Businesses around the world are in a precarious position, with little visibility or security and only a surface-level grasp of the mobile attacks they face. While many organizations have implemented some level of control over the mobile devices connected to their systems, this is not the same as mobile security, and it leaves them unprepared for the growing threat. Attacks on mobile phones and tablets continue to grow, and there is a good chance that a devastating WannaCry-level attack is just around the corner.
The WannaCry ransomware attack took the world by surprise in 2017, infecting hundreds of thousands of computers in 150 countries. It could have been worse if the British security research team hadn’t found a kill switch that stopped it from spreading within hours of the attack. Its impact was significant nonetheless: it wreaked havoc on systems, forced several car manufacturers to shut down production, and even forced some hospitals in the UK to turn away patients. Damage was estimated in the billions of dollars.
By taking into account the lessons of this attack, businesses can now work to avoid “mobile WannaCry” before it hits, instead of fixing the damage after the fact. A mobile attack of this magnitude is possible and its impact could be much worse due to the ubiquity and usefulness of mobile phones and the fact that almost every device is vulnerable. As the US House Intelligence Committee recently learned, mobile spyware has infected even the phones of US diplomats around the world.
Devices Hold the Keys to the Kingdom—and They’re Everywhere
In the five years since WannaCry was launched, mobile devices have become even more important targets than laptops or desktops. Smartphones are with us every minute of the day and are loaded with personal and organizational data. They store passwords and email accounts, credit card and payment information, and biometric data often used in multi-factor authentication (MFA) for logical and physical access. They also have microphones, cameras, and location data, which can increase risks if the device is compromised.
But as much as we depend on them, businesses have not paid enough attention to the attack surface that these devices present. Beyond the need to broaden the approach to security to include the mobile space, mobile endpoints bring unique challenges of their own. Bring Your Own Device (BYOD) is one of the biggest challenges in tackling mobile attacks in an enterprise, because of the privacy needs and demands that come with personal devices. Due to privacy concerns, standard products such as mobile device management (MDM) are typically used only for corporate devices and are often insufficient to detect, report on, and protect mobile devices from today’s threats.
Mobile devices can hand attackers the virtual keys to the kingdom if they are compromised and used to bypass MFA. Email access is an important attack tool, but a mobile device can also provide access to accounting, finance, and customer relationship management tools such as Salesforce, Microsoft Office 365, or Google Workspace. And with these tools now available on personal devices, beyond the confines and visibility of a security infrastructure, businesses are putting their data and services at risk in the name of technological advances like BYOD.
Mobile ransomware will have a double impact
The risks of mobile ransomware essentially exist on two fronts.
- Mobile devices as a delivery mechanism for ransomware: Compromise of a device, which can be carried out with or without the knowledge of the owner, can result in the sending of an email that distributes ransomware and appears to come from a trusted employee or source. Mobile devices can be used to distribute traditional ransomware in ways that are very difficult to detect and stop.
- Current mobile ransomware: Early versions of mobile ransomware were somewhat artificial, using overlays to exploit accessibility features. But Apple and Google have effectively closed these holes, pushing attackers towards real mobile ransomware.
A mobile attack can hold hostage not only an organization’s data and systems, but also an individual user, threatening to erase their bank account, for example, if the ransom is not paid. An attacker who takes control of the device can leave its microphone and camera on all the time to eavesdrop on corporate meetings.
The bottom line is that mobile ransomware attacks can do what WannaCry can do and more.
It’s time to focus on safety
A future large-scale and effective ransomware attack on mobile devices is imminent. Every year we see mobile malware become more complex, with new features and new ways of pressuring the victim. These advanced malware techniques are just proof of concept for future attacks, paving the way for more serious threats to mobile endpoints. It’s only a matter of time before attackers deliver sophisticated mobile ransomware with significant impact on users and businesses.
Businesses are not paying enough attention to the security of mobile devices, even as these devices have become indispensable in our personal and business lives. Mobile devices are ripe for an attack of WannaCry proportions, but whether it takes the form of ransomware or something else, now is the time to focus on mobile security before it’s too late.