Does any of this sound familiar? A vulnerability or malware is discovered. A patch is released and the problem is fixed. But then a new threat pops up and the cat-and-mouse security cycle begins again with no winners in sight. And some security experts believe this approach will no longer be sustainable as more and more devices go online.
There is no doubt that the patching process whenever researchers discover new malware or software vulnerability is a lifesaver, not just for mobile devices, whose popularity makes them a prime target for hackers and criminals. But how much longer can this tug-of-war continue?
“This game of cat-and-mouse between hackers and device manufacturers is distracting us from the larger issue,” said prpl Foundation’s chief security strategist Cesare Garlati, co-chair of the Mobile Working Group at the Cloud Security Alliance.
“In a few years,” he warned, “the security issues we see with mobile will be seen as a small segment of catastrophic IoT security problems. Every connected device needs a clear path for receiving critical security updates—not just mobile.”
Barring that, every connected device could pose a threat. “And the hyper-focus on mobile security updates simply isn’t enough,” he added. …”Mobile is now just a small fraction of the devices that surround us.”
The threat landscape has changed “to be almost unrecognizable” over the last two years, said Garlati. And the situation is unlikely to improve as new unprotected devices hit the market and more vulnerabilities and malicious software emerge every day.
“We continue to see increases in banking malware and phishing schemes adapted to mobile devices,” said Kaspersky Lab’s Kurt Baumgartner, Principal Security Researcher, Global Research & Analysis Team, in an email.
Android, the world’s most popular mobile operating system, is a particularly desirable hacking target and one that “continues to be splintered globally.” Baumgartner said that will require major suppliers to “improve their update delivery model.”
Add to that the vulnerabilities that continue to emerge in crypto libraries – tools that are used to create encryption keys, manage secure certificates and perform other encryption-related functions. “The VPN market and the need for properly encrypted network communications continues to be a confusion for almost all mobile customers out there,” he said. That leaves their network communications exposed. “There seems to be no end in sight for this sort of problem.”
“Everything will remain to a certain extent insecure,” added Travis Witteveen, CEO of Avira, a maker of antivirus software, as criminals follow the money and the highest volume with the lowest chances for getting caught. “After all,” he noted, “banks are still being robbed today and houses broken into. To think that computing devices should be different is naive.”
While there is no such thing as perfect security, he said “users should take the responsibility and invest in solutions to match their usage on mobile OS platforms just as they do in the physical world too.”
It doesn’t help that a recent study found that people ignore security warnings 90 percent of the time. But Baumgartner said “general user gullibility” and an increase in ransomware and business email compromise will lead defenders to focus on stronger verification and protecting encrypted communications.
That might not be enough to address larger mobile security issues, particularly when manufacturers are often in a hurry to be first to market with their new products. Garlati believes cooperation between industry leaders and government regulators will be required to ensure that any forthcoming regulation encompasses technologies like Internet of Things devices that are redefining mobile security.