Fixing the Mobile Weak Links That Threaten Devices
The U.S. House of Representatives taps a mobile security firm to protect 8,000 devices.
Rep. Ted Lieu is no stranger to having his cellphone "hacked." Intruders recently were able to track his whereabouts, eavesdrop on conversations with staff members and access his text messages and email.
Fortunately for Lieu, the intrusion was part of a 60 Minutes segment last year that the TV news program did to highlight mobile device vulnerabilities. The California Democrat knew of the hackers who had successfully exploited his phone's Signaling System Seven, aka SS7, security flaw that compromises the global network that connects phone carriers. The same vulnerabilities still exist one year later, Lieu shared on Thursday during a Capitol Hill demonstration about mobile security, or lack thereof.
"Once someone hacks into my unprotected cellphone, they become me, and they are in the House of Representatives email network," said Lieu, who has been working with fellow lawmakers to draw attention to mobile security vulnerabilities. "We spend a lot of time and money protecting our desktops and our servers from being hacked. But then this phone—no protection. Nothing. [Hackers] can do all sorts of things as me before I or others figure out it’s not me anymore."
The U.S. House of Representatives recently contracted with California-based Lookout to install the firm’s security app on some 8,000 devices of members and staff, said John Ramsey, the House's chief information security officer. "We are constantly targeted," Ramsey said, adding that his office stops 3 million to 5 million penetration attempts every month. "Mobile security is that next level of cybersecurity posturing, and we know we need to improve upon that."
Nation-state-sponsored hackers for the last five years have aggressively targeted U.S. federal agencies, he said. Take the Office of Personnel Management breach discovered in 2015 and attributed to China, which exfiltrated the sensitive records of 22 million federal employees.
Phishing—when attackers disguise themselves as trustworthy entities in emails or texts to access sensitive information—remains the favorite scheme of criminals. Phishing emails carry out 95 percent of nation-state-sponsored activities, Ramsey said.
Last year, worldwide spending on IT security reached $81 billion, but virtually none of those dollars targeted mobile security, said Jim Dolce, CEO of the security firm Lookout. Today the IT world is "spending all of our money on the solutions that you don't spend [much] of your time on, and we're spending no money on the solutions that you now spend the vast majority of your time on,” Dolce said.
People mistakenly refer to mobile technology as emerging, but it is far beyond emerging, Dolce said. Roughly 70 percent of the world’s population—or some 5 billion people—will own a smartphone by 2019.
That is a lot of attack surface. Any phone connected to the Internet, either via Wi-Fi or a carrier’s long-term evolution (LTE) network, exposes microphones, cameras, emails, passwords, contacts and more to hackers seeking access to unsecured devices, Dolce offered.
Lookout recently studied 20 federal agencies and discovered that 110 of every 1,000 devices posed “some serious threat” to enterprise network security, he said. Additionally, the Lookout study showed that agency rules governing device use had no real impact on employee behaviors. “Forty percent of those employees basically told us that they don’t follow the rules,” Dolce shared.
Several federal cybersecurity action plans as well as directives from the White House and the Defense Department fail to address mobile vulnerabilities, Dolce said. Still, progress is happening. For example, the National Institute of Standards and Technology’s mobile threat guidance report can help public and private organizations protect devices.
“There is no getting away from embracing mobility,” Dolce offered. “The only way now to address this … is to recognize there are security risks.”
It is disconcerting that cyber attacks need not be technologically sophisticated to be effective, said Nate Lesser, CEO of Maryland-based Cypient. Good cyber hygiene will not end all attacks but certainly will make it harder for hackers to access data, he said. Making it too expensive to breach security will certainly deter some.
Mobile has become a target for every type of espionage and cyber crime, offered Mike Murray, vice president of security research and response for Lookout. The chances that someone’s computer might be up and running—and accessible to hackers—are relatively low compared with an Internet-connected mobile device. “It’s almost 100 percent guaranteed that you have your phone on and running,” Murray said to an audience of lawmakers and staff. The industry has noted a “radical spike in crimeware and espionage through mobile devices,” he added.
“I don’t think anybody … would build a computer that didn’t have antivirus protection on it, but you all walk around without protection against this every day,” said Murray, cellphone in hand.