Mobile Security and why I Hate BYOD Policies
Mobile security has become a hot topic as of late, because of the increased number of people who are using their mobile devices (often, personal devices) in our new era of working from home. What does this mean for workplace security? And what are the implications to users now relying so heavily on their mobile devices?
To answer the last question first, YES! There are major implications to users relying on mobile devices, especially if the mobile devices are their own! Think of all the data that could be accessed if there is lax security on the device; there is both personal information and corporate information within their e-mails (some using the default mail apps!) This security risk is compounded in multiple ways by Bring Your Own Device (BYOD) policies, where users are taking their phones with them into the office.
It's a phone, what damage can it really do? Plenty, and I promise none of it is good.
The Physical and Application Threat Potential
First, there is the physical threat potential, particularly the OSI layer of 0 - Physical connections. Every phone has the capability of using physical connections, whether for data transfer and charging (unless you have a Qi charging capable phone). “It's a charging cable, what could it possibly do aside from charge your phone?” What if someone embedded a WiFi module within the cable? That has been done and it's a sneaky way to gain access to a user's computer without them even realizing something is amiss (until they see the actions occurring on the machine). This method relies on the user being within WiFi proximity to the cable being used, so the range is not great.
Other ways to get access to the device, in theory, include any USB port which could be a juice-jacking point if someone goes through the pain of modifying the cable. This could even mean forging a connection within hotel rooms or public spaces, given enough time, and lax enough security to perform the "swap" of parts. There is also the "Bad USB" which gets in through existing USB cables and drops payloads on machines. This could enable anything from attempting to exfiltrate logins (aka rubber ducky) or open up remote connectivity which allows a user access to the plugged-in machine and mobile device which is also connected. This vulnerability applies to both Androids and iPhones, really anything that could have a USB connection into the corporate environment.
Potential Software Issues
Back in the day, I was a Google device supporter for many years. I tested their G1 before it was released, tearing it down to find out what was inside (for work reasons, of course). I was a Chromebook tester (still have the OG chromebook with lifetime Verizon data connection). Back then, it was all about open source and security; do whatever you want, but if you root the phone or put on a different OS (ROM), the onus of liability falls on you, the user.
Unfortunately, that approach has shifted due to manufacturers adopting Android, but not the AOSP update model, which is making things like "Strandhogg 2.0" all the more dangerous. Considering that 15-20% of Android devices are running the latest version, you might say "well, people should be updating their phone", but what if you CAN'T update? Not because it is a rooted device with custom ROM running on it, but unable to get updates from Google themselves or the phone’s manufacturer. Sadly, this happens more than you would think and it's the main reason so many people are running deprecated operating systems on Android devices.
As mobile devices are now a point of entry into environments, how can you keep yourself and your corporate data safe? Personally, I use a zero-logging VPN on my phone which works on cellular and on WiFi. This helps to keep my device a bit more inaccessible as it's bouncing through any number of cities. I also make sure to keep strong passwords and use any available security feature to make it that much harder to access my phone (2FA being a very strong frontrunner for mobile!)
In February of 2020 there was a widespread infection of 300,000+ Android-based devices by “Joker”, and it happened after a veritable purge of the Google Play store which took close to 2,000 malware-embedded apps down. Google has attempted to keep the Play Store as clean as possible, but with so many submissions and the capability for users to “sideload” applications to devices, Google can only do so much.
Joker has multiple different components and is classified as a trojan with a C&C server on the back end. Once the malware is on your mobile device, it starts to subscribe the device to premium services and intercepts/deletes the SMS messages before the user sees them. Deleting the malware doesn’t stop the payments, so the user must track them down and cancel them which is annoying and time-consuming. To avoid this you need a mobile protection solution that can handle the adapting threat landscape and handle the analysis of those files while being able to adapt on the fly.
How long is it going to take for someone to pack ransomware into the manifest of an Android app, use the app as a dropper which only drops to the host machine once the device is plugged in via USB? The program could manipulate the device and utilize USB file transfers with the proper permission set. This would make a BYOD device, which is fast becoming one of the most common forms of enterprise-based devices, the perfect entry point for bad actors looking to gain easy access into a corporate environment. Further worsening the risk profile of BYOD is that almost all mobile-based AV solutions are still reliant on content updates delivered to them on a regular basis. It’s evident this threat is going to be persistent, undoubtedly the time has come to leverage a mobile protection product which is always learning with the power of AI and deep learning to help keep your employees, and most importantly your corporate data, safe from bad actors!