Yesterday, WikiLeaks published documents suggesting the CIA had access to, and developed, tools that can be used to hack smartphones and other Internet connected devices. This is not a surprise to anyone who is even remotely associated to the security industry. These kinds of tools have been in the wild for several years now, and are growing in number and sophistication every day. Hackers across the world, not just those affiliated with nation-state initiatives, have been developing tools for all kinds of noble and not-so-noble purposes. As an American citizen, I will continue believing, perhaps naively in some people’s mind, that all our intelligence agencies, including the CIA, FBI and NSA, use these tools exclusively to protect us and our loved ones.
However, this disclosure should be a wakeup call to all enterprise CEOs, CIOs and CISOs across the world. While the intentions of the CIA may be admirable, malicious perpetrators have developed similar tools and are using them to attack enterprises where they are most vulnerable and lack visibility – mobile devices! While all endpoints, inside and outside the corporate network have proven to be vulnerable, mobile devices are even more so because they connect to all kinds of public, unsecured networks, have a myriad of personal apps installed, and are often not controlled, monitored or even owned by the corporation. Once a hacker gets malicious code onto the device, it can not only be used to steal sensitive information from that device and the cloud / storage services the device has access to, but it can also be weaponized and used as a vehicle to attack other devices or services within a corporate network. This is not something that you just see in the movies or TV shows. It is happening every day across the globe, and most enterprises don’t have the tools to quantify or combat the threats.
Apple and Google are trying their very best to fix vulnerabilities in their respective OS as soon as they are discovered. That is why it is imperative for all mobile users to update to the latest versions of iOS or Android as soon as possible to mitigate reported vulnerabilities. However, that is not enough to protect the enterprise for 3 reasons:
- Even with the latest OS, devices are likely still vulnerable. Unreported exploits are leveraged by sophisticated attackers, often for several years before being identified and reported to OS vendors.
- Not every employee is running the latest OS version at any moment of time, either because they have not updated their OS, or because their device doesn’t support the latest versions. During the window of time between when OS security updates are released and users actually install them, the bad actors have a clear description of the nature of the vulnerabilities and how to exploit them.
- A huge percentage of mobile attacks are network based, such as Man-in-the-Middle and Rogue Access Points, and do not rely on just OS vulnerabilities.
There is no practical way of completely securing any OS – that is the very nature of software development. But there is a solution. At Zimperium, our research team, which has been tracking exploits like this for several years, is actively investigating the tools and the threats announced by WikiLeaks.
If you would like to learn more about Zimperium’s Mobile Threat Defense, please Contact Us.