It is no secret that the use of smartphones has risen exponentially over the last few years. The fact that smartphones are now an integral part of most people’s daily lives has been recognised with the emergence of the Bring Your Own Device (BYOD) phenomenon.
A typical smartphone bought in 2014 will most likely be more powerful than an average consumer laptop was in 2002. With this amount of portable power comes corporate responsibility, particularly when these devices are being constantly used inside and outside of workplaces.
What risks does bringing your own device to a workplace pose to an organisation?
Smartphones are now commonly being used to:
- Check corporate e-mails
- Upload/download corporate documents
- Receive voicemails
- Connect to office devices, such as corporate laptops, printers etc.
Naturally, mobile devices have become a target for attackers.
What security concerns exist for mobile devices?
There are a number of ways mobile devices are being attacked, including:
- SMS attacks
- Mobile malware
- Malicious apps
- Man-in-the-Middle attacks
- Bluetooth attacks
Attackers can examine the flow of data to and from devices by assessing their typical protocols:
- USB – USB ports can be used for charging and for data transfer. If a device does not have any protection in the form of a screen lock, a malicious entity can quickly mount the device on a computer and siphon off available data. The USB connection can also be used to root Android devices or jailbreak iOS devices (bypassing restrictions set in place by the manufacturer) and extract further data that is not readily accessible. This includes, for example, SMS/MMS databases, contacts, e-mail contents, historical GPS locations and screenshots.
- Wireless – Mobile devices keep a history of wireless SSIDs that they have previously connected to and routinely probe for these. Attackers can assess these probes to compile a list of the owner’s potentially visited geographical locations. A typical Man-in-the-Middle attack can intercept any data going to and from the mobile device, including corporate remote mail access, depending on how it is configured.
- Bluetooth – Somewhat less popular, but still a target for attackers.
- Removable media – possibly the simplest of all attacks: removing the media card from a device. If the device does not support or enforce encryption, the attacker is free to extract all the data from the removable media.
What can be done to decrease the risks associated with BYOD?
- Implement an MDM (Mobile Device Management) solution – This can centrally administer corporate devices by enforcing security policies, with solutions for emergency situations, such as GPS tracking, and remote lock and wipe features. This can also enforce the use of security features that are available on stock mobile operating systems, such as passcode locks and data encryption.
- Implement mobile anti-malware/anti-virus solutions – It is important to mention, however, that popular mobile AV software has recently come under scrutiny for not detecting some of the malware that is in existence.
- Security Awareness Training – Education on security and inherent risks is arguably the most important solution when it comes to security as a whole. It has been said that the human element of any system is the weakest link; many users have fallen victim to social engineering attacks, for instance, which continue to present one of the most significant risks facing organisations today.
To contact Nettitude's editor, please email firstname.lastname@example.org.