Mobile security has certainly seen its fair share of headlines in 2019, prompting individuals and enterprises to realize mobile devices are another endpoint – like laptops and computers – in need of protecting. I thought it would be fun to look back at some of those stories that helped propel mobile security into the forefront of the minds of CISOs and CIOs.
A couple of caveats. First, this is my list, based on those stories I felt made the most impact to our industry – something I will explain as I go through my list. Second, I purposely did not include any of the breaches/attacks/vulnerabilities/exploits discovered by our incredible research team, because I didn’t want this to be self-serving.
With that in mind, here’s my list of the top five mobile security stories of 2019 starting with number five:
Number five may be surprising to some. On May 13th, The Wall Street Journal reported on how Apple lost its bid to end the app antitrust case in the Supreme Court. According to the article, “Consumers can sue Apple Inc. for forcing them to buy apps exclusively from the tech giant, the Supreme Court ruled Monday, threatening billions of dollars in revenue that the company is counting on to make up for slowing iPhone sales.
“The antitrust suit alleges consumers pay inflated prices because Apple requires that all phone software be sold and purchased through the company’s App Store. Apps would be cheaper if software developers could sell them directly and bypass Apple as a middleman, the lawsuit alleges.”
An unintended consequence of the ruling – and the reason why the story is on the list – is the probable increase in malware finding its way onto iOS phones through third-party app stores that don’t vet apps and developers as well as Apple does. The vast majority of Android malware comes from third-party stores (not the official Google Play Store), and there is no structural reason to believe this will be different on iOS. Read our blog here.
Story number four was all over the news, in part because of the possible geopolitical roots. According to the BBC (and countless other outlets), hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp.
WhatsApp, which is owned by Facebook, said the attack targeted a “select number” of users and was orchestrated by “an advanced cyber-actor.” A fix was rolled out and WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution.
This story is on the list for a variety of reasons, including the sheer number of users, the ability to exploit the app to achieve remote surveillance capabilities and the level of media attention it generated. Read our blog here.
Story number three made a ton of headlines, but maybe for the wrong reasons. It is a pretty amazing headline: “‘hacked Amazon boss’s phone’, says investigator.” However, for those of us dedicated to protecting mobile devices, we knew it was only a matter of time before a well-known device compromise became the proverbial tipping point for public awareness on the vulnerability of mobile devices.
We’ve seen millions of threats targeted at mobile devices. From zero-day exploits targeting iOS or Android operating systems to bad Wi-Fi to malicious apps to rogue profiles, we see the impact of mobile attacks every day. The apparent compromise of Bezos’ phone is no surprise to us.
While the photos on the phone grabbed the headlines, there is a more profound question to ask – what else was on the phone of the CEO of Amazon? An attachment with the latest forecasting figures? Expansion plans? Our mobile device is our most personal computer, holding information no other device likely contains, yet it is the most vulnerable to exposure to bad actors.
This is why this story made my list – not because of the blackmail, but because of the realization that any CEO’s phone… heck, any employee’s phone is home to a ton of critical, competitive and private information. Read our blog here.
Number two is the combination of the unpatchable checkm8 and checkra1n flaws. On September 27th, a security researcher known as @axi0mX publicly disclosed a vulnerability together with a working exploit called checkm8 (read “checkmate”). Since this exploit leverages a vulnerability in Apple’s BootROM (read-only code; SecureROM) – the initial and critical part in the secure boot chain – it is permanent and unpatchable. Checkra1n is a jailbreak that leverages the same permanent BootROM vulnerability.
This is the second story on my list because of the tremendous number of devices impacted. The vulnerability impacts virtually every iOS-based device from the iPhone 5 to iPhone 10. The only way to mitigate these threats is by upgrading devices to an iPhone XR or more recent, which is not practical or immediately possible for most people.
I did not make these permanent and widespread threats number one on my list because they weren’t widely used for actual attacks. They are risks that will likely lead to attacks, but number one is an attack that actually occurred over many years. Read our checkm8 analysis here.
Number one is the malicious websites discovered by Google Project Zero. In an excellent and deep blog analysis, Ian Beer of Google’s Project Zero outlined five separate iOS exploit chains that were found on a small collection of hacked websites. The blog originally said that the hacked sites were being used in indiscriminate watering hole attacks using iOS 0-days, but subsequent analysis showed that it was in fact a geopolitical targeting attack that began with phishing.
When a victim simply visited one of the malicious websites, attackers could silently hack the victim’s iOS device by exploiting a set of previously undisclosed software flaws. Per Zack Whittaker’s story in TechCrunch, researchers found five distinct exploit chains involving twelve separate security flaws, seven of which involve Safari, the built-in web browser on iOS devices.
It is number one on my list for at least three reasons. First, mobile phishing is quickly becoming one of the top ways to begin a mobile device exploit. Regardless of whether a user gives up credentials on a phishing site, an exploit can be delivered by leveraging the browser that is processing the page. Second, it reinforces the reality that all platforms are vulnerable–including iOS. (As a side note, Apple and Google produced over 1000 security patches in 2019, the majority of which were considered critical… so even the OS providers know that vulnerabilities exist in large numbers.) Third, having the two mobile OS vendors publicly (and vigorously) discussing the attacks resulted in a media storm that truly brought attention to mobile security. Read our blog here.
Each of these stories – all focusing on mobile apps – helped bring the importance of mobile security and privacy to the forefront:
The city of Los Angeles sued to stop the operator of The Weather Channel’s (TWC) mobile phone application from allegedly “covertly mining the private data of users and selling the information to third parties, including advertisers.” The complaint contends that “for years, TWC has deceptively used its Weather Channel APP to amass its users’ private, personal geolocation data — tracking minute details about its users’ locations throughout the day and night, all the while leading users to believe that their data will only be used to provide them with ‘personalized local weather data, alerts and forecasts.’”
As many as 25 million Android phones were hit with malware that replaces installed apps like WhatsApp with evil versions that serve up advertisements. The malware abuses previously-known weaknesses in the Android operating system, making updating to the latest, patched version of Google’s operating system a priority. Most victims were based in India, where as many as 15 million were infected.
Lastly, a hacker in Canada was able to rack up more than $2,000 worth of meals at different McDonald’s in Montreal through the McDonald’s app. An unsuspecting Toronto tech writer got stuck with the bill.
I hope you have enjoyed my list and look back at 2020. With mobile usage and threats skyrocketing and major world events (e.g., U.S. Presidential elections, Summer Olympics) occurring, 2020 is shaping up to make next year’s list even more interesting… and the need for advanced enterprise-class mobile security even more critical for companies and government organizations.