Mobile security is improving, but unprotected communication paths leave the ecosystem vulnerable, according to recent report from the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST).
The study details five primary components of the mobile ecosystem (mobile device technology stack, mobile applications, mobile network protocols and services, physical access to the device, and enterprise mobile infrastructure), as well as the attack surface for each of them. The report provides Congress with a view of the mobile security threats government workers face, while noting that defenses must cover the entire threat surface, not only the categories these threats fall into.
According to DHS’ Study on Mobile Device Security (PDF), mobile operating system providers have made advances, mobile device management and enterprise mobility management systems offer scrutiny and security configuration management, and best practices guides issued both by NIST and private industry further improve the landscape. Despite that, communication paths that remain unprotected create vulnerabilities, and further new fifth generation network protocols require additional hardening, and research still needs to be done, the report says.
Mobile operating systems
Currently the most popular mobile operating system out there, Android is seeing improvements to its security patch lifecycle, courtesy of an “Android security patch level” indicator that Google has introduced several months back. Because security fixes are delivered monthly, users and enterprises can easily assess the security state of their devices simply by looking at the patch level.
Google is pushing patches quickly to Nexus and Pixel devices and multiple manufacturers have already committed to distributing these fixes in a timely manner, but most Android devices is use remain unpatched for long periods of time, the report notes. This was also the conclusion of a June 2016 report from Duo Security, which revealed that, while most Android devices were eligible to receive updates, only a very small percentage actually got them.
“These security architecture improvements across all the mainstream mobile and PC operating systems (Google’s Android and Apple’s iOS as well as Microsoft’s Windows and other operating systems) are to be encouraged and applauded because they increase resilience to attack and raise the level of difficulty and the cost for attackers to discover vulnerabilities and develop exploits. Nevertheless, sufficiently motivated parties will continue to find exploitable vulnerabilities in mobile operating systems and other lower-level device components,” the report reads.
Additionally, there’s the issue of zero-day vulnerabilities, which have large monetary values associated, and which could be used by advanced attackers against high-value targets where the investment is justified (the Pegasus iOS malware serves as a great example). Apple and Google offer significant monetary rewards to researchers who disclose such flaws, but large prizes such as Zerodium’s $1.5 million for an exploitable zero-day in Apple iOS might seem more appealing.
Devices with unlocked bootloaders are more exposed to attacks, the same as jailbroken or rooted devices, which represent a major issue when used within enterprise environments. Thus, enterprises should advise employees not to root or jailbreak their devices, and should also ensure that the latest available patches are installed on all devices, thus keeping them safe from publicly known security vulnerabilities.
Mobile applications
Most mobile applications are available to users via dedicated portals, such as the Apple App Store and Google Play (each with around two million apps), but third party stores also exist, and some of them are non-legitimate sources of applications. Furthermore, the reliability and security of applications distributed through these stores may vary, especially since the vetting process is more opaque or less robust when compared to that of the public stores of OS vendors.
Applications pose security risks because of vulnerabilities that could be exploited or because they have been created for malicious purposes. Some of the vulnerabilities could expose users to excessive risks, and these include: insecure network communication, insecure file permissions/unprotected location when storing files, sensitive information written to system log, web browser flaws, vulnerabilities in third-party libraries, and cryptographic vulnerabilities.
App provenience is important when considering defenses against apps with inherent vulnerabilities, especially when it comes to software used by the Federal Government (which includes apps commissioned or built specifically for internal or external use and commercially available apps). App developers should follow security best practices and use mobile application vetting tools, enterprises should deploy and maintain Enterprise Mobility Management/Mobile device management (EMM/MDM) tools, and threat intelligence should be used to understand the potential risks associated with apps installed on devices, the report notes.
Malicious or privacy-invasive applications, on the other hand, are often focused on exploiting vulnerabilities in the operating system. These include apps that gather privacy-sensitive information, eavesdropping apps, programs that exploit flaws in other apps or access to sensitive enterprise networks or data, ransomware, software meant to enable fraud, rooting/jailbreaking apps, programs that manipulate trusted apps, or exploit public mobile app stores.
