CE Pro May 2023 - 56

SECURITY
Mobile Device Cybersecurity
What's Next in
New Age of Mobile
Device Security?
It is predicted that humans will eventually no longer use
smartphones but will be directly connected to the Internet
through advanced brain-to-computer interfaces. Even these
interfaces will have various security challenges and vulnerabilities
that can exploited by cyber criminals.
Until that time, expanded solutions include mobile device
intrusion detection and intrusion prevention similar to fixed
and wireless network components. Smartphones will have
machine intelligence that will automatically respond to security
breaches by shutting the phone down until remediation
or investigation has been performed.
Delivering this level of security is complex and requires
persistent access to vulnerability data feeds to provide information
at the operating system level of the phone. It will
export relevant digital forensic information such as how and
when the attack took place, what impact it has, and then
provide a log of events and actions taken.
Now consider new exploits that cyber attackers can perform
when they are within physical proximity to the smartphone.
We have known about man-in-the middle attacks
where the attacker relays the communication between
two parties to an outside third party, but now we can add
attacks. This is where the attacker receives the communication,
alters the communications being sent and received, and
modifies the message being relayed to outside parties.
If a criminal gets hold of a physical smartphone, they can
extract the SIM card, clone the phone using commercial
off-the-shelf mobile forensic kits, and generate SMS and
text messages to gain access to multifactor authentication
(2FA) to access corporate applications, email, and proprietary
third-party vendor apps. This is known as SIM swapping.
New Tools of the Trade
Regardless of the fact that hacking a smartphone violates
federal wiretapping laws and carries a maximum sentence of
20 years in prison and a $100,000 fine, people can purchase
cellphone hacking tools online.
Malicious USB and cellphone charging cables can be
purchased on the Internet that have similar functionality to
standard cables, except that prescripted malware is injected
into your phone. An example of this hack is listed at mitnicksecurity.com/blog/the-latest-malware-threat-the-usb-ninjacable.
There is even technical support for various products in
the event you have questions or issues configuring or using
these products!
56 | CE Pro May 2023
Don't forget the bad USB devices and " rubber ducky "
exploits, where all that is required is a powered-on machine
and an open USB port. Host devices are then infected with
malicious code to extract personal or corporate information.
This can also be done wirelessly, known as " Wi-Fi duck. " In
this case, a phone that has not been jailbroken using detectable
Wi-Fi can be injected from a remote location. Another
popular tool that can be used when a physical phone is
present is known as " MalDuino W, " which can plug and play
into a USB C port on an Android device.
GoodFirms reports that only 63% of mobile phone users
change their passwords, with the remainder using the same
password for multiple applications within their smartphone.
Over half reported that they share this password with family,
friends and colleagues.
What You Can Do
Until self-protecting smartphones are developed, we must
protect ourselves today. Password hygiene remains at the
top of the list along with reused credentials, and stored
passwords and cached credentials stored in browsers and applications.
These oversights continue to plague organizations
that succumb to cost pressures, allowing employees to continue
using BYOD laptops and mobile phones for corporate
use. Here are some best practice tips:
Use a separate smartphone for business. Isolate personal
data and business data on each device.
Do not use others' cables or cords.
Understand the configuration settings of your device
and customize permissions for each application.
Use a password manager for your mobile device.
Use a mobile phone VPN client if you connect you a
public Wi-Fi.
Avoid websites that are not owned specifically by a
product manufacturer or company. Cyber attackers will
divert and prompt you to download malicious APK files
and viruses on your phone by embedding them into text
applications. Once installed, the attacker gains access to
sensitive information stored on your device.
Avoid entertainment and social media applications like
TikTok that are owned by nation-state attackers that
can manipulate or collect important data from users.
Carefully read all terms/conditions of apps that store
medical and financial data.
Hire a qualified consultant to conduct a digital forensics
analysis on your current devices, and harden the security
baseline on your device.
As humans continue to be the weakest link in any physical
or digital security medium, we need to continue to educate
ourselves. Be vigilant and stop doing foolish stuff! CE Pro
DARNELL WASHINGTON (dwashington@securexperts.
com) is President and CEO of SecureXperts.
cepro.com

http://www.security.com/blog/the-latest-malware-threat-the-usb-ninja http://www.cepro.com

CE Pro May 2023

Table of Contents for the Digital Edition of CE Pro May 2023