Mobile malware is climbing alarmingly and the threat to companies increases with each day. The challenge is unlike any that IT has faced because it contains just about every threat that whole IT systems have faced concentrated in a small vulnerable shell.
There is the obvious problem of losing a phone. Unlike a laptop, it can slip down the sofa or simply be left in the pub after a bit of relaxation following a busy day at work. The average UK user does not even bother to set a PIN or password to protect their phones – devices that now have the equivalent power of desktop PCs of less than ten years ago.
Around 67 percent of users do not have this basic level of security enabled on their phones, according to the results of a Sophos survey of 1,075 people published earlier this month. That is set against a background of 22 percent admitting to losing at least one phone in the past and 12 percent claiming their phone was stolen.
Beyond whatever sits in the onboard storage, a lost phone raises further questions. How many have auto logon enabled for their business apps, how many use unsecured cloud services or storage, and how many store physical passcodes for building entry pads?
The susceptibility to social engineering is also more likely. The mobile user who does not get their phone out in public places is in the minority – if such a beast exists at all. This advertises that they have a phone and opens them to any number of con tricks to part them from their phone – even just for a minute. Ask to see photos of the family and many people will open the multimedia app, pass the phone across and assume that the key presses made by the viewer are merely them flipping through the gallery.
Such close-quarters hacking is not necessary. Waiting around airports can run down the power of a device as its owner browses the Internet, checks emails, reads a book or plays a game. Fortunately many public places like these have charging stations for a free charge-up.
Innocent though these power points may seem, a team of security professionals from Aires Security used the DefCon conference to show how these charging stations can be used for “juice jacking”. Plug in to charge through a USB link and the connection may simultaneously pump in power and suck out data.
“Anyone, who had an inclination to, could put a system inside of one of these kiosks that, when someone connects their phone, can suck down all of the photos and data, or write malware to the device,” Brian Markus, president of Aires Security, told Krebs on Security recently.
Even phones that allow the user to switch off USB transfer when charging appear to have a flaw that would allow the charging station to turn it on again. How real this threat is has yet to be shown but the demonstration showed that it was more than an academic exercise. For truly proactive safety, Markus reckons that switching the device off completely will protect from any future exploit that may be planted within these stations.
Most users are viewing their smartphones as business and entertainment devices and there have been many cases discovered, especially in the Android world, where applications are used as Trojan horses to plant malware. The threat is less on iPhones, because of the vetting procedures that Apple have in place but the advent of HTML5 is allowing companies to produce browser apps and circumvent the iTunes AppStore.
This is commendable but the same situation applies as Sophos found with PIN passwords – you can provide a pool of apps but you can’t make the users drink from it. There are no stats for how many of these on-board apps are immediately disabled but, by inference, the number is likely to be high.
We live in a zero day world where no-one can predict where the next exploit will attack. Zero day means that everything is vulnerable whether the anti-malware software is enabled or not. Security software substantially lessens the likelihood of being hit, but there is still a chance that something will get through.
Cloud services suppliers that have been totally focused on PC protection are now looking at mobile devices.
“As business is increasingly conducted away from the desktop, there is a real need for enterprise-grade apps that provide organisations with flexibility that don’t sacrifice security,” said Fahim Siddiqui, chief product officer at cloud security provider IntraLinks.
As an initial play in this new market, IntraLinks has developed an iPhone and iPad app that securely links into the company’s collaboration and messaging cloud.
“IntraLinks users will continue to benefit from the same key features such as the ability to maintain full document tracking and audit compliance while receiving information in the palm of their hand,” Siddiqui claimed. He also said that time outs, PIN codes, server authentication and encryption address security concerns within the IntraLinks environment.
Other companies are also tackling the new challenges but mobiles are still risky endpoints that exist outside the company firewall but communicate within it. The best protection is a rigorous security policy to ensure that the users protect themselves to a suitable standard.
Naturally, two key requirements will be to implement login protection and enable the malware protection.
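The article's closing advice is a policy rather than a product: make sure every device has a lock set, malware protection on, no auto-logon for business apps, and USB data transfer off so a charging point cannot pull data. As an added illustration that is not part of the article, the script below evaluates a constructed device inventory against exactly those controls and produces both per-device findings and the fleet-wide percentages an IT team would compare against figures like the Sophos survey's. The `Device` fields, the inventory and the finding texts are all assumptions of this example.

```python
"""Mobile device policy compliance check over a constructed inventory.

Added example, not code from the article or from any vendor it mentions.
Evaluates each device against the controls the article names: a PIN/password
lock, malware protection turned on, no auto-logon for business apps, and USB
data transfer disabled while charging. Field names are this example's own.
"""
from dataclasses import dataclass


@dataclass
class Device:
    owner: str
    platform: str
    pin_set: bool
    malware_protection: bool
    auto_logon_business_apps: bool
    usb_data_transfer_enabled: bool
    reported_lost: bool = False


# Constructed sample inventory (not real data, not from the article).
INVENTORY = [
    Device("alice", "android", True, True, False, False),
    Device("bob", "android", False, False, True, True),
    Device("carol", "ios", True, False, False, True),
    Device("dave", "android", False, True, False, True, reported_lost=True),
]


def findings_for(device):
    """Return the list of policy failures for one device, most urgent first.

    A lost or stolen device outranks every other finding because the response
    (revoke sessions, remote wipe) is time-critical; the rest follow the order
    in which the article raises them.
    """
    findings = []
    if device.reported_lost:
        findings.append("lost/stolen: revoke tokens and issue remote wipe")
    if not device.pin_set:
        findings.append("no PIN/password lock set")
    if device.auto_logon_business_apps:
        findings.append("auto-logon enabled for business apps")
    if not device.malware_protection:
        findings.append("malware protection disabled")
    if device.usb_data_transfer_enabled:
        findings.append("USB data transfer enabled while charging (juice-jacking exposure)")
    return findings


def compliance_report(inventory):
    """Summarise the inventory: per-device findings plus fleet-wide percentages.

    Percentages are rounded to whole numbers so they read like survey figures.
    An empty inventory yields zero percentages rather than a division error.
    """
    per_device = {d.owner: findings_for(d) for d in inventory}
    total = len(inventory)

    def pct(predicate):
        if not total:
            return 0
        return round(100 * sum(1 for d in inventory if predicate(d)) / total)

    summary = {
        "devices": total,
        "compliant": sum(1 for f in per_device.values() if not f),
        "pct_without_pin": pct(lambda d: not d.pin_set),
        "pct_without_malware_protection": pct(lambda d: not d.malware_protection),
        "pct_usb_transfer_enabled": pct(lambda d: d.usb_data_transfer_enabled),
        "pct_lost_or_stolen": pct(lambda d: d.reported_lost),
    }
    return per_device, summary


if __name__ == "__main__":
    per_device, summary = compliance_report(INVENTORY)
    for owner, findings in per_device.items():
        status = "OK" if not findings else "FAIL"
        print(f"{owner:8} {status}")
        for finding in findings:
            print(f"    - {finding}")
    print(summary)
```

Run against a real MDM export, the same two functions give the numbers needed to decide whether the policy is actually being followed rather than merely written down, and the ordering of findings tells the helpdesk which device to deal with first.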