As we fast approach 2016, my security team and I have been compiling a forecast of mobile security trends and vulnerabilities that concern us most. My goal in outlining these threats is not to raise alarm or panic, but to paint a picture of the gravest security concerns we face in the coming year, and hopefully, encourage the industry at large to prepare for them now.With the proper precautions, most of them can be minimized, or forestalled altogether.
The horrific attacks in Paris, San Bernardino, and other locales around the world ensure that terrorism will overshadow mobile security concerns next year. We will see growing concern over usage of Telegram and Redphone-type communication apps that use end-to-end encryption to avoid eavesdropping. My team has also been tracking the appearance of legitimate-looking apps that criminals are using to communicate with each other for a very temporary time period (sometimes only once).
Looking ahead, we should expect terrorists to leverage major online media services such as YouTube for covert communications by integrating hidden data in videos — for example, special audio frequencies that cannot be heard/understood by humans but are translatable through a special listening program.
2. Hackers Target Mobile Payment Services
Based on back channel murmurs among black hat hackers, it’s more likely than not that leading mobile payment platforms such as Apple Pay or Samsung Pay will be seriously compromised in 2016. This will probably happen not through outright breaking of their payment processing algorithms but via analysis of the entire system to identify bypass measures and vulnerabilities, leading to credit card information fraud, extortion, and unauthorized use. We have already seen how stolen credit card info has been successfully added to ApplePay accounts without bank verification, allowing fraudsters to use stolen card information at brick-and-mortar stores. Soon, a similar technique will likely be used for online transactions.
Apple and Samsung are not the only companies in these crosshairs. Peer-to-peer mobile payment apps such as Venmo that use simple payment remittance processes will become more vulnerable to hackers attempting to transfer funds from users’ accounts to dummy accounts they can then access. (We are monitoring underground activity of this kind, but it’s yet unclear whether any of these attacks have been successful.)
3. The Rise of Mobile Web Browser-Based Hacking
We expect mobile versions of Chrome, Firefox, Safari, and related kernels on Android and iPhone to be hacked frequently in coming months. Hacking via a mobile browser is one of the most efficient ways to compromise the entire phone, because exploiting a browser vulnerability can enable the hacker to bypass its many system-level security measures. The following will give you a sense of how this would work:
Webkit-based exploits allow hackers to bypass a browser’s sandbox, or the security measures built into modern browsers. This would most likely be followed by OS/kernel-level exploits to access the root of the system and gain total control over the device.
An example OS-level exploit is Stagefright, which was a weakness in a library inside the Android OS. Although Google released a patch to address this problem over the summer, Zimperium released a second set of vulnerability discoveries, dubbed Stagefright 2,0, in October. When such an exploit is executed via a web-browser, it becomes extremely reliable.
We expect more such vulnerabilities to surface in the coming months and to be exploited at a broad scale in the coming years.
4. Remote Device Hijacking/Eavesdropping
Thanks to the explosive growth of Android devices, billions of people around the world will soon own a smartphone. Most of these handsets include preloaded applications that are generally not analyzed or validated by Google’s security team, however, exposing them to remote device hijacking. The open, customizable nature of Android smartphones by OEMs will continue and worsen this threat, so we should also expect to see frequent OEM security updates/patches. In fact, I forecast them to at least double next year.
Related to this is the rising threat of man in the middle attacks (or MitM). New smartphone owners are often not aware of or practicing adequate security habits with their device. For instance, they may allow their device to automatically access unsecured AP/WiFi connections that don’t encrypt data communicated through the network. This can lead to insecure apps leaking user credentials, which hackers can “see” when the mobile device transmits data.
Another concern is the ability of a hacker to eavesdrop on conversations or view messages that a user sends or receives. My colleagues Daniel Komaromy and Nico Golde recently demonstrated how a simple MitM hack works against Samsung’s Shannon line of baseband chips. Left uncaught, this vulnerability would have enabled hackers to eavesdrop on calls made from these devices.
5. DDoS Attacks: Evolved
Up to now, most Denial of Service attacks have been an infrequent and short-lived annoyance, one that most businesses online are relatively well-equipped to deal with. However, the growth of mobile and other Internet-connected devices is allowing the DDoS to evolve. We are starting to see devices hijacked and turned into DDoS bots, thereby increasing the barrier to detect and prevent denial of service attempts. We should prepare for many such attacks, roughly growing at the rate in which new Internet-connected devices enter the market.
Which brings me to a related threat:
6. The Internet of (Vulnerable) Things
The recent hacking of children’s wireless toys, not to mention the hacking of an automated car, highlights the dangers inherent in what’s known as the Internet of Things. More and more devices are becoming Internet-enabled but without proper security configurations/measures, providing for an increased attack surface and more variables to go wrong among the proliferating operating systems, drivers, and software that run them. All mobile apps that connect to IoT devices through bluetooth or Wi-Fi are vulnerable. Hackers will be able to accomplish more and more of these exploits through mobile/wireless device-driven DDoS attacks as I outlined above, along with the use of mobile/smart trojans, which enable a hacker to gain control of a targeted device remotely, accessing a private, secure network.
Just as concerning, Internet-connected medical devices are notorious for having poor configurations from a security standpoint, allowing hackers to access and gain remote control of them. For instance, networked ultrasound scanners and other medical devices often have a hardcoded default login/password for remote login that is relative easy to guess. In 2013, my colleague Jay Radcliff demonstrated how an insulin pump could be tampered with to deliver an insulin overdose. It is a tragic irony that devices designed to save our lives can potentially be used to harm us.
All of this may suggest a dire future of constant security threats, but I said at the start, the good news is there are immediate, proactive steps to the vulnerabilities I’ve outlined here, which I dearly hope organizations take now. Security and hacking trends change overnight, and the measures security teams implemented two years ago may not be adequate now — and certainly not in 2016.
Min-Pyo Hong is CEO and founder of SEWORKS, based in San Francisco. He has advised corporations, NGOs, and governments on digital security issues for over 20 years, and led a team of five-time finalists at DEFCON.
Leave a Reply