LAS VEGAS–Given the current state of mobile security, there is little hope of keeping corporate and personal data secure. A panel of researchers who hunt for attacks and bugs at every level of the mobile device and its supporting infrastructure said at Black Hat that attackers have so many ways to compromise phones, from the carrier infrastructure all the way down to the application layer, that defending against all of them is highly problematic.
Attacks against smartphones such as BlackBerrys, iPhones and Android phones have become quite prevalent in recent years, and many of them have focused on getting malicious apps onto users’ phones. That’s a quick and easy way to get access to user data and sensitive information. But there are a slew of other real and potential vectors that attackers now have at their disposal as well. Going after the device firmware is one potential method, as is attacking the mobile infrastructure itself.
“If I can update your phone remotely, I own the phone at every level and I own you. It’s game over,” said Don Bailey, a senior security consultant at iSEC Partners, during the panel discussion.
Bailey has done research on similar attacks against GSM-based devices recently.
“We could force firmware updates on every GSM module on all of these devices. It would have been complete mass ownage,” he said. “There’s no logs, no record of it.”
Such an attack against a widely deployed smartphone platform would give an attacker easy access to the data of millions of customers. But so far that kind of attack hasn’t been necessary in order to get malware or backdoors onto users’ phones. In many cases, users will install them themselves when they download Trojaned or malicious apps from mobile app stores. There have been several incidents in the last year in which malicious apps were found in the Android Market; Google has had to pull them from the market and, in some cases, remotely remove the apps from victims’ devices.
Those kinds of simpler attacks can also hand large amounts of user data to attackers in a short amount of time. Some of the panelists said that restricting which apps users can download, and taking away their ability to set permissions for those apps, would be a step in the right direction.
“Users should not be allowed to set their permissions on their apps. A sane set of restrictions that makes downloading an app from a site as safe as visiting a Web site I think is where mobile security needs to go,” said Dino Dai Zovi, an independent security researcher.
Enterprise security staffs face a hard problem: users have access to corporate data on the same phones they use to freely download apps and play games, and separating the two is not easy.
“The application layer is one of the hardest to secure because everyone wants to be able to download whatever they want and I’ve found it’s very rare that a company won’t let people do that when they also have access to corporate data,” said Chris Wysopal, CTO of Veracode.