Welcome to Part I of our three-part coverage of the landscape of mobile security threats. Over the course of this series, we will cover:
- Network threats
- Apps and configuration threats
- Actions and solutions to protect yourself
Lately, concern over the safety of our beloved smartphones has begun to grow. While in the past, computers were most vulnerable to phishing and data-collection attacks, the portability of smart devices has brought mobile device security to the forefront of security initiatives.
Attacks such as the so-called DoubleLocker have had significant impact on the impact of device security – perhaps greater even than its material impact.
Although Windows-based attacks will remain a major point of focus in terms of mobile security, data from specialized analysts suggest that mobile threats will, within one to two years, represent 25% of all data-related threats. To provide a better understanding of the risk to smart devices as phones and tablets, it helps to have an understanding of how data thieves access and manipulate data and credentials.
We’ve all had to connect to public wifi networks occasionally: in airports, cafeterias, restaurants, or even when visiting the offices of a client or supplier. Doing so has become so common as to be automatic. While wifi networks were originally intended to operate laptops, users are increasingly connecting their smartphone devices to networks in order to avoid data usage. Smartphones, being constantly in motion and by their very function moving far more frequently than the average laptop, are confronted significant additional threats.
The main danger comes from these unsecured hotspots. With a few minutes of searching on Google using a few well-chosen keywords, one can find many free programs that allow spying on any device connected to the same network as an unsuspecting laptop, smartphone, or tablet. Armed with this info, bad actors can settle quietly into a corner at Starbucks and start intercepting the internet traffic of users around them completely unnoticed.
This simple technique of intercepting traffic is called Address Resolution Protocol (ARP) Spoofing. It is usually detected immediately when used in the networks of companies with minimally advanced security equipment; this is not the case for public access points, convenience networks (such as at stores or malls), or at home. The nature of how and where we use our smartphones leaves them completely defenseless against these attacks.
GSM “Man in the Middle” (MiTM) Attacks
Danger is not limited only to unsecured wifi. With a modicum of tech knowledge and a hardware investment of less than $1000, an attacker can simulate the network of a public 3G / 4G operator, deceiving nearby smartphones that plan to communicate with their usual operator.
Normally, data circulating in the operator’s network cannot be seen; networks circulate encrypted to a remote point in the operator’s network. For this reason, the attacker simulating an “antenna” of the operator will try to force the devices to communicate using the 2G protocol, and whose encryption is very weak or even disabled (called 2G fallback mode or downgrade). In this way the attacker will be able to access all the IP traffic of the device, and much as with compromised wifi points, start analyzing the data traffic.Fortunately, as smartphone operators and manufacturers retire dated 2G networks, these kind of attacks are become more difficult to carry out, reducing the possibility of unsafe 2G data communications and MitM attacks.
Intercepting Unsafe Traffic
Once an attacker has access to internet traffic by interposing himself between a device and the rest of the internet (Man In The Middle), all information not encrypted using secure socket layer (SSL), transport layer security (TLS) or another method becomes accessible to the attacker:
This intercepted data may include
- Session identifiers
- Poorly encrypted passwords
- Database connections
- Non-encrypted personal data
In addition to compromised data, more sophisticated breaches may force the device browser to access a site to download malicious code, access data within the device, control device operation, or force downloads of malicious applications.
Falsification of Digital Certificates (Fake SSL)
Beyond simple poaching of non-encrypted data, some attacks intercept encrypted traffic by supplanting the server to which the device wants to connect.
This can be achieved in three relatively simple steps:
- The device connecting to the server receives a “digital certificate” from this server, containing a key used to encrypt all data transmissions.
- The attacker requests the certificate to the server on behalf of the device. Once secured, it returns a false certificate to the device. The device will now communicate with the attacker using this false certificate known by the attacker, who will be able to decrypt all data exchanges.
- In turn, the attacker will communicate with the server with the real certificate, relaying the data back and forth as if it were the device, as an intermediary with full visibility into all transmissions.
Digital certificates are issued by Certifying Authorities (CA), and the information of who issued the certificate is contained within the certificate. Anyone can generate certificates, however; there are reputable entities called trusted CAs. The devices have a “factory” list of these trusted CA entities (about 100 in total).
- Most attackers use certificates generated and signed by themselves in the moment the connection is established (self-signed). When these certificates are used, it prompts a browser alert which describes the certificate as “not trusted” and outlines the cause.
- A certificate contains the information of the domain for which it can be used to communicate, as an additional check mechanism.
- However, some mobile apps accept the certificate despite not coming from a trusted entity, exposing their communications to the attackers. These apps are vulnerable to this kind of attack.
- There have even been cases of trusted CAs that have been tricked by attackers into issuing certificates for large public domains (i.e. google.com). These “false true certificates” have been used by attackers. In these cases, browsers and applications cannot detect the attack as the Certificate is authentic and issued by a trusted CA.
Not all Hackers are Created Equal
Small-time hackers are not the only actors to engage in this type of data collection. For instance, such was the case in an Iranian government breach in 2011, who allegedly used fraudulent certificates to gain access to Gmail in order to access the accounts of thousands of Iranian citizens.
These attacks can also be performed by less organized attackers. From time to time, some false / true certificates leak to the dark web, to be used by all manner of hackers. To counter this weakness in the certification mechanism, between 2016 and 2017 a public, non-forgery record of all issued certificates launched, creating a centralized method to consult and verify the certificates are valid and authentic (“Certificate Transparency System”).
While these data breaches have far-reaching impacts for organizations and individuals, you can minimize risk by implementing mobile security solutions and networking best practices when using unsecured networks.
For more information about app-side threats, such as non-secure app downloads, unsafe OS versions, and configuration issues, check out Part II of our series.
If you would like to learn how Samoby is reducing the threat of compromised devices and data “in the wild,” email us at firstname.lastname@example.org to learn more about our innovative, real-time data monitoring solutions and see a demo.