Just a few days ago, iOS 11.1 fell victim to numerous hacks. The responsible party? Security Researchers at Pwn2Own, a hacking competition in which groups of industry experts are given the opportunity to try and infiltrate different devices. The event gives competitors the opportunity to show off their skills in order to win prizes, and allows vendors valuable insight into vulnerabilities in their devices.
In the case of 11.1, a group called Keen Labs exploited a handful of WiFi vulnerabilities in the iOS to install a “rogue application.” One of the vulnerabilities—but it hasn’t been revealed which one—was used the next day, by a different competitor, to hack 11.1 again. Apparently Apple has some glitches to work on. But iOS 11.1 was nowhere close to the only victim at Pwn: 11 successful attacks were leveled against multiple devices. In fact, only the Google Pixel emerged un-hacked.
And what does Pwn2Own serve to tell us about the security of our mobile devices? Zuk Avraham, the founder of mobile security company Zimperium Inc., says that the takeaway is this: “phones are totally insecure.” According to Avraham, just because a phone is brand new or recently updated does not mean that it is protected against attack. As Keen Labs demonstrated at Pwn2Own, even the newest update of Apple’s iOS possesses several vulnerabilities that leave it open to being hacked. And even once those vulnerabilities are patched, who’s to say that more aren’t lurking just out of sight? After all: even before Keen Labs’ WiFi exploit, Apple had already patched for a different WiFi flaw exploited by KRACK.
The answer? First of all, we need to start recognizing that mobile security, and the security of our phones’ operating systems, is an important facet of cyber safety. PCs are not the only victims; and while our phones may seem like a less likely or a less important target, that’s simply not the case. Hackers can get the same kinds of personal data by hacking our cell phones as they can by hacking our computers or laptops. Keen Labs’ infiltration of 11.1 may be done as a part of a competition, but it still could have done real damage. As Forbes explains, the exploit Keen ran installed actual malware on an iPhone 7, which it then could have used to gather information from the device. Given the fact that our devices hold untold amounts of data and information about us—including banking apps that carry our credit card information and account details—this is no small matter. And, as the success of competitors at Pwn2Own 2017 demonstrates, our devices may possess vulnerabilities that make them not only worthwhile to target, but also easy to target.
Once we’ve realized that, the next to step is to work toward better security for our devices. Forbessuggests that keeping our devices updated is key: “[Users] should update to the latest operating system, even if it won’t protect them from the weaknesses exposed at Pwn2Own. Apple patched a slew of weaknesses with iOS 11.1…” Even if updates aren’t 100% secure, they’re almost always more secure than earlier versions. Users can also take many of the same precautions with their phones that they would with their computer. Be wary when connecting to Wifi networks—as Keen Labs demonstrated, hackers can use those networks to gain access to devices…so watch which ones you choose to join. Additionally, protecting against phishing scams—especially voice and SMS phishing—is just as important on your mobile device as on your computer. Don’t open emails or texts that look suspicious. Don’t answer a phone call from a number you don’t recognize, and if you do, never give away personal information—even if the caller impersonates a legitimate party. A helpful tip to remember is that an actual representative from your wireless provider, your insurance company, or your bank would never solicit personal data over the phone.
The biggest threat of all isn’t a Wifi vulnerability or a brilliant hacker—it’s ignorance.Our phones may never be 100% secure, but being aware of the security risks they pose and how to deal with those risks is half the battle. To learn more about how to protect your phone and your data against hackers, ask for a demo of one of our Best Practices Modules on mobile security. Follow our blog to stay up-to-date with the latest hacks and strategies for preventing them. And don’t hesitate to touch base with one of our Solutions Architects about a training plan that will keep you and your employees secure against mobile security threats.