Mobile phones evolved into what we now call SmartPhones: A mobile device with the characteristics of a personal computer that allows the owner, in addition to the basic features of a regular mobile phone, to be connected and integrated with social networks (Facebook, Twitter, LinkedIn,etc.), surf the Internet (WiFi or 2/3/4G), send/receive e-mails, work with office files (Excel, Word, PDF, etc.), take pictures and videos, install productivity applications and access corporate calendars among other things.
According to statistics, in December 2010, 31% of the USA population already owned a SmartPhone and this figure is expected to reach 50% by the end of 2011. The acceptance level of these devices is easily noted in the work environment, where more and more Employees carry SmartPhones to their work place.
These new possibilities of interaction, interconnection and new technologies offered by these devices lead to new personal and corporate security risks, forcing corporate security borders to move towards endpoint devices.
What are the risks that corporations might face by using SmartPhones in their work environments?
Some of the risks corporations could face with the adoption of SmartPhones in their work environment are:
- Confidential information disclosure and associated impacts
- Theft or use of access credentials of corporate or personal applications
- Damage to Corporate image
- Malware spread/attacks
- Social engineering attacks
Next, I will describe the possible attack vectors that corporations might face for each of the mentioned risks:
Confidential information disclosure and associated impacts
Confidential information disclosure could be executed by the following attack vectors:
- Device theft or loss: SmartPhones allow users, among other things, to save documents as well as e-mails or SMS messages in either main or external memories. A corporate Executive may be subject of a planned attack (i.e. industrial espionage), where the attacker would steal the device and later on access the information contained in it. Also, the user might simply lose the device and expose the information.
- Extraction of confidential information: Many corporations have implemented a set of technical controls to prevent Employees from extracting information classified as confidential. Smartphones, also might be used as removable drives (i.e. USB drives, Memory Cards, etc.) in order to extract these types of information.
- Use of Cameras / voice recording: SmartPhones have built in cameras as well as voice recording functions. These functionalities could be used by an Employee to extract confidential information (i.e. taking pictures of documents, blueprints, etc.).
- Rouge applications: By installing rouge applications, like Trojans, an attacker might get remote access to the device and extract information contained inside it.
- Residual information / Data remanence: The re-assignment of mobile devices in corporations is an everyday thing. The lack of a correct media sanitization and device reset procedures might allow a new device user to access information (might be confidential or personal) belonging to previous users.
Theft or unauthorized use of access credentials to corporate or personal applications
Credentials to access corporate or personal applications could be obtained by the following attack vectors: - Device theft or loss: Almost all SmartPhone applications have the functionality to save (or remember) the users login ID and password. If an attacker gains access to a device, he might have access to corporate (Intranets, Extranets, etc.) or personal applications (Webmails, social networks, etc.) simply by executing them.
- WiFi networks eavesdropping: Almost all Smartphones have WiFi functionality. If a user connects to an unsecure WiFi hotspot (i.e. no WEP / WPA / WPA2 encryption), an attacker could sniff the connection in order to obtain access credentials.
- Malicious applications: With the installation of malicious applications, like Trojan horses, an attacker could obtain application access credentials. As an example, an attacker could install a key logger and send the captured keystrokes by e-mail or post them on a web page.
An attacker that gains access a Corporate Executive device could use the Address Book to launch a smear campaign against the corporation by sending e-mail or SMS to the contacts obtained.
Malware spread/attacks
Corporations have malware controls (i.e. antivirus) installed at server, network, desktop, notebook, mail and internet gateways layers. Still, a SmartPhone is not normally considered a malware entry or distribution point. The installation of rogue applications in these devices and the subsequent connection of them to corporate networks and services may allow the spread of Worms, Trojans, Virus and other type of malware.
Corporations have malware controls (i.e. antivirus) installed at server, network, desktop, notebook, mail and internet gateways layers. Still, a SmartPhone is not normally considered a malware entry or distribution point. The installation of rogue applications in these devices and the subsequent connection of them to corporate networks and services may allow the spread of Worms, Trojans, Virus and other type of malware.
