Thursday, July 23, 2015

Hacking Team iOS Malware

I've seen quite a few tweets about the Hacking Team iOS malware. Specifically, I was reading this blog today: https://blog.lookout.com/blog/2015/07/10/hacking-team/

It's interesting, because months ago I was wondering if iPhones could be targeted from apps/programs installed on the computer, and vice versa. One could create malware that infects one via the other. The reason I thought this was because I was reading an article about USB devices being trusted completely by a computer. If you really get down to it, isn't that what a mobile device is? A storage device with a little more capability?

The blog states this:

"It appears there are three ways Hacking Team could get its spyware onto iOS devices:
An OS X app sideloads an iOS app automatically to a device when it’s plugged in via USB. This also appears to be bundled with a jailbreak exploit that may work on older versions of iOS.
There is a Windows desktop app that appears to do the same.
By clicking on a link to download from a website, email, etc. on the mobile device"

Phones and other mobile devices are an excellent avenue of attack. How many of us are running some sort of security suite on our mobile devices? Hardly anyone. What kinds of things do many of us do on our mobile devices? Banking, buying things, checking our healthcare status, etc.

Fortunately, according to the blog, this attack appears to require physical access.  However, they also state:

"With this specific attack, we believe physical access to the device was required, but Hacking Team’s possession of an enterprise certificate means that there’s the potential for other flavors of this attack that could be delivered via a web browser (drive by download), phishing email or other remote means."

The blog also states that iOS prevents third-party keyboards from running in password fields, but in many cases passwords aren't that difficult to figure out once one has the user name, since the tool can grab e-mails. Sometimes the passwords are in the password reset notifications.

"It’s important to note that Apple does have some safeguards built into its third party keyboard support, which does not allow the keyboard to run in a field that is marked as a password field, so this tool won’t be able to steal passwords from properly implemented apps and websites, but it can be used to steal usernames, contents of emails, and other sensitive data."

I fear that, if it hasn't been done already, malware creators will find a way to make these exploits persistent. What I mean by persistence is making sure that once it's on the phone, it stays there, regardless of user intervention. I'm not well-versed in how these work, but couldn't one simply uninstall the malware from the device in this particular case? I guess that if they have the app/program on the computer, it could just re-install itself. Users could get rid of the app or program on the computer, though, and then it shouldn't be a problem.

The blog has decent advice about mobile security best practices.

"And, here are some general tips for staying safe:
Keep a passcode on your phone. A lot of spyware sold on the market requires that the attacker have physical access to the target device to install the software. Putting a passcode on your phone makes it that much harder for them.
Don’t download apps from third party marketplaces or links online. Spyware is also distributed through these means. Only download from official and vetted marketplaces such as the Apple App Store and Google Play. 
Don’t jailbreak your device unless you really know what you’re doing. Because jailbroken iOS devices are inherently less protected, they are more vulnerable to attack when security protection measures aren’t properly enabled.
Download a security app that can stop attacks before they do harm. Lookout does this, but if you’re not a Lookout user, ask your security provider if they detect Hacking Team and other forms of spyware."

I would also like to note that if you are using a phone with a fingerprint reader, you should set a long PIN and use the fingerprint reader for ease of logging in. The smudges on the phone make it easy to see what the numbers are, and people can see you entering the PIN. If you're using a 4-digit PIN, those PINs are fairly trivial to guess if you know the numbers being used.
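To put a number on that last point, here is an added example (not from the original post or the Lookout blog) that counts how many PINs remain consistent with a set of smudged keys. It assumes that every digit in the PIN left a visible smudge, so the PIN uses exactly those digits in some order and with possible repeats; it also shows how much a 6-digit PIN raises the remaining search space compared with a 4-digit one.

```python
"""
Added example, not from the original post: quantifies how much a smudge
pattern shrinks the PIN search space, to show why a longer PIN matters.
Assumption (constructed for this example): every digit of the PIN left a
smudge, so the PIN uses exactly the smudged digits, each at least once,
and the order of entry is unknown to the observer.
"""
from itertools import product
from math import comb


def candidates_consistent_with_smudges(pin_length: int, smudged: str) -> int:
    """Brute-force count of PINs of pin_length that use exactly the digits
    in `smudged` (each at least once) and no other digits."""
    digits = set(smudged)
    return sum(1 for p in product(sorted(digits), repeat=pin_length)
               if set(p) == digits)


def candidates_closed_form(pin_length: int, distinct: int) -> int:
    """Same count without enumeration: number of surjections from
    pin_length positions onto `distinct` digits (inclusion-exclusion)."""
    return sum((-1) ** j * comb(distinct, j) * (distinct - j) ** pin_length
               for j in range(distinct + 1))


def reduction_table(pin_length: int) -> dict:
    """For each possible number of distinct smudged digits, return
    (remaining candidates, full search space without any smudge info)."""
    total = 10 ** pin_length
    return {k: (candidates_closed_form(pin_length, k), total)
            for k in range(1, min(pin_length, 10) + 1)}


if __name__ == "__main__":
    for length in (4, 6):
        print(f"{length}-digit PIN, full space = {10 ** length}")
        for k, (remaining, total) in reduction_table(length).items():
            print(f"  {k} distinct smudged digits -> {remaining} candidates "
                  f"({remaining / total:.4%} of the space)")
```

With four distinct smudges a 4-digit PIN has only 24 orderings left, while a 6-digit PIN using six distinct digits still leaves 720, and one using four distinct digits leaves 1,560; the fingerprint reader lets you keep the longer PIN without typing it every time.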
