As the unrelenting game of attackers versus defenders continues in the world of information security, mobile cyber attacks are becoming a more desirable attack vector for hackers, criminal organizations, and nation-states to gain access to data. The past few years have started to see long-term, concerted campaigns targeting mobile devices, most notably the Red October malware that targeted multiple mobile platforms and dedicated hardware such as router, switch, and firewall operating systems. More recently, we also have the revelation of the NSA's alleged DROPOUT JEEP malware campaign to allow the agency to effectively "own" Apple iPhone devices. Mobile devices represent a rich attack vector for bad actors; I recommend the fantastic hands-on workshop that Larry Pesce of SANS presented at RSA Conference 2014 if you're interested in a deep-dive of mobile threats.
First and foremost, of course, mobile devices are... well, mobile. Unlike a corporate or home computer (or even a laptop), they are much more likely to be used on public networks, including both cellular and WiFi, on a near-constant basis. This usage makes them more susceptible to man-in-the-middle (MITM) attacks and increases the chance that they will connect to insecure or fake WiFi networks that can easily redirect legitimate URLs, sniff for credentials, and more. Their ubiquity, coupled with their small size, also means that they can easily be "borrowed" and returned to the unsuspecting owner—potentially with malware, keyloggers, or other modified content now included. Add to this the fact that many organizations adopt a BYOD approach to mobile—with little or no management layer on the device—and an attacker now has an access point inside the corporate network.
Challenges to Upgrades
Another problem with mobile devices is that many of the product features that can be exploited sit outside user-manageable application space and are not easily upgradable. For example, many smartphones contain static, embedded versions of web browsers and runtime environments such as Java, which may be embedded within application-specific integrated circuits (ASICs) that lie below the application layer. In these cases, patching an exploitable vulnerability may not be as simple as downloading an update; it may require physically tethering the device to a host. Malware authors can write code that targets vulnerabilities in a specific, known release-to-manufacturing (RTM) version of a device, knowing that even if a patch exists, a large number of the device's users have likely not bothered to apply it.
Mobile devices also suffer from the potential insecurity of vendor "app stores," which monitor downloadable content for potential malware to varying degrees. One app store vendor may conduct detailed code-level scans of products provided in its store and maintain a developer program with strong validation requirements; another vendor's app store may be more like the Wild West, rife with malware posing as legitimate, well-known software under similar names (imagine "Angry Gulls," "Candy Cruise Saga," and "Instagraham," for example). Even legitimate mobile software, just like on traditional PCs and laptops, can have substantial vulnerabilities; the recent disclosure from the popular time-limited photo-sharing app Snapchat is a prime example.
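The lookalike names above (a well-known brand with one word or a few letters changed) are exactly what an app-inventory review can screen for mechanically. The following is an added example, not code from the original article: it scores each app name in a constructed inventory against a constructed watchlist of known app names, flagging near-identical spellings (normalized edit distance) and names that borrow a distinctive word from a known app while the full name differs. The watchlist, the threshold and the four-character token rule are assumptions for the demo.

```python
from __future__ import annotations

import re

# Constructed watchlist (assumption): the well-known apps an organization
# expects to see on its users' devices.
KNOWN_APPS = ["Angry Birds", "Candy Crush Saga", "Instagram", "WhatsApp", "Snapchat"]


def normalize(name: str) -> str:
    """Lowercase and keep only letters and digits, so spacing and punctuation
    tricks ('Insta-gram', 'instagram ') do not defeat the comparison."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def brand_tokens(name: str) -> set:
    """Words of four or more characters; shorter words are too generic to count."""
    return {t for t in re.findall(r"[a-z0-9]+", name.lower()) if len(t) >= 4}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical normalized names, towards 0.0 for nothing in common."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    return 1.0 - levenshtein(na, nb) / max(len(na), len(nb))


def classify(candidate: str, known=KNOWN_APPS, threshold: float = 0.75) -> tuple:
    """Return (verdict, matched_known_name, similarity).

    verdict is 'known' (exact match after normalization), 'lookalike'
    (near-identical spelling, or a distinctive word borrowed from a known
    app's name while the full name differs) or 'unknown'.
    """
    cand_norm, cand_tokens = normalize(candidate), brand_tokens(candidate)
    best_app, best_score = None, -1.0
    for app in known:
        if cand_norm == normalize(app):
            return ("known", app, 1.0)
        score = similarity(candidate, app)
        suspicious = score >= threshold or bool(cand_tokens & brand_tokens(app))
        if suspicious and score > best_score:
            best_app, best_score = app, score
    if best_app is None:
        return ("unknown", None, 0.0)
    return ("lookalike", best_app, round(best_score, 3))


if __name__ == "__main__":
    # Constructed inventory: the article's three spoof names plus two benign entries.
    for name in ["Angry Gulls", "Candy Cruise Saga", "Instagraham", "Instagram", "Calculator"]:
        print(f"{name:18} -> {classify(name)}")
```

The token rule is what catches "Angry Gulls": its edit distance from "Angry Birds" is too large for the threshold, but it reuses the distinctive first word. The same rule will produce false positives for generic words shared by unrelated apps, so in practice the verdict is a triage signal for a human reviewer, not an automatic block.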
Together, these issues make these devices prime fodder for cyber attacks. So, what does the corporation trying to protect its intellectual property, or the individual simply trying to keep innocuous communications and contacts private, do about all of this? Unfortunately, there are no easy answers. Endpoint protection software (such as anti-malware) is a good start, as is policy-based remote management for institutions, whether or not they use a BYOD approach to mobile devices. Of course, the best solution is improved user behavior: be cognizant of what you're connecting to, the apps you install, and the media you physically connect to your mobile devices. Stronger, more consistently applied encryption of data, both at rest and in transit, will help to mitigate attacks that seek to intercept traffic or collect stored data.
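The man-in-the-middle risk on public and fake WiFi networks described earlier, and the in-transit encryption this paragraph recommends, largely come down to how a mobile app configures its TLS client. The following is an added example, not code from the original article: in Python's standard `ssl` module it builds a hardened client context beside the "make the certificate error go away" configuration that leaves a client interceptable, and a small audit that reports which settings are wrong. The audit checks and their wording are assumptions for the demo.

```python
from __future__ import annotations

import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that authenticates the server and refuses legacy protocols.

    create_default_context() already loads the platform trust store and requires
    a valid certificate; the settings are restated so the intent is explicit
    and survives a later edit.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True                     # certificate must name the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED           # chain must validate to a trusted root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no downgrade to TLS 1.0/1.1
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration that makes interception trivial: any certificate,
    presented by anyone on the network path, is accepted. Shown only for contrast."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False   # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: downgrade to legacy protocol versions allowed")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        findings = audit_client_context(ctx)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

On a hostile network the difference is decisive: with the hardened context, a forged or self-signed certificate presented by a rogue access point fails validation and the connection is never established, so credentials are never sent; with the weak context the handshake succeeds against anyone, and everything the app sends is readable by whoever holds that certificate.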