Remember the Mobile Devices
There is probably no topic of contention that I encounter more as an IT security consultant and auditor than mobile device security. People and organizations just don’t want to secure themselves against mobile devices. The excuses are numerous:
- Regulating employee mobile devices will lower morale.
- Employees will think we are spying on them.
- Other organizations allow their employees to use mobile devices freely.
- No one worries about mobile device security anymore.
I have even heard many of these statements, including the last one, from other information security professionals.
DON’T BE FOOLED!
Mobile devices are a serious risk to your organization. I have appeared on the news three times in the last few years to speak about attacks and threats targeting mobile devices. Two of those times were specifically about attacks targeting iPhones and Apple devices. Perhaps for this reason, I was particularly alarmed by a recent conversation I had with a Chief Technology Officer (CTO) while auditing their environment.
The CTO revealed that the company issued mobile devices to employees that allowed them to connect to the corporate network. He also revealed that the company did not have any mobile device policy or Mobile Device Management (MDM) solution. However, he quickly justified this oversight with the explanation: "But the phones are iPhones, so we don't need to secure them." While the statement is a testament to the success of iPhone marketing campaigns, as any mobile device penetration tester knows, it is far from true.
In fact, just yesterday, a group of researchers found that iPhones are susceptible to an attack that can install malware on the device without the user doing anything. The phone doesn't even need to be on. Furthermore, this flaw is present in the device's hardware, meaning it can't be fixed by a software update. The weakness is similar to the T2 Security Chip vulnerability that allows an attacker to gain full privileges on an iPhone simply by connecting the phone with a USB cord to a computer running the proper software. Both vulnerabilities are hardware flaws that cannot be fixed with a software patch.
Exploits against iPhone devices are becoming very common: Apple has already had to release three emergency patches for remote code execution vulnerabilities in just the last five months. The growing flood of attacks against Apple devices recently forced the US Cybersecurity and Infrastructure Security Agency (CISA) to issue directives ordering all employees to patch their Apple devices against the surge of attacks.
What does this mean for you?
Cybercriminals know that the easiest way to gain access to an organization and its data is to attack the company indirectly. They have demonstrated that they are more than willing to hack the home networks of remote employees and CEOs to get around an organization's security controls. They will have no qualms about using compromised mobile devices, like cell phones, to achieve the same goal.
Organizations need to take steps to protect company-issued mobile devices against compromise. They also need to protect themselves against the dangers and risks of employee-owned mobile devices. If your organization is unsure whether it is protected against these risks, hire a security consultant, penetration tester, or auditor to assess your environment and identify the risks present in your mobile device program.