By Peter Elmer, Principal Security Expert – EMEA, Member of the Office of the CTO, Distinguished Evangelist 2022, Check Point Software Technologies
What if you couldn’t speak to your family members when needed because your mobile phone isn’t working? What if you couldn’t access important data stored on it? Do you recall the panic rising the last time you tried purchasing a ticket for the train or a flight that you needed to catch and the first phone-based transaction failed?
We are lost without our smartphones
Think of all of the cases in which your phone is used as the second factor for authentication; all of the important personal data stored on it and the payments that you initiate and control with it. When was the last time that you actually printed a ticket for a train, a flight or other forms of public transport?
Why are we paying so little attention to the security component of mobile device use? We simply trust the device manufacturer to deliver software updates on time and to fix security issues found by researchers. We may run anti-malware software, trusting that attackers lack sophistication and rely on methods that signature-based or heuristic approaches can block. But, unfortunately, since 2014, there has been proof of targeted attacks on mobile devices using zero-day vulnerabilities. These are used by attackers who aim to evade traditional anti-malware solutions.
In June of 2022, Google released Android updates closing five critical vulnerabilities that allowed remote code execution on vulnerable mobile devices. Apple published the vulnerabilities closed in its May 2022 iOS update; it is hard to count them or to understand their security impact at first sight. How long did you wait until you installed these updates on your smartphone?
How bad are things these days?
In February of this year, 20% of enterprises suffered mobile device related attacks. In June, the number went down to 13%. In May, the top malware on mobile devices supported keylogging and harvesting of SMS messages used for two-factor authentication. The second most common malware on mobile devices is used for phishing attacks and simulates SMS messages used by delivery services. During the May timeframe, malware of this type was impacting nearly 9% of enterprise organizations.
How does this relate to me? Before COVID-19 I traveled a lot and installed apps for mobile transportation for nearly all European capitals on my smartphone. I used the apps a few times and left them on my device. They did receive some updates over time, but the COVID-19 lockdown made me question their real need. Effectively, they increased the attack surface of my phone so I deleted most of them.
How vulnerable is your smartphone?
How often do we click ‘yes’ when prompted to join a Wi-Fi network? In May of 2022, nearly 15% of all attacks were executed over the mobile network and 5% over Wi-Fi networks. How often do we download an app to use a web service more conveniently? In May of 2022, Check Point Research improved prevention against an Android Banking Trojan found inside 467 apps for restaurants and takeaway services.
In this context, Check Point Research wanted to achieve a better understanding of the magnitude of zero-day attacks on mobile devices and researched commonly used firmware controlling device chips. In June of 2022, they identified vulnerability CVE-2022-20210 within the UNISOC chip firmware used in about 11% of all Android mobile phones. By attacking the baseband modem built into devices, attackers could have blocked all communications.
The US National Institute of Standards and Technology assigned this vulnerability a value of 9.8 out of 10, acknowledging its critical impact. Smartphone users could have found themselves with a constantly rebooting device or, even worse, with intruders controlling their phone or extracting data. The attack could have been executed while mobile devices registered to mobile LTE networks were moving between different cells of the network.
How easy is it to attack smartphones?
Such an attack is easier to conduct than you think. Open source software such as srsRAN allows anyone to create a mobile network for research and study. Unfortunately, such software can be misused to attract mobile devices into joining a malicious network, or simply to launch a denial-of-service attack against them.
Check Point Research investigated the protocol stack of the device modem used for management communications with the mobile LTE network. Management packets are sent by the network to the device when the device is moving between cells. These management packets are parsed and translated to internal control objects. This parsing process was investigated in detail using the open source LTE network software srsRAN. The research found that specific messages could cause a denial of service or allow remote control of the mobile device. After the vulnerability was disclosed to the vendor, CVE-2022-20210 was published once security fixes had been made available to customers.
How can we protect our smartphones?
Remember that you are in control of your mobile device. You decide on whether or not to install apps from trusted stores or from ‘fancy places’. Ask yourself if you really need that specific app right now. What is the impact on your smartphone when installing it? What is the impact on your day-to-day plans if your smartphone were to stop working, once you have installed the app?
What about using a security solution that emulates apps in sandbox environments and investigates their behavior? Such a solution provides data-driven security: machine learning powered by experienced researchers.
Consider the financial impact and the complexity of running your life without your smartphone for just one day. Give it some thought when deciding about the need to install the app that looks so attractive to you. Think twice when considering postponing a security update. Take your time when it comes to security.