A sneak preview of 2017's security challenges
By Ajith Ram December 14, 2016
- IoT will pose a major security challenge
- Fragmentation of Android will continue
It is likely that 2016 will be remembered as the year when mobile hacking and security became a mainstream talking point. According to Trend Micro, 2017 will include an increased breadth and depth of attacks, with malicious threat actors differentiating their tactics to capitalise on the changing technology landscape.
In 2016, there was a large increase in Apple vulnerabilities, with 50 disclosed, along with 135 Adobe bugs and 76 affecting Microsoft. This apparent shift in exploits against vulnerable software will continue in 2017 as Microsoft’s mitigations continue to improve and Apple is seen as a more prominent operating system.
Trend Micro predicts that the Internet of Things (IoT) and Industrial Internet of Things (IIoT) will play a larger role in targeted attacks in 2017. The increasing use of mobile devices to monitor control systems in manufacturing and industrial environments will be combined with the significant number of vulnerabilities found in these systems to pose threats to organisations.
It is against this background that the recent announcement by the Tor Project should be seen. The Tor Project recently announced the release of a prototype for a Tor-enabled smartphone - an Android phone beefed up with privacy and security in mind.
Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name 'The Onion Router'. Tor directs internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance.
One of the problems in the Android ecosystem is fragmentation. Multiple OEMs distribute their own versions of the operating system. Without financial incentives to push security updates to users' phones, OEMs by and large abandon users to their fate. This is not expected to change in 2017.
Using Tor makes it more difficult for internet activity to be traced back to the user. Therefore, Tor is used by many journalists in countries where persecution of the media is rife.
The new phone, designed by Tor developer Mike Perry, is based on Copperhead OS, a variant of Android. "The prototype is meant to show a possible direction for Tor on mobile," Perry wrote in a blog. "We are trying to demonstrate that it is possible to build a phone that respects user choice and freedom, vastly reduces vulnerability surface, and sets a direction for the ecosystem with respect to how to meet the needs of high-security users."
Perry also stressed that the phone is aimed at provoking discussion about what he described as "Google's increasing hostility towards Android as a fully Open Source platform." According to him, although it is currently more secure, a closed source platform such as Apple's iOS is at much greater risk of enabling software backdoors.
This debate around emerging security threats and mobile security is guaranteed to continue into 2017. DNA recently interviewed David Freer, Vice President, Consumer, APAC, Intel Security on these issues.
David Freer is responsible for leading and developing Intel Security’s Consumer business in the Asia Pacific region. Freer has worked across a number of industries for over 30 years and has more than 21 years of experience in the IT industry.
DNA: What is your opinion of security on Android? Is Google taking it seriously?
All companies operating in the tech sphere will pay attention to security, especially in this day and age. Intel Security’s McAfee Labs recently predicted that in 2017, threats such as mobile ransomware, remote access tools (RAT) and compromised apps in marketplaces will surge.
These threats will affect all consumers, and owning a non-Android device does not provide you with immunity from threats. Just as there are threats affecting Android, such as a malware that asks for a selfie with your credit card, there are threats such as a smishing campaign targeting iOS devices too.
All tech companies need to ensure that they continue to invest in technology to thwart cyber threats and educate consumers on cyber threats. That way, they can build a holistic and robust cyberspace for all who rely on it.
DNA: Do you feel that the public in South East Asia is educated enough about privacy and security issues?
A survey by Intel Security revealed that 40% of Singapore travellers would risk using an unsecured Wi-Fi while travelling. The same study also revealed that business travellers would access secure financial data and presentations on public networks.
While this shows that we are not clueless about cyberthreats, it does indicate that consumers may not know what to do or how they can secure their devices and their data.
In addition to offering holistic solutions that can keep consumers digitally safe, cyber security vendors also need to educate consumers and even businesses on the dangers that lurk in cyberspace, their tell-tale signs and how not to fall victim to such threats.
Many cybersecurity vendors, like us, conduct classes and organise trainings to bring students, consumers and budding cybersecurity practitioners up to speed on the latest happenings in the world of cybercrime and cyber defence.
DNA: Does Tor offer sufficient protection against invasions of privacy on mobile devices?
Just using Tor isn't enough to keep one safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. Attacks make it clear that the broader internet community needs to keep working on better security for browsers and other internet-facing applications.
Consumers should consider protecting all their devices with holistic security solutions, which come with add-ons that protect your privacy with encryption and use biometrics to manage all your passwords.
DNA: In your opinion, what steps should Google take to improve security on Android?
It’s not just Google, but all companies that operate in the technology sphere that should take steps to improve their security. Cybercriminals are constantly evolving their means of attack, and finding ways to bypass existing countermeasures.
Similarly, all tech companies should continue to advance and improve their mechanisms to keep attackers at bay. Companies should continue investing in retaining and improving talent, educating the masses and improving their offerings.
Some cybersecurity vendors have solutions that specifically cater to Android devices. These mobile security solutions also come with password management services and privacy tools that selectively share access to your apps by setting up different profiles.