Can the CEO’s Cell Phone be Compromised? You Bezos Believe It.
By John Michelsen, Chief Technology Officer at Zimperium
It’s a pretty amazing headline: “‘hacked Amazon boss’s phone’, says investigator”
Those of us dedicated to protecting mobile devices knew it was only a matter of time before a well-known device compromise became the proverbial tipping point for public awareness of the vulnerability of mobile devices.
We’ve seen millions of threats targeted at mobile devices. From zero-day exploits targeting iOS or Android operating systems to bad Wi-Fi networks to malicious apps to rogue profiles, we see the impact of mobile attacks every day. The apparent compromise of Bezos’ phone is no surprise to us. But it is worth asking why his phone was potentially attacked. There is the obvious front-page reason we have all seen: it was the source for blackmail material. Bezos, in an extraordinary move, preempted the story and recounted exactly how he was being blackmailed.
But there is a more profound question to ask: why was his phone targeted, and why are phones targeted in general? Our mobile device is our most personal computer, holding information no other device likely contains, yet it is the most vulnerable to exposure to bad actors. A few data points:
- 60% of an organization’s endpoints (mobile devices) are unprotected [1]
- 70% of all financial fraud is perpetrated through mobile browsers or mobile apps [2]
- There were 700 iOS and Android security patches in 2018 [3]
In other words, if you’re an attacker, do you want to try and break into a place where billions have been spent protecting laptops and desktops? Where billions have been spent securing the network with firewalls and other security solutions? Or do you go the path of least resistance and largest return on your investment? Of course, it’s the latter.
In this case, as far as we know, the attackers were after dirt on an individual. But think for a minute about this. If you compromised the phone of the CEO of one of the largest and fastest-growing companies in the world to obtain incriminating personal information, would you maybe also want to click around a little?
If you compromised the device, you essentially can do anything you want. For example, read the corporate email. Maybe check the calendar for upcoming meetings. Maybe look at the email attachments for earnings or M&A info. Have a look at the keychain to get access to usernames and passwords in clear text for use in other apps and web sites. The same phone that provided compelling personal information can and will provide potentially even more compelling corporate access and information.
But is there a solution?
There most definitely is. The first step is acknowledging that a mobile device (phone or tablet) is exactly like a laptop or desktop in terms of the information it holds or has access to. You wouldn’t think of ignoring the security of a laptop or desktop. It’s malpractice to do so for mobile devices.
After that realization, you need a solution that was designed specifically for mobile security. A solution that does not rely on cloud analysis or the frequent updating of signatures (something shown to be ineffective at stopping zero-day or morphing threats). A solution that has been trained to identify threats even when that threat has never been seen before. Sort of like your central nervous system telling you something is wrong by processing the signals of your nerves in real time.
What you need is the machine-learning based, 100% on-device z9 technology from Zimperium. Zimperium has detected 100% of the zero-day threats in the wild without an update. It’s also built specifically to solve the related concerns enterprise organizations have in terms of management, scalability, compliance and others.
Don’t let yourself or your organization be a Prime target.
[1] Zimperium customer surveys
[2] RSA Quarterly Fraud Report, Q4 2018