Smartphones: A door to the corporate network
Of the more than six billion people in the world today, five billion carry a mobile phone, which underscores how pervasive mobile phones and smartphones have become in everyday life, including life at work.
Only a few years ago, smartphones were reserved for senior management, to help them manage their daily tasks and be more easily reachable. Today they have become a widespread communications tool for many employees, who use them as a mobile extension of their computers. With a smartphone, employees can access the corporate network on the go, read their email, answer urgent messages, find directions to a meeting, and store a boarding pass, a presentation or a business report.
Small, practical, useful, versatile: smartphones have many advantages, but because the security of mobile phones and their supporting infrastructure is not yet mature, they may also open corporate networks to many threats.
The lost battle between security and usability
Nowadays, companies often require their employees to use a VPN to access the corporate network from laptops or remote PCs (which are increasingly equipped with anti-virus software). A VPN provides secure access to the corporate network by encapsulating traffic inside a tunnel that is encrypted and authenticated with cryptography. Unfortunately, VPN solutions for mobile devices are not yet widespread. The main obstacle to their adoption is that VPNs demand computing power that most smartphones lack today: encrypting and decrypting traffic on the fly taxes them heavily, making remote access painful for the end user.
Facing these technical limitations, system administrators must choose between weakening the security of their networks to let mobile phone users in, and limiting those users' access or directing them to another, less sensitive network. In practice, whenever usability and security conflict, security loses the battle. So today most employees can access corporate networks from their smartphone, from anywhere, with degraded protection. One can only imagine the damage when those users connect through a public access point.
Malware propagation: From the mobile to the corporate network
The inevitable choice of usability over security makes smartphones an ideal vehicle for cybercriminals to attack corporate networks. Cybercriminals are like burglars: they look for the weak entry point (a remote PC or an infected mobile phone), find a way to force it open, and then propagate malware, harvest email addresses for spam, steal confidential data or enlist corporate hosts into botnets.
One way to sneak into the corporate network is to leverage mobile phone synchronization. When an employee synchronizes an infected phone with a work computer, the phone infects the computer during synchronization. The phone acts as a Trojan horse: it infects the PC and unwittingly provides access to the corporate network. Several years ago, this is how MSIL/Overcross.A spread from a Windows Mobile device to a Windows PC via ActiveSync.
Attacking mobile phones from PCs
Conversely, mobile phones, or more precisely the data they carry, may be targeted through PCs (e.g. infected computers on the intranet or at home, or malicious external hosts controlled by cybercriminals). This is how the recent SymbOS/Zitmo.A!tr malware operated: a computer infected with Zeus, one of the most notorious and widespread Trojans, was used to infect the victim's mobile phone. The attack was particularly valuable to cybercriminals because it gave them an efficient way to defeat the two-factor authentication used by organizations such as retail banks, by intercepting the one-time password sent to the user's phone by SMS.
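The following simulation, added here as an illustration and not code from the original article or from any bank or malware sample, shows why an SMS one-time password falls to this PC-plus-phone combination even when the bank does everything it can on its side. The bank, SMS gateway, handset and attacker are toy classes constructed for the example; the HMAC-based six-digit code, the single-use check and the account names are assumptions of the example, not any real bank's scheme. The `forward_to` hook on the phone plays the role of the Zitmo-style SMS forwarder, and the rewritten beneficiary plays the role of Zeus on the PC.

```python
"""Simulation of the PC + phone attack on SMS one-time passwords.

Constructed example: bank, SMS gateway, phone and attacker are toy classes
written for this illustration; the HMAC-based code generation is an assumed
scheme, not any real bank's.
"""
import hashlib
import hmac
import re
import secrets


class SmsGateway:
    """Carries SMS from the bank to whichever handset is registered for an account."""
    def __init__(self):
        self.phones = {}

    def register(self, account, phone):
        self.phones[account] = phone

    def deliver(self, account, text):
        self.phones[account].receive(text)


class Bank:
    """Issues a six-digit code per pending transfer over the SMS channel and
    executes the transfer only when that exact, unused code is presented."""
    def __init__(self, gateway):
        self.key = secrets.token_bytes(32)   # server-side MAC key (assumed scheme)
        self.pending = {}                    # code -> transaction awaiting confirmation
        self.gateway = gateway

    def request_transfer(self, account, to, amount):
        tx = (account, to, amount)
        nonce = secrets.token_bytes(8)       # fresh per request: equal transfers get different codes
        mac = hmac.new(self.key, repr(tx).encode() + nonce, hashlib.sha256).digest()
        code = f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"
        self.pending[code] = tx
        # The code travels only over the second channel, never back to the PC.
        self.gateway.deliver(account, f"Transfer {amount} to {to}. Code: {code}")

    def confirm(self, code):
        # Whoever presents a valid, unused code gets the transfer executed:
        # the code is a bearer secret, nothing ties it to the legitimate user.
        return self.pending.pop(code, None)


class Phone:
    """The victim's handset. `forward_to` models Zitmo-style malware that
    copies every incoming SMS to the attacker."""
    def __init__(self, forward_to=None):
        self.inbox = []
        self.forward_to = forward_to

    def receive(self, text):
        self.inbox.append(text)
        if self.forward_to is not None:
            self.forward_to.receive(text)


class Attacker:
    """Controls the infected PC (Zeus role) and collects forwarded SMS (Zitmo role)."""
    CODE_RE = re.compile(r"Code: (\d{6})")

    def __init__(self):
        self.forwarded = []

    def receive(self, text):
        self.forwarded.append(text)

    def harvest_code(self):
        for text in reversed(self.forwarded):
            m = self.CODE_RE.search(text)
            if m:
                return m.group(1)
        return None


def run_scenario(phone_infected):
    """Returns (transfer executed by the attacker or None, result of replaying the same code)."""
    gateway = SmsGateway()
    bank = Bank(gateway)
    attacker = Attacker()
    phone = Phone(forward_to=attacker if phone_infected else None)
    gateway.register("victim", phone)

    # Zeus on the PC rewrites the beneficiary the victim typed before the request
    # reaches the bank, so the bank issues a code for the attacker's transfer.
    bank.request_transfer("victim", to="mule-account", amount=1000)

    code = attacker.harvest_code()
    if code is None:
        return None, None          # second channel intact: attacker holds no code
    executed = bank.confirm(code)
    replay = bank.confirm(code)    # single-use: the same code must not work twice
    return executed, replay


if __name__ == "__main__":
    print("phone infected:  ", run_scenario(phone_infected=True))
    print("phone clean:     ", run_scenario(phone_infected=False))
```

With the phone clean, the attacker's rewritten transfer stalls for lack of a code; with the SMS forwarder in place, the same transfer goes through, and the single-use check only stops a second use of a code the attacker has already spent. The lesson for a defender is that the strength of the second factor depends on its channel being independent of the devices the attacker controls, not on how the code is generated.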