Mobile Threat Defence, why address mobile security

Date of issue

1. 4. 2021


Why address the security of mobile devices

In most companies, large and small, employees work on computers that their internal IT typically manages using traditional Windows technologies – Active Directory, GPO, SCCM, etc. Computers are updated automatically, antivirus is running, the firewall and other security functions are enabled. Company computers are therefore relatively well protected, and the company has an overview of what is happening on them.

In contrast, corporate mobile devices (phones, tablets and other wearables) are at best managed by the company using one of the Mobile Device Management (MDM) technologies, but what is happening on these mobile devices beyond MDM management is usually not visible. Today, every employee can use a mobile phone or tablet to send e-mails, use company applications, and access company data as conveniently as from a computer. Mobile devices are even the only work tool for some employees.

The number of mobile devices in companies is constantly growing, mostly at the expense of traditional computers. Mobile systems are evolving, their complexity is increasing, and vulnerabilities and bugs are appearing. Attackers are following these trends and shifting their attention to these mobile devices that companies are not protecting as much. Over the past few years, there has been a large increase in malware and attacks targeting mobile devices.

Several factors affect the security of mobile devices.

It is always necessary to decide in advance what mobile devices will be used for in the company and what data and applications the user will work with. It is important to consider the capabilities of each mobile platform (Android/iOS) and choose the appropriate way to manage them (MDM). Samsung mobile devices, for example, offer security functionality that goes beyond what standard Android devices provide.

Companies usually get it wrong when buying mobile devices – they choose at random or purely on price, and only afterwards plan how the devices will be used and managed. This inappropriate practice usually ends in a compromise that is detrimental to both functionality and security.

But even with the right choice, the technology (MDM) alone may not be enough.

MDM functionality vs MTD

MDM is primarily a configuration and inventory tool that allows administrators to manage an entire fleet of corporate mobile devices from a single console. Using configuration profiles, you can set various restrictions on devices, enforce an unlock password, and set up Wi-Fi, VPN, or access to the user’s mailbox. Using MDM, it is possible to automate the installation and configuration of corporate applications and ensure the separation of corporate data from private data. The MDM client on the device is capable of basic root/jailbreak detection. MDM further evaluates the conformance of the device by comparing the defined policy with the reported state of the device. If everything is in order, the device is marked as compliant. This information can then be used in MDM itself as well as in other systems.

Enterprise Mobility Management solutions also include the functionality of secure communication to the enterprise via a reverse proxy, which is tightly integrated with MDM and allows access only to managed devices.

MTD is a specialized tool for detecting and protecting against modern security threats.

The two tools are not mutually exclusive, but rather complement each other.

Use case: equipment fully under control

If the customer decides to have everything under control, then the device is typically activated in Android Enterprise Fully Managed mode, or in the case of iOS in so-called Supervised mode. These two activation methods allow maximum configuration and setup of the device. For example, you can restrict the use of the device to business applications, allow access to selected websites only, disable the addition of personal accounts, and disable specific device functionality. In the extreme case, the device is configured in kiosk mode with one application running permanently (Single-App mode). This setting can limit the potential attack vectors to a large extent, especially if the devices are running on a purely internal/dedicated network, e.g. on a production line.

However, if the devices are connected to the Internet, then a dedicated Mobile Threat Defense solution is a suitable complement to MDM.

Use case: BYOD / Business and personal devices

The risk increases substantially if employees are allowed to access company data from private devices (BYOD mode) or the company does not prevent the use of company devices for private purposes. In these cases, we are limited in what can be disabled on the devices and what information MDM collects about them. There is a strong emphasis on protecting user privacy. A typical solution for these scenarios is to create a work container that houses the company’s data and applications, where MDM then manages only that container. One consequence is that MDM does not see, for example, the applications installed in the user’s personal space. The MDM administrator can only prohibit the installation of apps from unknown sources (the user can then install apps in the personal space only from Google Play).

Modern security threats

These are device attacks, application attacks, and network attacks. Phishing and social engineering is a big topic in its own right. In practice, it can be a combination of all of these attacks, where the attacker chains techniques to do as much damage and get as much data as possible. The weakest link in a security solution is usually the user, who will do almost anything to get Internet access or to download a file. Users often do not behave according to internal guidelines, and this should always be taken into account.

Attacks on equipment

These are attacks that exploit vulnerabilities in the operating system or chipset firmware. In the past, there have been several attacks exploiting vulnerabilities in Wi-Fi/BT chipset firmware (e.g. Broadpwn), where it took device manufacturers quite a long time to patch these vulnerabilities. These vulnerabilities could be exploited to escalate privileges to root level and take control of the device.

Another type of attack can be directed at the USB interface, where the user just needs to connect the device via USB to a charger at the airport, or plug the device into the system of a rental car. The attack can also be conducted via an SMS message that arrives on the device and is automatically processed by the system without the user viewing the message.

The goal of the attack is to take complete control of the device and then obtain corporate data.

Application attacks

It has already been mentioned above that MDM can disable the installation of applications from unofficial stores or downloaded .apk files. This will only allow apps to be installed from Google Play and Apple App Store, where the app goes through an approval process. Even so, there is no way to be 100% sure, and history has shown that unsafe apps repeatedly appear there as well.

Infected applications can, for example, abuse the accessibility functionality on the device, overlay the application currently in use, and capture everything the user types or displays on the device. This data is then forwarded to the attacker’s server.

The app can also exploit known vulnerabilities in the OS to gain root privileges or run a network scan to look for known vulnerabilities in the network to which the user is connected via a mobile device.

Application attack risk – obtaining sensitive data or controlling a device.

Network attacks

These are attacks conducted on network communications. Typical examples are attacks over public Wi-Fi networks. Again, an example from practice: a user connects to a public Wi-Fi network at the airport, in a hotel or on a train. This network is usually never removed from the settings of the device. The device then constantly searches for its stored Wi-Fi networks, broadcasting their SSIDs. The attacker captures this information and creates a Wi-Fi network with the same name on his own Access Point (AP), which he controls – this can be done in a fully automated way, e.g. using a WiFi Pineapple device. If he manages to switch the device over to his AP, he typically proceeds with a Man in the Middle (MITM) attack to decrypt and eavesdrop on the communication, i.e. to obtain login credentials and sensitive company data.
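The evil-twin scenario above can be turned into a simple on-device check. The following Python is an added illustration written for this article, not code from System4u or any MTD product; the saved profiles, BSSIDs and scan results are constructed sample data. It flags two things a defender cares about: a saved SSID that suddenly appears with weaker security than the device remembers (an attacker impersonating a WPA2 network without the key can only offer an open network), and a saved profile seen from a BSSID the device has never used. It also lists the saved open networks that should simply be forgotten after the trip.

```python
"""Evil-twin Wi-Fi detection from saved profiles and scan results (illustrative example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    bssids: frozenset     # BSSIDs seen when this profile was legitimately used
    security: str         # "open", "wpa2" or "wpa3"


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str
    security: str
    signal_dbm: int


# Constructed sample data: profiles the device still remembers from past trips.
SAVED = {
    "Airport_Free_WiFi": SavedNetwork("Airport_Free_WiFi",
                                      frozenset({"aa:bb:cc:00:00:01"}), "open"),
    "CorpGuest": SavedNetwork("CorpGuest",
                              frozenset({"10:20:30:40:50:60", "10:20:30:40:50:61"}), "wpa2"),
}


def assess_scan(saved, scan):
    """Return (ssid, bssid, reason) for scan entries that look like impersonations
    of a saved profile. Unknown SSIDs are ignored: the device will not auto-join them."""
    findings = []
    for r in scan:
        profile = saved.get(r.ssid)
        if profile is None:
            continue
        if r.security != profile.security:
            # Same name, different security: the classic rogue-AP signature.
            findings.append((r.ssid, r.bssid,
                             f"security downgrade {profile.security}->{r.security}"))
        elif r.bssid not in profile.bssids:
            findings.append((r.ssid, r.bssid, "unknown BSSID for saved profile"))
    return findings


def stale_open_profiles(saved):
    """Saved open (unencrypted) networks: an evil twin can impersonate these without
    knowing any key, so they should be forgotten once no longer needed."""
    return sorted(s.ssid for s in saved.values() if s.security == "open")


if __name__ == "__main__":
    # Constructed scan: a lookalike airport AP and an open "CorpGuest" clone.
    scan = [
        ScanResult("Airport_Free_WiFi", "de:ad:be:ef:00:01", "open", -40),
        ScanResult("CorpGuest", "10:20:30:40:50:60", "wpa2", -60),
        ScanResult("CorpGuest", "de:ad:be:ef:00:02", "open", -35),
        ScanResult("Cafe_WiFi", "de:ad:be:ef:00:03", "open", -70),
    ]
    for finding in assess_scan(SAVED, scan):
        print("suspicious:", finding)
    print("forget these open profiles:", stale_open_profiles(SAVED))
```

The BSSID check is noisy on large open networks (an airport has many access points with the same SSID), which is why the security-downgrade check is the stronger signal and why forgetting open profiles is the cheapest mitigation of all.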

Phishing and social engineering

This includes the well-known scam e-mails. But with new technologies, new types of attacks are emerging and the ingenuity of attackers is growing. This is also due to the technical characteristics of mobile devices. Take QR codes, for example, which are now popular for connecting to a Wi-Fi network or as a quick way to find information on the web. However, a QR code can just as easily take the user to a fraudulent page. Mobile devices have a small screen, and content is prioritised over controls, so the address bar in the web browser may not always be clearly legible. If an attacker combines these technologies, i.e. creates a QR code linking to a web page with a domain name and content close to the real one, it is very easy to be fooled and enter e.g. login details on the fraudulent page.

So watch out for QR codes, watch out for URL shorteners, and watch out for punctuation and accents in domain names. International domain names have been supported for some time now, so it is possible to register a domain called, for example, “Mí”: it is a valid domain with just one accent above the “i”, and it is not a Microsoft site but an attacker’s site. You also need to make sure that the page you are visiting has a valid certificate, but even this does not mean 100% security – the attacker’s site usually has a valid certificate too.

The attack can also be conducted through a reverse proxy such as Modlishka, which sits in the path to the official page (e.g. the aforementioned Microsoft site) and intercepts the communication.

In all of these cases, the attacker is again attacking to obtain login credentials and sensitive company data.

Attacks can be prevented with Mobile Threat Defense (MTD)

MTD can detect known and unknown types of attacks (Zero-Day) by advanced analysis of application and OS component behavior (e.g., detect privilege escalation). This analysis is usually performed directly on the device and often with the use of machine learning. Based on the assessed risk factor, a defined action can be taken.

The MTD solution can perform both static and dynamic analysis of applications. Applications are analysed in a sandboxed environment in the cloud and the output is a Risk Score of the application in terms of both security and privacy.

Protection against phishing is typically designed so that communication passes through a local VPN interface and analysis is performed there. You can also define a block list or a list of secure (internal) addresses for the VPN interface.
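To make the phishing section and the VPN-based filtering concrete, here is an added Python example (written for this article, not code from System4u or any MTD vendor) of the kind of URL check an MTD agent can apply to traffic passing through its local VPN interface. The block list, allow list, shortener list and protected-brand list are constructed for the example; a real product draws them from its cloud database and from the administrator’s configuration. The check decodes punycode (xn--) hostnames back to Unicode, flags non-ASCII hostnames and URL shorteners, and strips accents and a few look-alike Cyrillic letters to see whether the name visually resembles a protected domain, which is exactly the “accent above the i” trick described above.

```python
"""Phishing URL checks for a local VPN filter (illustrative example)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed lists for this example; a real MTD feeds these from its cloud
# database and from the administrator-defined block/allow lists.
BLOCKLIST = {"login-verify.example"}
ALLOWLIST = {"intranet.corp.example", "mail.corp.example"}
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
PROTECTED_BRANDS = {"microsoft.com", "corp.example"}

# Tiny confusables table (Cyrillic letters that render like Latin ones).
# A real implementation uses the full Unicode TR39 confusables data.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i",
})


def unicode_host(url):
    """Extract the hostname and decode punycode (xn--) labels back to Unicode,
    so that the user-visible form of the name is what gets inspected."""
    host = (urlsplit(url).hostname or "").lower()
    if "xn--" in host:
        host = host.encode("ascii").decode("idna")
    return host


def skeleton(host):
    """Reduce a hostname to the ASCII string it visually resembles: map known
    confusables, decompose with NFKD, then drop the combining accent marks."""
    decomposed = unicodedata.normalize("NFKD", host.translate(CONFUSABLES))
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def analyze_url(url):
    """Return a verdict ("allow", "warn" or "block") with the reasons behind it."""
    host = unicode_host(url)
    if host in ALLOWLIST:
        return {"host": host, "verdict": "allow", "reasons": ["on allow list"]}
    reasons = []
    if host in BLOCKLIST:
        reasons.append("on block list")
    if host in KNOWN_SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    if any(ord(c) > 127 for c in host):
        reasons.append("internationalised hostname (non-ASCII characters)")
    look = skeleton(host)
    if look != host and (look in PROTECTED_BRANDS
                         or any(look.endswith("." + b) for b in PROTECTED_BRANDS)):
        reasons.append(f"looks like protected domain {look!r}")
    if "on block list" in reasons or any(r.startswith("looks like") for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs: a legitimate one, an accented look-alike, its
    # punycode form, a Cyrillic look-alike and a shortener.
    samples = [
        "https://www.microsoft.com/",
        "https://m\u00edcrosoft.com/login",
        "https://" + "m\u00edcrosoft.com".encode("idna").decode("ascii") + "/login",
        "https://m\u0456crosoft.com/",
        "https://bit.ly/3xyz",
    ]
    for s in samples:
        print(s, "->", analyze_url(s))
```

Note that a valid TLS certificate plays no part in the verdict, in line with the point above that attacker sites usually have one; the decision rests on the name the user actually sees and on the administrator’s lists.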

All this is complemented by a database of vulnerabilities and dangerous sites in the cloud, from which the MTD solution draws. Here, the anonymised data from the device is correlated and further evaluated, thus continuously improving the system.

MDM has limitations with respect to security threat assessment, as we mentioned at the beginning of this article, but in combination with MTD, the security is perfect. MTD immediately tells you that something dangerous is happening and MDM then automates the appropriate action, e.g. deletes corporate data from the device or disables certain functionality on the device.
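The MDM compliance evaluation described earlier (policy compared with the reported device state) and the MDM/MTD hand-off described here fit together in a few lines. The following Python is an added example for this article, not the logic of any MDM or MTD product: the policy fields, the four risk levels (none/low/medium/high, an assumption, since the article does not define the MTD risk scale) and the action names are all constructed. It evaluates a device against a policy, treats the MTD risk level as just another compliance input, and maps the result to the automated action an MDM would take, such as wiping corporate data.

```python
"""MDM compliance evaluation with an MTD risk input (illustrative example)."""
from dataclasses import dataclass

# Assumed risk scale reported by the MTD agent, lowest to highest.
RISK_ORDER = ["none", "low", "medium", "high"]


@dataclass
class Policy:
    min_os_version: tuple = (13, 0)
    require_passcode: bool = True
    allow_rooted: bool = False
    max_mtd_risk: str = "low"     # highest MTD risk level still treated as compliant


@dataclass
class Device:
    device_id: str
    os_version: tuple
    passcode_set: bool
    rooted: bool                  # root/jailbreak detection result from the MDM client
    mtd_risk: str = "none"        # risk level reported by the MTD agent


def evaluate(policy, device):
    """Compare the policy with the reported state; an empty list means compliant."""
    violations = []
    if device.os_version < policy.min_os_version:
        violations.append(f"OS {'.'.join(map(str, device.os_version))} below minimum")
    if policy.require_passcode and not device.passcode_set:
        violations.append("no device passcode")
    if device.rooted and not policy.allow_rooted:
        violations.append("device is rooted/jailbroken")
    if RISK_ORDER.index(device.mtd_risk) > RISK_ORDER.index(policy.max_mtd_risk):
        violations.append(f"MTD risk level {device.mtd_risk}")
    return violations


def remediation(device, violations):
    """Map the evaluation outcome to the automated MDM action (constructed names)."""
    if not violations:
        return "none"
    if device.rooted or device.mtd_risk == "high":
        return "wipe-corporate-data"
    if device.mtd_risk == "medium":
        return "block-corporate-access"
    return "notify-user"


if __name__ == "__main__":
    policy = Policy()
    # Constructed fleet: one clean device, one rooted, one under active MTD alert, one outdated.
    fleet = [
        Device("d1", (14, 2), True, False, "none"),
        Device("d2", (14, 2), True, True, "low"),
        Device("d3", (14, 2), True, False, "medium"),
        Device("d4", (12, 4), True, False, "none"),
    ]
    for d in fleet:
        v = evaluate(policy, d)
        print(d.device_id, "compliant" if not v else v, "->", remediation(d, v))
```

Keeping the risk level as an input to the same compliance engine, rather than a separate path, is what lets the MDM reuse its existing automation for MTD detections.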

Major players in the MTD solutions market include Check Point Harmony Mobile (formerly SandBlast Mobile), Lookout, MobileIron Threat Defense (Zimperium) and Wandera.

System4u can deploy all of these solutions and has real experience with all of them, including the connection to MDM solutions.

To conclude, then, a summary:

  • The weakest link in the security chain is the user.
  • The primary role of MDM is bulk device configuration.
  • MTD specializes in the detection of advanced security threats.
  • Most MTD solutions can be tightly integrated with MDM.
  • The combination of MDM and MTD provides the best protection for mobile devices and data.
  • System4u can deploy all the above technologies according to the specific needs of the company.

Ladislav Blažek, Technical Support Director of System4u a.s.
