The Reality: Mobile Security is Broken, By Design

11-20-19 08:58 AM
You're 100% right. For companies serious about security I would have them check their personal devices at the door and access them only on breaks in designated areas.
I realize that would make me an unpopular boss!
From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

11-20-19 09:00 AM
I still stand by my opinion that a properly managed EMM/BYOD solution is more than sufficient for the vast majority of cases.
The remaining edge cases would need something rather custom anyway.

11-20-19 09:00 AM
And how do you think hackers get access to servers? 80% of hacks involve at least one element of social engineering, getting a user to perform a task or compromise their credentials. Websites, apps, and email are the first step in the kill chain.

11-20-19 09:14 AM
As an example, one of our clients receives over 100,000 phishing attacks per year, some of which are from sophisticated organized crime syndicates. In one case, they established accounts as legitimate customers, then sent phishing emails to customer support agents with attached "screenshots" that contained a link to download a "viewer" containing a payload.
The attack relies on the fact that a professional CS team wants to go above and beyond the call of duty to take care of customers. Their hope is that the desire to take care of a customer will lead them to make a mistake. The best social engineering attacks exploit good people trying to do their jobs, not "idiots" surfing dangerous websites.
11-20-19 10:56 AM
Approving apps for corporate use is nothing new. Nor is it an unusual expense.
Since the corporate data is segregated, it doesn't matter what people install on their personal side.
Yes, a fully-functioning, proper EMM solution is required, but again, that is not a big ask.
BYOD prompted Chen's recent comments about devices so I think it's clearly an attack vector that enterprise is starting to pay more attention to. Employees would probably prefer a second device from corporate than to have their personal device locked down even further outside of work.

11-20-19 11:06 AM
> Data segregation wouldn't provide any protection against an attack like this because it gains access to the camera, microphone, and GPS data.
99% of company security issues would be solved by implementing a proper EMM solution.

11-20-19 01:25 PM
I understand. I'm speaking in terms of mobile phones as a security threat in general, due to an overly permissive security model that makes it comically easy to escalate privileges without a user's permission.

11-20-19 01:31 PM
I think you are constraining the definition of information security way too much. In the real world, hackers use social engineering and other tactics to defeat simple controls like EMM. This is an example of how Android makes it easy.

11-20-19 01:35 PM
What is your definition of corporate data? Would a confidential conference call qualify? What about a network admin's password? What about the geo-location of an executive when they are visiting a potential acquirer? These are the types of "data" at risk in this case.
11-20-19 02:00 PM
The reason that this is a big deal is that, unlike harder-to-exploit vulnerabilities, this one was easy and has not been patched on hundreds of millions of phones. There are huge state-sponsored and organized crime groups with hundreds of thousands of hackers targeting individuals and companies every day. It doesn't make the news because in many cases, the attacks go undetected for months or years, and, unless personal information is stolen that requires public disclosure, the information is never made public.
China, Russia, Iran and North Korea alone are expected to cost the world trillions of dollars over the next few years. And that's in the absence of a major conflict. There's a reason that many experts believe cyber insecurity to be more of a threat to human civilization than nuclear war.
It might not be pleasant to think that these neat gadgets that we enjoy are poorly designed and dangerous. Hopefully we'll stay ahead of the bad guys and fix the defects before they cost us too much. But treating huge screw-ups like this as "normal" is part of the problem.

11-20-19 02:06 PM
> My point was and is that this particular set of vulnerabilities should have been rendered impossible when Android supposedly gave users control over individual permissions several versions ago. It's now likely that granular control of permissions is not very robust.
Just part of the continuous cat and mouse game.

11-20-19 02:07 PM
There was no escalation of privileges.

11-20-19 02:21 PM
We live in a world of millions of bad apps developed by bad developers using bad security models. That's the design flaw. And pretty much any Android phone not made by Google or Pixel may still be vulnerable, including the KEY phones. Checkmarx gave OEMs time to respond, and only Google and Samsung bothered to do so.

11-20-19 02:24 PM
Here's the Ars Technica article from today: https://arstechnica.com/information-...be-vulnerable/

11-20-19 02:41 PM
> Of course. There's always got to be a bad app or some other vector for malware. In this case, the bad app came from Google and Samsung. That pretty much demonstrates that the security model for building apps is broken. The security architecture itself should not have allowed such a mistake to be made.
I'd be wary of any other model that touts they are better, but don't have that kind of scrutiny.

11-20-19 02:46 PM
> At the very least, Android oversight (from within and without) is monumental, and the vast majority of vulnerabilities are caught long before they are ever exploited in the real world.
Second, I agree with you that scrutiny is good.
My main point here is that, in the race to win the OS market share war, Android has prioritized flexibility and features, with security added on later. The underlying architecture is simply not optimized for security.
Last edited by bb10adopter111; 11-20-19 at 03:38 PM.
11-20-19 05:13 PM
Absolutely, and in this case it was a Google app. Those who sideloaded Gcam might have opened up an attack vector that their non-Google OEM may never patch.

11-20-19 05:15 PM
From the website originally shared by OP:
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
As vulnerabilities are exposed they are patched. Is the overarching argument in this thread that Android is generally full of holes like this one that have yet to be discovered? Vs. BB10 vs. iOS?

11-20-19 05:20 PM
This is always a cat and mouse game, as someone else mentioned. Someone can always find a way to break into your house even if you have a security system. It comes down to being smart and not making it too easy on the perpetrators.