How to Improve Mobile Device Security on Campus
Hackers targeting mobile devices present a major security challenge to schools and healthcare facilities, as well as law enforcement.
Editor’s Note: For years now, Campus Safety has been covering the wide range of cyber attacks being waged by hackers against schools, colleges, and hospitals. Hackers often gain unauthorized access to a campus or other organization’s network via mobile devices.
Ransomware attacks are also affecting law enforcement. For example, earlier this month, the City of Dallas, which is the ninth largest city in the U.S., confirmed that Royal ransomware had compromised several of its servers, including Dallas PD’s website and the department’s computer assisted dispatch system (CAD), reports CBS News. In April, the police department in Camden County, New Jersey was hit with a ransomware attack, reports The Record.
Smartphones and other mobile devices are extremely vulnerable to hackers. Their unauthorized access to networks can result in private information being stolen and published, classes being cancelled, surgeries being postponed, and law enforcement activities being compromised.
That’s why Campus Safety is publishing the following article, which originally ran in our sister publication, Security Sales & Integration. The information below will help protect your organization and the mobile devices that most of your employees use every day. – Robin Hattersley, Editor-in-Chief, Campus Safety
More than 90% of U.S. citizens aged 16-60 years have smartphones. These aren’t the third generation of flip-phones but highly intuitive Apple, Samsung, Motorola, Nokia and other brands. These complex, innovative, multipurpose and flexible mobile devices are irreplaceable in our business and personal lives, yet the risks they pose to privacy, health, and national security have created critical consequences for our public safety like never before.
We now must adapt to new challenges that require a greater understanding of how to keep our mobile devices safe and secure. Doing this will protect you, your family, and your campus or organization from becoming the victim of mobile device attack and exploitation.
Today’s smartphones are used for almost anything and everything. We use our phones for entertainment, games, taking photos and selfies, accessing our banking apps, texting and finding locations of interest using GPS systems. Organizations that still allow employees to use personal phones in work environments (Bring Your Own Device, or BYOD) expose themselves to a multitude of risks — including espionage, data exfiltration, and ransomware.
According to Paldesk, U.S. smartphone users send and receive five times more texts than they make or receive calls. This opens the door for increased human error in accepting malicious downloads, agreeing to terms and conditions reached through malformed text hyperlinks, and manipulating configuration settings on mobile phones. New legislation requiring cyber breach notification on a national level is expected later this year.
Meanwhile, recent legislation requiring federal agencies and corporations to report cyber breaches has created a new age of what must be done to protect mobile devices. Healthcare applications that are used within smartphone devices will likely require much more stringent regulations from the FDA as they begin to classify smartphones as “medical devices.”
The landscape is also changing as we evolve from talk, text, and web as the primary services offered by our smartphones and mobile devices. We now have integrated sensors that detect motion, environment (temperature, humidity) and position. We also have more complex integrations with applications used for medical diagnostics (blood pressure, diabetes treatments, treatment monitoring) further highlighting how the need for increased security on mobile devices has never been more critical.
Without greater education and focus on mobile device security, cyber attackers will continue to have myriad tools that capture exploitable data, ultimately leading to cyber breaches and loss of personal information. That encompasses stored passwords, photos, emails, files, and account information. Network credentials that enable privileged access to your campus-owned and protected networks and systems will also be compromised, exploited and used for financial gain.
While users may trust the manufacturers of the phones to provide appropriate security, what about the app developers? Their apps are downloaded for everything from opening your garage door and turning on lights or fans to monitoring video surveillance or tracking your heartbeat and steps at regular intervals.
Additional mobile device compromises consist of the monitoring of corporate email accounts by unauthorized users, leading to corporate espionage and loss of intellectual property, ransomware, fines, and diminished reputation among shareholders and stakeholders.
Mobile Device Security Is Essential
If you are using a smartphone for business and personal use, it is essential that you and your organization understand the security precautions and also obtain assurances that third-party vendors providing mobile access to legacy applications meet baseline cybersecurity requirements.
Mobile device security, or mobile device management (MDM), involves mostly remote administration, using third-party vendors, for companies that have a wide assortment of duties. With an increasingly diverse alternative work or work-from-home environment, protecting devices from anywhere, anytime, even in environmentally challenging conditions, is essential. The goal is to keep devices secure while keeping the workforce flexible and productive.
There are five primary tools used in MDM that allow the cybersecurity administrator (or even an IT administrator for a small office) to control the use of smartphones within an organization. Most small organizations are extremely lax in understanding the risks of BYOD and of personally owned smartphones within that type of environment. These MDM tools include:
- Device Tracking: Knowing where the devices are.
- Mobile Management: Maintaining lifecycle management and support of devices.
- Application Security: Whitelisting, blacklisting, and managing third-party application governance.
- Identity & Access Management: Protecting user controls from circumvention and ensuring trust between the user and the device from unauthorized activity.
- Endpoint Security: Protection of the device from perimeter and location-based threats.
Successful MDM within an enterprise requires a complete set of controls that identify and detect rogue devices that connect to wireless networks and scan the perimeter and environment.
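As an added illustration of the Application Security and rogue-device controls described above (this is example code, not part of the original article or of any MDM product), the following Python sketch cross-checks a wireless association log against an MDM inventory. The log format, inventory layout, app names and all sample values are constructed assumptions; "allowlist" and "blocklist" correspond to the whitelisting and blacklisting mentioned in the list.

```python
import re

# Constructed MDM inventory (assumed layout): enrolled MAC -> owner, installed apps.
ENROLLED = {
    "a4:83:e7:10:22:01": {"owner": "jdoe", "apps": {"mail", "authenticator", "vpn"}},
    "a4:83:e7:10:22:02": {"owner": "asmith", "apps": {"mail", "freeflashlight", "notes"}},
}
APP_ALLOWLIST = {"mail", "authenticator", "vpn"}   # approved for business use
APP_BLOCKLIST = {"freeflashlight"}                 # explicitly prohibited

# Constructed wireless controller log lines (the format is an assumption).
ASSOC_LOG = """\
2023-05-22T08:01:13Z assoc ssid=CampusStaff mac=A4:83:E7:10:22:01 ip=10.20.0.15
2023-05-22T08:02:40Z assoc ssid=CampusStaff mac=a4:83:e7:10:22:02 ip=10.20.0.16
2023-05-22T08:05:02Z assoc ssid=CampusStaff mac=de:ad:be:ef:00:99 ip=10.20.0.17
2023-05-22T08:06:11Z assoc ssid=CampusStaff mac=DE:AD:BE:EF:00:99 ip=10.20.0.17
malformed line without a mac field
"""

LINE_RE = re.compile(r"^(\S+) assoc ssid=(\S+) mac=([0-9A-Fa-f:]{17}) ip=(\S+)$")

def audit(log_text, enrolled, allowlist, blocklist):
    """Return (rogue, violations, unparsed) for the devices seen in the log."""
    rogue, violations, unparsed, seen = {}, {}, [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(line)          # keep for review, never silently drop
            continue
        ts, ssid, mac, ip = m.group(1), m.group(2), m.group(3).lower(), m.group(4)
        if mac not in enrolled:            # on the network but unknown to MDM
            rogue.setdefault(mac, {"first_seen": ts, "ssid": ssid, "ip": ip})
            continue
        if mac in seen:                    # audit each enrolled device once
            continue
        seen.add(mac)
        apps = enrolled[mac]["apps"]
        blocked = sorted(apps & blocklist)
        unapproved = sorted(apps - allowlist - blocklist)
        if blocked or unapproved:
            violations[mac] = {"blocked": blocked, "unapproved": unapproved}
    return rogue, violations, unparsed

if __name__ == "__main__":
    rogue, violations, unparsed = audit(ASSOC_LOG, ENROLLED, APP_ALLOWLIST, APP_BLOCKLIST)
    print("Unenrolled devices:", rogue)
    print("Policy violations:", violations)
    print("Unparsed lines:", len(unparsed))
```

Phones that randomize their Wi-Fi MAC address per network will appear unenrolled unless the inventory records the address used on that SSID, so a hit is a prompt to investigate rather than proof of a rogue device.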
Mobile device administrators must become cognizant of privacy controls and device settings, and must educate end users so that they become intimately aware of the terms and conditions regarding what information is stored, processed, and collected. Company IT administrators must also understand that the legal requirements for installing applications without the consent of the owner are very restrictive, and that doing so could lead to criminal investigation and prosecution.
Common Ways Smartphones Are Compromised
Cost pressures that require organizations to allow BYOD reduce their ability, from a legal perspective, to monitor the activities of employee-owned smartphones. While password hacking remains at the top of the list, reused credentials, stored passwords, and credentials cached in browsers and applications continue to plague organizations with data loss and with the copying and sharing of organization data.
The most common way to compromise a mobile phone is through downloading malware from an untrusted site or from a malicious link. This type of attack does not require the cyber attacker to be in physical proximity to the smartphone. This type of malware install requires a code injection or script injection.
Code injection is when malware is introduced to alter the way an application works or how the operating system behaves. This may include keyloggers, or other software that collects names, phone numbers and transmits them externally to remote locations. Script injections are known to perform specific tasks, such as opening a wireless port, and turning on or off specific security features on your mobile device.
Now consider new exploits that cyber attackers can perform when they are within physical proximity to the smartphone. We have known about “man-in-the-middle” attacks where the attacker relays the communication between two parties to an outside third party, but now we can add “woman-in-the-middle” attacks. This is where the attacker receives the communication, alters the communications being sent and received, and modifies the message being relayed to outside parties.
If a criminal gets hold of your physical smartphone, they can extract the SIM card, clone the phone using commercial off-the-shelf mobile forensic kits, and generate SMS and text messages to gain access to multifactor authentication (2FA) to access organization or department applications, email, and proprietary third-party vendor apps. This is known as SIM swapping.
New Hacker Tools Continue to Be Developed
Regardless of the fact that hacking a smartphone violates federal wiretapping laws and carries a maximum sentence of 20 years in prison and a $100,000 fine, you can purchase cellphone hacking tools directly from the web.
Malicious USB and cellphone charging cables that look and function like standard cables can be purchased on the Internet; the difference is that they inject pre-scripted malware into your phone. There is even technical support for various products in the event you have questions or issues configuring or using these products!
Don’t forget the bad USB devices and “rubber ducky” exploits, where all that is required is a powered-on machine and an open USB port. Host devices are then infected with malicious code to extract personal or corporate information.
This can also be done wirelessly, in an attack known as “WiFi duck.” In this case, a phone with detectable WiFi, even one that has not been jailbroken, can be injected from a remote location.
Another popular tool that can be used when a physical phone is present is known as “MalDuino W,” which can plug and play into a USB-C port on an Android device.
GoodFirms reports that only 63% of mobile phone users change their passwords, with the remainder using the same password for multiple applications within their smartphone. Over half reported that they share this password with family, friends and colleagues.
9 Steps You Can Take to Protect Your Mobile Devices
Until self-protecting smartphones are developed, we must protect ourselves today. Password hygiene remains at the top of the list, along with reused credentials and passwords and credentials stored or cached in browsers and applications. These oversights continue to plague organizations that succumb to cost pressures, allowing employees to continue using BYOD laptops and mobile phones for corporate use. Here are some best practice tips:
- Use a separate smartphone for business. Isolate personal data and business data on each device.
- Do not use cables or cords that belong to others.
- Understand the configuration settings of your device and customize permissions for each application.
- Use a password manager for your mobile device.
- Use a mobile phone VPN client if you connect to a public WiFi.
- Avoid websites that are not owned specifically by a product manufacturer or company. Cyber attackers will divert you and prompt you to download malicious APK files and viruses on your phone by embedding them into text applications. Once installed, the attacker will continuously gain access to sensitive information stored on your device.
- Avoid entertainment and social media applications like TikTok that are owned by nation-state attackers that can manipulate or collect important data from users.
- Carefully read all the terms and conditions of applications that store medical and financial data.
- Hire a qualified consultant to conduct a digital forensics analysis on your current devices, and harden the security baseline on your device.
As humans continue to be the weakest link in any physical or digital security medium, we need to continue to educate ourselves. Be vigilant and stop doing foolish stuff!
Darnell Washington is President and CEO of SecureXperts. This article originally appeared in CS sister publication Security Sales & Integration and has been edited.