Threat, Vulnerabilities and Mitigations: Mobile Device Vulnerabilities Flashcards
What threats do mobile devices face?
Mobile devices (phones, laptops, pads, eReaders): anything you can “take with you” and that has internet connectivity can be a point of weakness.
Why are patches so important?
Android and iOS are constantly being patched and updated due to security issues.
Malware proliferation is huge: check out the Malware Zoo at https://github.com/ytisf/theZoo/tree/master/malware/Binaries.
What are the considerations for the Bluetooth attack surface?
Bluetooth is an attack surface. Attacks include:
Bluejacking
Bluesnarfing
Bluebugging
BlueBorne
What other wireless methods do you have to consider as an attack point?
Wi-Fi
What are the telco considerations in terms of attacks?
Telco: cellular signal uses SS7, short for Common Channel Signaling System No. 7, which is outdated but still in use to provide interoperability between providers and to provide services:
SMS
Billing
Call waiting/forwarding
An attacker can tap into this network using a laptop and the SS7 SDK at https://github.com/openss7/openss7, and then eavesdrop on conversations.
What are side-loading, rooting and jailbreaking?
Side-loading, rooting, and jailbreaking:
Installing software from the web.
App stores and apps might contain this malware, and even official app stores have been infiltrated. Check out https://f-droid.org/en/.
What other weaknesses can you consider?
Weak or no encryption.
Open Web Application Security Project (OWASP) has a Top 10 Mobile Risks list: https://owasp.org/www-project-mobile-top-10/.
Sandbox bypass/escape
SIM hijacking – the SIM can be cloned
Mobile spam, including SMS phishing (smishing) and voicemail phishing (vishing).
NSO Group calls out Pegasus and Darknet Diaries.
Theft.