“I am pleased that Apple was able to quickly address this security breach, but it is clear that Congress must do more to address the issues of mobile security. I believe a congressional hearing is in order and plan to work with my colleagues to examine these critical security concerns.”
-Congressman Ted W. Lieu (D, Los Angeles County)
After news of the Trident vulnerabilities broke, Congressman Ted Lieu issued a statement urging the U.S. government to pay closer attention to mobile security.
Congressman Lieu’s comments follow a trend of individuals and agencies calling for attention on mobile security. The White House Digital Government Strategy, the DoD Mobile Device Strategy, and NIST’s Mobile Device Security for Enterprises Building Block document urge agencies to adopt and secure mobile technology to improve service and enhance effectiveness.
The “Trident” vulnerabilities are three previously unknown, or zero-day, flaws in Apple’s iOS that, when exploited together, could allow an attacker to silently jailbreak a victim’s device and spy on a wealth of communications. Lookout worked directly with Apple to fix the vulnerabilities, which resulted in the latest iOS update, 9.3.5.
Working with Citizen Lab, Lookout determined that this software is one of the most sophisticated mobile spyware attacks out there. Once it has jailbroken the device, the spyware can access all messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, and many others. It also appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete. If something goes awry or the spyware is detected, the software can trigger itself to self-destruct. This one of the most sophisticated attacks on mobile we’ve seen to date and should be considered a very serious threat to any organization or agency.
“The fact that over two thirds of adults in the United States own a smartphone makes the device a natural target for bad actors, and we as a nation have thus far failed to take the threat seriously,” Congressman Lieu explained in his statement.
Threats like these are very targeted. Adversaries are likely to use this kind of attack only when the individual has access to sensitive information. Likely victims include government officials, CEOs, other line of business leaders, and anyone else that could be considered either a person of interest or a person with access to information or who could act as an entry-point into a desired system.
Federal agencies and businesses alike need to consider their mobile security postures. Whether their environments are managed or not, these groups must assess whether the devices their employees are using are:
- Jailbroken or running compromised operating systems
- Running malicious software or processes
- Running “risky” or “non-compliant” applications (i.e. apps that are not inherently malicious, but may still leak data)
- Running vulnerable software
Concerned your agency or organization might be impacted by the Trident vulnerabilities? Contact us.
Read the full statement from Congressman Lieu here:
“As a computer science major, I am incredibly alarmed, but unfortunately not surprised, by the discovery of significant security vulnerabilities in one of our country’s most prolific smartphone operating systems. The fact that over two thirds of adults in the United States own a smartphone makes the device a natural target for bad actors, and we as a nation have thus far failed to take the threat seriously. From the SS7 network to iOS, vulnerabilities in our communications systems have made it possible for foreign governments, criminal syndicates and hackers to target individuals and have near-full access to everything we say or do on our smartphone. Today’s announcement follows news last week that an anonymous group had stolen a jackpot of hacking tools to exploit “zero-day” vulnerabilities from the National Security Agency and published them for all the world to use.
“I am pleased that Apple was able to quickly address this security breach, but it is clear that Congress must do more to address the issues of mobile security. I believe a congressional hearing is in order and plan to work with my colleagues to examine these critical security concerns. I also again urge the Administration to disclose the criteria used in determining whether to notify cyber vulnerabilities to private sector companies rather than hoard and conceal the vulnerabilities. Whatever our government may do in terms of using cyber malware, others will do to American citizens. The best protection for the United States and our people is to have secure systems.”