In Which a Smartphone is Pwnt, Thoroughly and Without Reason

Does your phone have a firewall?  Does it have antivirus?  Should it?  I’ll wager your laptop does.  That’s because your laptop faces the looming threat of attackers from the internet every time to connect to a network.  Additionally, any time you use a network, you expose yourself to the potential for a network level attack.  Everyone knows that an unprotected computer is pwnage waiting to happen.   So what about your phone? Your phone is connected to the internet 24/7.  What’s more, it lacks a lot of the controls that would normally be applied to a network computing device.  It has no firewall, no antivirus, and most users can’t even kill processes or modify the file system without voiding their warranty.  The user has to rely on the closed nature of the device, and hope there are no exploits roaming the wild.  This is paper-thin security at best, especially when you consider the trends in modern phone usage are pushing for more devices containing more sensitive data. So how does an attacker target a mobile device?  They don’t have to: given some recent developments in the Metasploit framework, they can initiate wide ranging automated attacks against anyone they can connect to.  Consider the open Wi-Fi network, such as at a coffee shop.  As customers sit down, and link up laptops and phones, an attacker keeps track of hosts joining the network.  Then, leveraging the power of the autopwn feature of Metasploit, an attacker can attempt any number of exploits against any number of hosts, smartphone or not.   Your laptop might withstand automated attacks because it has a firewall and antivirus.  Your phone doesn’t.  There is no “Do you want to allow this app to run?” There is no “Would you like Windows Firewall to allow access to this program?” That’s it.  An attacker now has access to your phone’s audio, camera, data access, and any stored credentials or other sensitive data.  Metasploit has payloads in development for both the iPhone and Android platforms that will give root access to the phone, pending a successful exploit.  Finding more exploits is only a matter of time.  So this brings me to my point: Should your phone have a firewall?

Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.