The security threats affecting mobile devices have been evolving quickly in 2013, and here are a few things that you can look forward to in the new year.
Mojave’s top 5 mobile security predictions for 2014
1. Concern about over-permissive and insecure apps (non-malware) will come to the forefront
Enterprise mobile users will become increasingly aware of, and more vigilant about, involuntary data leaks by legitimate apps. Unlike malware, which is written with malicious intent, this threat category covers legitimate applications that contain inadvertent vulnerabilities. These vulnerabilities occur when apps are written insecurely, are granted more permissions than they require, or collect user data and activities in a way that may leak sensitive information.
2. Web-based attacks will continue to increase, including watering hole and spear phishing attacks
Due to the nature of their use and form factor, mobile devices make great targets for browser and web-based attacks. Attackers have built expansive tool chains to exploit PCs over the past years, and more recently have begun to combine those frameworks with mobile exploits. Two web-based threats that specifically target enterprise users are watering hole and spear phishing attacks. Spear phishing is the better-known threat, in which an attacker sends a potential victim a well-disguised email containing a URL that links to a browser exploit. Watering hole attacks, on the other hand, require no user interaction. Instead, the attacker first compromises a website that the intended victim frequently visits, then adds browser exploits to the existing URLs. In both of these scenarios the victim is compromised simply by visiting an infected web page. We expect to see attackers shift more of their resources to mobile-based web attacks as both the attackers' tool chains and the mobile markets mature.
3. A shift away from passwords and PINs as the primary or sole authentication mechanism
This year’s security breaches have brought some much-needed attention to the brittle nature of passwords. This spawned a lot of lively debate over the future of authentication, including an organization dedicated to replacing the password as we know it (http://www.petitionagainstpasswords.com). Some of the companies that disclosed leaked password information were Adobe, Evernote, Twitter, and LivingSocial. These compromises leaked over 100 million hashed passwords. While password strength is the front line of defense, the prevalence of password reuse multiplies the risk of any password leak, regardless of whether that leak was from an internal resource or a public website. Once an attacker has compromised a list of passwords for a given user from a public website, they may attempt to use the same passwords against corporate resources used by that user. For all of these reasons we believe that in 2014 users will look for alternatives, and we’ll see a sharp rise in multi-factor authentication, including:
> Mobile device tokens
> SMS or voice authentication
> Biometric authentication
> Single-Sign-On systems
4. Rise in attacks against mobile-based multi-factor authentication systems
As mobile devices are increasingly relied upon for multi-factor authentication, we expect to see a more concerted effort by attackers to target mobile devices with the intent of compromising these additional security measures. We have already seen this with malicious apps targeting banking accounts and using the victim’s mobile device to intercept SMS authentication messages.
5. Attackers will use mobile devices as stepping stones into internal resources
Sophisticated attackers leverage a compromised device to “pivot” to other resources that the device has access to. So far we have primarily seen attackers compromising the mobile device itself to gather information or use it for toll fraud. As attackers become more sophisticated, we expect that they will develop tool chains similar to their PC tool chains. These tool chains allow them to compromise a single device, perform reconnaissance on the device’s network, then pivot to compromise additional hosts around it. This approach is particularly lucrative with mobile devices, as they frequently connect to less-secured or hostile Wi-Fi networks, then rejoin the secure corporate network. We have seen evidence of attackers proxying traffic through devices, and we expect to see attackers leveraging this type of proxying to “pivot” to internal resources through compromised mobile devices.