In this News Insight, Ars Technica reveals the most common blind spots in mobile security. If you’re looking to strengthen your security plan, download our definitive guide to reassessing mobile security practices. —Samsung Insights editorial team
Mobile devices are built to instill a sense of confidence. Their weight, balance and aesthetic subconsciously communicate that we’re wielding tiny but extremely powerful computers—meticulously crafted to underpin our digital lives. Yet as security experts are quick to point out, elegant design doesn’t necessarily equate to security. Security holes tend to be invisible.
More than 80 percent of Americans now operate some portion of their lives through smartphones. Five years ago it was less than 40 percent. Any network growing that fast will open up avenues for breaches just as rapidly. Sniffing Wi-Fi, rogue hot spots, data leakage, unlocked devices, malicious downloads from the web or app store—the more communication points, the more attack points. And all usually with a simple goal in mind.
Karen Scarfone writes the federal guidelines for best practices in mobile device security. “Attackers are mainly looking for passwords,” she says. “A lot of email passwords still go back and forth in the clear. That’s a big problem.”
Security hawks constantly advise using different passwords across different accounts but even that measure can fall short. When an attacker gains access to someone’s inbox, they often have the keys to every other account. They just do a password reset. Now they can leaf through bank records, purchase history, private correspondence, work documents and anything else the target’s done online.
So how are attackers getting in?
The forensics, especially on consumer devices, can be very difficult to trace. So it’s tough to measure the most common pathways. Hackers often penetrate chips that don’t secure functionality down to root hardware. Chips need highly defined functions for each process—to prevent cross-functional breaches—and kill switches that trigger if they detect a hack. The device dies but the data stays safe.
Often breaches involve installing rogue software called malware that logs or transmits what someone’s typing or sending. Or if an attacker’s able to intercept communication between a device and a webpage—a process known as “sniffing”—they can redirect traffic and collect data.
Janusz Jezowicz, CEO of Optimal Software, says this trick is almost impossible if a website’s using HTTPS—but those that haven’t adopted SSL certificates (HTTP) will leave someone vulnerable. “In general, we see that increased HTTPS adoption will have a big impact on improving Wi-Fi security,” he says. “Users will be able to use public Wi-Fi networks with more confidence.”
With insecure webpages, the attack might work as follows: You’re browsing http://www.helloworld.com and click the ‘Email us’ link. (Note the lack of S on HTTP.) This redirects to https://mail.helloworld.com. Since the first site wasn’t encrypted, an attacker intercepting the traffic could modify the ‘Email us’ link to redirect somewhere else, like mail.helloworld1.com. (Note the 1.)
The attacker could then provide their own SSL certificate (instead of HelloWorld’s SSL). The user’s browser would flag the certificate as incorrect but, Jezowicz says, the majority of users often just click “allow” or “OK” because they want to complete their task. That allows a “man in the middle” attack, where the attacker can change or intercept the information between the website and the user.
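The link tampering described above can be checked for from the defender's side. The following is an added example, not from the article: it audits the links on a page against the domain the site is expected to use and flags lookalike hosts such as the article's mail.helloworld1.com. The function names, the sample HTML and the two-label shortcut for the site's domain are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def site(host):
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_links(page_url, html, expected_site):
    """Return (url, finding) pairs for the page and for links that leave expected_site."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append((page_url, "page served without TLS; its links can be rewritten in transit"))
    for href in collector.hrefs:
        url = urljoin(page_url, href)
        host = urlsplit(url).hostname or ""
        if not host or site(host) == expected_site:
            continue  # relative, mailto: or same-site link
        near = edit_distance(site(host), expected_site) <= 2
        findings.append((url, "lookalike domain" if near else "off-site link"))
    return findings

# Constructed sample: the article's page after the 'Email us' link was altered.
SAMPLE = """<a href="/about">About</a>
<a href="https://mail.helloworld1.com/">Email us</a>
<a href="https://www.example.org/">Partner</a>"""

if __name__ == "__main__":
    for url, finding in audit_links("http://www.helloworld.com/", SAMPLE, "helloworld.com"):
        print(finding, "->", url)
```

Run against a copy of the page fetched over a trusted connection and against one fetched over the network being tested; a lookalike finding that appears only in the second copy points to modification in transit.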
Explanations like these highlight why security researchers have trouble getting through to users. They’re complicated! And many people feel—not without reason—they’re unlikely to be a target. The number of attackers compared to the number of people accessing the Internet each day is a staggeringly small percentage. People still swim in the ocean despite the fright of shark attacks.
Most digital sharks, though, aren’t after swimmers, per se, but where the swimmers work. Data breaches in the workplace have become commonplace in the news. Precise forensics are rarely made public but corporate and government security teams bend over backwards trying to keep employees’ habits secure. One of the biggest measures they take is restricting downloadable applications.
App store managers have worked to weed out malicious applications—and while those downloads comprise a minuscule fraction of overall downloads, bad actors still get through. Often these are simple applications, like a game or even a flashlight, that ask for access to contacts or other personal information on the phone. The attackers count on users not realizing what they’re giving away.
While holes remain, there’s an overall sense that while “everything’s hackable,” “things are starting to improve.” It’s too important not to. The web and smartphones are too integral to corporate and personal lives and so manufacturers are motivated to build increasingly secure browsers, devices, routers and networks.
Jezowicz believes, for instance, that tools for sniffing Wi-Fi will soon be a thing of the past. But then he’s quick to add, “Of course, new methods will appear.”