Corporate spying is a real threat in the world of cyber war. Employees traveling on behalf of their company could create opportunities for sophisticated adversaries to take sensitive corporate data. This is especially true if they are not careful with their mobile devices.
The targeted malware attack
It may sound like something out of a spy novel, but there are pieces of mobile malware that directly target individuals, turning their smartphones into spying devices.
For example, Lookout and Citizen Lab recently discovered Pegasus, a very mature and concerning piece of mobile spyware that specifically targets iOS devices, jailbreaking them and using them to monitor a victim and exfiltrate data from the phone.
A simple phishing text message is all it takes to infect an iOS device in this way.
The network attack
International roaming can be mighty expensive. The temptation to leech off an open Wi-Fi network is often hard to resist, but hacked Wi-Fi can ruin someone’s day. Malicious actors may specifically target business travelers by setting up spoofed networks that look like innocent connections, such as hotel Wi-Fi and local cafés, to snoop on the data an employee sends and receives.
In fact, some adversaries using spoofed Wi-Fi networks can change the data you send and receive. In some of the more concerning scenarios, attackers use this technique to install rogue app updates on a device, or to patch the phone’s operating system. This gives them “persistent” back-door access to the device, which can cause significant data loss.
The “juice-jacking” attack
It’s always important not to plug your phone into anything that you can’t fully trust. The industry learned this about USB keys decades ago, but the same can be said for mobile devices. USB chargers can be constructed to be malicious. This is a technique called juice-jacking.
Juice-jacking may involve installing malicious software onto the device or exploiting vulnerabilities in the device’s operating system to gain escalated privileges or do other harm.
While such attacks are relatively rare, international business travelers will want to err on the side of caution. Tell employees to stick to using their own chargers.
Other mobile features need to be disabled when traveling through a risky spot. For example, it’s well-known that Bluetooth security is “comparatively weak.” Switch it off and keep it off.
Similarly, leaving a device unattended, such as in a hotel room, can open it up to tampering. There are some reports that even room safes are easy for a rogue employee to crack. Advise employees to keep their devices on them, if possible.
Even the best-run app stores can occasionally host data-stealing malware. Your employees should have a mobile security app on their device that will alert them to the presence of malware as soon as they encounter it, allowing them to self-remediate the problem on the go.
There’s no doubt these risks are real. Before the recent G20 Summit in Hangzhou, China, several governments’ security services warned staff about suspect phone chargers and other technological dangers.
These warnings were focused on possible state-sponsored hacking, but it doesn’t take a state’s resources for a hacker to do the same. As the EU Institute for Security Studies points out, some industrial espionage is state sponsored.
The bottom line
Employee education is an important part of a layered defense strategy, but it’s not practical to avoid risk while being connected to the modern world.
Ultimately, you need to be able to mitigate the situation if attackers break into an employee’s mobile device. Using your current security infrastructure, could you detect unusual activity on a mobile device and shut it down without delay?
Make sure you can remotely:
- Detect and remediate mobile malware
- Detect and remediate compromised operating systems
- Detect and remediate network-based man-in-the-middle attacks