With new Android vulnerabilities being exposed on almost a daily basis, mobile security is rising up the agenda. CBR spoke to Roy Tuvey, President and co-founder of Wandera, to find out more about the landscape.
CBR: Has Stagefright been a watershed for mobile security?
I think there’s a lot more activity that’s been publicised recently on Android, but I think it’s worth noting that the evolution of the mobile threat landscape is attacking all platforms.
There was very recently something that was well-publicised around this Masque attack that’s targeting the iOS platform. Internally in our Wandera team there’s a lot of focus on man-in-the-middle attacks that are targeting iOS. There’s already some discussion of the potential vulnerabilities of Windows 10.
So I do think it’s something that’s happening across platforms. But in terms of Android, I think there is a growing realisation on the part of enterprise customers and individual consumers that mobile devices are vulnerable and exposed to attack.
I think there’s been quite a lot of talk about Android being less secure than iOS. There was talk a few years ago around some of the app stores on Android that don’t have the same kind of protections that you might expect from iOS.
We’re not sure it’s a watershed, it’s just another announcement that exposes some of the vulnerabilities. I think it’s worth noting in the case of some of these attacks, it’s not actually identifying threats in the wild. It’s just exposing vulnerabilities that if attackers wanted to focus on they’d be successful.
I think if we step back a second and consider all of the data, particularly from an enterprise perspective, that is being provided to these devices to enable the workforce and make them more productive, it’s just very logical and obvious to anyone that hackers are going to try and compromise these devices and get access to this data.
Obviously, the more that we have events like Stagefright, the more the focus is on specific vulnerabilities and what’s going to happen.
CBR: Is iOS getting more attention from hackers recently?
Definitely. There are a number of areas in which mobile devices differ from the old desktop environment. Number one is that they’re always connected to either 3G, 4G networks or wi-fi.
There have been well-documented cases in the US when the phone is automatically connecting to 3G or 4G and the cell tower is a rogue spoof cell tower, and so your cellular traffic is being routed via a rogue host that is pretending to be a carrier.
Far more prevalent are wi-fi attacks. If you take your phone into Starbucks or wherever you’re going, iOS has a setting to save on battery that’s very different to the way that desktops and laptops connect to the internet. If you’ve connected to a network before it will automatically connect you.
That means that if someone is sitting in one of these hotspots pretending to be Starbucks, they can connect your device automatically to their network. They can then do a man-in-the-middle attack and intercept traffic.
That’s something iOS is vulnerable to; it’s possibly more vulnerable to that than Android because of the way its probe works.
Also applications that are deployed and installed are threats even on Apple. We all know that Apple carries out credential checks for apps to be loaded. But it’s looking at factors such as usability; it’s not doing very detailed security checks in the back-end.
We’ve identified lots of applications that are sending user information in the clear, unencrypted, that could be vulnerable to interception.
It’s fair to say that Android, because it’s more vulnerable and has less sandboxed architecture, is more vulnerable than iOS.
CBR: How do they impersonate 4G or 3G networks?
If you take the wi-fi example, we actually do a demo in our offices here where you can buy a router off the internet called a Pineapple. It comes with software pre-packaged that enables you to impersonate a wi-fi network and you can set one of these things up in an airport or Starbucks.
Then you as a user when you come in and log on it gives you a captive portal page, saying click here to sign up to the wi-fi. Basically, if you do that, you can connect through to something that’s a rogue wi-fi. So that’s a very low-cost, easy option for someone to do. It means they have to program it the right way, enter into all the normal wi-fi you might connect to and hope to catch you.
In terms of the rogue cellphone towers, that’s something that’s much more complicated. It’s been identified in a number of instances in the US, where it’s masquerading as a cellphone tower to intercept. It’s more complicated and obviously needs to be much bigger as well because it’s carrying mobile traffic.
There have been a number of documented cases already. It’s certainly more rare, but an example of things going on. The one message of all of this is that it’s really nascent; it’s assumed that we’ve all got mobile phones and we’ve had them forever. These devices are very new.
The rate of change of these different types of threats is very fast. If you fast-forward a year or two, it will be where it was in desktop-land where you were hearing about new threats on a daily basis.
CBR: What are the dangers of this?
This is happening automatically. In September last year there was a big discussion about it. They’re called IMSI catchers or interceptors. What they do is perform a number of tasks; they can eavesdrop on your phone messages or text messages. Sometimes they can push something down to your phone that you install.
It works seamlessly; it’s just pretending to be Vodafone or whoever is your carrier. Apple just put a release out that on the next version of iOS the phone will automatically flip you from wi-fi to 4G when the connection is low. If you’re travelling and you lose the connection, today, your video will stop working until you restart it.
But now, in the new version, Apple will do this for you. As an end-user it will be flipping automatically, so it’s really difficult to keep on top of this. It comes down to the fact these devices are always on and always connected, meaning they’re more vulnerable to interception than laptops.
CBR: The Carphone Warehouse hack came from an attack on IT. When will we see a breach through a mobile device?
The ones that we read about, such as Sony, Ashley Madison and Carphone Warehouse, the reality is that all of these events are targeted attacks specifically to gain that information. They don’t necessarily start and end with one attack vector. It could be that through the mobile device they pick up a specific password that they then use in a network-based attack.
It’s very difficult, and very rarely do companies break down all of the steps that the hacker took to infiltrate that data, if they know them. It’s showing what can be done. A lot of this is being done without anybody’s knowledge.
A lot of companies haven’t invested in security solutions and the general public haven’t invested in mobile security solutions to anywhere near the same extent they did with desktop. It’s quite difficult to say the impact of this because it’s happening silently.
I still think it’s nowhere near where it was in the desktop world but it’s growing very quickly. It gives you credential information that you can then use to target something within the network as well.
CBR: How does a mobile gateway work to prevent this?
We have an application that resides on the end-user’s device that monitors the heartbeats, the process information from the device, looking out for anomalous behaviour. That is sending that information up to the Wandera cloud.
We also have what’s called a proxy; we act as the equivalent of a cell carrier so we see the data coming to us. We correlate what’s coming to us and what’s on the device to find unusual activity.
CBR: What if the user is uncomfortable with somebody else being aware of what they’re doing on their device?
First of all, there’s no one set flavour. Every company is doing it differently. Some big banks have this concept of a device being supervised, where the user isn’t able to install an app without the company’s say-so.
That’s one extreme from security-conscious companies. The other extreme is where they are able to do whatever they want and the company mandates very little. Most companies are somewhere in the middle between those two things.
In the BYO context we have a very neat way of bypassing employee concerns. For one thing, the data is completely anonymous; you don’t know who it is, you just know you’re protecting them. The other thing is we don’t go into the detail of the individual traffic. We can see for example that a lot of data is being sent to Facebook or YouTube, but not what they have sent or written.