In-Depth
How to Mitigate Smartphone Threats to Your Corporate Network
These tips can help you minimize mobile threats.
By Axelle Apvrille, Senior Mobile Antivirus Analyst and Researcher, FortiGuard Labs
Five billion -- that’s the number of mobile subscribers worldwide according to the International Telecommunication Union (ITU). An impressive figure when you consider that there are 6.8 billion people on Earth. Smartphones are making their way to the corporate environment in greater numbers.
Today, no longer for managers only, smartphones have become a widespread communications tool -- as a mobile extension to their computers. Today’s smartphones allow employees to access their corporate network on the go, read their emails, answer urgent messages, and store boarding passes, presentations, business reports.
Small, practical, useful, and versatile, smartphones present many business advantages, but because the security of mobile phones and their related infrastructure is not fully mature, they have the potential to expose your company’s network to many threats.
The Lost Battle between Security and Usability
Today, companies often require their employees to use a VPN to access the corporate network from their laptops or remote PCs (which are increasingly equipped with anti-virus software). A VPN allows secure access to corporate networks by encapsulating data transfers using a cryptographic method. Unfortunately, VPN solutions for mobile devices are not widespread yet; VPNs require computing power that smartphones seldom have today. Tasks such as encryption or decryption on the fly heavily burden them, making remote access difficult to the end user.
Facing those technical limitations, system administrators must choose between compromising the security of their networks to allow access to smartphone users and limiting their access or directing them to another less-sensitive network. In practice, whenever there is a compromise between usability and security, security loses the battle. The result: most employees can access corporate networks via their smartphone from anywhere and with degraded protection. One can only imagine the damage that may result when those users are using a public access point to get mobile connection!
The inevitable choice of usability over security makes smartphones an ideal vehicle for cybercriminals to attack corporate networks. Cybercriminals are like housebreakers: they search for the weak entry (from a remote PC or an infected mobile phone), find a way to make it yield, and then propagate malware, collect e-mail addresses to spam, steal confidential data, and infect corporate hosts to have them join botnets.
One way to sneak onto a corporate network is by leveraging smartphone synchronization. When the employee synchronizes his/her smartphone at work, their infected device infects the computer during synchronization. The mobile phone acts as a Trojan horse, infects the PC and unwillingly provides access to the corporate network. Several years ago, MSIL/Overcross.A was spread via ActiveSync.
Reciprocally, smartphones -- or more specifically the data they carry -- may be targeted through PCs (e.g infected computers on the Intranet or at home or malicious external hosts controlled by cybercriminals). This is how the SymbOS/Zitmo.A!tr malware recently operated: a computer infected with Zeus, one of the most nefarious and spread Trojans, managed to contaminate victims’ mobile phones. This attack was particularly interesting for cybercriminals because it provided them with an efficient way to defeat the two-factor authentication technique, which is frequently used by banking organizations.
Direct Attacks on the Mobile Phone
Smartphones are light and easy to carry, enabling employees to easily transport essential company documents anywhere they go. Beyond its primary function, smartphones are used as an address book, a USB key, a notepad, or even a recording device. Whether it is a PowerPoint presentation, the specification details of a new product coming from R&D, the direct phone number of the company's CEO, a corporate mailing list or quarterly financial data, these are just a few document types found on today’s unsecured mobile phones.
Most employees feel secure when they lock their mobile phone (with a password or a secret gesture on the touch screen) as they think its content is consequently secured. The reality is different: German researchers of the Fraunhofer institute recently unlocked all secrets of an iPhone in less 6 minutes using standard equipment.
Some employees try to harden the security of their phone by using special anti-theft software or by encrypting their phone's memory card. Those solutions aim at making data more protected from physical attacks. However, those are done by pickpockets, who are less interested in the mobile phone content than in the possibility of reusing or reselling the device.
Cybercriminals do care about the sensitive information stored on smartphones but they do not need physical access to the phone to retrieve it. Rather, they will exploit a vulnerability, for instance a vulnerability in the phone's Web browser (such as the WebKit vulnerabilities on Android phones) or use a social engineering trick to install malware on the phone. Once the phone is infected, it is then easy for the cybercriminal to access any data on the device. In those cases, the locks are useless, and the memory card is usually dynamically decrypted when used.
Tips to Minimize Mobile Threats
Although the computing power of smartphones remains the biggest limitation for their protection, there are a few security measures IT departments should implement to minimize mobile threats from entering their corporate networks:
- Deploy anti-virus filters at the entry points of the corporate network used by mobile phones (WiFi access points, synchronization stations, etc.)
- Prefer mobile providers that filter mobile traffic to remove malware and try to provide a clean pipe to their customers
- Implement security solutions from vendors whose threat research includes the detection and protection against dedicated mobile threats
- Scan communication bills and raise alerts when fees seem abnormal for a given device. This is a frequent symptom of mobile infection
It’s also important to train your employees on simple precautionary practices to help harden smart devices. Those include:
- Apply any software updates to mobile platforms as soon as they become available.
- Do not open unknown SMS/MMS and don’t follow links from friends; delete those SMS or report them to your operator.
- Refrain from providing your phone number to Web sites unrelated to your professional activity. For example, there is usually no reason to provide your cell phone number on your personal Facebook account.
- Ask your system administrators for recommended applications you might need. As a general rule, never install applications you would not really need and download them from legitimate repositories only.
- Disable communication channels such as Bluetooth by default; only enable them when required. Such measure removes a possible attack avenue -- and saves on battery consumption.
- Make sure your private data can be remotely wiped should your phone be stolen. This recommendation is important to prevent being a victim of industrial espionage.
- Choose the TLS protocol for more privacy.
Axelle Apvrille is a senior mobile antivirus analyst and researcher at Fortinet’s FortiGuard Labs. Her fields of expertise include cryptology, security protocols, and operating systems, and she specializes in mobile malware, a growing field in the security industry.