We hear constantly about devastating cyber attacks on government institutions, corporations and health care providers.
Last summer, an attack against the U.S. Office of Personal Management exposed personal information about millions of federal employees. Successful cyber assaults against major American corporations such as Target, Sony and J.P. Morgan Chase also attracted attention. And barely more than four months ago, a cyber attack on Washington, D.C.-area hospital chain MedStar, which services millions of patients annually, shut down the hospital’s entire IT system.
What we don’t hear much about, however, is the mind-numbing number of successful attacks against smartphones and tablets, whether in a corporate setting or in the consumer domain. These devices, wide-open to the unprotected Internet virtually 24x7, are protected with even fewer security measures. Last year’s PricewaterhouseCoopers Global State of Information Security Survey detected 53 percent more mobile device security compromises than the previous year.
Over the last three years, moreover, the number of survey respondents reporting compromised mobile devices almost doubled, soaring by 95 percent.
Why Is the Trend So Bad?
Why has the mobile security space been so underserved? Part of the problem in the enterprise segment is that companies have focused on network/data center security but not mobile security. In the consumer domain, many smartphone and tablet users don’t use malware or mobile application security software, research shows. In addition, people are more likely to click on phishing attacks when they're using a smartphone than they are when using PCs.
At least the trend, in part, appears to be shifting. The enterprise is starting to get a grasp on the mobile security problem, and timing couldn’t be better. Research shows that 80 percent of large companies have some flavor of BYOD (Bring Your Own Device) program in place. Even heavily regulated industries, such as healthcare and financial services, are being pressured to implement BYOD programs.
Companies, of course, aren't doing this will-nilly. Among the companies they are turning to for help is Appthority, a purveyor of a cloud-based services. Appthority assesses and manages enterprise mobile application risks by automating continuous scanning and analysis of employee mobile apps for risky behavior, hidden actions and mobile malware, providing continuous visibility and control over potential corporate security and privacy threats.
Mobile IT administrators or employees get the chance to see security ratings of their apps before the apps are downloaded to a mobile device an employee will use for work. The technology also scans mobile devices and spotlights risky applications that pose a threat to the corporate network. Appthority demand is such that growth in the first half of 2016 more than doubled over growth during the first half of 2015.
Consumer Mobile Security Outlook Is Not Upbeat
Unfortunately, the outlook in the consumer domain isn’t nearly as upbeat.
One negative sign, likely to be in the news again shortly, is that cyber criminals are seeing large-scale sporting events as a chance to take advantage of tourists accessing information on the web by tricking people into being trapped by malicious websites.
On the immediate horizon are the Rio Olympic Games, and mobile cyber, unfortunately, may steal some of the headlines. This isn’t merely conjecture: The just-ended Euro 2016 football tournament saw a sharp increase in the number of malicious websites accessed by smartphones. According to Promon, an app security provider, an overwhelming majority of most known malicious websites were detected on mobile devices in host-nation France. There is no reason not to expect a repeat in Rio.
Symantec has been experimenting with scanning Android apps for vulnerabilities and privacy issues and has found that almost a third of all apps scanned leaked SIM card information, such as address book details, mobile PIN numbers and call histories. Such actions are already taking a significant toll.
According to VMware’s Airwatch blog, more than 1 billion mobile phone records were breached in 2014, the latest figure available. And 25 percent of all mobile devices now encounter a threat monthly, Airwatch adds. Smartphone operating systems are built from scratch and generally have good security protection, particularly the iPhone, but cyber criminals have become far more sophisticated and, as mentioned, many smartphone and tablet users don’t use supplementary antivirus software.
Cyber Criminals Can Penetrate Phones without Phishing
Unfortunately, savvy hackers can easily penetrate smart phones without phishing, and increasingly they’re doing just that. Two years ago, Mathew Solnik, then a 28-year-old security consultant working with Fortune 500 companies and the U.S. government, made a presentation at a BlackHat security conference in Las Vegas at which he took over a smartphone from 30 feet away, He essentially used a fake cellphone tower, without alerting the user or the cellular service provider.
In the same vein, 15 months ago Reuben Paul, a nine-year-old third grader at Houston-based Harmony School of Science, took to the stage at a Security B-Sides conference in the city and stressed the importance of being extra careful when downloading apps. He showed how even seemingly safe software can be used by cyber criminals to access sensitive data and snoop on the target person’s location. Then Paul demonstrated this, masquerading as a cyber criminal, and successfully completed the hack in 15 minutes.
He claimed it can happen anywhere, to anyone and at any time, and could be perpetrated by any seasoned hacker.
Even Apple is Vulnerable
Even Apple and its highly secure iPhone are fallible.
Apple initially ignored a FBI directive in March to unlock the iPhone of a San Bernardino gunman who was killed by police after a terrorist incident in that city. Neither side would budge as the confrontation heated up. Then the FBI suddenly backed off. It managed to find an unidentified third party to unlock the iPhone—a feat many experts thought could not be done—and no longer needed the services of Apple.
The state of smartphone cyber protection is unequivocally a huge problem. Left largely unaddressed in the consumer domain, it is certain to get worse. Forecaster B1 Intelligence projects that there will be 1.75 billion smartphone shipments globally by the end of this year, up well over threefold from five years ago, and grow to about 2.1 billion by 2021.
Serious work needs to be done to help remedy this problem, and the sooner the better. As Appthority is demonstrating in the private sector, creative answers are out there.
Sean Cunningham is a managing director at Trident Capital Cybersecurity, an early stage venture capital firm that invests in cybersecurity.