Social engineering attacks
Many users save their personal information (Full name, Company name, address, telephone, etc.) stored in their SmartPhones as “Owner Details” o “personal cards”. An attacker with access to the device could gain access to this information and the Address Book among other things. This information could be used to launch a targeted social engineering attacks against the user or the corporation.
What security measures must corporations implement in order to minimize the mentioned risks?
Corporations should treat SmartPhones as another device that must be protected. Following, I will mention some of the safeguards that should be implemented:
Corporations should treat SmartPhones as another device that must be protected. Following, I will mention some of the safeguards that should be implemented:
- Establish a security policy: Corporations must establish and implement an issue specific security policy that defines the security requirements that SmartPhones must comply with.
- Establish security baselines: Corporations must develop security baselines that define the minimum configuration requirements that SmartPhones must have, such as:
- Screen lock: Configure the device to request a PIN (or password) in order to unlock the screen. With this basic protection, an attacker won’t be able to unlock the device or he must factory reset it in order to access it (erasing all personal information stored in main memory, including address book, SMS, mails and others stored in it)
- SIM Lock: Configure the device to request the SIM card PIN in order to access or use it. An attacker that does not know the SIM PIN won’t be able to use it.
- MicroSD card encryption: Configure the device to encrypt data stored in external memory. This will provide confidentiality for the data stored in the MicroSD card, even if the attacker has access to the card itself.
- Default USB Port mode: Configure the device’s USB port mode to “Charge only”. Normally, the USB Port mode of the device can be configured between “USB Storage” (or “removable storage”), “USB tethering” and “Charge Only”. Setting it to “Charge only” will prevent an attacker to access the external or internal memory through a USB connection.
- Synchronization / Docking configuration: Configure the device to request a PIN in order to Synchronize data with a desktop or Laptop computer (such as the Screen Lock PIN). This will prevent an attacker from synchronizing data and obtain personal information stored in the device, such as the address book, calendar, etc.
- Credential encryption: Configure a strong password for the device credential storage. Credentials, such as SSL or VPN certificates are stored in a special vault controlled by the SmartPhone OS. Most OS allow users to specify a password that must be entered each time an application wants to access the credentials stored in it.
- Bluetooth configuration: By default, disable all Bluetooth functionality and configure the device to request authentication and to be invisible to other devices.
- WiFi configuration: By default, disable all WiFi functionality and always use networks that offer some type of security / encryption (WPA, WPA-2 or WEP). Beware of rogue Access Points!
- USB Teethering / Wifi HotSpot configuration: Disable all functionalities that allow the device to share its Internet connection with other devices (i.e. USB Teethering / Wifi HotSpot)
- Prevent the use or rooted (or jailbreak) devices: By not allowing rooted or Jailbreak devices, only approved and tested applications by the OS provider can be installed in it. A rooted or jailbreak SmartPhone allow the users to install any application, thus increasing the risks installing rogue applications that could contain malware.
- Application recommendations:
- Do not store / remember application passwords: if passwords are not remembered, attackers with access to the device will not be able to use the application.
- Use secure connections: Configure or design the application to use secure connections, such as SSL. This will prevent an attacker from eavesdropping on a WiFi connection and sniff application credentials.
- Only install digitally signed applications by the manufacturer or the ones that its source can be verified (such as the OS manufacturer sites, like Android Market, iPhone Store, etc.): By taking this into consideration, the chances to install rouge applications can be reduced drastically. It is always important to validate the applications permission requirements before installing it.
- Always apply OS and applications security patches / updates: SmartPhone OS, as well as applications, are updated each time a new vulnerability is detected or an enhancement is made. This is why it is important to monitor the different software vendors for new releases (normally distributed by the different OS stores).
- Never fill in the device “Owner Data” or Personal Cards: To help the prevention of Social Engineering attacks, the Owner Data sections should be left blank.
- Antivirus software: If available, install antivirus software in the device.
- Tracking and remote wipe: there are applications that allow users to send remote commands to a stolen or lost device which enables the GPS functions in order to determine its position. Also, these applications allow the user to remotely wipe all stored information in the device.
By Agustin Chernitsky