Mobile Security Exploits: Surviving the BYOD Environment
November 19th, 2015 by admin
IT professionals are more concerned than ever about malicious software infections since smart mobile devices hit the mainstream. Many businesses have been relatively open to the idea of integrating smart devices into their workflow as a way to increase productivity. But news headlines have been quick to cover the many significant security exploits of the last few years. The most troubling part, perhaps, is the period of months or years that some of these security holes existed before anyone noticed.
BYOD, by nature, eliminates a level of control that IT departments are accustomed to having when protecting employee devices.
These devices often store saved passwords and even confidential company information—and, if compromised, can provoke an expensive disaster. Working with a managed service provider can help your business develop comprehensive best practices for mobile device security.
Stagefright
Android’s Stagefright is an example of an exploit affecting 900 million devices that can completely compromise security control. This particular hack uses Multimedia Messaging Service text messaging to upload malicious code and take over a device. A hacker that succeeds in controlling the device has access to everything on it—including confidential emails and financial accounts.
Google has put in the work to solve this issue, but it won’t do users any good unless they can install the patch. The three-tier Google to manufacturer to service provider patch approval and implementation process can delay updates for months.
You can confirm whether a specific device is vulnerable using one of the many Stagefright detector apps in the Play store, including this one by Lookout Mobile Security. If you find that your device is vulnerable to the hack, you can protect yourself by disabling MMS auto downloading in the Messaging app options. While it’s inconvenient to approve each MMS that comes through to your device, you can ignore messages from unrecognized numbers (which will make it very difficult to compromise the device).
Samsung SwiftKey
Fortunately, there’s an IT consulting tip that can minimize your exposure odds to the SwiftKey exploit: Do not update your device when connected to a public Wi-Fi network. The exploit actually requires that the hacker and the device be connected to the same compromised public Wi-Fi network to activate. Additionally, the device user would need to manually confirm that they want to apply the update for the hack to work, so simply refusing all updates while connected to public Wi-Fi at restaurants and stores will protect you.
Fortunately, there’s an IT consulting tip that can minimize your exposure odds to the SwiftKey exploit: Do not update your device when connected to a public Wi-Fi network. The exploit actually requires that the hacker and the device be connected to the same compromised public Wi-Fi network to activate. Additionally, the device user would need to manually confirm that they want to apply the update for the hack to work, so simply refusing all updates while connected to public Wi-Fi at restaurants and stores will protect you.
iOS Exploits Exist
While Google’s Android operating system seems to take most of the heat for mobile device exploits, iOS devices don’t get off scot-free. In May 2015, hackers discovered a text message code that could be used to force iOS devices to crash and reboot when reading the message. Some devices were stuck in an annoying reboot loop. While not a security issue, this exploit could be a major productivity killer, rendering the device temporarily unusable. Apple was able to quickly patch this exploit, and updating the iOS device eliminated the issue.
Apple’s strict app approval process has done a fantastic job of keeping malware out of the App Store. However, in September 2015, hackers were able to sneak malware past the App Store approval process by supplying unsuspecting app developers with compromised code. Fortunately, Apple was able to identify and remove the affected apps before they became a widespread issue.
Working with an MSP is a great way to help protect your employees’ BYOD devices. In an ideal world, every device would be impervious to malicious attacks. But the next best option is to learn best practices to protect you from common attacks.
Posted in: Hardware and Software