enterprisesecuritymag

The Threat in Your Pocket

By Veysel Erdag, Chief Information Security Officer at University of Arkansas at Little Rock

Veysel Erdag, Chief Information Security Officer at University of Arkansas at Little Rock

It was a long battle between security professionals and computer users. After countless hours of meetings and security awareness training and budget fights, computer users accustomed to following security policies and rules.

However, the story is very different for mobile devices and their users. Phones and tablets are generally seen or accepted as personal property, and they provide a lot of opportunities to communicate, collaborate, and share information.

"In addition to collecting and stealing information, these malicious codes can also perform cryptocurrency mining on the mobile device"

Anybody accepting and following organizational security policies and practices is not reflecting on their experience and knowledge while they are using their personal devices or systems. Mobile device users have a higher level of trust in their devices, and in general, believe that only computers (desktops or laptops) are susceptible to malware, or attackers only target these devices.

Mobile devices are handier than computers. They are always with us. They are with the owner wherever the owner goes. Most of the time, mobile devices contain more sensors or data collecting capabilities than computers. It is also possible to create more detailed information about the owner or user of these devices by combining data produced by these sensors or data collecting capabilities. For example, when you take a picture with your mobile device, your phone can add your location data to your images.

In this respect, one of the significant threats, when we use mobile devices, is the threat to our privacy. When we use our mobile devices, they insert a lot of information about the user without even knowing. In addition, applications used on these devices also collect various information about the owner and the device. Some of the applications ask for permission to collect the data. Yet, there is a considerable number of applications that do not ask for permission to collect the data. It is not easy to know how the collected information is used, but it can be said that mobile device users are helping companies to make more money. All the data can be used for marketing purposes or to improve products.

If somebody asks questions about our private life, we reject to answer these questions. If somebody asks you to send all the information about our friends or family, we will definitely say a big “NO.” However, applications we use on our mobile devices are collecting all these data without getting any consent or permission.

The second important threat is mobile malware. Since it is not an easy and preferred method to deliver infected files to mobile devices, infected websites are used. Attackers use traditional phishing emails or text messages (SMS) to infect mobile devices. When an infected site is visited, malicious code can be executed on mobile devices. In addition to collecting and stealing information, these malicious codes can also perform cryptocurrency mining on the mobile device. Since it is easier to infect mobile devices and not easy to detect, cryptocurrency mining is becoming more popular. While the mobile device is up and running, the malicious code infected this mobile device runs on the device, and uses computing power on the device, uses internet connection and consumes the power on the device. Therefore, the owner of the infected mobile device sees performance degradation, increasing internet usage, and very short battery life.

Some of the applications can also include malicious codes embedded into these applications. When these applications are installed on mobile devices, malicious codes will be activated, and the attacker will gain access to the mobile device.  The attacker can use integrated tools on the mobile device to listen to your conversations even the mobile device is not in use, take pictures, read your messages, send messages to your friends or your contacts in general, tap into personal and private information, or delete information on the device. If the mobile device is being used for both business and personal purposes, the attacker can access corporate data, and this mobile device will create a back door for the attacker to access to critical or sensitive data in an organization.

The third threat uses social engineering methods to scare the mobile device owners and try to convince the mobile device owner to share personal or organizational information. Scam calls or messages are also used by attackers to gain financial income. Attackers generally use names of government and law enforcement agencies' names when they call their victims. The most frequently used agencies are IRS (Internal Revenue Service), Sheriff’s office or police departments, ICE (Immigration and Customs Enforcement). In addition to official names, grandchildren and friends can also be used in these scam calls or messages. Friends are the most common subject in such an attack while grandchildren are mainly used to steal money from older people.

Everybody is cautious about the physical security of our homes and cars. However, connected and smart homes are helping attackers to bypass the physical security measures used to protect homes, buildings, and vehicles. Since mobile devices are used to manage homes, buildings, and cars, if the attacker gets control of a mobile device, he/she can also control everything in a building and even in a car. They can open doors, disable security systems, change the temperature, and watch our homes or buildings by using cameras.

Although there exist some threats listed and explained here, we need to continue to use our internet-connected mobile devices because they are helping us in our daily lives. We should be more careful, and we need to follow the recommended safeguards. It is essential to be sure that the applications we use are authentic (downloaded from approved application providers). Before installing any application, all the permissions must be checked, and if the application is asking for additional, unnecessary access to private information, simply do not install the application or change the permissions if it is possible.

Read Also

Implementing Software-Defined Everything in the Data Center

Implementing Software-Defined Everything in the Data Center

Jim Livingston, CTO, University of Utah Health
BYOD: How to Safeguard Your Company's Data with Policies and Procedures That Address Visual Security Threats

BYOD: How to Safeguard Your Company's Data with Policies and Procedures That Address Visual Security Threats

Rebecca Herold, President of SIMBUS LLC, CEO of the Privacy Professor and 3M Privacy Consultant
How Will Innovation Impact the Practice of Cybersecurity?

How Will Innovation Impact the Practice of Cybersecurity?

John Felker, Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security
The Guardian of Electric Utilities

The Guardian of Electric Utilities

Bill Lawrence, NERC Vice President, Chief Security Officer, and Director of the Electricity Information Sharing and Analysis Center

Weekly Brief