Skip to main content

Could Smartphones be the Unsuspected Entry Point for a Network Attack?

March 25, 2010

Last year, during the 2009 Black Hat event in Las Vegas, two security professionals presented research about the possibility of SMS attacks across a GSM network. Since that time, the frequency of inquires from our clients about how to protect the enterprise from mobile-based attacks has increased. Although we personally have not seen mobile malware attacks “in the wild” and think mobile attacks will be a relatively low priority for attackers for this year – we do believe that the concerns about enterprise management of cell phones in the corporate environment are legitimate for a couple of reasons.

Back in the late ‘90’s, many companies standardized on BlackBerrys. This meant that network and security folks only had to worry about one mobile operating system and a single enterprise management system to control device encryption, antivirus and malware detection. But things have changed. Employees are now buying (and using) Windows Mobile, Palm, Apple, Symbian, Android and whatever other types of phones and operating systems that they want. With the various operating systems, it can be extremely difficult for companies to manage and secure all of the disparate mobile devices found in their environment.  This has made the conditions ripe for a multitude of different mobile device attacks.

For instance, hackers sometimes impersonate carriers and send SMS and MMS messages to users’ phones. The hackers provide hyperlinks and ask for account information under the guise that they’re planning to activate new services. When victims click on the links, they can download malware that can expose personal data, including emails, contact lists and calendars.  Compounding this issue is the myriad of apps folks put on their phones, which makes the probability that they willingly download an infected file much greater because their ability to determine its validity is limited.

Bluetooth, because it offers a more open delivery system, also is being leveraged to attack smartphones. For example, a hacker could walk by or stand in close proximity to unsuspecting users (somewhere within 10 to 30 meters), and use Bluetooth to send viruses or browse any unencrypted personal data. Most phones and Bluetooth headsets are configured to use a default password - and many users never change this password. This type of attack is becoming increasingly common in hot spots such as restaurants, hotels and airports.

I know … it’s all very interesting, but why should you care? The reason: viruses on mobile devices provide an often-undetectable entry point into corporate networks. As soon as employees sync their phones with their laptops or desktops, they’re introducing viruses, malware and bots back into the corporate network.

Fortunately, there are measures you can take to protect your users and your company.  For example, you can install software on corporate mobile devices that detects when someone is trying to attack using an MMS message or Bluetooth and blocks the attack automatically. There also is software that encrypts mobile device data so that the information cannot be accessed when devices are lost or stolen. And, if the enterprise standardizes on RIM-based smart phones, they can easily enforce “kill pills” – which are designed to kill all the data on mobile devices when they are lost or stolen.

However, mobile security software isn’t a silver bullet. It is important for companies to enforce policies and implement processes for employee use of phones. And, user education is one of the most valuable steps a company can take. It is their responsibility to provide users with as much protection as possible, but it’s also up to the users to know what applications they are using on corporate owned mobile devices and what they’re clicking on, along with who’s contacting them and why.

Related Blogs

August 03, 2012

Three Areas of Change at Black Hat

Black Hat is changing. It is pretty evident when you walk the vendor floor and see some of the event and session attendees. A lot of folks are talking...

See Details

April 02, 2014

An Update on Mobile OS Updates

Many of the customers I meet with most often ask for a recommendation or guidelines on the application of mobile OS updates (Android, iOS, etc.). For ...

See Details

June 25, 2014

Three "E"s of Modern Email Security for Phishing: #1 Enhanced Technology

Every day, over a billion emails are sent containing malicious links and attachments, tempting users to take the bait and effectively launch an attack...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

May 05, 2011

Mobile Security Universal Issues | Optiv

It seems everywhere I go I’m having interesting conversations with senior level government officials regarding mobile security.  A lot of these conver...

See Details

July 21, 2015

Network Security Solutions

Learn how we help protect your environment while maintaining connectivity.

See Details

February 19, 2010

Mitigate Risk, Prevent Attacks | Optiv

Yesterday, the Wall Street Journal published an article by Siobhan Gorman about hackers in Europe and China who successfully broke into computers at 2...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cybersecurity Events in your area.