The ultimate guide to implementing zero-trust identity management
Updated: Aug 23, 2022
A person’s smartphone has become a token of their identity in today’s rapidly digitizing world. Beyond a name and an email ID, people’s phones now hold far more sensitive information, such as financial details and health records.
With people having their smartphones within reach for almost the entire day, using the phone as a tool to verify identity has become a widespread practice.
In addition to traditional SMS-based OTPs, many applications such as Google Authenticator and Microsoft Authenticator are now used as a secure second authentication factor in many organizations.
Moreover, the addition of advanced biometric sensors (fingerprint, iris, face, etc.) to smartphones has made identity verification both safer and more convenient.
However, given the alarming increase in cyberattacks over the last few years, organizations must also rethink the security vulnerabilities of smartphones when designing their cybersecurity framework.
In this guide, we have analysed smartphone vulnerabilities at two levels: user-level vulnerabilities and software-level vulnerabilities (which are in turn caused by the exploitation of user-level vulnerabilities).
User level vulnerabilities
Amateurs hack systems, professionals hack people. With increasing sophistication in system- and network-level security, attacking cloud-based servers and encrypted networks has become a challenging task for hackers. Thus, hackers rely heavily on exploiting human vulnerabilities to break into organizations. We humans are creatures of emotion. With little or no effort, hackers can use social engineering techniques to trick users into giving away sensitive information such as login credentials and two-factor codes. Below are some of the phishing techniques that hackers use to socially engineer users.
1. Credential relay attack: In these attacks, hackers pose as an authentic sender (e.g., a system admin) and send an email asking users to click on an authentic-looking URL (e.g., www.gmial.com instead of www.gmail.com) and enter their login credentials on the web page that loads. This web page is often designed to look exactly like the page at the original URL so that users do not suspect any malicious activity. Most of the time, users end up entering their actual login credentials. The hackers receive these credentials and enter them on the original URL to gain access. As a protective measure against credential relay attacks, many organizations now rely heavily on soft tokens such as TOTP (Time-based OTP) generated on the user’s smartphone. However, a credential relay attack is easily extended: the same technique tricks users into sharing their TOTP code as well, and because a TOTP code is accepted from whoever presents it within its time window, the relayed code works on the real site.
2. Magic cable attack (rubber ducking): This is a novel attack technique involving a charging cable that hackers send to users as a gift, or swap in at public charging stations when users leave their phones unattended. The cable looks exactly like an ordinary charging cable but contains a tiny chip that runs a malicious script on the phone once connected, giving hackers remote access to all the information on the user’s phone. This technique is also often referred to as “rubber ducking”.
3. Biometric impersonation using a pattern/passcode brute-force attack: Rubber ducking can be used to record the pattern or passcode a user enters to unlock the phone. Alternatively, different pattern or passcode combinations can be tried on a stolen phone using a USB Rubber Ducky. Once the smartphone is unlocked, the hacker can enroll their own fingerprints on the user’s smartphone and operate, as their own, every account to which the user has associated his/her biometrics. The important takeaway is that smartphone biometrics are only meant to ease the user experience of unlocking the phone, and that is the extent of their guarantee. Using smartphone biometrics to authenticate highly sensitive accounts may have serious repercussions.
4. Malware attack: This is the most traditional method of attack and exploits both human and system-level vulnerabilities. Through phishing emails, hackers send users a link and ask them to click on it, often in exchange for a reward. Upon clicking the link, malicious code is downloaded onto the phone that exploits existing OS-level vulnerabilities to give hackers access to sensitive information on the user’s phone.
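Item 1 above turns on a property of TOTP: the server accepts a valid code from whoever presents it within the current time step, so a code typed into a lookalike site and forwarded within seconds still verifies. The Python below is an added example, not code from the original article or from Byteseal. It implements RFC 6238 TOTP verification and contrasts it with a simplified origin-bound challenge response of the kind used by FIDO2/WebAuthn security keys, where the authenticator signs the server challenge together with the origin the browser reports. The keyed HMAC standing in for the authenticator’s asymmetric signature, the constructed device key, the fixed timestamp and the zeroed 32-byte challenge are assumptions chosen for illustration; the shared secret is the RFC 6238 test-vector seed.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# --- RFC 4226 / RFC 6238 soft token ---------------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Nothing here identifies who typed the code or on which
    site it was typed: any code inside the accepted window passes."""
    counter = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + skew, digits), code)
        for skew in range(-window, window + 1)
    )

# --- Simplified origin-bound challenge response ---------------------------
# Assumption: a keyed MAC stands in for the authenticator's asymmetric signature.

def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """The token signs the server challenge together with the origin the browser
    reports, so the signature is only meaningful for that origin."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def server_verify(device_key: bytes, challenge: bytes, expected_origin: str, signature: bytes) -> bool:
    """The relying party recomputes over its own origin; a signature produced
    while the browser was on a lookalike origin does not match."""
    expected = authenticator_sign(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


def relay_demo() -> Tuple[bool, bool]:
    """Returns (totp_relay_accepted, origin_bound_relay_accepted)."""
    shared_secret = b"12345678901234567890"   # RFC 6238 test-vector seed
    now = 1_600_000_000                        # fixed timestamp (constructed)

    # Soft token: the victim types the code on www.gmial.com; it is forwarded to
    # www.gmail.com ten seconds later, still inside the same 30 s step.
    code_typed_on_lookalike = totp(shared_secret, now)
    totp_relay_accepted = verify_totp(shared_secret, code_typed_on_lookalike, now + 10)

    # Origin-bound token: the browser on the lookalike site reports its own origin,
    # and that origin is part of what the token signs.
    device_key = b"constructed-device-key"     # constructed
    challenge = bytes(32)                      # constructed server challenge
    signature = authenticator_sign(device_key, challenge, "www.gmial.com")
    origin_bound_relay_accepted = server_verify(device_key, challenge, "www.gmail.com", signature)

    return totp_relay_accepted, origin_bound_relay_accepted


if __name__ == "__main__":
    relayed_totp, relayed_bound = relay_demo()
    print("relayed TOTP accepted by real site:", relayed_totp)       # True
    print("relayed origin-bound signature accepted:", relayed_bound)  # False
```

The contrast is the whole point: `verify_totp` has no input that could tell the real site apart from the lookalike, whereas `server_verify` fails as soon as the origin the user actually visited differs from the one the relying party expects. Real WebAuthn verification additionally checks the relying-party ID, the challenge freshness and the signature counter; this example isolates only the origin binding.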
Software level vulnerabilities
Software-level vulnerabilities are often exploited as a consequence of user-level vulnerabilities: hackers trick users into downloading malicious code, as described above.
Once malicious code is installed on the phone, it can then attack OS-level vulnerabilities, which stem from flaws in the code architecture or are hardware based (e.g., Qualcomm’s implementation of ARM TrustZone).
Security updates fix these OS-level vulnerabilities, but at a rate slower than new ones are found. Thus, it is difficult to say for sure that smartphones cannot be breached and are the most suitable identity verification devices.
On the other hand, there is no stopping human susceptibility to emotional manipulation. Despite huge efforts and heavy spending on raising awareness of social engineering, the number of cases is still increasing day by day.
It is now time for us to take steps towards securing your organization from cyber attacks by switching to hard-token based authentication, so that you can be completely sure that the identities of the people who work with your organization are safeguarded. Byteseal helps you implement strong hard-token based authentication without requiring you to change your existing security infrastructure or pay heavy costs to your service providers for enabling multi-factor authentication.