Could Smartphones be the Unsuspected Entry Point for a Network Attack?

By Matt Bossom

Last year, during the 2009 Black Hat event in Las Vegas, two security professionals presented research about the possibility of SMS attacks across a GSM network. Since that time, the frequency of inquiries from our clients about how to protect the enterprise from mobile-based attacks has increased. Although we personally have not seen mobile malware attacks “in the wild” and think mobile attacks will be a relatively low priority for attackers this year – we do believe that the concerns about enterprise management of cell phones in the corporate environment are legitimate for a couple of reasons.

Back in the late ’90s, many companies standardized on BlackBerrys. This meant that network and security folks only had to worry about one mobile operating system and a single enterprise management system to control device encryption, antivirus and malware detection. But things have changed. Employees are now buying (and using) Windows Mobile, Palm, Apple, Symbian, Android and whatever other types of phones and operating systems they want. With so many operating systems in play, it can be extremely difficult for companies to manage and secure all of the disparate mobile devices found in their environment. This has made the conditions ripe for a multitude of different mobile device attacks.

For instance, hackers sometimes impersonate carriers and send SMS and MMS messages to users’ phones. The hackers provide hyperlinks and ask for account information under the guise that they’re planning to activate new services. When victims click on the links, they can download malware that can expose personal data, including emails, contact lists and calendars. Compounding this issue is the myriad of apps folks put on their phones: because their ability to judge an app’s validity is limited, the probability that they willingly download an infected file is much greater.
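The carrier-impersonation lure described above has a recognisable shape: a message that claims to come from the carrier, carries a link to a host the carrier does not use, and asks for account details in exchange for activating a service. The following added example (not code from the original post) shows how a defender might triage incoming SMS text with those indicators. The sample messages, the `TRUSTED_CARRIER_HOSTS` allowlist and the keyword lists are constructed assumptions; a real deployment would load the allowlist from the carriers the organisation actually uses.

```python
"""Heuristic triage for carrier-impersonation SMS lures.

Added example. Sample messages, keyword lists and the carrier allowlist
below are constructed for illustration, not taken from a real deployment.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist: hostnames the organisation's real carriers use.
TRUSTED_CARRIER_HOSTS = {"example-carrier.com", "my.example-carrier.com"}

# Indicators drawn from the lure pattern: claimed carrier identity,
# a request for account credentials, and "activate a new service" bait.
CARRIER_CLAIMS = re.compile(
    r"\b(your carrier|wireless|mobile services?|billing dept)\b", re.I)
CREDENTIAL_ASKS = re.compile(
    r"\b(account (number|details|info)|password|pin|"
    r"verify your (account|identity)|confirm your)\b", re.I)
ACTIVATION_BAIT = re.compile(
    r"\b(activate|new service|upgrade|suspended)\b", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

# Constructed sample messages.
SAMPLE_LURE = ("Your carrier: to activate your new service, verify your "
               "account details at http://account-update.example.net/login")
SAMPLE_BILL = "Your monthly bill is ready at https://my.example-carrier.com/bill"
SAMPLE_PERSONAL = "Running late, see you at 7"


def extract_hosts(text):
    """Return the lowercased hostnames of every URL found in the message."""
    hosts = []
    for match in URL_RE.findall(text):
        url = match if match.lower().startswith("http") else "http://" + match
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def host_is_trusted(host):
    """True only if the host is an allowlisted domain or a subdomain of one.

    Suffix matching is anchored on a dot so that a look-alike such as
    'example-carrier.com.evil.example' is not accepted."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_CARRIER_HOSTS)


def score_sms(text):
    """Count the lure indicators present; returns (score, list of reasons)."""
    reasons = []
    hosts = extract_hosts(text)
    untrusted = [h for h in hosts if not host_is_trusted(h)]
    if untrusted:
        reasons.append("link to untrusted host: " + ", ".join(untrusted))
    if CARRIER_CLAIMS.search(text):
        reasons.append("claims to be the carrier")
    if CREDENTIAL_ASKS.search(text):
        reasons.append("asks for account credentials")
    if ACTIVATION_BAIT.search(text) and hosts:
        reasons.append("service-activation bait combined with a link")
    return len(reasons), reasons


def triage(text):
    """Map the indicator count to a verdict: 0 allow, 1-2 review, 3+ block."""
    score, reasons = score_sms(text)
    if score >= 3:
        verdict = "block"
    elif score >= 1:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "score": score, "reasons": reasons}


if __name__ == "__main__":
    for msg in (SAMPLE_LURE, SAMPLE_BILL, SAMPLE_PERSONAL):
        print(repr(msg[:50]), "->", triage(msg))
```

The allowlist check does the real work: a lure that mimics carrier wording still has to send the user somewhere, and a link whose host is outside the carrier's own domains is the indicator that survives rewording of the message text. The keyword matches only raise the score once a link is already suspect.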

Bluetooth, because it offers a more open delivery system, is also being leveraged to attack smartphones. For example, a hacker could walk by or stand in close proximity to unsuspecting users (somewhere within 10 to 30 meters) and use Bluetooth to send viruses or browse any unencrypted personal data. Most phones and Bluetooth headsets are configured to use a default password, and many users never change it. This type of attack is becoming increasingly common in hot spots such as restaurants, hotels and airports.

I know … it’s all very interesting, but why should you care? The reason: viruses on mobile devices provide an often-undetectable entry point into corporate networks. As soon as employees sync their phones with their laptops or desktops, they’re introducing viruses, malware and bots back into the corporate network.

Fortunately, there are measures you can take to protect your users and your company. For example, you can install software on corporate mobile devices that detects when someone is trying to attack using an MMS message or Bluetooth and blocks the attack automatically. There is also software that encrypts mobile device data so that the information cannot be accessed when devices are lost or stolen. And, if the enterprise standardizes on RIM-based smartphones, it can easily enforce “kill pills” – which are designed to wipe all the data on mobile devices when they are lost or stolen.

However, mobile security software isn’t a silver bullet. It is important for companies to enforce policies and implement processes for employee use of phones. And user education is one of the most valuable steps a company can take. It is the company’s responsibility to provide users with as much protection as possible, but it’s also up to the users to know what applications they are using on corporate-owned mobile devices and what they’re clicking on, along with who’s contacting them and why.