Mobile threat prevention tools can help with Stagefright MMS vulnerability
In July 2015, enterprise mobility and infosec professionals woke up to a nasty surprise – the so-called ‘Stagefright’ vulnerability.
In a nutshell, when a particular type of MMS message is sent to any Android phone released in the past five years, the devices security is seriously compromised. Knowing only the phone number, an attacker could silently gain control of an android handset or tablet. Remotely activate the camera, install malware….all kinds of fun. This is without any user error – they don’t have to breach policy by browsing inappropriately or opening an unexpected attachment.
How scary is all that? Answer: 1.6bn. That’s the number of Android devices in service in 2014. Or, if you prefer percentages, 75% of smartphones globally are vulnerable to an attack that leaves no trace.
In the interests of technical fairness, its true to say that later versions of Android are believed harder to exploit but hats of various colour have been aware of this vulnerability since at least April 2015 and several claims have been made as to its observation ‘in the wild’. Deutsche Telecom’s T-Mobile felt strongly enough to make a global network change to stop allMMSs from reaching their subscribers devices. One large tech company felt the issue so severe, they placed an immediate order for 1000 alternate devices to replace Androids for senior staff. (Hint – they didn’t move to Windows Phone).
This underscores the importance of what security professionals call ‘defence in depth’ – multiple layers of security that reinforce one another. Locking your front door doesn’t mean you leave cash on the kitchen table – you put it in a safe. And you don’t keep the safe in the garden, you keep it…well…you get the idea. Most medium and large mobile device deployments already have device management services deployed – that’s the safe but what’s protecting the front door? Any 3G/4G device is potentially exposed to any and all attacks that originate from the internet or side channel attacks like Stagefright. This places your front door key in a shared bucket with all the other subscribers that a carrier may have. And once a device is compromised, any over the top service like MDM or device container is undermined. Even if the attacker isn’t after your data, they can assemble botnets, send Spam all on your data plan’s dime.
This is where Moda from Asavie comes in – a private managed 3G/4G service that lives on your SIM. Not a new SIM, not a specialist SIM, your existing carrier SIM. Activate it and your front door key is now your own – apply security settings that suit your organisation rather than the one size fits all polices of a carrier.