2015 was marked by a continuous stream of major incidents, with various security issues emerging one after another. As 2016 arrived, Min-Pyo Hong, founder of the security company SEWORKS, and his team continuously gathered data to forecast the trends in mobile security threats for the year. Min-Pyo Hong stated that their purpose in summarizing these security threats was not to sound an alarm or cause public panic, but rather to highlight the most severe security challenges we would face in 2016, hoping to inspire the entire mobile security industry to prepare for these threats. With appropriate defensive measures in place, most threats can be minimized or even completely prevented. Let us now take a closer look at the mobile security threats ahead.
1. Terrorism
The terrorist attacks in Paris, San Bernardino, and other parts of the world have made it clear that terrorism’s reach will extend into the realm of mobile security in the coming year. Messaging applications like Telegram and RedPhone are drawing increasing attention, as they employ end-to-end encryption to prevent eavesdropping on communications. Min-Pyo Hong’s team has also been tracking seemingly legitimate applications that criminals exploit for brief, often single-use, exchanges.
Looking ahead, terrorists may embed hidden data within videos, leveraging mainstream online media platforms such as YouTube to facilitate covert communications. For instance, specific audio frequencies embedded in the videos may be inaudible or imperceptible to humans, yet they can be decoded using specialized monitoring software.
2. Hackers Target Mobile Payment Services
Based on communications intercepted through secret channels used by black-hat hackers, leading mobile payment platforms such as Apple Pay and Samsung Pay are highly likely to suffer severe compromises in 2016. Rather than completely breaking the processing algorithms of these payment platforms, hackers may analyze the entire system to identify workarounds and exploit vulnerabilities, thereby enabling credit card fraud, extortion, and unauthorized illegal use. It has already been observed that stolen credit card information can be successfully added to Apple Pay accounts without bank verification, allowing fraudsters to make purchases at physical stores using the stolen data. Soon, online transactions may also become vulnerable to similar techniques.
Apple and Samsung are not the only targets of these hackers. Peer-to-peer mobile payment applications, such as Venmo, which utilize simple payment remittance processes, are more vulnerable to hacking attacks, enabling hackers to transfer funds from user accounts to virtual accounts under their control. (Min-Pyo Hong and his team are monitoring such underground activities, but it remains unclear whether any of these attacks have been successful.)
3. Rise in Hacker Activities via Mobile Web Browsers
Min-Pyo Hong predicts that in the coming months, the core mobile browsers (Google's, Firefox, and Safari) on Android and iPhone will frequently come under attack. Hacking via the mobile browser is one of the most effective ways to compromise an entire phone, because exploiting a browser vulnerability allows hackers to bypass many system security measures. The following section explains how this is achieved:
Security vulnerabilities in WebKit give hackers code execution inside the browser; to get past the browser sandbox and the other protections built into modern browsers, this is then likely chained with an operating system or kernel-level vulnerability, which yields system access and full control over the device.
Stagefright is an instance of such an operating system or kernel-level vulnerability, specifically a flaw in an internal library of the Android operating system. Although Google released a patch to address this issue in the summer of 2015, Zimperium discovered a second-generation vulnerability, known as Stagefright 2.0, in October. When hackers trigger flaws of this kind through the web browser, the intrusion is highly likely to succeed.
We anticipate that more vulnerabilities of this nature will emerge in the coming months and will be widely exploited by hackers throughout 2016.
4. Remote Device Control/Eavesdropping
With the massive proliferation of Android devices, hundreds of millions of people worldwide will soon own a smartphone. Most of these phones come with pre-installed applications; however, these apps are typically not analyzed or verified by Google’s security team, making them vulnerable to remote device control. The openness and customizability of Android smartphones produced by Original Equipment Manufacturers (OEMs) will persist, exacerbating the threat of remote device control. Consequently, we expect OEMs to continuously release security updates and patch fixes. In fact, I anticipate that the frequency of such security updates and patches will at least double.
Concurrently, the threat of man-in-the-middle (MitM) attacks is steadily increasing. New smartphone users often lack the awareness or habit of maintaining device security. For instance, they may automatically connect their phones to insecure wireless access points or Wi-Fi networks that do not encrypt data transmitted over the network. This can lead to insecure applications leaking user credentials, which hackers can intercept and view during data transmission.
Another concern is that hackers can eavesdrop on users’ calls or view the content of their sent and received text messages. Team members Daniel Komaromy and Nico Golde recently demonstrated how a simple man-in-the-middle attack could compromise Samsung’s Shannon baseband chip. As the system cannot detect such intrusions, this vulnerability allows hackers to monitor communications on these mobile devices.
5. The Continuous Evolution of DDoS Attacks
To date, most DDoS (Distributed Denial-of-Service) attacks have been one-off and short-lived, and most enterprises can handle them effectively. However, as smartphones and other internet-connected devices continue to evolve, so too do DDoS attacks. These devices are often compromised and recruited into DDoS botnets, making detection and prevention increasingly difficult. As new connected devices flood the market, we can expect a rise in such attacks and should prepare accordingly.
6. The IoT Crisis Is Severe
Recent cyberattacks on children’s smart toys and connected cars have raised awareness of the inherent risks associated with the Internet of Things (IoT). An increasing number of devices are now equipped with network drivers; however, without appropriate security configurations or protective mechanisms, these devices present an expanded attack surface, leaving their operating systems, drivers, and software more exposed to exploitable flaws. Any mobile application that connects to IoT devices via Bluetooth or Wi-Fi is potentially vulnerable to such attacks. Combined with mobile or smart trojans, these weaknesses let attackers use mobile or wireless network devices to launch distributed denial-of-service (DDoS) attacks, remotely control target mobile devices, and gain unauthorized access to private secure networks.
As we had feared, internet-connected medical devices are highly vulnerable to such attacks due to their weak security configurations, allowing hackers to access and remotely control these devices. For instance, networked ultrasound scanners and other medical equipment often rely on hard-coded default login credentials for remote access, which are relatively easy to guess. In 2013, Jay Radcliffe, a colleague of Min-Pyo Hong, demonstrated how hackers could maliciously tamper with insulin pumps to deliver lethal overdoses of insulin to patients. It is deeply tragic that these devices, originally designed to save lives, can ironically be exploited by hackers as weapons to harm humans.
These developments indicate that we may face a relentless series of security threats in the future, which is deeply alarming. Therefore, it is imperative for relevant organizations to proactively implement countermeasures without delay. Security protocols and hacking trends can shift overnight; many current mobile security teams are still relying on strategies developed two years ago, which may well prove ineffective by 2016.
Compiled by: Mao Wanyi
Responsible Editor: Zhang Nan