During the recent Black Hat USA 2016 conference in Las Vegas, security researchers Josh Thomas and Shawn Moyer of Atredis Partners presented findings which documented flaws in the Android smartphone platform that could make it easier for criminals to hack directly into the device processor.
Less than a week after their presentation, new details have emerged which show that the security vulnerabilities are a lot more significant than previously thought.
Check Point mobile security researchers have revealed that a Qualcomm chip, which powers nearly 900 million Android smartphones and tablet computers, has vulnerabilities they have named the “Quadrooter.”
Smart Phone Security Flaws Exposed
These security flaws could give an enterprising attacker root access to a device. This means that a criminal could take full control of the phone’s stored files and monitor personal use of features such as the microphone or camera.
Since the release of the Check Point report, Qualcomm has issued a statement claiming that they have issued patches for the chip vulnerabilities. Google has also announced that three of the four flaws found by the researchers have been fixed by security updates. The fourth is scheduled to be patched next month.
However, many experts in the security community believe that the recent news surrounding flaws in the Android-based smartphone is just the beginning of a new hacking wave about to engulf the mobile platform. “It’s the new normal,” says Alberto Yepez, a managing director at Trident Capital Cybersecurity. “Everyone should expect that their identity will be compromised.”
Yepez has lengthy experience in the cybersecurity industry, having previously consulted with the U.S. Department of Defense, served in senior management positions with Oracle and Apple, and been the top executive for security companies such as Entrust and Thor Technologies. He is currently the chairman of AlienVault, Mocana, and Neohapsis.
According to Yepez, the research presented at Black Hat in Las Vegas demonstrating how cars, lightbulbs, and chip card-enabled ATM machines could be routinely hacked highlights an even bigger issue. “I feel like we’re seeing the beginning of a new wave of hacking,” says Yepez. “People who create these devices don’t know how to send information in the clear and security is an afterthought.”
Part of the problem is that most smart devices, like phones, are designed to communicate using Wi-Fi or Bluetooth technology that sends and receives unencrypted signals. During the Black Hat conference, Yepez received a demonstration (from a source he could not name) of technology that relates directly to recent smartphone security issues.
The technology he saw was able to send a signal to a smartphone through a public network that compromised the device. “I’m alarmed at how easy it was to take control of a phone,” says Yepez.
App Store Vulnerability to Identity Theft
Another critical point of vulnerability for smartphone users is the downloaded app, which is increasingly becoming an attractive delivery method for attackers who load innocent-looking games or phone tools with malware. Once a poisonous app is on the phone, a keylogging program can be activated which allows criminals to capture everything from phone numbers to credit card information and passwords as a user enters data on the device.
With the rise in malware threats on the mobile platform, the security industry is trying to respond with new tools to address increasing vulnerability. As evidenced by many of the companies demonstrating their technology at the Black Hat conference, the web security market is now moving more broadly into the mobile and IoT (Internet of Things) space. “We’re beginning to see a next wave of security innovation happening to plug the same holes,” says Yepez.
An interesting way that some companies are choosing to address mobile security issues can be found in Appthority, a San Francisco-based firm that was founded in 2011. Trident is an investor in the company, which has developed a technology to evaluate and rate the risk factors of mobile apps.
The security firm says they have evaluated over three million apps to date and they issued a report just a few days ago that offered a look at the kinds of threats that businesses are facing when their employees download apps onto company-issued or personal smartphones. These malicious apps have the capability to raid the personal data of users and open the door for identity theft on a mass scale.
According to their “Enterprise Mobile Threat Update,” the malware known as “Godless” plus two others have recently been found inside apps that can be downloaded from the Google Play Store. “Godless” attacks the root programs inside an Android device, giving attackers significant control. Reports indicate that the malware has already infected 850,000 devices, with only a small fraction of those being inside the U.S. at this point.
Although Android has been plagued by multiple security problems, Apple products are not immune either. The Appthority report also found that Apple’s faster review times for new apps in their store have not necessarily led to safer downloads and confirmed that malware continues to surface in the Apple App Store as well.
Appthority’s research has also uncovered other vulnerabilities, including security weaknesses among IoT devices in the home. Appthority’s president – Domingo Guerra – recently described how smart refrigerators with Internet-connected calendars can expose the homeowner’s username and password. With these credentials in hand, a hacker could swiftly find their way into a person’s bank account and a whole lot more.
Users often wonder which apps are safe to download and which are not. While companies like Appthority can highlight danger factors on a risk scale, there are other studies which show where some attacks are more likely to emerge based on customer experience.
One such company is MobileIron. They were recently named one of the “Top 20 Homeland Security Providers” by Government CIO Outlook Magazine and the firm demonstrated their technology tools at Black Hat.
In conjunction with the conference, MobileIron issued a report which documented the top ten apps which were most likely to be banned for use on a company-owned or work-related mobile device. This list included cloud storage sites such as Box, Dropbox, Google Drive, and OneDrive, the popular game Angry Birds, and social media apps like Twitter and Facebook.
Also making the list were communications apps such as Skype, Line and Evernote. Despite the risks inherent in using these various apps, the report notes that many of these are still found on enterprise mobile devices around the globe, giving attackers a significant threat surface for stealing personally identifiable information.
Perhaps even more surprising is that companies remain slow to respond to growing evidence that criminals are increasingly turning to the mobile platform for attacks. MobileIron’s report shows that less than five percent of businesses are using any type of app reputation or mobile threat detection software in their enterprises.
Importance of cloud storage protection
The presence of cloud storage firms on a list of apps causing the most concern is another important security trend worth watching. As more users migrate their personal information and data files to the cloud, criminals are seeking ways to join the party on this particular highway because it can lead to a large and potentially lucrative trove of valuable information.
This is why technologist Dan Kaminsky told the Black Hat audience in his keynote address that he was pushing cloud storage companies to adopt container technology in order to safeguard private information. “I love Docker containers for this reason,” Kaminsky told the gathering.
Docker data storage containers are one of the fastest growing technology components in cloud architecture today. One reason is that they allow data managers to isolate an app inside a self-contained unit, with limited access to other ports and files inside the broader network.
Security experts are quick to point out that the use of Docker containers alone does not solve the problems of network or data security. Recognizing their own vulnerabilities, Docker released updated security tools earlier this year to bolster protections as more of its customers look to this technology as a way to guard against data theft and corruption.
With criminals increasingly seeking a conduit to the cloud, it’s a good sign that storage providers are actively embracing technology solutions that will better safeguard information. “Overall, I would say that Dockers are a good thing,” says Trident Capital’s Yepez.
Smartphone security issues will only grow in the future
Even the current craze surrounding Pokémon Go, where millions of smartphone users globally are playing the artificial reality-based game with a passion, raises a potentially serious security issue for future mobile threats. According to a security researcher at Sophos, so many people are downloading the app that distribution has spread to a number of third-party websites out of necessity to meet the overwhelming demand.
This has led to a much higher likelihood that additional malware is being distributed along with the enormously popular app. Sophos security researchers have identified one version – DroidJack – as being carried in the Pokémon downloads. This malware is especially adroit at gaining unauthorized access to email, phone contacts, and text messages.
A recently released report by the security firm Gemalto included a Breach Level Index which reported that nearly four billion records have been lost to data theft since 2013. It is also predicted that within the next three years, the number of mobile devices will reach six billion worldwide. As evidence presented from the Black Hat conference and recent events now indicate, the mobile threat is growing at a rapid pace and it will be a significant challenge for the security industry to keep up with the attacks on personal information that are guaranteed to come.