Uncovering Mobile Vulnerabilities for Organisations
The mobile phone today is not only connected to the internet, it is also immensely capable in the range of tasks it can carry out. Everyone carries a mobile phone and uses it constantly.
Many people overlook the risks posed by the mobile phone. Some even argue that it is paranoid to imagine that such a small device can compromise the security of an entire organization.
But threats to mobile devices are not only real but increasingly sophisticated.
Mobile Security Breaches Are Real
One interesting case study shared by a major pharmaceutical company illustrates this danger. In a classic whaling scam, an innocent-looking gaming app was used to target executives, leading them to divulge confidential company information and to make a payment to a fake supplier.
It started when the son of a mid-level purchasing manager used the company’s mobile phone to download a mobile game.
Unfortunately, the game itself contained stealthy malicious code and a keylogger that registered every keystroke entered into the device. The app recorded the corporate email login credentials, which the attacker then used to log into the email account, browse through the history of emails and obtain information about the company’s suppliers.
With this knowledge, the attackers sent an email to the purchasing manager, impersonating a supplier, and requested that payment now be made to their “new bank account”. The company made the change and fell victim to this scam.
While the hacking did not take place directly within the enterprise’s network, the attackers were nonetheless able to gain access to sensitive corporate information and execute an attack.
Mobile threats can also come from sources that appear to be legitimate. Another example is that of the CFO of a company who downloaded a malicious app at a conference which he attended.
Prompted by a banner at the event, he scanned a QR code, unaware that the downloaded app contained malicious code. The code allowed the attacker to remotely control the infected mobile device, turn on the microphone and listen in on the CFO’s conversations and meetings.
The attackers were able to record a board meeting on quarterly results, and so had the results before they were publicly announced. This allowed them to engage in stock market activities which adversely impacted the company’s stock price.
Mobile Phones More Vulnerable Than PCs
The threat landscape has changed as more websites are now accessed on smartphones and tablets than on desktop computers, a trend that underlines how computing is rapidly shifting to mobile.
Mobile phones today are much more vulnerable as work devices. While computers used in the office are subject to corporate security policies and best practices, mobile devices used by employees often lack the same protection policies, thereby opening up potential loopholes to be exploited.
How Mobile Phones Are Attacked
In general, there are four main ways in which mobile devices are attacked.
- Malicious Apps
This is likely the easiest to understand because it resembles the way most viruses attack personal computers. When new apps are downloaded, there is a chance that they contain malicious code that can compromise your security. Unfortunately, this applies even if the app is downloaded from the Play Store or App Store, or even when you download an app for free drinks in a restaurant.
- WiFi Attacks
WiFi attacks are a little more insidious. Hackers can put up WiFi hotspots which the user unwittingly logs into, thus giving the attacker access to the corporate network and data. This can happen anywhere: in an airport, at a shopping center, or in a restaurant.
- Jailbreak vulnerabilities
Some users, for whatever reason, choose to jailbreak their phones. What this means is that certain operating-system-level restrictions are removed. Needless to say, this opens your phone to exploits by malicious hackers.
- SMS Phishing
SMS phishing is very similar to email phishing. Effectively, the user gets a message asking them to download a file or an app, or to visit a website. Once the action is taken, the malicious code has gained entry into the mobile phone.
Both users and companies need to understand the impact of these attacks on the company as well as on the individual. The entire organization can be put at risk if there is a single employee whose mobile device is compromised. That device can serve as a bridge that will allow the attackers access to the corporate network.
This can expose information such as contact lists, emails and confidential documents, and even allow an employee’s location to be tracked. Other malicious actions such as secretly activating the phone’s camera and microphone can result in secrets being exposed.
These impacts affect not just the business, but potentially the individual’s private life as well.
Protect Your Organisation
Knowing the threats, it is prudent for companies to start taking steps to protect themselves. Using mobile protection solutions will give companies advanced detection of threats and help to limit the damage from such attacks.
For more information on how to enable mobile protection for your organisation, visit us at http://www.starhub.com/business/solutions/mobility-solutions/enterprise-managed-mobility.html