Malware

The Ultimate Jailbreaker, Part 3

Part 1 of this three-part series discusses the “positive feedback loop” tying the evolution of mobile device technologies to the evolution of cloud computing. Part 2 addresses the cloud’s role in shifting the balance of power among from carriers and manufacturers to end-users.

While the cloud appears to be the ultimate jailbreaker, it is prudent to remember that a freed device is a mixed blessing. On the one hand, the phone becomes a truer handheld computer, fully enabled to exceed native carrier and device restrictions. On the other hand, the phone becomes a miniature computer prone to mega security problems.

“For most enterprises and consumers today, mobile and cloud security are viewed in a pretty straightforward way — don’t assume there is any,” Russ Dietz, CTO of SafeNet, told TechNewsWorld.

The Rise of the Cloud Stalkers

The cloud has blown in a paradigm shift that gives rise to a new set of vulnerabilities and a new class of bad guys who will stalk them.

“Historically, consumers have been able to unplug their computers from the network and turn them off in order to protect their data,” Ryan Smith, principal research scientist for Accuvant Labs, told TechNewsWorld.

“With cloud computing, there is a server out there with available data 24 hours a day, seven days a week,” he said. “As mobile rising from cloud adoption begins to take hold, it will no longer matter what steps the consumer takes to protect their data.”

Indeed, each consumer becomes vulnerable to the actions of all other phone users.

“Although getting into cloud-based computing servers will be a more difficult task, the reward will be greater,” explained Smith. “Compromising a single entity will lead to the exfiltration of a large number of consumers’ personal information.”

Given the large number of privately owned phones that are now in use in the enterprise sphere, the threat expands to enterprise data as well. Standard enterprise vulnerabilities from the Open Web Application Security Project (OWASP) Top 10 to the low level buffer overflow still apply, but ownership of the problems — and the fixes — is up for grabs.

“The big change with mobile rising from cloud adoption is that vulnerabilities move from something the enterprise owns and controls to something a third party owns and controls,” explained Smith. “It raises the question about who owns the vulnerabilities and who is able to find the vulnerabilities and remediate them.”

The Call to Danger

There are many ways thieves mine consumer and enterprise data hidden in the cloud.

“Many of the newer mobile platforms have attack vectors that hackers can utilize to extract data off of devices,” Jacqueline Grimm, director of security solutions and strategic channel management at Diebold, told TechNewsWorld.

“These prevalent attack vectors, now combined with the use of mobile cloud computing, can lead to a new attack avenue that enables an even more significant data compromise,” she said.

Grimm cited two examples of these attack vectors: the PDF exploit used for the famous jailbreaking of the iPhone; and the installation of rootkits on mobile phones by researchers as a “proof of concept” that personal data could be extracted from even the latest and greatest of mobile operating systems.

If you think a single device attack is no threat to data in the cloud, think again.

“You already know physically where users congregate, say near the company’s building,” John Bambenek, incident handler with SANS Internet Storm Center, told TechNewsWorld. “You can target a specific organization by attacking those mobile devices in that area via a Bluetooth virus/compromise, snooping, or even cloning a device. Then use that information to compromise enterprise resources in the cloud.”

The malware needed to accomplish such tasks already exists. A considerable chunk of it is delivered via app stores.

“App stores and mobile apps are the greatest hostile code and malware delivery mechanism ever created,” Winn Schwartau, chairman of MobileActiveDefense.com, told TechNewsWorld. “An estimated 20 percent of Android and Apple apps are already infected, and the iPhone/iPad have been rooted.”

The number of reported attacks is low, not because mobile phones are impenetrable fortresses, but because potential attackers have yet to figure out how to monetize their spoils. Cloud access solves that monetization problem. Preventive measures are in order now.

“Today, mobile malware is real and in the wild, and that’s why people should be aware of it,” Denis Maslennikov, mobile research group manager at Kaspersky Lab, told TechNewsWorld. “A lack of information and ignorance only helps the bad guys.”

The Developer Dilemma

Application programming interfaces (APIs) aid third-party partners and developers with application development and data integration between services. They are very significant to mobile, as they power features such as location services, mobile payments and app integration.

Many APIs are woefully vulnerable to attack — partly because APIs are exploding, and developers must deploy them quickly in order to grab market share and increase visibility of the app.

“The time to implement security protocols or best practices often goes by the wayside,” Pete Soderling, founder of Stratus Security, told TechNewsWorld.

Soderling cited mobile banking as a prime example of how APIs create additional vulnerabilities — even among companies with highly protected websites and well-established security protocols.

“Because the application and APIs used for mobile banking might be different than the banks main Web application infrastructure, the mobile app plumbing can fall outside the realm of the typical best practices of security the bank has in place for their main application development projects,” he said.

Application security experts typically take a mobile banking site and load it in a full Web browser — not on the mobile device, but on a regular computer — for testing, Soderling explained. They commonly find a truckload of vulnerabilities by using traditional Web-based penetration testing tools and techniques proving that the mobile sites have basic vulnerabilities that a bank would never release in its main Web application.

“Just because a mobile site is meant to be viewed on a mobile browser with limited functionality doesn’t mean an attacker can’t load it in a normal browser and have full use of their powerful tools to bypass authentication, find vulnerabilities in non-standard encryption, and ultimately crack the site — and the main data store behind it,” he explained.

Because mobile app development is often done outside an organization’s normal security guidelines, problems almost immediately fall through the cracks.

“It’s like having two doors to your bank vault,” said Soderling.

“Web applications of today are like the highly guarded front door fortified by mature security practices and fully capable of stopping an intruder,” he observed. “Mobile APIs are like the unguarded back door — offering far easier access to would-be attackers.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels