Smartphone analysis & stats: Personal use leaves work smartphones hackable

Feature by Chandu Gopalakrishnan

Smartphones, the devices most commonly used interchangeably for personal and work purposes, have opened doors for hackers

Companies, well aware of the risk of BYOD (bring your own device) policy, haves been giving smartphones, tablets and laptops to employees. This practice ensured effective data management and better security software updation.

However, these devices being used interchangeably for personal and work purposes has opened doors for hackers.

Wrong number

A recent report from the Royal Society of Arts, Manufactures and Commerce (RSA) puts smartphones on the top of the list as the main channel for hackers. The convenience offered by these devices has lead us to store a considerable amount of information in them, which includes log-in credentials of personal and office facilities.

Following the RSA report, Case24.com investigated the mobile phone brands and smartphone applications that are most likely to be targeted by hackers in the UK. The information was collected by analysing monthly Google search data on how many British users were searching for methods to hack different apps and phone brands.

iPhone stood first in the most targeted phone brand (10,040 searches) and Samsung came a distant second (700 searches), while Instagram (12,410), Snapchat (7,380) and Whatsapp (7,100) topped the app list.

Put differently, iPhone owners are 167 times more at risk of people trying to hack them than other phone brands, while an Instagram app is 16 times more at risk of getting hacked than a Netflix application.While it was safe to assume iPhone’s position in the list is due to its popularity, the nature of the top apps showed a predominant personal use of the devices.

Hackers have been taking note of the situation.

Threat calls

According to the Nexusguard threat report, more than 40 percent of DDoS attacks in  Q3 2019 came from mobile gateways, three-quarters of which was from Apple iOS devices. Overall, the number of distributed denial-of-service (DDoS) attacks went up 86 percent in the third quarter of 2019 compared to the previous year’s corresponding period.

Even though most users don't consider the possibility of their mobile device being hacked, the potential for the attackers is clear, said Tom Davison, EMEA technical director at Lookout.

"Device owners are regularly opening themselves up to risk by downloading and sideloading untrusted apps or by willingly jailbreaking or rooting their devices. Even worse, this type of compromise may be persistent and invisible. Telltale signs could be increased battery or data usage," he said. 

"To avoid being caught in the DDoS net, device owners should stick to trusted app stores and consider installing a mobile security solution to alert on any anomalies."

Things get complicated when the work devices are lost or stolen.

Phone gone

The UK Ministry of Justice (MoJ) lost 354 mobile phones, PCs, laptops and tablet devices in the financial year 2018/19, up from 229 in FY 2017/2018. The number of lost laptops alone, went up 400 percent, from 45 in 2016/17 to 201 in 2018/2019.

"Unfortunately, lost or stolen devices are problems that any large organisation will face. Endpoints boost user productivity, but they are also commonly used as an entry point into an organisation during a cyber-attack. When a device goes missing, so does the sensitive information which exists in its files, which could lead to a data breach if the device falls into the wrong hands," commented Saryu Nayyar, CEO of Gurucul.

Even riskier is the situation when employees leave work data in their personal devices that are resold.

A study by the University of Hertfordshire found out that 19 percent of secondhand phones sold on eBay still contain sensitive data -- private emails, contact lists, tax documents, bank account details, web browsing histories -- that could be used to identify the previous owner, reported Comparitech.

It is not a huge surprise that mobile devices are not wiped properly before being sold off, observed Davison.

"The important point here is the amount of personal and sensitive data we accumulate on our mobile devices. In day-to-day usage this is of high value to a potential attacker, and users should carefully consider how they secure their data and protect their mobile privacy." 

The potential consequences of data loss become even more severe when these devices frequently double-up as business tools, he added.

Dial C for caution

Microsoft recently called for a segregation of day-to-day email/internet access from access to sensitive corporate systems and data. It recommended providing a separate dedicated "privileged access workstation" (PAW) that is not mixed with other activities.

"Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket," said a Microsoft statement.

"In simplest terms, a PAW is a hardened and locked down workstation designed to provide high security assurances for sensitive accounts and tasks. PAWs are recommended for administration of identity systems, cloud services, and private cloud fabric as well as sensitive business functions."

However, it adds that a PAW will not protect an environment from an adversary that has already gained administrative access.

The best way for organisations to reduce such risks is to have an incident response plan in place, Nayyar suggested. Apart from the regular precautions, putting the right cyber-security solution in place can help mitigate the risk, she added.

"Behaviour-based security analytics technology can identify unusual user or device behaviour that could be indicative of a cyber-attack or insider threat so that IT can intervene before a data breach occurs."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews