Mobile devices have become a battleground for cyber security, and the mobile cyber war heated up last week (end of August 2016) with Pegasus, a mobile spyware reported as “a cyber weapon, which is by far the most sophisticated ever detected on a mobile device”.
What to think of it? What to do about it? Please share your point of view and comment on the subject.
Why is the mobile threat so heated?
The small fashionable and personal devices we cherish and carry with us all day long are “integral to how we live, organise and enjoy our lives, whether socially, professionally or personally”. For example, “In 2014/15, the mobile device became the primary technology used by consumers to access financial services in many developing and developed nations with more than 50 per cent of interactions with banks conducted through mobile devices”.
Mobile devices have become a key target for cyber criminals, because those devices are the gateway to our digital lives and they “are collecting and storing an increasing amount of sensitive corporate information and criminals are exploiting weaknesses in a number of communication protocols like SMS, Wi-Fi networks and Bluetooth”.
Mobile devices have then understandably become:
- “an attractive target for cyber criminals, particularly for financial gain and identity theft.”, and
- the subject of “a dramatic increase in not only the number of new malware, but also an increase in sophistication and complexity… Unique mobile malware samples collected by McAfee Labs—72% increase from Q3 (Q3 2014 to Q4 2015)”
The enterprise cyber attack surface is naturally growing fast, driven in part by the BYOD mobile device trend. Cyber criminals simply have more endpoints to take a shot at, and mobile endpoint security may still have some catching up to do when compared to traditional enterprise security.
What are the key mobile threats & risks?
The mobile cyber threats are evolving, and include the following examples (non-exhaustive list):
- Ransomware, such as a basic screen lock that can be unlocked when a ransom is paid.
- Trojans, such as banking trojans that intercept SMS banking authorisation codes and forward them to the hacker, enabling them to conduct fraudulent transactions from the user’s account.
- SMS malware, sending SMS messages to premium services to extract payments without the user knowing.
- Remote Access Tools, commonly referred to as RATs, which hackers use to gain full control of a system.
- Spyware, see Pegasus below, and other types of malware.
Mobile technologies also present key risks, such as the following ones (non-exhaustive list):
- A confidentiality and data loss risk and a challenge to best manage the cohabitation of corporate and personal data on mobile devices, see for example “How do personal tech and professional data mix?”.
- A compliance risk & challenge. Some of the challenges identified in “How to comply with the proposed Australian Government mandatory data breach notification scheme?” may be significantly amplified with mobile devices in mind (e.g. detect a corporate data breach on a mobile device). Other compliance requirements also add to the challenge.
- An increasing privacy risk to end-users, especially in a BYOD context, see for example “The privacy conundrum of context-aware security, user behaviour analytics and awareness APIs in a BYOD Mobile environment”.
Mobile exploits are also getting increasingly sophisticated, and Pegasus is clear proof of that.
Pegasus, August 2016
Just a few days after publishing my latest article on the subject of mobile & privacy, I got news of the Pegasus mobile exploit. A good summary of the exploit is available here: “Inside ‘Pegasus,’ the impossible-to-detect software that hacks your iPhone”.
This is an incredible report of an exploit that is designed to do two things:
- completely take over all aspects of the iPhone, and
- operate like a “ghost” that a user would never be able to see.
The spyware gathers “an incredible amount of data on an affected user. Every single text message, calendar entry, email sent through Gmail, or WhatsApp message is vacuumed up and sent back to whoever is behind the spying. It constantly updates and sends the user’s location from the phone’s GPS. And it even fully downloads the user’s various passwords and steals the stored list of WiFi networks and passwords the phone connects to.” It can also “intercept audio from calls, to include those made through WhatsApp and Skype, or the microphone can be remotely turned on to listen in.”
It doesn’t get any better than that for spyware… and Pegasus also leaves “absolutely no indicators of compromise to the user”.
Interestingly, the exploit was discovered because a target of a Pegasus attack, an alleged prominent human rights activist in the United Arab Emirates, had the good reflex to report a suspicious SMS to cyber security researchers. Without that report, we would probably still not know about the exploit, for which Lookout provides a comprehensive analysis in “Technical Analysis of Pegasus Spyware, An Investigation Into Highly Sophisticated Espionage Software”.
What to do about it?
First of all, if you have an iPhone, ensure you have applied the latest available iOS patch (v9.3.5 or later) that addresses Pegasus.
Report suspicious mobile activities, especially those that have already had an impact. Follow your organisation’s process to report cyber incidents. In Australia, for example, you can also go to the Australian Cyber Security Centre (ACSC): https://www.acsc.gov.au/incident.html
General mobile security recommendations are provided by many good sources such as the following ones (no promotion here): Telstra Cyber Security Report, McAfee Mobile Threat Report, Symantec Internet Threat Report and, importantly, Government recommendations such as the Australian Government’s “Secure your mobile device”.
What do you think about it?
Please submit your comments.