New research is changing the way CISOs perceive the risks to critical data from the mobile ecosystem — and how they should secure it.
Mobile devices, even those that are corporate owned, are personal. Your CEO uses the same smartphone to send confidential emails, snap family photos, inspect customer records, get directions to meetings, and scrutinise financial reports. Every employee in your organisation does the same thing. Your organisation’s critical data is constantly being accessed by mobile devices, and once it leaves the network you have no visibility into where it goes, and little or no ability to enforce your security policy to protect it.
Your organisation’s sensitive data has made the mobile ecosystem the new frontier for a wide spectrum of risk that every CISO must now understand. Take a deep dive into all twelve elements of the Mobile Risk Matrix in the interactive table below.
App threats are specific applications created to steal information, damage a device, or provide unauthorised remote access for the purposes of surveillance and monitoring of a target.
Common examples include legitimate applications that have been trojanised or injected with malicious code, malware that gets onto the device through exploitation or careless user permission, or abusive apps with masked intent.
Device threats have significant potential to cause catastrophic data loss because they break through a device’s app sandbox and embed themselves deep in the operating system to achieve heightened permissions for the attacker.
The Pegasus spyware is the most relevant example of a targeted, low-prevalence, high-impact threat. This device threat exists on both iOS and Android and is capable of activating a phone’s cameras and microphone to snoop on conversations around the device. It can also track a victim’s movements and steal messages from end-to-end encrypted chat clients.
Critically, Pegasus only requires a victim to visit a malicious web page and does not need the targeted individual to install an app to activate.
Network threats are specific attacks that occur over the network connection of a mobile device.
These attacks can be executed directly by human threat actors or through malware using automated means. For most mobile devices, these attacks would occur over Wi-Fi or the cellular network.
Attack examples include Man-in-the-Middle (MitM) attacks, certificate impersonation, SSL/TLS stripping, and SSL/TLS cipher suite downgrades.
Phishing attacks containing URLs that lead to malicious websites are significantly more likely to be tapped on a mobile device than they are to be clicked on a desktop PC.
Examples of web-based threats include malicious web pages that can cause downloads or directly exploit a device. Malicious URLs are most commonly delivered via phishing emails or SMS messages.
Mobile apps have vulnerabilities just as PC software does, but vulnerabilities are a significantly bigger problem on mobile because most mobile apps are selected by end users and are more likely to be built by small teams of developers. PC applications, on the other hand, are more likely to be vetted by IT and developed by large software companies.
The significance of this risk is confirmed in the OWASP Mobile Top 10 report from 2016 which calls out “Poor Code Quality” as one of the top ten risks, with a prevalence rating of “common.”
Examples of mobile app vulnerabilities can include errors in parsing code that allow maliciously formed input to cause remote code execution and takeover of the application.
Mobile device vulnerabilities are defined by the growing universe of known vulnerabilities. Every month both Google and Apple release a security bulletin detailing the increasing number of patches for new device vulnerabilities during the previous month. Nearly every “software update” notification contains security updates to patch new vulnerabilities.
Vulnerabilities that are not found first by the security community can lead to zero-days that are then exploited by professional espionage organisations like what the NSO Group did with the Trident vulnerabilities and Pegasus spyware originally discovered by Lookout.
Enterprises can measure risk from device vulnerabilities by tracking their “vulnerability window,” or the amount of time it takes from the release of a new patch to full adoption of that update in their mobile fleet. Generally, mobility programmes based on BYOD tend to have a longer window than COPE and Android-heavy device fleets are longer than iOS. For example, iOS 10 has reached over 90% adoption in just 8 months.
Mobile network vulnerabilities are based on exploitable software or hardware flaws/errors in the network interfaces of the device or its applications that make a mobile device vulnerable to a network. An example is the Heartbleed SSL vulnerability and OS network driver flaws that allow remote code execution.
In a recent talk from Black Hat Asia, researchers showed how to “exploit an iOS device remotely via Wi-Fi without any user interaction, completely bypassing the iOS sandbox.” Even more recently, Apple issued iOS patch 10.3.1 to correct a code execution flaw that could be exploited via Wi-Fi. This vulnerability could “allow an attacker within range of a vulnerable device to exploit a stack buffer overflow flaw in iOS and would allow arbitrary code execution on the Wi-Fi.”