Mobile networks
“Vulnerabilities in this element of the mobile ecosystem are the most difficult to remediate because they are an intrinsic part of the design and operation of live cellular networks. Attempts to fix or update deployed systems can lead to outages that can affect the entire country,” the report reads. “It is important to note that each generation and family of mobile networks is a unique implementation and
is not forward or backward compatible.”
Evolved from GSM through UMTS, Long Term Evolution (LTE) represents the most recent generation of radios used in mobile phones and is significantly more advanced than previous standards. However, GSM is still in use and will continue to be at least for the next three years, and LTE inherits some of the GSM architectural weaknesses, which creates security risks for all users. To that, one can add the attack surface that Signaling System 7 (SS7) opens (recently abused to steal money from bank accounts).
Threats to consider at the network level include those related to SIM cards (theft, cloning, or stealing cryptographic keys), radio access networks (jamming or denial of service, physical attacks on base station infrastructure), LTE (downgrade attacks, eavesdropping, device and identity tracking, prevention of emergency phone calls, network level denial of service), backhaul networks (eavesdropping), core networks (attacks against SS7), and external networks.
Device physical access
Once an attacker has physical access to a device, they can potentially obtain data, access it, or modify it, depending on the configuration of the device. Many people don’t use a passcode, pattern, or Personal Identification Number (PIN) on their devices, which means their data is exposed if their devices are lost or stolen. Recently, the addition of fingerprint sensors on devices has encouraged users to add a screen lock passcode, which is required for enabling the sensor, the report notes.
While activation lock capabilities Apple and Google added to mobile devices prevent actors from factory resetting lost or stolen devices, other physical-based attack vectors do exist, such as USB attacks. Also possible are scenarios where the mobile device is used to spread malware when connected to a computer.
Mobile enterprise
“Mobile devices do bring new threats to enterprises and can be used to target enterprise systems. Mobile devices form a unique class of end user equipment that frequently moves inside and outside of enterprise networks. This movement means that mobile devices compromised elsewhere can be used as vectors to compromise other enterprise devices or even the enterprise,” the study notes.
Incidents where malware spread from Android devices to other systems are becoming more frequent. This happens when a user attempts to charge a compromised device through an available USB port although they shouldn’t. The recently discovered DressCode Android malware was observed attempting to infect enterprise networks through compromised mobile devices.
Attackers can target EMM – technologies that help IT admins to control and manage mobile data, mobile devices, and their connections with enterprise resources – to gain unauthorized access to the admin console, or can impersonate an EMM server, allowing them to track users, access all mobile devices, or install malware for further attacks.
Private mobile application stores that enterprises use to manage and distribute software face threats as well: “impersonation or unauthorized use of administrator credentials, app developer credentials, or distribution certificates. Bypass or subvert application security analysis or vetting techniques,” the report reads. This could allow attackers to distribute enterprise apps to third-parties, and modify apps or deploy malicious apps to facilitate further attacks.
Emerging threats
In addition to the above, the report identified a series of probable emerging threats, which fall into the following categories: Open Source Signals Intelligence; Advances in decryption of cellular network authentication and privacy standards in the public sector; Advances in “IMSI Catcher” capabilities; Increasingly sophisticated cybercrime and fraud targeting individuals and corporations; and Increasing use of broad spectrum jamming by citizens seeking privacy.
Focused on identifying gaps in current defenses that require further research or improvement, the report also delivers a framework to help identifying attacker tactics and techniques, and informs on areas where current mitigations can’t properly protect mobile devices. Further, the report analyzes emerging threats, lists mobile security best practices collected from NIST and other government and non-government organizations, and also points out weaknesses in SS7 and Diameter.
“Threats to the Government’s use of mobile devices are real and exist across all elements of the mobile ecosystem. This is evident from the threat assessment conducted for this study and documented in the previous sections. The corresponding analysis of available defenses shows that despite significant advances in addressing both deliberate and accidental threats to mobile security, gaps remain that will command additional effort by Government and industry to reduce the risk of using mobile technologies,” the report reads.
Related: DHS Uses Cyber Kill Chain to Analyze Russia-Linked Election Hacks
Related: DHS Publishes National Cyber Incident Response Plan
