When enterprise security teams ask me to describe the current state of mobile security, the famous line from Charles Dickens’ “A Tale of Two Cities” comes to mind: “It was the best of times, it was the worst of times.” This year marks a high point in mobile security, probably the highest since the Blackberry heyday, as it pertains to end-to-end security options that enterprises can deploy for mobile technologies.
Unfortunately, very few enterprises are actually taking advantage of these security capabilities, either because of lack of understanding about the technologies’ capabilities or lack of support or funding to implement them. Whatever the hesitance, security organizations should be focused on how to improve their mobile security programs using advancements in the field, and they can start by asking themselves: How should we perceive the current threat situation and where should we invest our resources to best protect ourselves from threat actors?
Device Hygiene – The Simple Stuff
The number one thing any enterprise can do to better protect itself from mobile vulnerabilities is to make sure that users install the latest operating system updates. For iOS, that means having the discipline to retire pre-iPhone 6 devices, which are incapable of updating to iOS 11 and are thus not protected by Apple’s latest security features. Having spent the last year performing mobile device and application penetration tests and conducting extensive mobile security assessments for large clients, the extent to which enterprises continue to allow inherently vulnerable devices to connect to their enterprise mobile infrastructure and email systems still amazes me.
In the last year we have seen a decrease in the frequency of users installing iOS updates. In one global enterprise, over 60% of their iOS device fleet was more than 6 weeks out-of-date. Almost 10% of their device fleet was not even capable of installing iOS 11. These are material numbers which make a huge difference when trying to defend mobile systems from attack and exploitation, and can dramatically affect the enterprise if devices are not properly managed or if the enterprise is unaware of the risk posed by unpatched devices touching the network.
Over the last five years, mobile security researchers have observed that our mobile security adversaries take about three weeks’ time to develop exploitation tools for any vulnerability which is disclosed—and can (often) be fixed by a security update. That 21-day window is an important threshold, as it is the boundary we, security defenders, set when challenged to perform a mobile device or application penetration test. Especially when a known exploit is in the wild, systems must be tested thoroughly so that organizations can understand their risk. In an ideal situation, clients would supply the resources to let testing teams buy iOS zero-day exploits for testing purposes.
However, these exploits on the black market can run anywhere from $200,000 to $2 million USD, depending upon their function, deployability, and complexity to develop and detect. As such, most defenders are forced to wait about a month after a security update is released to find commodity exploits (sometimes on GitHub, always on the underground mobile exploit markets) which we can use for testing. Quite simply, though, if the enterprise enforced a policy which allowed only updated mobile devices to connect, far fewer vulnerabilities would be found during testing, to begin with.
For Android devices, the OEMs continue to play security games with their users. It amazes me that Google lets OEM partners misrepresent what updates are on devices and that Google does not hold their OEM community to even the most basic of software quality and maintenance standards. I am most disappointed in Samsung after reading the latest research by Karsten Nohl and his team about how most Android phones hide security updates from users. When people ask me if they should support Android, I tell them, specifically from a policy perspective, that I only recommend supporting Pixel and Android One devices. Unfortunately, many in the mobile community, especially in the US and Western Europe, have not heard about Android One. Google, likely in response to the OEM problems mentioned above, has implemented a low-cost device program for OEMs to release a “pure” version of Android, just like what ships with the Pixel platform.
For emerging markets, Android One devices represent the best value for money to have direct and immediate access to Android security updates when Google ships them to the core Android platform. This eliminates any need for OEMs or Mobile Network Operators (MNOs) to get in the middle of software update delivery. Nonetheless, Pixel and Android One represent less than 10% of deployed Android devices among the enterprises for which I have conducted mobile security assessments. That leaves 90% of the Android enterprise ecosystem in a state of either getting updates late or not at all.
The bottom line from a device hygiene perspective: require that users install the latest updates for iOS and Android. If they don’t install the updates in a timely manner, cut off corporate email access until they do. It is impossible to implement any kind of mature mobile security program without first having the discipline for this foundational step.
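As an added example (not code from the original article), here is how a defender might encode the hygiene policy above as a fleet compliance check: a device that cannot run the current OS, or that has been behind a shipped fix for longer than the 21-day exploit window, loses corporate email, and the report computes the two fleet metrics cited above (share more than 6 weeks out of date, share unable to update). The release history, the inventory and the `AS_OF` date are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date

# Article's thresholds: exploit tooling appears ~21 days after a fix ships; >6 weeks behind is stale.
EXPLOIT_WINDOW_DAYS = 21
STALE_DAYS = 42
AS_OF = date(2018, 6, 20)  # constructed evaluation date

# Constructed release history (not a real feed): (version, ship date) per platform.
RELEASES = {"ios": [("11.3", date(2018, 3, 29)), ("11.4", date(2018, 5, 29))],
            "android": [("2018-05-05", date(2018, 5, 7)), ("2018-06-05", date(2018, 6, 4))]}

@dataclass
class Device:
    user: str
    platform: str          # "ios" or "android"
    installed: str         # iOS version or Android security patch level
    supports_latest: bool  # False for hardware that cannot run the current OS

def _vkey(v):  # "11.4" -> (11, 4); "2018-06-05" -> (2018, 6, 5)
    return tuple(int(p) for p in re.split(r"[.-]", v))

def days_behind(platform, installed, today):
    """Days since the oldest release the device has not installed shipped; 0 if current."""
    missing = [d for v, d in RELEASES[platform] if _vkey(v) > _vkey(installed)]
    return (today - min(missing)).days if missing else 0

def evaluate(dev, today):
    """Decide whether one device keeps corporate email: returns (allowed, reason)."""
    if not dev.supports_latest:
        return False, "hardware cannot run the current OS; retire the device"
    behind = days_behind(dev.platform, dev.installed, today)
    if behind == 0:
        return True, "current"
    if behind > EXPLOIT_WINDOW_DAYS:
        return False, f"{behind} days behind; past the 21-day exploit window"
    return True, f"{behind} days behind; inside the grace period"

def fleet_report(devices, today):
    """Fleet metrics the article cites, plus the users whose email access is cut off."""
    results = {d.user: evaluate(d, today) for d in devices}
    stale = sum(days_behind(d.platform, d.installed, today) > STALE_DAYS
                for d in devices if d.supports_latest)
    incapable = sum(not d.supports_latest for d in devices)
    return {"blocked": sorted(u for u, (ok, _) in results.items() if not ok),
            "stale_pct": round(100 * stale / len(devices), 1),
            "incapable_pct": round(100 * incapable / len(devices), 1)}

# Constructed inventory snapshot, as an MDM export might provide it.
FLEET = [Device("alice", "ios", "11.4", True), Device("bob", "ios", "11.3", True),
         Device("carol", "ios", "10.3.3", False), Device("dan", "android", "2018-06-05", True),
         Device("erin", "android", "2018-04-05", True), Device("frank", "android", "2018-05-05", True)]
```

Running `fleet_report(FLEET, AS_OF)` lists bob, carol and erin for cut-off and reports the stale and incapable shares of the constructed fleet.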
When an underlying mobile device is vulnerable, attackers can do all sorts of bad things to compromise any of the enterprise systems associated with that device. For example, in one mobile security assessment with a global financial services company, we were able to clone an iOS one-time-password-generating mobile application and leverage those cryptographic seed materials to impersonate users on VPNs and other applications which required multi-factor credentials generated by the soft token application. We were only able to achieve that level of credential compromise when the iOS version was out-of-date to the extent that we could use commodity exploits to attack the device, gain non-persistent kernel-level access to iOS, and then harvest all of the data from the iOS keychain.
The same holds true for any mobile security tools, whether mobile device management, mobile application management, or mobile threat defense. If you aren’t updating the underlying operating system, then those tools are not effective.
Mobile Ecosystem Vulnerabilities
For the vast majority of enterprise mobile technology users, the bad guys are going to leverage remotely-exploitable technologies, such as vulnerabilities in the SS7 network. If I think about the perfect attack against our global mobile infrastructure which could net attackers millions of dollars in profits in a relatively short period of time, the SS7 network has all the attributes that attackers love: a proprietary protocol network with very little visibility into the actual traffic flowing through it, and a high-trust network with few controls and very little visibility into anomalies…what could possibly go wrong? Still, MNOs—even with the numbers of known vulnerabilities and exploits that could be/have been used against them—have not offered services to enterprises to monitor for any SS7 anomalies for their users.
I am a strong proponent of educating enterprises about how to perceive mobile networks as zero-trust infrastructure. Organizations should not put any trust in the MNOs’ network integrity, whether at the physical base station level or the back-end SS7 network. Tools from firms like Koolspan, Silent Circle, and Cryptophone all offer excellent protection from network manipulation and integrity attacks. For enterprises with large numbers of international travelers, if they are not using one of the enterprise-manageable encrypted communications platforms for voice and text, I’d probably consider them negligent.
For organizations without the resources to deploy enterprise-grade tools, there is real value in using tools like Signal. That said, be mindful of certain regulatory and data retention policy requirements when using the consumer-grade products, as things can get rapidly out of control with a large user base that relies on WhatsApp or any of the other personal encrypted communications tools.
What Does the Future Hold?
From a big-picture perspective, we’re about due for another round of mobile technology disruption. I don’t pretend to have a crystal ball, so I don’t know what form that disruption will take. Looking at mobile technology patterns over the last 20 years, it’s time for another wild ride. The best thing that enterprise mobile security teams can do is to do the simple things well. Have the discipline to shed vulnerable devices from your fleet, offer the training and awareness for users to understand the importance of keeping devices up-to-date, and secure the resources to protect material communications that are flowing through enterprise mobile devices. These are the areas that will matter in both the near- and long-term.