Enterprises worldwide are living dangerously, skating by with inadequate visibility and security into their mobile attack surface. While many organizations have adopted some level of management over the mobile devices connected to their systems, it's not the same as mobile security and leaves them unprepared for a growing threat. Attacks against mobile phones and tablets continue to increase, and chances are good that a devastating WannaCry-level attack is just over the horizon.
The WannaCry ransomware attack caught the world unaware in 2017, infecting hundreds of thousands of computers in 150 countries worldwide. And it could have been worse had a British security research group not discovered a kill switch that stopped it from spreading within hours of the attack. But its impact was substantial nevertheless, crippling systems, causing several car manufacturers to stop production, and even forcing some hospitals in the UK to turn away patients. Damage was estimated to be in the billions of dollars.
By heeding the lessons of that attack, enterprises can now work to avoid a "mobile WannaCry" before it hits, rather than dealing with the damage after the fact. A mobile-based attack of that scale is possible, and its impact could be far worse because of the ubiquity and utility of mobile phones, along with the fact that almost everyone's device is vulnerable. As a US House Intelligence Committee recently heard, mobile spyware has even infected the phones of US diplomats worldwide.
Devices Hold the Keys to the Kingdom — and They're Everywhere
In the five years since WannaCry's appearance, mobile devices have become even more critical targets than laptops or desktop PCs. Smartphones are with us every minute of the day and are loaded with personal and organizational data. They hold passwords and email accounts, credit card and payment data, and biometric data often used in multifactor authentication (MFA) for logical and physical access. They also have microphones, cameras, and location data that can add to the risks if a device is compromised.
But as much as we depend on them, enterprises have not adequately addressed the mobile attack surface presented by these devices. Beyond changing the security mindset to include the mobile space, there are unique challenges that apply to mobile endpoints. Bring your own device (BYOD) is one of the biggest challenges to addressing an enterprise's mobile attack surface, due to the privacy needs and requirements regarding personally owned devices. Because of privacy concerns, standard products like mobile device management (MDM) are typically used only for corporate-managed devices and are often insufficient in detecting, reporting, and securing mobile devices against modern threats.
Mobile devices can present attackers with virtual keys to the kingdom if they are compromised and used to get past MFA. Email access is a prominent attack tool, but a mobile device also can provide access to accounting, finance, and customer relationship management tools such as Salesforce, Microsoft Office 365, or Google Workspace. And with these tools now available on personal devices, outside the scope and visibility of the security infrastructure, enterprises are putting their data and services at risk in the name of technological benefits like BYOD.
Mobile Ransomware Would Have a Double Impact
The risks of mobile ransomware essentially exist on two fronts.
- Mobile devices as a delivery mechanism for ransomware: The compromising of a device, which can be accomplished with or without the owner's knowledge, could allow the sending of a ransomware-spreading email that appears to come from a trusted co-worker or source. Mobile devices can be used to spread traditional ransomware in ways that are very difficult to detect and stop.
- Actual mobile ransomware: Early versions of mobile ransomware were somewhat faux ransomware, using overlays to take advantage of accessibility features. But Apple and Google effectively closed those holes, leading attackers toward actual mobile ransomware.
A mobile attack could lock not only an organization's data and systems, but a user's as well, threatening to wipe out their bank account, for instance, if a ransom is not paid. The attacker who took ownership of that device could leave its microphone and camera on at all times to bug corporate meetings.
The bottom line is mobile ransomware attacks could do everything WannaCry did, plus a lot more.
The Time to Focus on Security Is Now
A future large-scale and impactful ransomware attack against mobile is inevitable. Each year, we see mobile malware become more complex, with new features and capabilities introduced to impact the victim. These advancing malware techniques are only proofs of concepts for future attacks, laying the way for larger dangers to mobile endpoints. It is only a matter of time before malicious actors deliver complex mobile ransomware with a significant impact on users and enterprises.
Enterprises have not placed a high-enough priority on mobile security as devices have become indispensable in our personal and business lives. Mobile devices are ripe for an attack of WannaCry proportions, but whether that takes the form of ransomware or something else, the time to focus on mobile security is now, before it's too late.