Yesterday, WikiLeaks published documents suggesting the CIA had access to, and developed, tools that can be used to hack smartphones and other Internet connected devices. This is not a surprise to anyone who is even remotely associated to the security industry. These kinds of tools have been in the wild for several years now, and are growing in number and sophistication every day. Hackers across the world, not just those affiliated with nation-state initiatives, have been developing tools for all kinds of noble and not-so-noble purposes.
However, this disclosure should be a wakeup call to all enterprise CEOs, CIOs and CISOs across the world. Malicious perpetrators have developed similar tools and are using them to attack enterprises where they are most vulnerable and lack visibility – mobile devices! While all endpoints, inside and outside the corporate network have proven to be vulnerable, mobile devices are even more so because they connect to all kinds of public, unsecured networks, have a myriad of personal apps installed, and are often not controlled, monitored or even owned by the corporation. Once a hacker gets malicious code onto the device, it can not only be used to steal sensitive information from that device and the cloud / storage services the device has access to, but it can also be weaponized and used as a vehicle to attack other devices or services within a corporate network. This is not something that you just see in the movies or TV shows. It is happening every day across the globe, and most enterprises don’t have the tools to quantify or combat the threats.
Apple and Google are trying their very best to fix vulnerabilities in their respective OS as soon as they are discovered. That is why it is imperative for all mobile users to update to the latest versions of iOS or Android as soon as possible to mitigate reported vulnerabilities. However, that is not enough to protect the enterprise for 3 reasons:
- Even with the latest OS, devices are likely still vulnerable. Unreported exploits are leveraged by sophisticated attackers, often for several years before being identified and reported to OS vendors.
- Not every employee is running the latest OS version at any moment of time, either because they have not updated their OS, or because their device doesn’t support the latest versions. During the window of time between when OS security updates are released and users actually install them, the bad actors have a clear description of the nature of the vulnerabilities and how to exploit them.
- Network based attacks are critical and can be carried through an infected mobile device to compromise other devices in various networks.
There is no practical way of completely securing any OS – that is the very nature of software development. At Zimperium, our mobile security engine -z9, which is powered by Machine Learning, was able to detect all the publicly available kernel exploits for Android and iOS in the last few years without requiring an update.
If you would like to learn more, please Contact Us.
The post “Vault 7”: Nation-states have the same tools as hackers-for-hire, so what? appeared first on Zimperium Mobile Security Blog.