your mobile apps to see what data they are downloading to the device, where it is more vulnerable — some software development kits enable the app framework to live on the handset, but with data only pulled down in encrypted form at run-time.
Image credit: cogdogblog (flickr)