Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/12/2013
12:58 AM
50%
50%

4 Mobile Device Dangers That Are More Of A Threat Than Malware

Worried about malware? Other threats should come to mind first for North American users, from losing the phone to inadvertently connecting to an insecure or rogue access point

From Trojan horses to viruses, botnets to ransomware, malicious software garners a great deal of attention from security vendors and the media.

Yet mobile users -- especially those in North America -- should worry more about other threats. While smartphones and tablets could be platforms for a whole new generation of malicious functionality, the ecosystems surrounding the most popular devices work well to limit their exposure to malware. The number of malware variants targeting the Android platform is certainly expanding -- surpassing 275,000 as of the first quarter of 2013, according to security firm Juniper Networks -- but few of the malicious programs have snuck into the mainstream application marketplaces.

Instead, the top threats to organizations grab fewer headlines. While security experts continue to put malware as a significant threat, lost and stolen devices, insecure communications, and insecure application development affect many more users. Juniper, for example, puts insecure communications at the top of its list, says Troy Vennon, director of the mobile threat center at Juniper Networks.

"We see a lot of organizations that have gone to the BYOD model, and they are encouraging their users to connect back into the enterprise for access to data and resources," he says. "They are trying to figure out how they are going to secure that communication and secure that transfer of data."

Enterprises also have to be aware of what their users are installing on their phones and how they may be using the devices for handling sensitive corporate data, says Con Mallon, a senior director of Symantec's mobility business.

"You can only secure what you know about, so knowing what you have walking around your enterprise is important," he says, adding that the defenses should extend to applications and how those applications deal with data. "I should not be able to take the company data and put it in my own personal Dropbox folder."

Based on data and interviews with experts, here are the top four threats:

1. Lost and stolen phones
In March 2012, mobile-device management firm Lookout analyzed its data for U.S. consumers who activated the company's phone-finding service, estimating that the nation's mobile users lose a phone once every 3.5 seconds. In another study released around the same time, Symantec researchers left 50 phones behind in different cities and found that 83 percent of the devices (PDF) had corporate applications accessed by the person finding the phone.

"Mobile phones and tablets are being lost or stolen on an increasing basis," says Giri Sreenivas, vice president and general manager for mobile at vulnerability management firm Rapid7. "The challenge is that there is relatively easy techniques for evading some of the on-device security controls, such as bypassing a lock screen password."

[Embedded device dangers don't just plague consumers or industrial control systems. See Tackling Enterprise Threats From The Internet Of Things.]

While Apple's TouchID, announced this week, may help consumers and employees better secure their devices against theft, the majority of users still do not even use a passcode to lock their devices against misuse. Companies should train users to lock their smartphones and tablets and use a mobile-device management system to erase the device if necessary, Juniper's Vennon says.

In the company's latest mobile-security report, Juniper found that 13 percent of users used its MDM solution to locate a phone and 9 percent locked a device. Only 1.5 percent of users -- or about one in every eight that lost a device -- wiped the smartphone, indicating that the device was likely not found, Vennon says.

"Every company should be able to locate, lock, and wipe," he says. "It's hugely necessary."

2. Insecure communications
While there is a lot less data on how often mobile users connect to open networks, companies consider insecure connections to wireless network a top threat, Rapid7's Sreenivas says. The problem is that wireless devices are often set to connect to an open network that matches one to which it had previous connected.

"A lot of people will look for a WiFi hotspot, and they won't look to see if it is secure or insecure," he says. "And once they are on an open network, it is quite easy to execute a man-in-the-middle attack."

The solution is to force the user to route traffic through a mobile virtual private network before connecting to any network, he says.

3. Leaving the walled garden
Users who jailbreak their smartphones or use a third-party app store that does not have a strong policy of checking applications for malicious behavior put themselves at greater risk of compromise. For example, while only about 3 percent of users in North America have some sort of suspicious or malicious software on their smartphones, the incident of such badware is much higher in China, with more than 170 app stores, and Russia, with more than 130 stores, according to Juniper's Third Annual Mobile Threats Report.

A well-secured app store, which vets each submitted application, is part of the overall ecosystem that secures a mobile device. Users who buy from a marketplace with little security put their phones at risk, Juniper's Vennon says.

"There is no question that if you, as a user, are making the decision to download an app from an unknown source in a third-party app store, you are opening yourself up for the potential of malware," he says.

4. Vulnerable development frameworks
Even legitimate applications can be a threat to the user if the developer does not take security into account when developing the application. Vulnerabilities in popular applications and flaws in frequently used programming frameworks can leave a device open to attack, Rapid7's Sreenivas says.

The Webkit HTML rendering library, for example, is a key component of the browser in most smartphones. However, security researchers often find vulnerabilities in the software, he says. Companies should make sure that employees devices are updated -- currently the best defense against vulnerabilities.

"Understand the corresponding vulnerability risk and make sure that the devices are patched," Sreenivas says. "It is very interesting that proximity attacks, and techniques for jailbreaks, and other attacks can all be mitigated by bringing the mobile platform for your device up to date."

Malicious And Suspicious Software
Malware, adware, and other questionable software are a threat, but mainly in China, Russia, and other countries. Yet, while North American users have less to worry about malware, suspicious software -- including privacy-invasive apps -- is quite rampant. Juniper, for example, has blocked infections of malicious and unwanted software on 3.1 percent of its customers' devices.

Moreover, security researchers continue to analyze mobile devices for vulnerabilities, and cybercriminals are getting better at monetizing mobile-device compromises -- two prerequisites for the malware to take off on mobile devices, Symantec's Mallon says.

"We can see malware and monetization happening; toolkits are out there -- all of these things parallel the development of malware in the Windows world," he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...