5G is set to deliver higher data transfer rates for mission-critical communications and will allow massive broadband capacities, enabling high-speed communication across various applications such as the Internet of Things (IoT), robotics, advanced analytics and artificial intelligence.
According to a study from CommScope, only 46% of respondents feel their current network infrastructure is capable of supporting 5G, but 68% think 5G will have a significant impact on their agency operations within one to four years.
Of the respondents who do not feel their current infrastructure is capable of supporting 5G, none have deployed 5G, 19% are piloting, 43% are planning to pilot, and 52% are not planning or evaluating whether to pilot 5G.
Costs reported as top barriers to 5G implementation
According to the report, ongoing and initial costs are reported as top barriers for federal agencies wishing to implement 5G – 44% believe initial/up-front costs will be the biggest barrier and 49% are concerned about ongoing costs.
“This study indicates that federal agencies are at the beginning stages of 5G evaluation and deployment. As they are looking to finalize their strategy for connectivity, agencies should also consider private networks, whether those are private LTE networks, private 5G networks, or a migration from one to the other to ensure flexibility and scalability.”
Desired outcomes for federal agencies
Remote employee productivity (40%) is one of the top desired outcomes for federal agencies looking to implement 5G, along with introducing high bandwidth (39%), higher throughput (39%) and better connectivity (38%).
Additional findings from the study include:
- 32% hope that 5G will make it easier to share information securely and 32% would like to see easier access to data
- 82% plan to or have already adopted 5G with 6% having already deployed 5G, 14% piloting 5G and 62% evaluating/planning to pilot 5G
- 71% are looking at hardware, software or endpoint upgrades to support 5G
- 83% believe it is very/somewhat important for mission-critical traffic on the agency network to remain onsite while 64% feel it is very/somewhat important
There are clear benefits of 5G SIM capabilities to protect the most prominent personal data involved in mobile communications, according to the Trusted Connectivity Alliance.
Addressing privacy risks
The IMSI, known as a Subscription Permanent Identifier (SUPI) in 5G, is the unique identifier allocated to an individual SIM by an MNO. Despite representing highly personal information, the IMSI is exposed to significant security vulnerabilities as it is sent unencrypted over-the-air in 2G, 3G and 4G technologies.
Most notably, ‘IMSI catchers’ are readily and inexpensively available and can be used to illegally monitor a subscriber’s location, calls and messages.
“To address the significant privacy risks posed by IMSI catchers, the 5G standards introduced the possibility for MNOs to encrypt the IMSI before it is sent over-the-air,” comments Claus Dietze, Chair of Trusted Connectivity Alliance.
“But as the standards state that encryption can be performed either by the SIM or by the device, and even be deactivated, there is potential for significant variability in terms of implementation. This creates scenarios where the IMSI is not sufficiently protected and the subscriber’s personal data is potentially exposed.”
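The variability described above is visible in the concealed identifier itself: the SUCI carries a protection scheme field, and when concealment is switched off (the null scheme) the subscriber digits travel in the clear. The following is an added example, not part of the original article or the white paper; it assumes the hyphen-separated SUCI string form used in 3GPP service APIs and common core-network logs, and the function names and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Protection scheme identifiers from 3GPP TS 33.501 Annex C.
SCHEMES = {0: "null-scheme", 1: "ECIES Profile A", 2: "ECIES Profile B"}
# Smallest plausible scheme output in bytes: ephemeral public key
# (32 for Profile A, 33 for Profile B) + 1 byte ciphertext + 8-byte MAC tag.
MIN_OUTPUT_BYTES = {1: 32 + 1 + 8, 2: 33 + 1 + 8}


@dataclass
class SuciFinding:
    suci: str
    scheme: str
    concealed: bool
    exposed_imsi: Optional[str]  # full IMSI when it can be read off the wire
    note: str


def assess_suci(suci: str) -> SuciFinding:
    """Classify one IMSI-based SUCI of the form
    suci-<type>-<mcc>-<mnc>-<routing>-<scheme>-<hn key id>-<scheme output>."""
    parts = suci.split("-", 7)
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError("not a SUCI string")
    _, supi_type, mcc, mnc, _routing, scheme_hex, _key_id, output = parts
    if supi_type != "0":
        raise ValueError("only IMSI-based SUCIs (type 0) are handled here")
    if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("malformed MCC/MNC")
    scheme_id = int(scheme_hex, 16)

    if scheme_id == 0:
        # Null scheme: the scheme output is the MSIN itself, unencrypted.
        if not output.isdigit():
            raise ValueError("null-scheme output must be decimal MSIN digits")
        return SuciFinding(suci, SCHEMES[0], False, mcc + mnc + output,
                           "IMSI recoverable by any passive listener")

    if scheme_id in MIN_OUTPUT_BYTES:
        raw = bytes.fromhex(output)  # raises ValueError if not hex
        if len(raw) < MIN_OUTPUT_BYTES[scheme_id]:
            raise ValueError("scheme output too short for key + ciphertext + MAC")
        return SuciFinding(suci, SCHEMES[scheme_id], True, None,
                           "MSIN encrypted to the home network public key")

    # Anything else is not one of the two standard ECIES profiles.
    return SuciFinding(suci, "scheme 0x%X" % scheme_id, False, None,
                       "non-standard scheme; concealment cannot be confirmed")


def exposed_subscribers(sucis: List[str]) -> List[SuciFinding]:
    """Return the findings where the IMSI is not verifiably concealed."""
    return [f for f in map(assess_suci, sucis) if not f.concealed]


# Constructed samples using the 001/01 test PLMN; hex payloads are filler.
SAMPLE_SUCIS = [
    "suci-0-001-01-0000-0-0-0000000001",        # concealment deactivated
    "suci-0-001-01-0000-1-1-" + "ab" * 45,      # Profile A
    "suci-0-001-01-0000-2-2-" + "cd" * 46,      # Profile B
]

if __name__ == "__main__":
    for finding in exposed_subscribers(SAMPLE_SUCIS):
        print(finding.scheme, finding.exposed_imsi, finding.note)
```

Run over registration logs from a test or production core, a check like this shows an operator how many subscribers are still being identified with the null scheme.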
Managing IMSI encryption within the 5G SIM
Given these scenarios, the white paper recommends that MNOs consider limiting the available implementation options to rely on proven, certified solutions. Of the available options, executing IMSI encryption within the 5G SIM (a term covering both the SIM and the eSIM, as defined by Trusted Connectivity Alliance as the Recommended 5G SIM) emerges as a comprehensive solution when examined against a range of key criteria. These include ownership and control, the security of the SIM and its production process, and certification and interoperability.
“Eurosmart fully supports the Trusted Connectivity Alliance position on subscriber privacy encryption, and agrees it should be managed within the 5G SIM. If we consider the direct impact on the security and resilience of critical infrastructures and essential services, and the requirements of the NIS directives, it is also apparent that a robust regulatory response is warranted to support these recommendations,” adds Philippe Proust, President of Eurosmart.
“We therefore contend that regulatory measures should be implemented to define an ad hoc security certification scheme addressing IMSI encryption within the 5G SIM under the EU Cybersecurity Act. In addition, it should be a requirement for the IMSI to be encrypted within the 5G SIM, and for the 5G SIM to be mandatorily security certified to demonstrate its capabilities.”
Claus concludes: “Managing IMSI encryption within the 5G SIM delivers control, best-in-class security and interoperability to prevent malicious and unlawful interception. And with 5G creating a vast array of new use-cases, SIM-based encryption is the only viable way to establish interoperability across emerging consumer and industrial IoT use-cases and, ultimately, enable a secure connected future.”
Where there’s money, there’s also an opportunity for fraudulent actors to leverage security flaws and weak entry-points to access sensitive, personal consumer information.
This has caused a sizeable percentage of consumers to avoid adopting mobile banking completely and has become an issue for financial institutions who must figure out how to provide a full range of financial services through the mobile channel in a safe and secure way. However, with indisputable demand for a mobile-first experience, the pressure to adapt has become unavoidable.
In order to offer that seamless, omnichannel experience consumers crave, financial institutions have to understand the malicious actors and fraudulent tactics they are up against. Here are a few that have to be on the mobile banking channel’s radar.
1. Increased device usage sparks surge in mobile malware
Banking malware has become a very common mobile threat, even more so now as fraudsters leverage fear and uncertainty surrounding the global pandemic. According to a recent report by Malwarebytes, mobile banking malware has surged over recent months, focused on stealing personal information and using weakened remote connections and mobile devices in a work-from-home environment to gain access to more valuable corporate networks.
The financial burden of a data breach resulting from mobile malware could potentially set organizations back millions of dollars, as well as do some serious damage to customer trust and loyalty.
2. Sacrificing software quality and security by effecting premature product rollouts
Securing mobile is a laborious task that requires mobile app developers to factor in several entities, including device manufacturers, mobile operating system developers, app developers, mobile carriers, and service providers. No two platforms or devices can be secured in the same way, meaning developers are constantly having to overcome a unique set of challenges in order to reduce the risk of fraudulent activity.
The reality of such a complex ecosystem is that mobile app developers are not always qualified to understand all the risks at play, which leads to unsecured mobile data, connections, and transactions. Additionally, the speed at which the market moves thanks to emerging technologies and innovations creates an added layer of pressure for developers. Lacking the resources and time to properly protect consumers can lead to high-profile attacks where sensitive data is exploited.
3. Vulnerabilities in digital security protocols
At any given time, every entity in the ecosystem described above must have high confidence in the entity on the other side of the transaction to ensure its legitimacy. A lack of digital security protocols like secure sockets layer (SSL) and transport layer security (TLS) in mobile banking apps makes it difficult to establish encrypted links between every entity that ultimately help prevent phishing and man-in-the-middle attacks.
If we continue growing our ecosystem at the current rate, adding to its complexity and connecting more and more third-party services and networks, we can no longer avoid fixing the broken system we have for SSL certificate validation.
4. Unreliable mobile device identification
Another issue at play is device identification. The only way other entities in the ecosystem can recognize a unique device is through device fingerprinting. This is a process through which certain unique attributes of a device – operating system, type and version of web browser, the device’s IP address, etc. – are combined for identification. This information can then be pulled from a database for future fraud prevention purposes and a range of other use-cases.
Data privacy concerns and limited data sharing on devices, however, have weakened the process and reliability of identification. If we do not have enough discrete data points to establish a reliable digital fingerprint, the whole system becomes ineffective.
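The effect of losing data points can be measured directly. The following added example (not from the original article) hashes the attributes named above into a fingerprint and reports how many devices become indistinguishable as attributes are withheld; the device records, attribute names and function names are constructed for illustration.

```python
import hashlib
import json
from collections import Counter
from typing import Dict, List


def fingerprint(device: Dict[str, str], attributes: List[str]) -> str:
    """Hash the selected attributes in a canonical order so the same
    device always yields the same identifier."""
    selected = {name: device.get(name, "") for name in attributes}
    canonical = json.dumps(selected, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def anonymity_sets(devices: List[Dict[str, str]], attributes: List[str]) -> List[int]:
    """Sizes of the groups of devices that share one fingerprint, largest first.
    A size of 1 means the device is uniquely identified."""
    counts = Counter(fingerprint(d, attributes) for d in devices)
    return sorted(counts.values(), reverse=True)


def ambiguous_fraction(devices: List[Dict[str, str]], attributes: List[str]) -> float:
    """Fraction of devices that cannot be told apart from at least one other."""
    sizes = anonymity_sets(devices, attributes)
    return sum(n for n in sizes if n > 1) / len(devices)


# Constructed device records (IP addresses are from documentation ranges).
DEVICES = [
    {"os": "Android 13", "browser": "Chrome", "browser_version": "120", "ip": "203.0.113.10"},
    {"os": "Android 13", "browser": "Chrome", "browser_version": "120", "ip": "203.0.113.11"},
    {"os": "Android 13", "browser": "Chrome", "browser_version": "119", "ip": "203.0.113.12"},
    {"os": "iOS 17", "browser": "Safari", "browser_version": "17", "ip": "198.51.100.5"},
    {"os": "iOS 17", "browser": "Safari", "browser_version": "17", "ip": "198.51.100.6"},
    {"os": "Windows 11", "browser": "Firefox", "browser_version": "121", "ip": "192.0.2.44"},
]

if __name__ == "__main__":
    for attrs in (["os", "browser"],
                  ["os", "browser", "browser_version"],
                  ["os", "browser", "browser_version", "ip"]):
        print(attrs, anonymity_sets(DEVICES, attrs),
              round(ambiguous_fraction(DEVICES, attrs), 2))
```

With only operating system and browser available, five of the six constructed devices collapse into two shared fingerprints, so a fraud rule keyed on the fingerprint would treat different customers as the same device.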
5. Time to update authentication techniques
Fraudsters are always on the lookout for ways to intercept confidential login information that grants them access to protected accounts. Two-factor authentication (2FA) has become banks’ preferred security method for reliably authenticating users trying to access the mobile channel and staying ahead of cybercriminals.
More often than not, 2FA relies on one-time-passwords (OTPs) delivered by SMS to the account holder upon attempted login. Unfortunately, with phishing – especially via SMS – on the rise, hackers can gain access to a mobile device and OTPs delivered via SMS, and gain access to accounts and authenticate fraudulent transactions.
There are also a number of other tactics – e.g., SIM-swapping – attackers use to gain access to sensitive information and accounts.
6. Lack of industry regulation and standards
Without the establishment of rigorous standards and guidance on online banking security and protecting the end-user, low consumer trust will inhibit mass market acceptance. The Federal Financial Institutions Examination Council (FFIEC) has yet to issue ample guidance on the topic of authentication and identification on mobile devices. Mobile security standards need to be a top priority for regulators, especially as new technologies and mobile malware continue to disrupt the market.
The underlying theme for banks to keep in mind is that trust is a currency they cannot afford to lose in such a competitive financial services market. In the race to provide seamless, omnichannel banking experiences, integrating better security protocols without compromising usability can feel like a constant balancing act. Researching the latest tools and technology as well as building trusted partner relationships with third-party service providers is the only way banks can differentiate themselves in a dynamic security landscape.
TEAMARES launched DeimosC2, addressing the market need for a cross-compatible, open source Command and Control (C2) tool for managing compromised machines that includes mobile support.
Offensive security teams often need access to a cost-effective, easy-to-use tool that can manage compromised machines after an exploitation. However, many of the options currently available in the market can be difficult to use, expensive, or lack the flexibility to expand features.
With this in mind, TEAMARES developed DeimosC2, a cross-platform and collaborative tool designed with a robust functionality that can be extended in any language. Teams can conduct post-exploitation on any major operating system, including Android devices, addressing the lack of defensive capabilities that are available on enterprise devices.
- A UI that offers ease of use and supports multiple users for collaboration.
- Multiple listener and agent communication methods such as TCP, HTTPS, DNS over HTTPS (DoH), and QUIC.
- Pivot capabilities over TCP.
- Extendable functionality that can be written in multiple languages.
- API over WebSockets allowing for scriptable functionality.
- Written in Golang for cross compatibility on all major operating systems.
- Archive and replay functionality post-testing so users can restore listeners, loot, and other critical information to the database.
“Red teams usually have to choose between expensive C2 tools in the market or training for their teams on the current tools,” said Quentin Rhoads-Herrera, Director of Professional Services for TEAMARES and co-author of DeimosC2.
“Deimos is an open source, community-contributed tool that is designed for ease of use and cross OS compatibility without a large spend of budget or time.”
There’s a massive amount of complexity plaguing today’s enterprise endpoint environments. The number of agents piling up on enterprise endpoint devices – up on average – is hindering IT and security’s ability to maintain foundational security hygiene practices, such as patching critical vulnerabilities, which may actually weaken endpoint security defenses, Absolute reveals.
Also, critical endpoint controls like encryption and antivirus agents, or VPNs, are prone to decay, leaving them unable to protect vulnerable devices, data, and users – with more than one in four enterprise devices found to have at least one of these controls missing or out of compliance.
Increasing security spend does not guarantee security
In addition to heightening risk exposure, the failure of critical endpoint controls to deliver their maximum intended value is also resulting in security investments and, ultimately, wasted endpoint security spend.
According to Gartner, “Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions. It is well-known to most executives that cybersecurity is falling short. There is a consistent drumbeat directed at CIOs and CISOs to address the limitations, and this has driven a number of behaviors and investments that will also fall short.”
“What has become clear with the insights uncovered in this year’s report is that simply increasing security spend annually is not guaranteed to make us more secure,” said Christy Wyatt, President and CEO of Absolute.
“It is time for enterprises to increase the rigor around measuring the effectiveness of the investments they’ve made. By incorporating resilience as a key metric for endpoint health, and ensuring they have the ability to view and measure Endpoint Resilience, enterprise leaders can maximize their return on security investments.”
The challenges of maintaining resilience
Without the ability to self-heal, critical controls suffer from fragility and lack of resiliency. Also, endpoint resilience is dependent not just on the health of single endpoint applications, but also combinations of apps.
The massive amount of complexity uncovered means that even the most well-functioning endpoint agents are at risk of collision or failure once deployed across today’s enterprise endpoint environments.
IT and security teams need intelligence into whether individual endpoint controls, as well as various combinations of controls, are functioning effectively and maintaining resilience in their own unique endpoint environment.
Single vendor application pairings not guaranteed to work seamlessly together
In applying the criteria for application resilience to same-vendor pairings of leading endpoint protection and encryption apps, widely varied average health and compliance rates among these pairings were found.
The net-net here is that sourcing multiple endpoint agents from a single vendor does not guarantee that those apps will not ultimately collide or decay when deployed alongside one another.
Progress in Windows 10 migration
Much progress was made in Windows 10 migration, but fragmentation and patching delays leave organizations potentially exposed. Our data showed that while more than 75 percent of endpoints had made the migration to Windows 10 (up from 54 percent last year), the average Windows 10 enterprise device was more than three months behind in applying the latest security patches – perhaps unsurprisingly, as the data also identified more than 400 Windows 10 build releases across enterprise devices.
This delay in patching is especially concerning in light of a recent study that shows 60 percent of data breaches are the result of a known vulnerability with a patch available, but not applied.
Relying on fragile controls and unpatched devices
Fragile controls and unpatched devices are being relied on to protect remote work environments. With the rise of remote work environments in the wake of the COVID-19 outbreak, as of May 2020, one in three enterprise devices is now being used heavily (more than 8 hours per day).
The data also shows a 176 percent increase in the number of enterprise devices with collaboration apps installed as of May 2020, versus pre-COVID-19. This means the average attack surface, and potential vulnerabilities, has expanded significantly across enterprises.
The percentage of companies admitting to suffering a mobile-related compromise has grown, despite a higher percentage of organizations deciding not to sacrifice the security of mobile devices to meet business targets.
To make things worse, the C-suite is the most likely group within an organization to ask for relaxed mobile security protocols – despite also being highly targeted by cyberattacks.
In order to select a suitable mobile security solution for your business, you need to consider a lot of factors. We’ve talked to several industry professionals to get their insight on the topic.
Liviu Arsene, Global Cybersecurity Analyst, Bitdefender
A business mobile security solution needs to have a clear set of minimum abilities or features for securing devices and the information stored on them, and for enabling IT and security teams to remotely manage them easily.
For example, a mobile security solution for business needs to have excellent malware detection capabilities, as revealed by third-party independent testing organizations, with very few false positives, a high detection rate, and minimum performance impact on the device. It needs to allow IT and security teams to remotely manage the device by enabling policies such as device encryption, remote wipe, application whitelisting/blacklisting, and online content control.
These are key aspects for a business mobile security solution as it both allows employees to stay safe from online and physical threats, and enables IT and security teams to better control, manage, and secure devices remotely in order to minimize any risk associated with a compromised device. The mobile security solution should also be platform agnostic, easily deployable on any mobile OS, centrally managed, and allow users to switch from profiles covering connectivity and encryption (VPN) settings based on the services the user needs.
Fennel Aurora, Security Adviser at F-Secure
Making any choice of this kind starts from asking the right questions. What is your company’s threat model? What are your IT and security management capabilities? What do you already know today about your existing IT, shadow IT, and employees’ bring-your-own devices?
If you are currently doing nothing and have little IT resources internally, you will not have the same requirements as a global corporation with whole departments handling this. As a farming supplies company, you will not face the same threats, and so have the same requirements, as an aeronautics company working on defense contracts.
In reality, even the biggest companies do not systematically do all of the 3 most basic steps. Firstly, you need to inventory your devices and IT, and be sure that the inventory is complete and up-to-date as you can’t protect what you don’t know about. You also need at minimum to protect your employees’ devices against basic phishing attacks, which means using some kind of AV with browsing protection. You need to be able to deploy and update this easily via a central tool. A good mobile AV product will also protect your devices against ransomware and banking trojans via behavioral detection.
Finally, you need to help people use better passwords, which means helping them install and start using a password manager on all their devices. It also means helping them get started with multi-factor authentication.
Jon Clay, Director of Global Threat Communications, Trend Micro
Many businesses secure their PCs and servers from malicious code and cyber attacks as they know these devices are predominantly what malicious actors will target. However, we are increasingly seeing threat actors target mobile devices, whether to install ransomware for quick profit, or to steal sensitive data to sell in the underground markets. This means that organizations can no longer choose to forego including security on mobile devices – but there are a few challenges:
- Most mobile devices are owned by the employee
- Most of the data on the mobile device is likely to be personal to the owner
- There are many different device manufacturers and, as such, difficulties in maintaining support
- Employees access corporate data on their personal devices regularly
Here are a few key things that organizations should consider when looking to select a mobile security solution:
- Lost devices are one reason for lost data. Requiring users to encrypt their phones using a passcode or biometric option will help mitigate this risk.
- Malicious actors are looking for vulnerabilities in mobile devices to exploit, making regular update installs for OS and applications extremely important.
- Installing a security application can help with overall security of the device and protect against malicious attacks, including malicious apps that might already be installed on the device.
- Consider using some type of remote management to help monitor policy violations. Alerts can also help organizations track activities and attacks.
Discuss these items with your prospective vendors to ensure they can provide coverage and protection for your employees’ devices. Check their research output to see if they understand and regularly identify new tactics and threats used by malicious actors in the mobile space. Ensure their offering can cover the tips listed above and if they can help you with more than just mobile.
Jake Moore, Cybersecurity Specialist, ESET
Companies need to understand that their data is effectively insecure when their devices are not properly managed. Employees will tend to use their company-supplied devices in personal time and vice versa.
This unintentionally compromises private corporate data, due to activities like storing documents in unsecure locations on their personal devices or online storage. Moreover, unmanaged functions like voice recognition also contribute to organizational risk by letting someone bypass the lock screen to send emails or access sensitive information – and many mobile security solutions are not fool proof. People will always find workarounds, which for many is the most significant problem.
In order to select the best mobile security solution for your business you need to find a happy balance between security and speed of business. These two issues rarely go hand in hand.
As a security professional, I want protection and security to be at the forefront of everyone’s mind, with dedicated focus to managing it securely. As a manager, I would want the functionality of the solution to be the most effective when it comes to analyzing data. However, as a user, most people favor ease of use and convenience at the detriment of other more important factors.
Both users and security staff need to be cognizant of the fact that they’re operating in the same space and must work together to strike the same balance. It’s a shared responsibility but, importantly, companies need to decide how much risk they are willing to accept.
Anand Ramanathan, VP of Product Management, McAfee
The permanent impact of COVID-19 has heightened attacker focus on work-from-home exploits while increasing the need for remote access. Security professionals have less visibility and control over WFH environments where employees are accessing corporate applications and data, so any evaluation of mobile security should be based on several fundamental criteria:
- “In the wild security”: You don’t know if or how mobile devices are connecting to a network at any given time, so it’s important that the protection is on-device and not dependent on a connection to determine threats, vulnerabilities or attacks.
- Comprehensive security: Malicious applications are a single vector of attack. Mobile security should also protect against phishing, network-based attacks and device vulnerabilities. Security should protect the device against known and unknown threats.
- Integrated privacy protection: Given the nature of remote access from home environments, you should have the ability to protect privacy without sending any data off the device.
- Low operational overhead: Security professionals have enough to do in response to new demands of supporting business in a COVID world. They shouldn’t be obligated to manage mobile devices differently than other types of endpoint devices and they shouldn’t need a separate management console to do so.
Mobile service providers say they are making substantial progress toward ushering in a new generation of 5G networks that will enable ultra-high-speed mobile connectivity and a wide variety of new applications and smart infrastructure use cases.
Progress includes steady work toward virtualizing core network functions and a reexamination of the security investments they will need to protect their networks and customers.
COVID-19 is not expected to significantly delay the progress of 5G deployments, according to a global study report, developed by the Business Performance Innovation (BPI) Network, in partnership with A10 Networks.
The percentage of mobile service providers who say their companies are “moving rapidly toward commercial deployment” has increased significantly in the past year, climbing from 26 percent in a survey announced in early 2019 to 45 percent in the new survey. Virtually all respondents say improved security is a critical network requirement and top concern in the 5G era.
Adding standalone 5G
Early 5G networks are being designed in accordance with the already-approved non-standalone 5G standard. However, 30 percent of respondents say they are already proactively planning to add standalone 5G, and another 9 percent say their companies will move directly to standalone.
Standalone 5G will require a whole new network core utilizing a cloud-native, virtualized, service-based architecture. Many respondents, in fact, say they are making significant progress toward network virtualization.
“Our latest study indicates that major mobile carriers around the world are on track with their 5G plans, and more expect to begin commercial build-outs in the coming months,” said Dave Murray, director of thought leadership with the BPI Network.
“While COVID-19 may result in some short-term delays for operators, the pandemic ultimately demonstrates a global need for higher speed, higher capacity 5G networks and the applications and use cases they enable.”
- 81% say industry progress toward 5G is moving rapidly, mostly in major markets, or is at least in line with expectations.
- 71% expect to begin 5G network build-outs within 18 months, including one-third who have already begun or will do so in 2020.
- 95% say virtualizing network functions is important to their 5G plans, and some three-quarters say their companies are either well on their way or making good progress toward virtualization.
- 99% view deployment of mobile edge clouds as an important aspect of 5G networks, with 65% saying they expect edge clouds on their 5G networks within 18 months.
“Mobile operators globally need to proactively prepare for the demands of a new virtualized and secure 5G world,” said Gunter Reiss, worldwide vice president of A10 Networks, a provider of secure application services for mobile operators worldwide.
“That means boosting security at key protection points like the mobile edge, deploying a cloud-native infrastructure, consolidating network functions, leveraging new CI/CD integrations and DevOps automation tools, and moving to an agile and hyperscale service-based architecture as much as possible.
“All of these improvements will pay dividends immediately with existing networks and move carriers closer to their ultimate goals for broader 5G adoption and the roll-out of new and innovative ultra-reliable low-latency use cases.”
Challenges: The security mandate
The industry’s top 5G challenges:
- Heavy cost of build-outs (59%)
- Security of network (57%)
- Need for new technical skills (55%)
- Lack of 5G enabled devices (42%)
Importance of security to 5G:
- 99% rate security as important to their 5G planning, higher than even network reach and coverage or network capacity and throughput
- 97% say increased traffic, connected devices and mission-critical use cases significantly increase security and reliability concerns for 5G
- 93% say their security investments are already being affected (52%) or are under review (41%) due to 5G requirements
Top use cases expected to power 5G adoption
Next two years:
- Ultra-high-speed connectivity (81%)
- Industrial automation & smart manufacturing (62%)
- Smart cities (54%)
- Connected vehicles
Next 5 to 6 years:
- Smart cities (62%)
- Ultra-high-speed connectivity (59%)
- Connected Vehicles (57%)
- Industrial automation & smart manufacturing (42%)
“Mobile operators globally need to be proactively preparing for the demands of a new 5G world,” Reiss said.
There will be 8.3 billion mobile broadband subscriptions by the end of 2024, which translates to 95 percent of all subscriptions by then, according to the SMU Office of Research & Tech Transfer.
Total mobile data traffic will reach 131 exabytes per month (1 exabyte = 1 billion gigabytes), with 35 percent carried by 5G networks.
While mobile phones will consume the bulk of the data, the sheer number and wide variety of devices that will be connected via 5G technology is likely to pose security threats not faced by previous generations of mobile networks, explains Professor Robert Deng at the SMU School of Information Systems.
“When 5G becomes pervasive, the majority of the devices connected to mobile networks will not be mobile devices anymore,” he says, referring to things such as household appliances, lightbulbs, or indeed something mobile like an autonomous car that is itself filled with smaller IoT devices such as sensors.
“Some of them will be as powerful as the mobile device we’re using today, while some will have minimal computational and communication capability. Given the variety of IoT devices, given their different capabilities and deployment environments, the security requirement of solutions will be very, very different.”
Solving cybersecurity concerns, in the mobile world and on the cloud
As he runs the research initiative aimed at building “a mobile system security and mobile cloud security technology pipeline for smart nation applications”, Professor Deng points out the main questions that need answering when designing security solutions:
- What is the application context?
- What is the threat model, i.e. who is going to attack you?
- What are the risks?
He elaborates: “When the IoT becomes pervasive, the requirements will be very different from those for today’s mobile applications. You have to come up with new security solutions for any particular type of IoT application, [which necessitates] differentiated security services.”
The resource constraint of some IoT devices also poses cybersecurity challenges. A lot of existing security solutions would not work on a surveillance camera mounted on a lamp post, which is much more limited in computational and storage capabilities.
“Given that kind of devices, how do you add in security?” Professor Deng points out. “I have the IoT devices but there’s no user interface. How do I perform user authentication? Those are the new requirements we are going to deal with.”
Cars and drones also demand attention
Bigger devices such as cars and drones also demand attention, Professor Deng says. With the advent of autonomous cars, vehicles need to have the capability to stop themselves in the event of emergencies even if they are infected by malware. Similarly, a drone must be able to execute critical operations such as returning to home base in the event it is hacked.
The other main concern of the NSoE MSS-CS is mobile cloud security, especially when “data records in real time monitoring system may contain sensitive information”.
“As a data owner, I upload my data to the cloud. How do I know that data is still under my control and not under the control of the service provider or my adversaries?” asks Professor Deng, who is also the AXA Chair Professor of Cybersecurity at SMU. That question is the reason for cybersecurity experts’ continuing efforts to build stronger encryption capabilities, which in turn make it harder to share critical data. He notes:
“My folder is encrypted and I want to share my folder with you, but you must have the decryption key. But how do I pass the key to you? We are designing a solution where I don’t even have to pass the key to you, but it automatically gives you all the permission to access my folder even if it’s encrypted. The other issue is how do you do the computation to process and access the data that is encrypted? Those are the things we do.”
EU Member States have identified risks and vulnerabilities at national level and published a joint EU risk assessment. Through the toolbox, the Member States are committing to move forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures.
Toolbox measures and supporting actions
“Europe has everything it takes to lead the technology race. Be it developing or deploying 5G technology – our industry is already well off the starting blocks. Today we are equipping EU Member States, telecoms operators and users with the tools to build and protect a European infrastructure with the highest security standards so we all fully benefit from the potential that 5G has to offer,” said Thierry Breton, Commissioner for the Internal Market.
Coordinated implementation of the toolbox
While market players are largely responsible for the secure rollout of 5G, and Member States are responsible for national security, 5G network security is an issue of strategic importance for the entire Single Market and the EU’s technological sovereignty.
Closely coordinated implementation of the toolbox is indispensable to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way.
5G will play a key role in the future development of Europe’s digital economy and society. It will be a major enabler for future digital services in core areas of citizens’ lives and an important basis for the digital and green transformations.
With worldwide 5G revenues estimated at €225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union.
Billions of connected objects and systems are concerned, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems.
At the same time, due to a less centralized architecture, smart computing power at the edge, the need for more antennas, and increased dependency on software, 5G networks offer more potential entry points for attackers.
Cyber security threats are on the rise and are becoming increasingly sophisticated. As many critical services will depend on 5G, ensuring the security of networks is of highest strategic importance for the entire EU.
Secure 5G networks: EU toolbox conclusions
The Member States, acting through the NIS Cooperation Group, have adopted the toolbox. The toolbox addresses all risks identified in the EU coordinated assessment, including risks related to non-technical factors, such as the risk of interference from non-EU state or state-backed actors through the 5G supply chain.
In the toolbox conclusions, Member States agreed to strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk including necessary exclusions for key assets considered as critical and sensitive (such as the core network functions), and to have strategies in place to ensure the diversification of vendors.
While the decision on specific security measures remains the responsibility of Member States, the collective work on the toolbox demonstrates a strong determination to jointly respond to the security challenges of 5G networks.
This is essential for a successful and credible EU approach to 5G security and to ensure the continued openness of the internal market provided risk-based EU security requirements are respected.
The Commission will support the implementation of an EU approach on 5G cybersecurity and will act, as requested by Member States, using, where appropriate, all the tools at its disposal to ensure the security of the 5G infrastructure and supply chain:
- Telecoms and cybersecurity rules
- Coordination on standardization as well as EU-wide certification
- Foreign direct investment screening framework to protect the European 5G supply chain
- Trade defense instruments
- Competition rules
- Public procurement, ensuring that due consideration is given to security aspects
- EU funding programs, ensuring that beneficiaries comply with relevant security requirements.
Extending beyond the traditional company network, mobile connectivity has become an extension of doing business and IT staff need to not just rethink how existing activities, operations, and business models can fit into mobile constructs, but rethink how mobility can fundamentally transform the business itself.
MDM solution components
A mobile device management (MDM) solution provides features similar to those a systems management solution uses to manage PCs. However, mobile devices are not network-connected in the same manner as PCs, so a solution for mobile device management must rethink communications.
Mobile devices have the capabilities to communicate with each other in much more accessible and pervasive ways, and a good solution can harness this by utilizing diverse communication methods, such as communicating via the Internet.
The basic components of a mobile device management solution are a server and an agent, which communicate with each other in order to complete commands and tasks. This allows the solution to gather inventory from the device, deploy apps, and set restrictions on the device, greatly increasing the solution’s security capabilities.
Things to take into consideration
If you’re thinking of taking advantage of a dedicated MDM solution or deploying MDM capabilities as part of a wider Unified Endpoint Management approach, there are a few things you need to take into consideration:
A good MDM solution must be accessible, which typically means it’s a cloud-based solution. This can reduce a lot of network and infrastructure issues that could occur with an on-premise solution. If your company has a footprint outside the main office, accessing the MDM solution from anywhere is of paramount importance.
It needs to be scalable and encompass the total number of devices that would be interacting with your company data and therefore need to be managed. It’s likely that some company staff may use personal devices for business as well as those issued by your organization. In the age of BYOD, it can be challenging to monitor every device that accesses your organization’s network. The feature set for a good MDM solution needs to be able to take into account multiple devices within its actions and not just be designed for a single-device focus.
Most importantly, it needs to be secure. From a platform perspective, all of your data needs to be encrypted both at rest and in transit. At the device level, restrictions should be available as part of the feature set so that lost or stolen devices can be handled effectively. Policies should be enforced continuously rather than applied as restrictions at a single point in time.
While some MDM providers deliver on-premise solutions that require you to install and set them up, others provide cloud-based solutions that can be accessible from anywhere. That leaves just the enrolment of devices to complete before your mobile devices can be managed. Personal devices will need users to enroll their devices while company-owned devices could be managed through their respective business channels (e.g., Apple DEP, Android for Work, etc.).
What should you consider when choosing a mobile device management solution?
Identify your goals and requirements first. How will you use mobile devices within the work environment in the near term and in the future? Will you allow personal devices to be used, only provide company-issued devices to access company data, or have a mixture of both?
Ensure that all the stakeholders are on the same page. This means that IT, HR, executive leadership and even regular employees need to weigh in on the policies you will implement regarding mobile device management.
Try before you buy! Most MDM providers offer a free trial for their solution, so be sure to kick the tires and use its features to see if it meets your needs.
A solid MDM strategy is one that encompasses both the scope and the limitations of your company. Be sure to understand where the company can best utilize mobile devices to increase productivity and limit downtime.
With more and more employees bringing their own personal devices into a work environment, the attack surface for threats exploiting vulnerabilities in mobile devices is growing rapidly. Even vulnerabilities in consumer messaging apps such as WhatsApp are now becoming a concern for enterprises of all sizes, and with cybercriminals increasingly targeting human vulnerabilities, it is of paramount importance to secure the devices they are using.
You cannot secure what you don’t know about, which is why gaining visibility over all mobile devices interacting with your network through MDM is so crucial. With these tips, your business can implement this vital security step effectively and comprehensively.
The long-touted fifth generation of wireless communications is not magic. We’re sorry if unending hype over the world-changing possibilities of 5G has led you to expect otherwise. But the next generation in mobile broadband will still have to obey the current generation of the laws of physics that govern how far a signal can travel when sent in particular wavelengths of the radio spectrum and how much data it can carry.
For some of us, the results will yield the billions of bits per second in throughput that figure in many 5G sales pitches, going back to early specifications for this standard. For everybody else, 5G will more likely deliver a pleasant and appreciated upgrade rather than a bandwidth renaissance.
That doesn’t mean 5G won’t open up interesting possibilities in areas like home broadband and machine-to-machine connectivity. But in the form of wireless mobile device connectivity we know best, 5G marketing has been writing checks that actual 5G technology will have a lot of trouble cashing.
A feuding family of frequencies
The first thing to know about 5G is that it’s a family affair—and a sometimes-dysfunctional one.
Wireless carriers can deploy 5G over any of three different ranges of wireless frequencies, and one of them doesn’t work anything like today’s 4G frequencies. That’s also the one behind the most wild-eyed 5G forecasts.
Millimeter-wave 5G occupies bands much higher than any used for 4G LTE today—24 gigahertz and up, far above the 2.5 GHz frequency of Sprint, hitherto the highest-frequency band in use by the major US carriers.
At those frequencies, 5G can send data with fiber optic speeds and latency—1.2 Gbps of bandwidth and latency from 9 to 12 milliseconds, to cite figures from an early test by AT&T. But it can’t send them very far. That same 2018 demonstration involved a direct line of sight and only 900 feet of distance from the transmitter to the test site.
Those distance and line-of-sight hangups still persist, although the US carriers that have pioneered millimeter-wave 5G say they’re making progress in pushing them outward.
“Once you get enough density of cell sites, this is a very strong value proposition,” said Ashish Sharma, executive vice president for IoT and mobile solutions at the wireless-infrastructure firm Inseego. He pointed in particular to recent advances in solving longstanding issues with multipath reception, when signals bounce off buildings.
Reception inside those buildings, however, remains problematic. So does intervening foliage. That’s why fixed-wireless Internet providers using millimeter-wave technology like Starry have opted for externally placed antennas at customer sites. Verizon is also selling home broadband via 5G in a handful of cities.
Below millimeter-wave, wireless carriers can also serve up 5G on mid- and low-band frequencies that aren’t as fast or responsive but reach much farther. So far, 5G deployments outside the US have largely stuck to those slower, lower-frequency bands, although the industry expects millimeter-wave adoption overseas to accelerate in the next few years.
“5G is a little more spectrally efficient than 4G, but not dramatically so,” mailed Phil Kendall, director of the service provider group at Strategy Analytics. He added that these limits will be most profound on existing LTE spectrum turned over to 5G use: “You are not going to be able to suddenly give everyone 100Mbps by re-farming that spectrum to 5G.”
And even the American carriers preaching millimeter-wave 5G today also say they’ll rely on these lower bands to cover much of the States.
For example, T-Mobile and Verizon stated early this year that millimeter-wave won’t work outside of dense urban areas. And AT&T waited until it could launch low-band 5G in late November to start selling service to consumers at all; the low-resolution maps it posted then show that connectivity reaching into suburbs.
Sprint, meanwhile, elected to launch its 5G service on the same 2.5GHz frequencies as its LTE, with coverage that is far less diffuse than millimeter-wave 5G. Kendall suggested that this mid-band spectrum will offer a better compromise between speed and coverage: “Not the 1Gbps millimeter-wave experience but certainly something sustainable well in excess of 100Mbps.”
The Federal Communications Commission is working to make more mid-band spectrum available, but that won’t be lighting up any US smartphones for some time.
(Disclosure: I’ve done a lot of writing for Yahoo Finance, a news site Verizon owns.)
By Ecular Xu
Adware is bothersome and disruptive, and although it has been around for a long time, it is still active. In fact, we recently discovered an active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store. This adware is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen unlocking functionality, and running in the mobile device’s background. The 85 fake apps have been downloaded a total of 9 million times around the world. After verifying our report, Google swiftly suspended the fake apps from the Play store.
Figure 1. A screen capture of some of the adware-laden fake apps on Google Play
The “Easy Universal TV Remote,” which claims to allow users to use their smartphones to control their TV, is the most downloaded among the 85 adware-loaded apps.
Figure 2. A screen capture of the Easy Universal TV Remote app and its information
The fake app, which has already been downloaded more than 5 million times, has received multiple complaints in the comment section about its behavior.
Figure 3. A screen capture of some of the negative reviews left by Easy Universal TV Remote users complaining about the app disappearing, not functioning as advertised, and ad pop-ups
We tested each of the fake apps related to the adware family and discovered that though they come from different makers and have different APK cert public keys, they exhibit similar behaviors and share the same code.
After the adware is downloaded and launched on a mobile device, a full-screen ad initially pops up.
Figure 4. Screenshots of the full-screen ads that pop up on an adware-infected mobile device
Upon closing the first ad, call to action buttons such as “start,” “open app,” or “next,” as well as a banner ad will appear on the mobile device’s screen. Tapping on the call to action button brings up another full-screen ad.
Figure 5. Screenshots of the call to action buttons appearing on the device’s screen
Figure 6. A screen capture of a full-screen ad that pops up after clicking the call to action button on one of the fake apps
After the user exits the full-screen ad, more buttons that provide app-related options for users appear on the screen. It also prompts the user to give the app a five-star rating on Google Play. If the user clicks on any of the buttons, a full-screen ad will pop up again.
Figure 7. Screenshots of app-related options a user can click on; all of them bring up more pop-up ads
Afterwards, the app informs the user that it is loading or buffering. However, after a few seconds, the app disappears from the user’s screen and hides its icon on the device. The fake app still runs in a device’s background after hiding itself. Though hidden, the adware is configured to show a full-screen ad every 15 or 30 minutes on the user’s device.
Figure 8. Screen captures of the fake apps taken before disappearing from a device’s screen
Figure 9. A screen capture of a code snippet that enables the app to hide itself on a user’s device
Some of the fake apps exhibit another type of ad-showing behavior: they monitor the user’s screen unlocking action and show an ad each time the user unlocks the mobile device’s screen. A receiver module is registered in AndroidManifest.xml so that each time a user unlocks the device, a full-screen ad pops up.
Figure 10. A screen capture of an adware-infected device with a fake app that has already hidden itself but is still running in the device’s background
Figure 11. A screen capture of a register receiver in AndroidManifest.xml
Figure 12. Screen capture of a code snippet that enables the adware to display full-screen ads when a user unlocks the screen of an infected device
Figure 13. A screen capture of a full-screen ad displayed after unlocking an infected device’s screen
Trend Micro Solutions
While the fake apps can be removed manually via the phone’s app uninstall feature, it can be difficult to get there when full-screen ads show up every 15 or 30 minutes or each time a user unlocks the device’s screen.
As more and more people become dependent on mobile devices, the need to keep mobile devices safe from a growing number of mobile threats — such as fake apps laced with adware — is all the more pertinent.
Trend Micro customers are protected with multilayered mobile security solutions via Trend Micro Mobile Security for Android (available on Google Play). Trend Micro Mobile Security for Enterprise solutions provide device, compliance, and application management, data protection, and configuration provisioning, as well as protect devices from attacks that exploit vulnerabilities, preventing unauthorized access to apps and detecting and blocking malware and fraudulent websites. Trend Micro Mobile App Reputation Service (MARS) covers threats to Android and iOS devices using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.
A comprehensive list of the indicators of compromise can be found here.
by Ecular Xu and Grey Guo
We discovered spyware (detected as ANDROIDOS_MOBSTSPY) that disguised itself as legitimate Android applications to gather information from users. The applications were available for download on Google Play in 2018, with some recorded to have already been downloaded over 100,000 times by users from all over the world.
One of the applications we initially investigated was the game called Flappy Birr Dog, as seen in Figure 1. Other applications included FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird. Five out of six of these apps have been suspended from Google Play since February 2018. And as of writing, Google has already removed all of these applications from Google Play.
Figure 1. Flappy Birr Dog download page
MobSTSPY is capable of stealing information like user location, SMS conversations, call logs and clipboard items. It uses Firebase Cloud Messaging to send information to its server.
Once the malicious application is launched, the malware will first check the device’s network availability. It then reads and parses an XML configuration file from its C&C server.
Figure 2. Example of configuration file being taken from a C&C server
The malware will then collect certain device information such as the language used, its registered country, package name, device manufacturer etc. Examples of all the information it steals can be seen in Figure 3.
Figure 3. Example of stolen information
It sends the gathered information to its C&C server, thus registering the device. Once done, the malware will wait for and perform commands sent from its C&C server through FCM.
Figure 4. Parse command from the C&C
Depending on the command the malware receives, it can steal SMS conversations, contact lists, files, and call logs, as seen from commands in the subsequent figures below.
Figure 5. Steal SMS conversations
Figure 6. Steal contact list
Figure 7. Steal call logs
The malware is even capable of stealing and uploading files found on the device, and will do so as long as it receives the commands as seen in Figures 8 and 9 respectively.
Figure 8. Steal files from target folders
Figure 9. Upload files
In addition to its info-stealing capabilities, the malware can also gather additional credentials through a phishing attack. It’s capable of displaying fake Facebook and Google pop-ups to phish for the user’s account details.
Figure 10. Phishing behavior
If the user inputs his/her credentials, the fake pop-up will only state that the log-in was unsuccessful, at which point the malware would already have stolen the user’s credentials.
Figure 11. Fake Facebook login pop-up
Part of what makes this case interesting is how widely its applications have been distributed. Through our back-end monitoring and deep research, we were able to see the general distribution of affected users and found that they hailed from a total of 196 different countries.
Figure 12. Top countries with the most number of affected users
Other countries affected include Mozambique, Poland, Iran, Vietnam, Algeria, Thailand, Romania, Italy, Morocco, Mexico, Malaysia, Germany, Iraq, South Africa, Sri Lanka, Saudi Arabia, Philippines, Argentina, Cambodia, Belarus, Kazakhstan, the United Republic of Tanzania, Hungary, etc. As can be surmised, these applications were widely distributed around the globe.
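A static triage sketch for the manifest-level traits described in the two write-ups on this page: the unlock-triggered receiver from the adware analysis, and an FCM command channel combined with SMS, call-log, contact, location and file access from the MobSTSPY analysis. This is an added example, not Trend Micro's code; the USER_PRESENT action, the permission mapping, the three-capability threshold and both sample manifests are assumptions constructed here, and the input is a manifest already decoded to text.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"    # android: attribute namespace
UNLOCK_ACTION = "android.intent.action.USER_PRESENT"  # assumed action behind the unlock receiver
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"    # intent filter of an FCM messaging service

# Data the spyware write-up says is stolen -> permissions that gate it (assumed mapping).
CAPABILITY_PERMS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE"},
}
BROAD_ACCESS = 3  # assumed threshold: FCM on its own is common and benign


def full_name(package, name):
    """Resolve a manifest class name ('.Foo' or 'Foo') against the package."""
    if name.startswith("."):
        return package + name
    return name if "." in name else f"{package}.{name}"


def components_handling(app, tag, action, package):
    """Return <tag> components under <application> whose intent filters list `action`."""
    hits = []
    for comp in app.findall(tag):
        actions = {a.get(A + "name") for a in comp.findall("intent-filter/action")}
        if action in actions:
            hits.append(full_name(package, comp.get(A + "name", "?")))
    return hits


def triage_manifest(xml_text):
    """Flag manifest traits matching the adware and spyware behaviour described above."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # binary AXML or truncated input
        raise ValueError(f"not a decoded text manifest: {exc}") from exc
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    package = root.get("package", "")
    app = root.find("application")
    requested = {p.get(A + "name") for p in root.findall("uses-permission")}
    capabilities = sorted(c for c, perms in CAPABILITY_PERMS.items() if perms & requested)
    unlock = components_handling(app, "receiver", UNLOCK_ACTION, package) if app is not None else []
    fcm = components_handling(app, "service", FCM_ACTION, package) if app is not None else []
    findings = []
    if unlock:
        findings.append("receiver fires on every screen unlock")
    if fcm and len(capabilities) >= BROAD_ACCESS:
        findings.append("push command channel plus broad personal-data access")
    return {"package": package, "unlock_receivers": unlock, "fcm_services": fcm,
            "capabilities": capabilities, "findings": findings}


NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample: a "flashlight" that asks for data a torch never needs.
SUSPICIOUS_MANIFEST = f"""<manifest {NS} package="com.example.torch">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".ScreenReceiver">
      <intent-filter><action android:name="android.intent.action.USER_PRESENT"/></intent-filter>
    </receiver>
    <service android:name="com.example.torch.push.CmdService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""
# Constructed sample: a chat app using FCM with one contact permission; should stay quiet.
BENIGN_MANIFEST = f"""<manifest {NS} package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(sample))
```

Manifest traits only narrow the review queue: icon hiding and the timed ads described above live in code, so a clean result here does not clear an app.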
Trend Micro Solutions
This case demonstrates that despite the prevalence and usefulness of apps, users must remain cautious when downloading them to their devices. The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks. In addition, users can install a comprehensive cybersecurity solution to defend their mobile devices against mobile malware.
Trend Micro Mobile Security detects such attacks, while Trend Micro Mobile Security Personal Edition defends devices from all related threats. Trend Micro Mobile Security for Android (available on Google Play) blocks malicious apps. End users can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.
For organizations, Trend Micro Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of Compromise
|SHA256|Package Name|Label|Download Count|
|---|---|---|---|
|12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3|ma[.]coderoute[.]hzpermispro|HZPermis Pro Arabe|50 to 100|
|4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838|com[.]mobistartapp[.]windows7launcher|Win7Launcher|1,000 to 5,000|
|38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24|com[.]mobistartapp[.]win7imulator|Win7imulator|100,000 to 500,000|
|0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617|com[.]mobistartapp[.]flashlight|FlashLight|50 to 100|
|a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945|com[.]tassaly[.]flappybirrdog|Flappy Birr Dog|10|
Command and Control Servers