Mobile devices are often one of the most overlooked assets from a security perspective. Many people are under the false assumption that mobile devices “can’t get viruses”, “aren’t important”, or that they can ignore mobile updates, when in fact, these devices often store more critical data than people realize, yet statistically are barely more secure than the average desktop computer. Reported industry vulnerability counts for the year 2019 (CVEDetails, 2019) support this statement:
- Windows 10 (Microsoft) – 448
- Android (Google) – 491
- iOS (Apple) – 354
Now, think about how much critical, private and personal information is stored on your phone. If you’re like the typical mobile user, it holds saved passwords for personal accounts, personal photographs, and credit-card/identification data. In other words, everything you don’t want other people to ‘get their hands on’.
It is worth noting that both Google and Apple post regular security bulletins and are very quick to remediate and issue patches for most of these vulnerabilities. If users don’t update their devices, though, it really doesn’t matter how fast updates are made available. As of June 2021, an estimated 43.77% of iOS devices are at least two software versions out of date. Nearly half the Apple-toting population are walking around with potentially severe security flaws!
Mobile DOS Attacks Are More Relevant Now Than Ever
We must also take into account how critical mobile devices have become to both our personal and professional lives in the last decade. Most people are at a loss without their mobile devices, and many rely on them for everything from business communications (email, calls, texts, etc.), corporate banking/expenses, personal finances, and their social connection to their friends.
Taking all that into account, imagine that your mobile device was confiscated for an indeterminate amount of time, or remotely destroyed. One might not think this is feasible, but it is, especially when you consider Denial-of-Service (DOS) vulnerabilities. To give some context, as far back as 2015 there was an exploit dubbed the “Effective Power” bug. This attack involved sending a very specific string of Arabic characters and symbols to the target, and merely receiving the message would disable the target’s Messages app for an unknown period of time. Following in Effective Power’s footsteps, in 2018 a bug was found that allowed a single maliciously formatted link to freeze a device until it was forcibly reset. A string of other similar DOS attacks has been discovered and remediated by Apple over the years. It has become evident that even as software iterates, new variations of this attack will continue to pop up, and good update policies are the only effective mitigation.
Earlier this month, security researcher Carl Schou reported a vulnerability in iOS’s handling of Wi-Fi SSIDs. The attack uses a very old, well-known class of flaw called a “format string bug”: a wireless access point is named “%secretclub%power”, and any iOS device that connects to it semi-permanently loses all Wi-Fi capabilities. The only way to effectively fix the damage as of now is to fully wipe all user data and restore the device to factory settings. Apple will likely issue a patch to remediate this in the coming days, but for now, it’s very scary that a single Wi-Fi access point can effectively confiscate your device.
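To show how this class of bug arises and how it is avoided, here is an added example in C; it is not Apple's code and not from the original post, which does not say where in iOS the flaw sits. The helper names and the log message are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#ifdef DEMO_UNSAFE
/* Vulnerable pattern (compiled only if DEMO_UNSAFE is defined): the
 * network name is used AS the format string. In "%secretclub%power" the
 * formatter sees a %s and a %p directive and reads arguments that were
 * never passed, which is undefined behaviour. */
int log_ssid_unsafe(char *out, size_t n, const char *ssid) {
    return snprintf(out, n, ssid);
}
#endif

/* Hardened pattern: the format string is a constant and the SSID is
 * passed only as data, so its '%' characters are copied verbatim. */
int log_ssid_safe(char *out, size_t n, const char *ssid) {
    return snprintf(out, n, "Attempting to join network: %s", ssid);
}

/* Audit helper: returns 1 if the name contains a '%' that a printf-style
 * function would treat as a directive ("%%" is a literal percent sign). */
int ssid_has_format_directive(const char *ssid) {
    for (const char *p = ssid; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* escaped percent */
        return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample names; the first is the SSID quoted above. */
    const char *names[] = { "%secretclub%power", "CoffeeShop", "100%% Free" };
    char line[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        log_ssid_safe(line, sizeof line, names[i]);
        printf("%-50s directive=%d\n", line,
               ssid_has_format_directive(names[i]));
    }
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang warn about calls shaped like `log_ssid_unsafe`, which is a cheap way to catch the pattern in code review or CI.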
Take Steps to Protect Yourself
Don’t wait for something to happen. For your personal devices, update them frequently, and whenever indicated by the manufacturer. Consider setting them to automatically update. The longer updates are delayed, the more insecure you become. Help loved ones who aren’t aware of the risk to update their devices, and advocate for the process.
From a corporate lens, whether your company owns its employees’ mobile devices or employs BYOD policies, DirectDefense can help implement Mobile Device Management (MDM) and mobile device monitoring systems. MDM deployments can mitigate these worries by forcing users to update their devices or by completing the updates during inactive hours. We offer services ranging from MDM implementation and monitoring solutions to full-on Mobile Device Audits/Security Architecture Plans, and hardware/PCB review on mobile products. Combined, our Connected Systems group has 15+ years of experience in mobile and IoT/IIoT device security, as well as managed security solutions for these devices.
Like it or not, these devices have become critical to our ability to function – both personally and in business – in the modern world, and they deserve the security measures to match.
Contact us today to improve the security of the devices that spend more time in your hand than anything else!