When news of the KRACK vulnerability in Wi-Fi networks protected by WPA2 hit the headlines a while back, there was widespread concern that so many devices were affected, particularly those unloved, back-room (internet of things) type devices that are often forgotten about and therefore rarely patched or managed. While KRACK (Key Reinstallation Attack) is not as much of a problem as first reported (miscreants need to be within Wi-Fi range to execute the attack, and it mainly affects Android and Linux users due to peculiarities in the way that Windows and iOS implement WPA2), it does serve to highlight just how complex our networks and technology stack have become.
A couple of weeks later we heard about Eavesdropper, a vulnerability caused by software developers hardcoding credentials into mobile apps, which could potentially result in large-scale exposure of data and metadata in about 700 mobile apps.
Mobile Security = Enterprise Cybersecurity
All of this brings me to the point that I made in my presentation at DSEI: with the escalation in the complexity of technology, and the pervasive nature of wireless connectivity of all kinds, mobile devices are now a key part of enterprise cybersecurity. Mobility increases productivity, communication and collaboration, but it also increases risk. Smartphones and tablets are the new endpoint, handling increasing amounts of sensitive corporate data – according to Gartner, 27% of corporate data traffic will bypass perimeter security by 2021.
Data is Valuable
There is much more valuable data held on mobile phones than most users would credit. Documents, chat messages, videos, voice calls and voicemail, the address book, the calendar and location are all data, all of it valuable, and to the right criminal it is well worth stealing.
For everyday users of Wi-Fi, KRACK is unlikely to pose much of a threat. However, for those who may be actively targeted because of the work they do (government officials, journalists, law enforcement, covert ops, board-level executives, high-net-worth individuals, royalty, celebrities) it could be an easy way to hijack sensitive, and therefore valuable, information.
For those holding security-conscious positions, selecting the right apps and security solutions can make all the difference when a new vulnerability is uncovered. In the case of Armour Mobile users, even if Wi-Fi traffic is intercepted using KRACK, all that can be seen is encrypted data. The most that the hacker will be able to deduce is that the user has Armour; they certainly won’t be able to listen in.
Certified Apps, Additional Assurance
The WPA2 KRACK vulnerability is one of a myriad of ways that mobile data can be intercepted. If users have end-to-end encryption, however, and their apps come from a trusted, certified source, so that you know exactly who developed them and where the data sits and goes, most users will be protected from a lot of these issues. This also helps to minimise the likelihood of malware getting onto your mobile device, because once a device is infected, even securely designed apps can be at risk of attack.
Knowing and trusting the provenance of your apps, and knowing that the app developer employs industry best practice, should be another key consideration. Software that has been certified by an independent third party (such as NCSC) provides additional assurance that you are buying exactly what you think you are buying. It also provides a level of assurance that the app is being carefully monitored and that, should any vulnerabilities be found, you will be notified in good time and patches will be made available as soon as possible.
The mobile device is the new endpoint. It has improved productivity immeasurably, but the risk has grown with it. Your data is too valuable to trust to ‘free’ security. Be smart with your users’ smartphones and ensure you only use certified apps.