TIPS #24: Mobile is the Weakest Link
Shane Shook
December 10, 2024
- Blog Post
- TIPS
Issue: Most companies have core security tools for desktop and laptop devices. However, much of modern business is done on mobile devices which often only have limited device management controls. This leaves companies at risk.
Core security capabilities such as Endpoint Detection and Response (EDR) and Identity Access Management (IAM) are fairly common on desktop and laptop devices in many organizations. Much rarer is robust security for mobile devices.
This is a significant issue because much of modern business is done on mobile devices. From the boardroom to the meeting room, in-office or remote, mobile devices are inextricably tied to company systems and data.
For instance, executives tend to have high mobile utilization due to a significant amount of travel, meetings, and associated remote work. Their high level of access to business-critical resources makes executives a high-value target for attackers who use social engineering and other methods to target their mobile devices. The fast-paced nature of their business activities may also lead to lower adoption of security practices. Without sufficient mobile security controls, this group faces largely unmitigated risks.
Mobile threats compound
Mobile devices are targeted with a number of threats. Phishing (via SMS, email, and voice) and device and operating system vulnerabilities are common issues. Mobile devices are also at risk of insecure and malicious application downloads from app stores like Google Play and Apple’s App Store.
Mobile device incidents often facilitate higher-order cybercrimes as well. Most employees use mobile devices for MFA to authenticate their identities when accessing company accounts and resources. When attackers compromise a mobile device, they can bypass MFA controls to conduct account takeovers (ATOs) and compromise company systems and data.
Consider two common and impactful threats to mobile devices: infostealers and SIM swapping attacks.
Infostealers
As discussed in TIPS #6, infostealers are a type of malware designed to steal sensitive data from devices. Many infostealers steal browser-based information and allow attackers to hijack user sessions to compromise applications and bypass MFA. Infostealers are particularly harmful on mobile devices because employees often synchronize browser profiles and logins across devices. A compromised mobile device can therefore give an attacker access to company accounts and systems.
For example, if an employee logs into a personal Google account on a work device and uses profile syncing, they may save company credentials in their browser password manager. If their mobile phone is then compromised with an infostealer, it can steal all of their credentials, personal and corporate alike.
SIM swapping
SIM swapping is a technique attackers use to take control of a victim’s phone number. It’s a preferred method for initial access brokers seeking to develop a catalogue of compromised company application services and systems which they sell to ransomware actors and other cybercriminals on the dark web.
First, an attacker acquires personal data such as a victim’s name, address, date of birth, and SSN, typically by purchasing them on the dark web (often, the data is initially stolen or leaked in data breaches). They contact the victim’s cellular provider and request a SIM swap to transfer the phone number to their burner phone, using the stolen information to impersonate the victim. They can then reset the victim’s bank and email passwords via text or email because they have access to MFA codes. With full access to the victim’s accounts, they can perpetrate other crimes like data theft, ransomware, and extortion.
The problem: MDM alone isn’t enough to secure mobile devices
It’s typical for mobile applications to fall outside of the purview of desktop-focused security controls in corporate settings. For instance, business-related mobile applications like Microsoft Outlook, LinkedIn, ChatGPT, and authenticators may not be tracked by existing tools.
Mobile-specific controls are often lacking as well. In many companies, there may only be a rudimentary Bring Your Own Device (BYOD) policy and Mobile Device Management (MDM) controls which enable administrators to patch, reset, or turn off mobile devices.
However, an employee’s mobile device is only the physical platform; it is the applications running on it that connect the device and its user to organizational information resources. MDM secures the device, not the mobile applications that actually provide access to those resources. This gap in mobile security controls puts corporate data and systems at risk.
Impact: A significant unaddressed mobile attack surface and escalating effects from breaches and compromises.
Companies without strong mobile security are at risk of compromised accounts and systems along with data breaches that impact sensitive resources. SIM swapping incidents can lead to corporate ATOs which attackers leverage to steal data, plant ransomware, and disrupt operations; victims may also have their identities, private data, and financial resources stolen. Infostealer incidents that target mobile devices can lead to confidential data leaks, loss of IP, ransomware breaches, reputational damages, and high recovery costs; victimized employees can also face severe ramifications.
The following case studies demonstrate how mobile threats escalate and harm companies.
Lapsus$ group SIM swapping campaign
From 2021 to 2022, extortion group Lapsus$ perpetrated a number of high-profile SIM swapping attacks which impacted companies including Microsoft, Okta, Samsung, and Cisco. Lapsus$ often used social engineering to gather information (including phone numbers) on employees in targeted companies. They then convinced mobile carriers to swap phone numbers to SIM cards they controlled, in some cases exploiting vulnerabilities in carriers’ systems or filing fraudulent claims. Once the SIMs were swapped, they intercepted MFA codes to gain access to the victims’ email, social media, and cloud storage accounts, ultimately stealing sensitive company data including credentials and IP.
Pegasus spyware
Pegasus is highly advanced spyware which leverages zero-click exploits to enter mobile devices without detection and gain full access to victims’ data and applications. Developed by Israeli tech firm NSO Group, Pegasus is reportedly intended for use by the firm’s government clients for purposes of counterterrorism and law enforcement. However, Pegasus has infamously been used to target journalists, politicians, business executives, and human rights activists globally.
Attackers can install Pegasus on a victim’s mobile device by placing a WhatsApp call and then deleting the call record. Alternatively, they can install the spyware by sending a message to the victim’s phone that creates no notification. Pegasus can harvest all data from the infected device, including credentials, communications, photos, videos, and location records, and can even activate the microphone and cameras for real-time surveillance.
Action: Complement MDM with MAM and mobile identity security.
1) Mobile Device Management and Mobile EDR
MDM must be a baseline security measure for all mobile devices that are used for business. Leverage MDM capabilities including security policy enforcement, remote wipe and lock, device enrollment and provisioning, and automated updates to secure mobile devices.
2) Mobile Application Management
Layer MDM with Mobile Application Management (MAM) to manage and secure mobile applications. MAM tools offer control and security over enterprise applications. This is critical for applications containing or providing access to highly sensitive company data. MAM helps security teams protect these applications and implement corporate mobile application policies, distribute and deploy apps, perform remote app removal, and manage software licenses.
NowSecure offers mobile application security capabilities including automated mobile AppSec testing, third-party application risk management, and mobile application pen testing. NowSecure’s recently launched Mobile Application Risk Intelligence (MARI) provides third-party application risk scores, enabling risk managers to identify security and privacy risks in third-party apps.
3) Mobile Identity Security
Mobile threats also need to be mitigated with comprehensive identity security measures.
First, implement core IAM security controls. Leverage MFA and identity verification (IDV) solutions and avoid email and text-based authentication, verification, and password resets. Instead, opt for mobile authenticator apps and biometric-based solutions. In addition, add a unique PIN on cellular carrier accounts to defend against SIM swapping attacks.
1Kosmos BlockID provides advanced biometrics-based IDV and authentication for mobile devices. It inspects SIM and user environment data, including how long the current SIM has been in use and whether it has been recently changed, and can deny use of a recently changed SIM to prevent SIM swapping attacks.
Finally, implement User Entity Behavior Analytics (UEBA) and Identity Threat Detection and Response (ITDR) controls to monitor user behavior, identify anomalies, and respond to threats.
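The identity controls above (refuse SMS/email factors, distrust a recently changed SIM, and alert on suspicious sequences of identity events) can be expressed as policy and detection logic. The following is an added example, not code from the post or from any vendor named in it; the event fields, thresholds, and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WEAK_FACTORS = {"sms_otp", "email_otp"}     # bound to a phone number or mailbox
STRONG_FACTORS = {"totp_app", "biometric"}  # bound to the device and the user
MIN_SIM_AGE = timedelta(days=7)             # assumed policy: distrust newer SIMs
SWAP_WINDOW = timedelta(hours=24)           # assumed correlation window for alerts

@dataclass
class AuthEvent:
    user: str
    ts: datetime
    action: str                 # "login", "password_reset" or "sim_change"
    factor: str = ""            # second factor the request relies on, if any
    sim_age: Optional[timedelta] = None  # time since the current SIM was activated

def factor_decision(ev: AuthEvent) -> tuple:
    """Policy check: reject phone/mailbox-bound factors outright, require
    step-up when the SIM is newer than MIN_SIM_AGE, accept strong factors."""
    if ev.factor in WEAK_FACTORS:
        return False, "sms/email factors disallowed; use authenticator or biometric"
    if ev.sim_age is not None and ev.sim_age < MIN_SIM_AGE:
        return False, f"SIM changed {ev.sim_age.days}d ago; step-up required"
    if ev.factor in STRONG_FACTORS:
        return True, "strong factor accepted"
    return False, "no acceptable factor presented"

def sim_swap_alerts(events: list) -> list:
    """ITDR-style rule: a carrier SIM change followed within SWAP_WINDOW by a
    password reset or login for the same user is flagged as a possible swap."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        swaps = [e.ts for e in evs if e.action == "sim_change"]
        for e in evs:
            if e.action in ("password_reset", "login") and any(
                    timedelta(0) <= e.ts - s <= SWAP_WINDOW for s in swaps):
                alerts.append(f"{user}: {e.action} at {e.ts:%Y-%m-%d %H:%M} "
                              f"within {SWAP_WINDOW} of a SIM change")
    return alerts

# Constructed sample events: alice's SIM is swapped, then a reset arrives via SMS.
T0 = datetime(2024, 12, 1, 9, 0)
SAMPLE = [
    AuthEvent("alice", T0, "sim_change"),
    AuthEvent("alice", T0 + timedelta(hours=2), "password_reset", "sms_otp", timedelta(hours=2)),
    AuthEvent("bob", T0, "login", "totp_app", timedelta(days=400)),
]
```

Running `factor_decision` over each sample event and `sim_swap_alerts(SAMPLE)` denies alice's SMS-based reset, accepts bob's authenticator login, and raises one alert for alice.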
“Modern businesses require remote access to digital services, often with mobile devices. This introduces a unique challenge: how do you determine if a person on the other side of the digital connection is real and who they claim to be? You can’t just rely solely on passwords, one-time passcodes, or personal information. Identity verification, biometrics, and passwordless authentication are all essential to defeat threats like phishing and account takeover attacks.”
Hemen Vimadalal, CEO and Founder of 1Kosmos