“If you have built castles in the air, your work need not be lost; that is where they should be.
Now put the foundations under them.”
– Henry David Thoreau
900 Million Android Devices Now At Risk
A startling research report presented recently by Check Point Software Technologies Ltd has highlighted severe flaws in the data security of millions of Android devices that use chipsets from U.S.-based Qualcomm. These Qualcomm processors can be found in 900 million mobile phones. And, if you know anything about IT security, you know it would only take one hacked device to put your business to the wall. At present, there is no evidence to suggest that cyber-thieves are attempting to hack and attack such devices; however, Check Point’s head of mobility product management, Michael Shaulov, predicts problems within “the next three or four months.”
The reverse engineering of Qualcomm’s code by Check Point researchers revealed security issues in the graphics-handling software, as well as in the communication code that runs between the various processes within the phone. Check Point duly handed over these results and its proof-of-concept code to Qualcomm earlier this year. Qualcomm has reportedly now created patches for the bugs and is using the new versions in its chipset manufacturing. Operators and phone manufacturers have received these patches, but it is very unclear how many have actually passed them on to phone users. Additionally, Check Point has created a free app, called the QuadRooter Scanner, that scans your phone to see whether the all-important security patches have been installed and so whether your device is at risk.
In case you’re wondering, here’s a list of the affected phones:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- U.S. versions of the Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
As Mr. Shaulov of Check Point says, “People should call whoever sold them their phone, their operator or the manufacturer, and beg them for the patches.” However, Qualcomm is, so far, saying nothing.
Gambling With Your Business
Let’s not forget the troublesome gambling app, notorious for its lack of, or disregard for, your device’s data security. U.S. application security firm Veracode has previously highlighted the potential flaws of such apps within the business network environment. Their study found a plethora of gambling apps installed by employees on business phones, jeopardizing any corporate data that may be stored on the device. Veracode scanned hundreds of thousands of phones and their findings were incredible, with some companies actually having up to 35 gambling apps on their “secure” network. They didn’t stop there. Veracode looked into the apps themselves and found several examples of critical vulnerability. One such gambling app would actually scan the phone to see if it was rooted or jailbroken, which would give the app completely unrestricted access to any data contained thereon. Your business data…
The Wonderful World of Pokémon Hunting
You must have heard of it. Maybe your kids do it. Maybe even you do it.
But have you heard of this?
If your employees use iOS devices, if they like to do a spot of Pokémon hunting during office hours, and if your business uses Google’s Gmail as its business email platform, you are possibly allowing Niantic Labs unfettered access to all of your business data.
The final “if”: if Niantic Labs gets hacked, your data is available to any cyber-thief that comes across it. Worrying? Surely.
In fact, very worrying in terms of the IT security of your business.
Soon after the release of the cult Pokémon GO mobile game app, a Tumblr blogger by the name of Adam Reeve (who also works for a security analytics company) posted about how iOS-based players unwittingly grant access to all of their account data to Niantic Labs when they sign in using their Gmail account. iOS users are unable to edit such permissions – there is no other way to play.
Think of all the capabilities and features that your Gmail account offers and provides for you.
Now, think about this. Anyone at Niantic or anyone who hacks Niantic could potentially:
- Read all of your mail
- Send email as you
- Access all of your Google Drive documents
- Access your Google Search history
- Access your Google Maps history
- Change your passwords
- Look at and download any of your photos… to name but a few
Clearly, any IT manager worth their salt will be ensuring in the future that no employee accesses the Pokémon GO game app via their Gmail work account. However, the examples provided in this article highlight this very important message:
Installing an app from an untrustworthy source could potentially install code on your device that could compromise any data stored there.