There’s a growing consensus among security professionals here in Washington, DC that the single most likely spot for President Donald Trump to have had his phone tapped isn’t at Trump Tower. Instead it’s his unsecured Android phone that he uses to access Twitter.
In fact, due to the ease with which mobile devices can be breached through social media and communications apps such as What’s App, the President could have easily downloaded a Trojan that can record anything that is said near the phone or than can use the phone’s camera. Such a Trojan can be delivered in seconds, erase all traces of the infection and remain resident without detection.
The task, in the words of Georgia Weidman, founder and CTO of Shevirah, Inc. is “trivial.” Shevirah makes a penetration testing tool called Dagah that allow enterprises to test their mobile devices and their security environment for weaknesses.
As to who might unleash such a Trojan, the fact is that it could have been nearly anyone. The ease with which older models of Android phones, such as the President’s Samsung Galaxy, can be compromised has been known to security researchers and cyber-criminals for years. The leak of the Central Intelligence Agency’s mobile penetration tools confirmed this, but it’s been known for some time.
As serious as the potential for breaking into the President’s cell phone might be, for most organizations, the ease with which their own mobile devices can be penetrated is of even greater concern. That’s because in many organizations there are few controls that limit mobile device access, meaning that penetrating even one mobile device can give hackers the keys to the kingdom.
The news gets only worse. In addition to Trojans, mobile devices are as susceptible to phishing attacks just as any other devices that can receive email. But for mobile devices, the phishing can come from text messages, communications apps, social media and pretty much anywhere a mobile device can receive a message.
A favorite attack vector for mobile devices are social media apps, such as Twitter. Malware can arrive through a link in a Twitter message that’s indistinguishable from any other type of link. But the same thing can happen through messages in What’s App, Facebook Messenger or Skype.
While incoming email can be filtered by firewalls and other security methods, messaging arrives without a filter because it’s coming directly from another device, not through the corporate network. Weidman told me that she’s developed a series of messaging simulations that can test both the ability of the device to keep out malware and the ability of the device’s user to recognize phishing when it shows up.
Weidman has developed a suite of penetration testing tools that can get past the normal safeguards of iOS and recent versions of Android. “It allows you to simulate the same sort of attacks,” she said. “You can do it all in a controlled environment, and add it into your other security programs.”
Despite a wide belief that Apple’s iOS is immune to penetration, it’s not. “We can simulate a malicious application on iOS,” Weidman explained, noting that “Apple has done a fantastic job of using cryptography to make sure it can’t be penetrated.” But she said that she’s found a way to follow Apple’s guidance and rules and still install malware on an iOS device through using services designed for developers.
The situation with Android is even worse. “You may have devices born with malware,” Weidman said. And then she described a new means of attacking what’s normally a secure Android device. She said that Google has added a new feature that allows a company to post a Quick Response code in a common area as a way to set a secure profile for things like the company WiFi. Unfortunately, anyone can create a QR code and post it and the code can just as easily be one that leads to a malware infection or a phishing attack.
Both Google and Apple have made a big deal out of their end to end encryption. Apple’s is so effective that the FBI had to call in an outside contractor to gain access to the contents of an iPhone used by one of the San Bernardino terrorists. But Weidman said that the problem with end-to-end encryption is that it doesn’t allow checking by antivirus software. “It’s the universal bypass,” she said.
The obvious question this raises is what to do about your mobile devices. Unfortunately, the times are such that parting employees from their mobile phones is no an option. The answer is to test your organization’s susceptibility to penetration methods, both the ones that attack directly and the methods that depend on your staff making a mistake.
Penetration testing tools such as the ones from Shevirah can do both, by directly testing the vulnerability to direct attacks and testing the vulnerability of your employees.
But you can’t just depend on tools such as those that Weidman has developed. Your organization has to take the next step as well. That means doing boring things like training your staff on a continuing basis, setting up procedures for both reducing your vulnerability and improving your reporting of potential breaches so they can be stopped before they do damage.
But most of all, you can’t assume that your mobile device is somehow immune to security attacks just because the contents are encrypted. It’s crucial that you acknowledge the vulnerabilities of your organization and take constant steps to keep them from being exploited.