Mobile malware moves fast.

As the electronic security industry increasingly drives its solutions using apps on smart devices, the threat posed by mobile malware becomes greater. But how serious is the threat and what can integrators and end users do to ensure that threat is minimised?

The threat is real and growing. There were 116.5 million attacks on smart phones in 2018, compared with 66.4 million attacks in 2017, as cyber criminals increasingly seek access to the vast amount of personal data stored on such devices. Threats include malicious installation packages, mobile banking Trojans, adware, load-generating mobile miner Trojans, RiskTool apps, mobile ransomware Trojans and dropper Trojans, which are designed to evade hash-based detection by hiding the malicious code they carry.

As with other cyber security threats, the greatest risk with mobile malware comes from human error. According to Raymond Frangie of consultancy NDY, malicious software that explicitly targets mobile phone operating systems is a real threat that needs addressing.

“There are many types of mobile malware variants and different methods of distribution and infection,” says Frangie. “Many organisations depend on mobile phones to do business or they allow employees and visitors to use their own devices as part of a bring your own device (BYOD) policy. In all cases, protecting mobile devices from cyber threats is at least as critical as protecting wired networks.

“Mobile devices connect to many wireless environments – these could be either personal, guest, free or corporate wireless networks. Wi-Fi, in its own right, has numerous cyber risks and is inherently insecure. To help reduce these risks, deployment of mobile device management technologies that harden, lock down, and secure mobile operating systems comes into play. Mobile device management is an industry term for the administration of mobile devices, such as smartphones, tablet computers and laptops, and is a core component of enterprise mobility management (EMM). Further to MDM and EMM, redirection of traffic through cloud access security brokers (CASB) also assists in minimising risks of mobile device usage.”

Frangie argues that security teams need to look beyond threat perceptions and consider the scale of risk.

“We need to look at the bigger picture concerning IoT devices rather than wondering about the vulnerability of the latest IoT devices to cybersecurity attacks,” he explains. “The current industry expectation is that by 2035, there will be more than 1 trillion IoT devices connected to the Internet. Given these numbers, ensuring the secure configuration of an organisation’s environment exists in its entirety is imperative.

“The cyber threat landscape (of mobile devices) is severe and is only getting worse. In 2016, insecure hijacked environments with IoT devices were able to perform terabit-scale attacks across sites and organisations. If nothing changes, IoT devices could potentially be the world’s newest weapons of mass destruction.”

Con Sgro of Gallagher agrees that numbers are the real threat when it comes to IoT devices.

“I think the greatest threat here is the large number of devices that are appearing in our computing environments,” he says. “Previously an IT department had a definable number of systems to check, update and monitor. Now with the proliferation of products that can and are joined to the infrastructure, just the simple effort of making sure that the latest updates are done to all the products may take a team in itself.

“Of course, there are ways to limit devices on a system, to stop or limit BYODs or to use the same group of mobile products. Another consideration with mobile devices is that many of these products have moved from a personal use case to the commercial arena – they weren’t made to be used in commercial environments and they feature limited security programming functionalities.

“One good way of ensuring systems are kept up to date is the full use of software maintenance agreements that manufacturers supply,” says Sgro. “In this way some of the risk is migrated. It’s also important to ensure that all IoT devices are field upgradable, and that they use strong device authentication and encryption, like our HBUS protocol.”

Meanwhile, Matt Nordlund of Clavister says the vulnerability of IoT devices to cyber security attacks is a looming threat.

“One big global attack and we’ll realise how essential it is and how we’ve been proliferating devices without considering the consequences,” Nordlund says. “Consider that we’re talking about 20-65 billion sensors and devices in the next few years — devices that control nuclear plants, airplanes, self-driving cars and medical devices. It keeps me up at night, wondering when we’ll create robust standards and protocols to secure the IoT ecosystem.”

According to consultant Shane Norton, before security managers start worrying about mobile malware, they need to look at staff who act as mobile malware mules.

“I’ve seen a picture of electronic cigarettes being plugged into a USB port of a SIL rated safety control system within a secure control centre to get a recharge,” Norton says. “Other examples are third parties bringing their USBs and accessing equipment. Strangely enough, these USBs are previously infected, and the system immediately starts alarming on the detection of newly introduced viruses.

“Certainly, the application of smart devices without thinking about the consequences is worrying. People have smart devices at home they can control via their mobile phones for convenience and they think: wouldn’t it be great if I could do this at work to make my life easier? However, many of these IoT devices and apps have been built to be low cost and low security.

“Connecting your system directly to the internet and opening the ports is scary. Look around your office and look at all the smart monitors with built-in microphones and cameras. From the seat I’m sitting at, I can count at least 20 and if I raise my head a bit more it’s a sea of them. So how do you secure them? Personally, I’d look to put them in their own Virtual Private Network (VPN) which can only be accessed via an appropriately configured firewall which can only be interfaced via an encrypted and authenticated device…but oh dear, there goes the usability!”

Norton says that a good idea would be to follow the example of the banking industry or even Netflix: if anyone new accesses a smart device, users get a message and can monitor what is happening.

How vulnerable are the latest IoT devices to cyber security attacks – how serious is the threat?

“That’s an interesting question which is fast moving,” Norton says. “So, let’s break it down a bit and look at the full picture.

1) There are many competing standards and the environment is rapidly changing.
2) How much encryption is being used to lock down vulnerable transmission media?
3) How hardened are the operating systems?
4) How are end points uniquely identified?
5) With the explosion of IoT and the requirement to support large addressing ranges, there is pressure to support IPv6. It is surprising how many of the old IPv4 exploits get repeated in IPv6.
6) As IoT is in its infancy, the number of updates for remote IoT systems can be large.

“So many systems are non-hardened from a security point of view. Lots of the systems are unencrypted so are easily sniffed, as are the contents of the messages. Can someone replace your end device and use it as a means of entry into your network without you detecting it’s gone? Have you hardened your network and applications to take in IPv6? How are you managing updates and ensuring this update avalanche does not allow malware to enter? Given large IoT networks, how do you look for network changes and how do you partition this network into segments so that contagion of one particular area does not spread? How do you defend against an internal Distributed Denial of Service (DDoS)?

“These are some of the questions which need to be considered and answered,” Norton says. “The idea of allowing uncontrolled growth and uninformed structures would not seem sensible. Your network should be engineered from the start so you can reap the benefits of your hard work in the form of lower maintenance, lower cyber incidents, and quicker response times when things go wrong, which they certainly will.”
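Two of Norton’s questions above – “tell me when something new accesses a device” and “would you notice a replaced end device?” – reduce to comparing what is on the network against an approved inventory. The following is an added example written for this article, not code from any of the vendors quoted: it diffs constructed DHCP-style lease lines against a hypothetical baseline and reports new, swapped and silent endpoints (all addresses are made up).

```python
from dataclasses import dataclass, field

# Constructed baseline of approved endpoints: IP -> expected hardware address.
BASELINE = {
    "10.0.20.11": "aa:bb:cc:00:00:11",  # door controller
    "10.0.20.12": "aa:bb:cc:00:00:12",  # camera
    "10.0.20.13": "aa:bb:cc:00:00:13",  # smart monitor
}

# Constructed DHCP-style lease lines: "<ip> <mac> <hostname>".
SAMPLE_LEASES = """\
10.0.20.11 aa:bb:cc:00:00:11 door-ctl-1
10.0.20.12 dd:ee:ff:00:00:99 cam-1
10.0.20.40 aa:bb:cc:00:00:40 new-sensor
"""

@dataclass
class DriftReport:
    new_devices: list = field(default_factory=list)  # unknown endpoint joined
    replaced: list = field(default_factory=list)     # same IP, different hardware
    missing: list = field(default_factory=list)      # approved endpoint gone quiet

def parse_leases(text):
    """Return {ip: mac} from lease lines; malformed lines are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            seen[parts[0]] = parts[1].lower()
    return seen

def detect_drift(baseline, observed):
    """Diff observed {ip: mac} against the approved baseline."""
    report = DriftReport()
    for ip, mac in observed.items():
        expected = baseline.get(ip)
        if expected is None:
            report.new_devices.append((ip, mac))
        elif expected != mac:
            report.replaced.append((ip, expected, mac))
    report.missing = [ip for ip in baseline if ip not in observed]
    return report

if __name__ == "__main__":
    r = detect_drift(BASELINE, parse_leases(SAMPLE_LEASES))
    for ip, mac in r.new_devices:
        print(f"ALERT new device {ip} ({mac}): approve or quarantine")
    for ip, old, new in r.replaced:
        print(f"ALERT {ip} presents {new}, expected {old}: possible swap")
    print("WARN not seen:", r.missing)
```

A hardware address is an identifier, not proof of identity, so this check raises a ticket for a human to confirm; the strong device authentication Sgro mentions is what actually stops a swapped endpoint from being trusted.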