By Aaron Oliver
Alright, I know that for some people the subject of updating your phone may seem arbitrary, but it is actually very important. I can’t tell you how many people I know who absolutely loathe updating their mobile phones and tablets, and downright refuse to do so until something they need requires a certain OS version to work. Many have been affected by a bad update, or their phone did not install one properly, leaving them with an expensive paperweight until they took it in to have it looked at. These experiences are less and less common, as manufacturers have gone to great lengths to prevent them after several botched updates a few years back. Today, I want to discuss why refusing to update is not a great idea!
How much sensitive data is stored on your phone? You may say not much, but after thinking about it, I would bet you would be surprised. Do you do any of the following?
- Keep notes with passwords?
- Log into your bank?
- Keep notes with your or your children's personal information?
- Store insurance information?
- Shop online with apps that save your passwords?
- Store company or client sensitive information?
A lot could be gained if your phone was in the wrong hands. But right now it is not; it is in your hands and you have a passcode, so even if it is stolen, your information is safe? Good for you! But what if an attacker did not have to steal your phone to take it over or access all of your data?
A recently patched exploit for phones and tablets called BroadPWN could give attackers just this capability. The exploit was patched by Google in July and by Apple in version 10.3.3 this past month. BroadPWN was a bug in the wireless controller for all Apple devices as well as most Android-based devices that allowed would-be attackers to take control of your mobile device if they were simply within Wi-Fi range of it. Once an attacker had control of your device, they could even turn it into a mobile hotspot to infect other devices within Wi-Fi range of your own. An attacker with the right knowledge and resources could infect just one phone, and every phone within range of that device could then be exploited and accessed as well.
For the individual user this is scary enough: an attacker with remote code execution capabilities on your phone could gain access to all of the items I listed before that you may store on your device. If you take it a step further and move toward businesses and corporations, it could get even worse. If an attacker wanted to infiltrate a company, he could sit in the courtyard, infect just one device, and let that device spread his malicious code to all devices in the area. With control of several devices within a single company, what could be accessed when they rejoin your company's wireless network?
Business leaders understand that security for their network is important, but often look at their mobile device as something other than a computer. The fact of the matter is, smartphones have more processing power than the computers most people were using just 10-15 years ago. Just like traditional computers or laptops, these smartphones and tablets are being connected to your business's network and accessing the same resources as the computers that we strive to keep up-to-date for security reasons, yet no one thinks about ensuring that these devices are secure.
If you are in leadership, you should really think about having a mobile device acceptable use policy that includes keeping mobile devices up-to-date! There are also mobile device management platforms that can be rolled out to ensure that all company phones are forced to stay up-to-date. Some companies require this mobile device management to be installed on personal devices if a user wants to access corporate email or company wireless connections. As a business leader, be smart, protect your business, update your phones!
Aaron Oliver is a Senior Engineer at ThrottleNet