With the pervasive growth of smart phone and tablet use, cybersecurity professionals are worried these devices could present new vulnerabilities to company systems. The Cipher Brief spoke with Michael Covington, Vice President of Product at Wandera, about the growing threats emanating from mobile devices and how he sees companies potentially addressing this new threat vector.
The Cipher Brief: What do you view as the greatest threat to mobile phones right now?
Michael Covington: We are seeing companies embrace mobility in the workplace and allowing employees to use these devices for both personal as well business functions. There are a number of risks these companies can encounter with mobile device deployments, including sensitive information leakage, non-compliant usage, as well as a data connection that is always on and always being billed. How does a company manage that?
We think about security risk holistically, so it is not just the threat that comes from a malicious actor, but also the risks that get introduced to the organization because of mobility. The biggest challenge most companies adopting broad mobility programs face is the lack of visibility; they simply do not know where the risk is so they can better manage it.
TCB: One of the more malicious activity-based aspects has been ransomware. How are threats like ransomware figuring into the mobile space?
MC: Mobile devices used as a pivot point for ransomware is interesting, but we haven’t seen that in any real, widespread way. Nobody has deployed a threat that sophisticated on mobile to my knowledge. And that’s a positive thing.
From a security perspective, ransomware does not present the same threat on mobile, because in reality, most people have their mobile data being automatically backed up. You have iCloud on iOS devices and Google Drive on Android. Everything on the phone is already backed up, so if you have ransomware infect the device, the end user is most likely to simply wipe the device, reset it, and download all the same data right back to it.
That said, we have seen a couple of ransomware incidents that were started by attacks against mobile operating systems that are also used in the embedded space. There was one ransomware variant that was actually developed for the Android platform; this attack made its way into an Android-based TV and prevented access to content and local media.
The attackers are probably testing the grounds right now, trying to see what platforms they can impact. But we’re not seeing anything too worrisome at the moment in terms of ransomware on mobile.
TCB: If ransomware is not such a threat, what is something that you find worrisome?
MC: One of things that jumps out at me is how people perceive mobile devices—they think they are secure. Most people do not run any type of security software on their mobile device, and that is because there is this widespread belief that these platforms are immune to any kind of malware, virus, or whatever may attack them. That’s not true.
We have seen some pretty nasty threats hit mobile devices over the last year. On the Android platform, the Stagefright vulnerability would allow an attacker to execute commands remotely on the device; proof of concept demonstrations showed how an MMS message could trigger the attack, without the user’s involvement. Similarly, on iOS, we saw the XcodeGhost incident, where a malicious version of Apple’s development environment was being used by developers to build apps that exfiltrated data and communicated with a command and control service. Believe it or not, we are seeing some even more aggressive attacks now.
I’m now starting to get worried about the next wave of malware that’s going to attack these platforms. It’s not going to be the type of malware that will hold them hostage; it’s going to be the type of malware that will use these platforms as a pivot point to get into the enterprise. As we see companies layer on security technologies, we hope that they don’t just do something as simple as, “let’s just put a VPN on it.” In many large organizations, there’s a faulty assumption about virtual private networks (VPNs) being the best way to secure a mobile device. In reality, a VPN doesn’t add any threat detection or mitigation capabilities; all a VPN does is secure traffic from the mobile device to the data center, and that includes malware traffic.
The industry needs to wake-up and look more at securing and hardening these platforms. They really haven’t done that to date, and with the threats we are seeing, it’s time for the users of mobile devices to become a bit more aware of what’s in their hands.
TCB: How does that interact with the rise of “bring your own device” (BYOD) culture?
MC: It starts with a company’s policy on what you can do with the device. Most of our customers have tried BYOD and actually pulled away because they’ve found it limited their ability to secure the devices as needed. In many situations, users are not obligated to use corporate tools on their personal devices. BYOD is a really interesting trend, but it is being weighed against the company’s need to protect the data as it goes in and out of those devices.
TCB: What can both enterprises and individuals do to try to keep their mobile devices more secure?
MC: Be mindful of what you do with the device. We have a lot of people who download any random application, regardless of source, because they want to see what it’s like. We saw it with PokemonGo. As soon as PokemonGo was announced, people were downloading it from third party app stores in order to jump ahead of the regional release schedule. That’s a big no-no; very quickly following that release, we saw malicious instances of that app already on those same third-party stores. So be mindful of the apps that you download.
Also, be mindful of the infrastructure that you connect to. So many people have been trained to save money when travelling by connecting to Wi-Fi. We have started to see more malicious hotspots pop up that are giving me concern, because now I’m seeing infrastructure that is not reliable. Users who see the infrastructure trying to force trust upon the device might want to think twice before connecting.
TCB: Looking towards the future in regards to cyber security on mobile phones, are you feeling optimistic?
MC: Analysts have taken note, they’re actually talking mobile threat defense as a rising capability that enterprises need to adopt. And we’re seeing a lot of the enterprise mobility management capabilities give an acknowledgement to the need for extra security as well.
“Mobile Security” is not just about making sure that there is a passcode on the device and that you can wipe it when you leave it in the back of a taxi cab. We have real malicious actors out there who are trying to get information off these phones. I’m optimistic that there is going to be a solution out there that will work to keep both enterprises and individuals safe as mobile technologies become even more pervasive in our world.