McAfee Shows Security Flaws of Smartphones (Especially Android Devices)
- 26 October, 2012 15:02
This week at McAfee Focus the security vendor pounded home one point that it really didn't think attendees understood: Virtually every smartphone can compromise enterprise security. However, I walked away with a vastly bigger concern: enterprise security practices, short of confiscating smartphones entirely, may actually be making us more vulnerable.
One of the jobs I held at IBM was in the internal audit department, and one of the skills I seemed to be best at was finding ways to successfully breach security that others thought was bulletproof. My last audit-and this is likely why it was my last audit-took me into the secure safe of a top IBM executive and gave me access to files that only two or three people in the world had ever seen. After that, security was my specialty, and ever since I've been a security analyst or had security analysts report to me.
I've always had a knack for being able to look at a security practice and figure out how it could be successfully breached. That's why I was so interested in what McAfee had to say this week about operating system and smartphone security.
Scary Landscape: Boot Files All Too Easy to Access
McAfee CTO Mike Fey demonstrated a proof of concept attack tool the company has developed to showcase just how easy it is to compromise current platforms. Most companies have been penetrated already, he says, with data analytics tools secretly installed so attackers can get a general sense of which user has the most systems authority or, in the case of banking, who moves the most cash. That's who attackers target.
Tips: 5 Mobile Security Lessons From the Department of Defense
Typically, the attackers' goals are to do a lot of damage, get access to confidential information or transfer cash. As an example, McAFee showcased a man-in-the-middle attack in which the browser session is hijacked and the user's ID, password and challenge question answers are captured. From there, a cash transfer is executed, and the user is pointed to a false account screen that doesn't show the transfer. This way, the user can't stop the order until the cash is beyond retrieval.
A scarier demonstration followed. Starting with a Windows 7 PC, McAfee accessed the boot files and successfully reformatted the drive while the unsuspecting user was online. This, of course, would result in a recovery event-and if you can reformat the system, then there is little else you can't do with it, even if you're not in Admin mode.
The demo then moved to a Mac. This time, McAfee corrupted the firmware, which would not only destroy the data but require the machine be sent back to Apple for repair, since Apple doesn't let IT departments or users flash firmware themselves. The scariest scenario of, though, involved Android. While the Windows and Mac attacks seemed complex, the Android attack was comparatively easy, and McAfee got the hacked product to overheat and cook itself, destroying the hardware.
Analysis: Enterprise Version of Windows 8 Focuses on Security
McAfee also argued that attacks such as this are often associated with root kits. That makes it hard for security software that doesn't have a fixed hardware component to address this successfully. While this was clearly a pitch for Deep Defender, which McAFee co-developed with parent company Intel and which is only made available to Windows machines at large business, it is interesting to note that the attack would not have worked on Windows 8. That showcased (intentionally or otherwise) one of the more endearing aspects of the new operating system: secure boot partition.
Smartphone Security Leaves a Lot to Be Desired
However, there is no Deep Defender for smartphones, though McAfee has released mobile security software for Android devices. All you need is to install a vulnerability in a compelling free app. Get a target to install the app, then attack the vulnerability to access whatever's on the device (passwords, IDs, addresses, bank account numbers and so on) and/or activate camera and microphone functionality to essentially turn the device into a spy.
This is when I had my "A-ha!" moment. While you can protect, to some extent, a business phone, how many employees have personal phones on the corporate network that you don't know about? Let's say I wanted to bug a politician, executive, security officer, teacher, competitor, ex-spouse, rival&you get the point. I just need to get them to use a compromised phone; if they carry two, I can go after their personal phone. I could make the compromised app look like some sort of promotion and, once it's installed, turn that phone into a bug that's constantly taking pictures or recording every meeting and conversation, even if the phone isn't used for that particular call. I could try for a drive-by download, too.
Commentary: Why Android Phones Are a Major Security RiskNews: Intel Hopes Mcafee Security Features Will Differentiate Mobile Chips
While curated app stores like the Apple and Microsoft stores actively look for malware, they don't aggressively check for bugs and wouldn't know where to look for a creative exploit. If I build an app that is never widely sold or used, the chance of the exploit being found is low. If I root the phone, too, I can likely destroy the forensic data that would let an investigator figure out how this happened.
This makes me wonder how many people on the Mitt Romney and Barack Obama campaign teams have phones that are broadcasting confidential information. How many police departments have been compromised? How many IT departments, bankers and private citizens don't know they are broadcasting?
This goes beyond putting a security software and a security policy in place. This is making sure a device can't be rooted-or, failing that, this is preventing it from even going into any insecure area.
As another McAFee Focus attendees pointed out, it's probably wise to avoid banking on your smartphone and talking about anything sensitive in range of your phone. If someone sends you a free phone, check and double-check the authenticity of the source before you use it. It's something to keep in mind as holiday shopping season starts.
Rob Enderle is president and principal analyst of the Enderle Group. Previously, he was the Senior Research Fellow for Forrester Research and the Giga Information Group. Prior to that he worked for IBM and held positions in Internal Audit, Competitive Analysis, Marketing, Finance and Security. Currently, Enderle writes on emerging technology, security and Linux for a variety of publications and appears on national news TV shows that include CNBC, FOX, Bloomberg and NPR.
Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.
Read more about smartphones in CIO's Smartphones Drilldown.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
CIOs need to get their house in order, CFO panel says
Is Data Complexity Blinding Your IT Decision-Making?
Why IT projects really fail
CIOs say cost, complexity impede true mobile gains in enterprise
The enlightened CIO’s guide to running projects
Eight Simple Steps to Boost Campaign Results Using Predictive Modelling
Marketers today are consumed by big data, struggling to find meaning and under pressure to use that meaningful data in smart ways to boost results. But many organizations are reluctant to try and use predictive modelling in their campaigns, due to unfamiliarity and the dependence on complex tools – yet with modern, marketing-friendly modelling tools, integrated with campaign management, it is easier than you think. This whitepaper demonstrates how predictive modelling plays a critical role in streamlining the selection process.
5 Ways To Be More Productive At Work
Think back to the last time all your employees were in the office, at their desks, on the same day. It’s no surprise that you might struggle, between travel and off-site meetings, remote staff, flexible schedules and sick days. In today's competitive business climate, organisations need to maintain productivity and connectedness with their staff, despite not always being onsite. In this whitepaper, we look at five ways you can improve productivity, no matter where employees are.
The Power of Transformational Knowledge
Apple saves $5 million a year on case and email deflection, while its agents find information 47 per cent faster than before they invested in something called Transformational Knowledge. In today’s consumer-empowered marketplace, you cannot afford negative customer experiences. However many companies lack the tools and processes required to empower their employees to deliver great customer experiences. In this whitepaper, we look at how to breakdown silos and deliver great customer experiences.