Apple is making a new change in the way it secures the code running in its mobile operating system. This signals – yet again – that threats to mobile devices are very real. The change is currently in the beta version of the next iOS version – 14.5. It makes it more difficult for hackers to take control of an iPhone with a technique known as a zero-click (or 0-click) exploit. Zero-click exploits allow a hacker to take over an iPhone with no interaction from the target.
In an article in Motherboard, we said that while we don’t believe this makes zero-click attacks entirely out of reach, “it certainly will have an impact.”
The reality is, this change is just going to raise the cost of 0-clicks. Hackers are resourceful – persistency is the name of the game, after all. They will probably find other ways to pull off a 0-click attack. And, unfortunately, 0-click attacks are just one quiver in an attacker’s arsenal. An arsenal aiming more and more at enterprises.
Major attack methods against mobile
Today, mobile is clearly the main endpoint in every enterprise. While security teams have defense-in-depth solutions protecting desktops and laptops, there is no such depth of protection for mobile devices. We do have management tools on them, such as access control tools and unified endpoint management (UEM) solutions. However, few organizations have true security tools from an endpoint protection standpoint. Even mobile device management (MDM) solutions offering jailbreak detections are woefully inadequate with the evolving threat landscapes.
Most cannot tell you if a device was compromised or attacked unless it was a user initiated jailbreak, and not a true attack scenario, much less how such a compromise was made with associated forensics – – whether by a malicious or risky app, from connecting to a compromised Wi-Fi network, or from a mobile phishing attack. This demands an approach that can detect and defend across the full spectrum of attack vectors mobile devices are increasingly exposed to.
For example, phishing detection and prevention is particularly important for mobile. Unlike desktops and laptops where security teams can install proxy services and route all traffic through gateways, such approaches do not translate well to mobile.
Additionally, mobile devices are designed for communication. As a result, they have more attack vectors for phishing than desktops. For example, you can phish through SMS text messaging on a mobile device, but not on a desktop. What’s more, traditional endpoint security tools have zero visibility into those attack vectors coming from non corporate controlled applications like WhatsApp, Wechat, and other personal messaging apps.
Attackers know this, and are increasingly targeting the corporate persona of a user using their personal communication channels.
Whether it is phishing, network attacks, malicious apps, risky apps, 0-click exploits or others, threats to all mobile devices are real.
Here to help
If you want to learn more about mobile attacks and how we can protect your enterprise, please contact us.