At this year’s SecureCIO event in San Francisco, in front of an audience of CISOs, CIOs, VPs, Directors collectively representing some of the largest corporations in America, John McAfee, the enigmatic founder and namesake of McAfee, proclaimed a veritable state of emergency in enterprise security.
"Our paradigms for protecting corporate assets [online] no longer work," said McAfee, who, after a brief hiatus (one in which he went toe to toe with the Belize Government), is back on the security scene serving as a consultant as well as founding his own startup.
In this talk, McAfee took square aim at mobile. He discussed a recent consulting engagement with an unnamed defense contractor. Seemingly out of nowhere, the contractor began losing contracts it would normally win. Eventually, it was discovered that a man-in-the-middle attack had successfully compromised the mobile devices belonging to the sales team. Anything they saw wound up in the hands of the competition.
As he explained, thanks to mobile devices, each employee has become a potential weak link in the enterprise security chain. Corporate data shared on mobile devices and tablets has become highly valuable to competitors. Meanwhile, forced permissions within mobile applications are granting access to sensitive data stored on phones.
It really is a big problem
The size and scope of this problem is substantial, and there is no end in sight. Anonymized data from more than 6 million active customer mobile applications analyzed by RiskIQ helps quantify the issue:
- 245,000+ apps have account grabbing capabilities
- 497,000+ apps can control vibration
- 212,000+ apps are capable of accessing the camera
- 184,000+ apps can access contacts
- 66,000+ apps can read SMS
Why should we care if an application has access to a phone's vibrate function? Because when attackers control a phone they can make changes, receive messages, download other applications, change settings, etc., without setting off the vibration alert. "Read SMS" allows attackers to capture SMS-based authentication tokens. "Get Accounts" allows an app to see the accounts configured on the phone. With access to the contact list, a cyber criminal can harvest every contact stored on the device. There are literally dozens of standard permissions one could leverage to carry out a cyber attack -- without needing malware.
With many large consumer-facing businesses, like banks and healthcare providers, distributing their own branded mobile applications, the risks associated with copycat apps distributed and controlled by cyber criminals are magnified by escalating app permissions.
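The permission classes counted above are declared in an app's AndroidManifest.xml, so a reviewer or app-store screener can triage them before anything runs. The following script is an added example, not code from the article or from RiskIQ: it parses a manifest, flags the permissions the article singles out, and reports combinations that matter more than any single permission (SMS access together with INTERNET, a receiver registered for incoming SMS, VIBRATE alongside SMS access). The two manifests and the risk tiers are constructed for this example; the permission and action names are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Risk notes for the permission classes the article counts. The tiers are this
# example's own classification, not RiskIQ's or Android's.
RISKY_PERMISSIONS = {
    "android.permission.GET_ACCOUNTS": ("high", "account grabbing: lists accounts registered on the phone"),
    "android.permission.READ_SMS": ("high", "can read SMS-based authentication tokens"),
    "android.permission.RECEIVE_SMS": ("high", "can see SMS-based authentication tokens as they arrive"),
    "android.permission.READ_CONTACTS": ("medium", "can harvest the contact list"),
    "android.permission.CAMERA": ("medium", "can capture images without user action"),
    "android.permission.VIBRATE": ("low", "can mute the vibration alert that would reveal activity"),
}

SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling a copycat banking app (package name is made up).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Bank">
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest for an ordinary app: VIBRATE alone is not a finding.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Notes"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def sms_receivers(manifest_xml):
    """Return names of broadcast receivers whose intent filter listens for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        if any(a.get(NAME) == SMS_RECEIVED for a in recv.iter("action")):
            found.append(recv.get(NAME))
    return found


def audit(manifest_xml):
    """Flag risky permissions and risky combinations; returns a report dict."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    # Each flagged entry is (permission, tier, reason), sorted by permission name.
    flagged = sorted((p,) + RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS)
    findings = []
    sms = perms & SMS_PERMISSIONS
    if sms and "android.permission.INTERNET" in perms:
        findings.append("SMS access plus INTERNET: intercepted authentication codes can leave the device")
    receivers = sms_receivers(manifest_xml)
    if receivers:
        findings.append("receiver registered for SMS_RECEIVED: " + ", ".join(receivers))
    if sms and "android.permission.VIBRATE" in perms:
        findings.append("VIBRATE plus SMS access: incoming-message alerts can be silenced")
    return {"package": root.get("package"), "flagged": flagged, "findings": findings}


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = audit(manifest)
        print("package:", report["package"])
        for perm, tier, reason in report["flagged"]:
            print("  [%s] %s: %s" % (tier, perm, reason))
        for finding in report["findings"]:
            print("  !! " + finding)
```

The combination rules are where the value is: a single VIBRATE or INTERNET declaration is unremarkable, but SMS access next to a network permission and a receiver for incoming messages is exactly the shape of the token-stealing apps described later in this article, and is worth a manual look before the app is trusted with a brand name.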
SMS text phishing
A recent example of this technique is Operation Emmental, discovered by Trend Micro. The attack uses an email phishing campaign to target customers of banks that use SMS-based authentication. It tricks victims into installing a fake but official-looking mobile app, which captures SMS messages sent from the bank. (Trend Micro found several variations of these apps wrapped with names and logos of popular German banks.) By stealing the victim’s username and password, and intercepting “out of band” authentication tokens sent to his or her mobile phone, attackers can take over the bank account to commit fraud.
In addition to excessive permissions and fake apps, mobile platform vulnerabilities are putting data at risk. For example, security firm Bluebox recently reported a major flaw in the Android operating system it dubbed "FakeID." It affects Android's verification of digital signatures, which are used to vouch for the identity of mobile applications. In theory, this would allow attackers to successfully impersonate legitimate apps, like an online banking app, since the Android cryptographic code would not be able to verify their origin.
It’s becoming apparent that mobile applications are posing expanding risks to both enterprises and their customers. Whether it’s excessive permissions, fake (e.g., copycat) apps that claim to be from a trusted brand, or platform vulnerabilities like FakeID, it appears being paranoid about mobile might actually be healthy for security.