The bottom line for enterprises is that there is a risk from mobile network vulnerabilities, primarily from public Wi-Fi (though this is not a requirement for some exploits).
The best way to understand web and content vulnerabilities is that any malformed content, including web pages, videos, and photos, can trigger specific vulnerabilities to exploit targeted application or OS/system level components to gain unauthorised access to a device.
The most widely known example is Stagefright, a web vulnerability exploited by an .MP3 or .MP4 video file to access the media processing libraries of Android that could lead to exploitation over any number of vectors such as MMS messaging or through arbitrary channels like file downloads over the web where various media files will be processed.
Another example is the web browser vulnerability in the case of Trident that exploited Safari in iOS to deliver the Pegasus spyware payload.
Mobile exploits also tend to rely on end users that are undereducated on mobile security to tap the malicious emails or MMS messages that exploit web vulnerabilities.
App behaviours and configurations have the potential to lead to leakage of enterprise data to which the insecure application has access. Data leakage, in addition to having a high impact on the enterprise itself, can also pose a significant regulatory compliance risk. Examples include applications that both access sensitive enterprise data and public cloud-based storage services that are not under enterprise control, or applications that would have access to data with compliance requirements such as credit cards or records with personally identifiable information without adequate protections in their use, transmission, and storage.
Risks from device behaviours and configurations can come from employees using jailbroken or rooted mobile devices or be as simple as not enabling a passcode on the device.
Other examples of device configuration risks include enabling USB debugging for Android, installing apps from non-official app stores, and certain options set by enterprise configuration profiles on iOS.
Network risks associated with behaviours and configurations are best highlighted by the example of employees using public Wi-Fi. The more “promiscuous” end users are with connecting to public Wi-Fi, the greater the risk to enterprise data. Taking advantage of “free” Wi-Fi in airports, hotels, or coffee shops, can easily lead to a connection to non-SSL websites, which means, for example, not being encrypted when logging into mobile banking.
Travelling employees may be rushing and may never know if they connect to a malicious Wi-Fi network, unknown captive portal, or a network that decrypts traffic for content filtering.
As with many of the mobile spectrum of risk components, users not being aware and not taking proper care of how they use mobile devices can lead to significant enterprise data leakage.
Risks linked to behaviours and configurations around web and content can be summed up by an action enterprise employees do regularly: opening email attachments from unknown people or clicking links in SMS messages or other messaging apps.
Those attachments and messages may contain any type of content, but tend to be media files that – when accessed – expose the organisation to unacceptable risk with the potential to exploit a vulnerability or endanger compliance.
The next steps for extending your security programme to mobile start with thinking through each element of the Mobile Risk Matrix and developing a strategy to manage that risk in the context of your organisation.
The example to the left shows a global 2000 bank at high risk from network threats over rogue Wi-Fi connections encountered by travelling employees, and by auto-rooting Android malware app threats.
Read the case study to see how this global 2000 bank got visibility into their risks then mitigated them with Lookout Mobile Endpoint Security.
Many mobile risks require user interaction to execute, and the most likely interaction that can lead to a breach is a socially-engineered phishing attack.
Phishing on mobile has shown to be more effective than on the PC because traffic typically does not flow through a secure network gateway (as enterprise PC traffic often does) and mobile browsers obscure website URLs both by hiding the address bar while a user is scrolling and limiting the number of characters displayed in the address bar by the width of the screen.
A key insight is that mobile devices can increase the chance of success for social engineering and phishing attacks across a number of the mobile risks described on this page.
The Mobile Risk Matrix, developed by Lookout, helps organisations understand the Spectrum of Mobile Risk, and the prevalence and impact of mobile threats and vulnerabilities.
Read this exclusive research to gain insights into mobile risk from Lookout’s uniquely massive global threat intelligence data.
Complete this online mobile risk assessment to get insight into your current level of mobile risk based on your mobility policies and existing controls such as EMM. This assessment is based on a framework called the Mobile Risk Matrix, outlining risk across threats, software vulnerabilities and risky behaviours & configurations for each of the attack vectors on mobile devices.
Get a custom assessment of GDPR and business risks to personal data by answering 20 questions about the state of mobility in your organisation.
In this data-based report, you'll benefit from a comprehensive overview of the real-world risk...
Read this case study to learn how a Forbes Global 2000 bank achieved secure mobility with Lookout....