It is not new that people are referring to Bring Your Own Device (BYOD) as Bring Your Own Malware (BYOM). In 2012 alone, Android malware encounters grew 2,577 percent (for details, see Cisco’s Annual Security Report). Many organizations are struggling to keep up with the BYOD trend by allowing employees to bring their favorite gadgets to the office to increase productivity and employee satisfaction. However, they are also struggling to protect critical corporate assets, users’ data, and intellectual property on their employees’ mobile devices.
Stealing Your Banking Information and Your Corporate Intellectual Property Made Easy
The number of new mobile Trojans and malware is increasing every day. For example, the Carberp malware/Trojan can steal online banking credentials very easily from your phone or tablet. Carberp was first seen about three years ago, but now its source code is being sold in the underground scene at a very affordable price (US$5000 or less). Citmo.A (or Carberp-in-the-mobile) monitors incoming SMS to steal the mobile Transaction Authentication Number (mTAN) that financial institutions send to customers to validate online banking transactions.
Another example is SpyEye-in-the-Mobile (SpitMo), which is a couple of years old but is still a successful tool for cybercriminals to make money.
Mobile versions of FinSpy/FinFisher can allow miscreants to log incoming and outgoing calls; conceal calls to eavesdrop on the user’s surroundings; and steal SMS messages, contact lists, and phone/tablet media (for example, photos and videos).
Even Your Music Could Trigger Mobile Malware
Recent research has revealed very clever and nontraditional ways to trigger malware and malicious behavior in mobile devices by using sound/music. Yes, that’s correct—music! Researchers at the University of Alabama at Birmingham (UAB) demonstrated this new “exploitation concept” in a paper titled Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices. This means that cybercriminals could become good DJs very soon. In all seriousness, this is the start of clever ways that malware could be triggered remotely in mobile devices (outside of Bluetooth, NFC, and over IP).
The UAB researchers demonstrated a terrifying potential attack vector by developing Android applications that monitor acoustic, visual, magnetic, and vibrational sensors built into modern mobile devices. The prototype applications listen for command and control messages on these channels, most of which would be indistinguishable from normal sounds or lights.
Mobile Botnets Are Here to Stay
Mobile botnets are becoming the new normal. Just like in traditional botnets, cybercriminals leverage mobile botnets with one main purpose: to make money. They make money through fraud by either pumping ads onto your mobile device or selling your information to other spammers and criminal organizations. Miscreants can also steal users’ financial data, usernames, passwords, contact lists, schedules, emails, corporate intellectual property, etc.
Examples of mobile botnets are Rootstrap/Bmaster (also known as Android.Bmaster) and the MDK botnet (Android.Troj.mdk). The Cutwail and Kelihos botnets are also known to target mobile devices.
There are many different ways a mobile device can be compromised by a botnet or become part of a botnet:
- SMS messages with malicious links sent to users
- Coordination with PC/desktop botnets
- Emails with spam links
- Drive-by downloads
- All the traditional ways that malware is spread (of course).
Cybercriminals have been known to hide mobile malware in legitimate apps and games such as Temple Run, Fishing Joy, and others. This makes it hard for a user to detect a “bad app.”
BYOD Security Guidance at Cisco Live
Every BYOD implementation is unique and there is no one-size-fits-all solution because it requires a balance between technology, policy management, and employee outreach and education.
Most Common BYOD Questions
The following are the most common questions CISOs, IT security management, and engineers often ask about BYOD:
- How do regulatory compliance, industry, and corporate culture factor into BYOD decisions?
- What are the most critical steps to take during BYOD planning?
- How should policy planning relate to technology and tool of choice?
- What are the strengths and weaknesses of mobile device management, identity-based approaches, and mobile-enabled applications?
- What is the role of identity in a BYOD environment?
- How can I maintain a secure remote access VPN solution in a BYOD environment?
All of these questions and many more will be answered in detail this week at Cisco Live Orlando. BYOD security is one of the hottest topics this year. I am personally delivering an advanced troubleshooting session for remote access VPN in BYOD scenarios (BRKSEC-3050) and leading several discussions regarding BYOD. However, you may also want to review and attend the following sessions:
- BRKSEC-2045 Mobile Devices and BYOD Security—Deployment and Best Practices
- BRKSEC-3044 What’s accessing my BYOD network and how do I keep the bad guys out?
- COCEWN-3428 Inside Cisco IT: Beyond BYOD—The Post PC Era
- PSOSEC-2001 BYOD: Management and Control for the Use and Provisioning of Mobile Devices
- BRKSEC-3050 Troubleshooting Remote Access SSL VPN in BYOD Scenarios
I invite you to join me this week at Cisco Live and access detailed information about these sessions and many more at the Cisco Live 365 website. Choose Session Catalog, and then choose the appropriate tab (Sessions, Speakers, or Exhibitors) to search and learn more about Cisco Live. Session PDFs and videos are usually available within a week after a live event. For more information, check the home page announcements. While we do record a large number of sessions, not all sessions are recorded.
Security risks (lost devices, access to sensitive data) are definitely a part of BYOD. However, these risks can be reduced by keeping data and applications separate from personal devices. That means that there’s no sensitive data exposed if an employee’s device is lost or stolen.
This can be achieved with solutions like Ericom AccessNow, an HTML5 RDP client that enables users to connect from most types of devices to any RDP hosts (such as VDI virtual desktops or Windows Remote Desktop Services) and run full Windows desktops or applications in a browser tab.
There’s nothing to install on the end user devices, as you only need an HTML5-compatible browser, so using AccessNow also reduces IT support costs, since IT staff don’t need to spend time installing software on so many different platforms. All they need to do is give employees a URL and login credentials.
Download this free white paper for some additional ideas on securely managing the mobile workforce:
http://www.ericom.com/WP-MobileAccessSecurity.asp?URL_ID=708
Please note that I work for Ericom.