Android Vulnerability Highlights Two Basic Security Principles
When addressing mobile security, enterprise security teams typically focus on defending the internal organization from attack, both because mobile devices have access to applications and data and because mobile devices can introduce vulnerabilities aimed at exfiltrating data. Yes, many MDM and mobile AV products defend the device itself, but most organizations focus on defending the infrastructure from the mobile device.
But an alarming new vulnerability in Android phones highlights the need for organizations to widen their security focus. Zimperium, which will reveal details of the vulnerability at next week’s BlackHat conference, has named it after the affected Google media player, itself ironically named StageFright.
Zimperium discovered that the standard Android OS texting code allows a bad actor to take over the phone’s data, camera and microphone without the user doing anything but having the phone on and receiving a text (MMS) message. The user does not have to click on anything, watch the media or take any action. The ramifications are extraordinary. (Google has released a patch. What you need to know is here.)
Many organizations will cover the potential threats created by the StageFright vulnerability through exfiltration and monitoring. They should also apply two basic security principles that this vulnerability brings to the forefront.
Principle No. 1: Back up your data. Bad actors can do many things once they are in the user’s phone, and one of them is deleting data. The only way to defend against this risk is to make sure that phone data is replicated somewhere or backed up. Unfortunately, most ways to back up data (e.g., Dropbox, iCloud and similar syncing programs) are viewed as a threat, not a tool, by security teams, and for good reason.
What should be considered instead are programs that do not send corporate or federal agency data to external resources. There are several ways to do this. A proven method uses a sandbox such as VMware’s Horizon or Good Technology: all important data must live inside the sandbox, a secure portion of the phone, from which it is copied or moved over a secure channel to the internal infrastructure.
Principle No. 2: Implement patch management for mobile devices. Mobile Device Management (MDM) products like VMware’s AirWatch and some Network Access Control (NAC) products like ForeScout allow administrators to force patches as soon as a known fix exists. Either one is good but not bulletproof on its own; the combination covers both managed and unmanaged devices that physically enter an environment. This matters because of the camera and microphone access a StageFright hack grants: you don’t want someone listening in on conversations or taking pictures or videos of your facility.
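The combined MDM-plus-NAC gate described above reduces to a simple compliance decision per device: is its security patch level at or beyond the level that carries the fix, and if not, is it managed (push the update) or unmanaged (restrict network access)? The script below is an added illustration of that decision, not code from the article, Zimperium or any MDM/NAC vendor. The inventory records are constructed to mimic an MDM export; the field name security_patch mirrors the ro.build.version.security_patch property that newer Android builds expose, and the required patch level is an assumed placeholder date rather than a value the article gives.

```python
"""Classify an Android fleet by security patch level so an MDM/NAC pair
can act on it.  Added example; inventory format and threshold are assumed."""
from datetime import date
from typing import Dict, List, Optional

# Assumed minimum patch level (placeholder): the month the fix is taken to
# have reached this fleet.  Not a value stated in the article.
REQUIRED_PATCH_LEVEL = date(2015, 8, 1)

# Constructed inventory records mimicking an MDM export.  "security_patch"
# mirrors Android's ro.build.version.security_patch (YYYY-MM-DD); builds that
# predate that property report it empty, and a corrupt export may garble it.
SAMPLE_INVENTORY: List[Dict] = [
    {"device_id": "d-001", "managed": True,  "security_patch": "2015-08-01"},
    {"device_id": "d-002", "managed": True,  "security_patch": "2015-06-01"},
    {"device_id": "d-003", "managed": False, "security_patch": ""},
    {"device_id": "d-004", "managed": False, "security_patch": "2015-09-05"},
    {"device_id": "d-005", "managed": True,  "security_patch": "not-a-date"},
]


def parse_patch_level(value: str) -> Optional[date]:
    """Return the patch date, or None when the field is absent or unparseable.
    None is treated as unpatched so the gate fails closed."""
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def is_compliant(record: Dict, required: date = REQUIRED_PATCH_LEVEL) -> bool:
    """A device is compliant only with a parseable level at or past `required`."""
    level = parse_patch_level(record.get("security_patch", ""))
    return level is not None and level >= required


def classify(inventory: List[Dict],
             required: date = REQUIRED_PATCH_LEVEL) -> Dict[str, List[str]]:
    """Split devices into the action buckets an MDM + NAC pair would act on:
    push_update: managed and behind the level  -> MDM forces the patch
    quarantine:  unmanaged and behind the level -> NAC restricts network access
    ok:          meets the requirement"""
    result: Dict[str, List[str]] = {"push_update": [], "quarantine": [], "ok": []}
    for rec in inventory:
        if is_compliant(rec, required):
            result["ok"].append(rec["device_id"])
        elif rec.get("managed"):
            result["push_update"].append(rec["device_id"])
        else:
            result["quarantine"].append(rec["device_id"])
    return result


if __name__ == "__main__":
    for bucket, ids in classify(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The fail-closed handling is the point worth keeping: a device that cannot prove its patch level (empty or garbled field) is treated as unpatched, which is the only safe reading when the alternative is letting an exploitable handset onto the network.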
Currently, Zimperium does not believe hackers have exploited this vulnerability, but once the full details are released at BlackHat next week, bad actors will be ready to pounce. That means any Android devices not yet patched need to be patched before the details are revealed. Here is that “what you need to know” link again.