Are Zero-Day Software Vulnerabilities a Threat to Mobile Devices?
Five ways companies can get ahead of the cybersecurity threats affecting the software on their mobile devices.
Cybersecurity threats date back to the 1970s, when the threats were easily identifiable and generated by insiders who accessed private documents and other sensitive information. Fast-forward to today, and cyberattacks and data breaches have proliferated significantly over the last five decades, with over 37 billion records compromised and 4,000 breaches reported publicly in 2020 alone.
In 2021, high-profile attacks like the SolarWinds hack and the Colonial Pipeline ransomware attack, with the JBS ransomware disruption following closely on their heels, brought further attention to the need to lock down, patch and prepare computer networks for more threats.
Among those threats, zero-day attacks are especially nefarious. Security flaws that software or operating system developers know about but haven’t developed patches for yet, zero-day vulnerabilities can result from improper security configurations, programming errors or other flaws.
Patching Security Holes
Left unaddressed, zero-day vulnerabilities may create “security holes” for bad actors to exploit. The name refers to developers having “zero days” to remediate a problem that has been exposed and/or exploited by cybercriminals.
In 2021, for example, global IT infrastructure provider Kaseya suffered a zero-day attack that used its software to deliver REvil ransomware to customers via an auto update. The attack impacted thousands of organizations before Kaseya could release a patch to address the vulnerabilities.
Zero-day attacks aren’t limited to desktops, laptops and servers; they’re also being squarely aimed at mobile devices. With more employees working remotely and service personnel needing reliable connectivity while out in the field, companies have to include mobile security in their broader cybersecurity strategies.
Not a New Concern
Mobile security is not a new issue, but Verizon says the stakes are getting higher. The problem is that many companies don’t think about it until something goes wrong. In its 2020 Mobile Security Index Report, the wireless carrier says 43% of companies that suffered a compromise were planning to significantly increase their mobile security spend in the coming year, compared to 17% of those that hadn’t been compromised.
In 2020, Verizon says 39% of the companies surveyed for the report suffered a mobile-related security compromise—up from 33% the prior year and 27% in 2018.
“Every year, we’ve seen the number of companies suffering mobile security compromises rise, and this year was no exception,” Verizon states in its report. “Despite everything that’s at stake, many businesses still sacrificed security—and those that did were more likely to have been hit.”
5 Steps to Take Now
As attacks on mobile devices continue to rise, organizations need to find better ways to protect their workers, devices, networks and essential data. Brian Phelps, Group Manager, Consulting, Mobility Engineering at Panasonic, sees this becoming a bigger area of focus for many companies.
“The threat is increasing as bad actors exploit companies and governments and do anything they can to penetrate those organizations. They’re gaining access to data, installing ransomware and finding other ways to infiltrate networks,” says Phelps. As Verizon reported, mobile devices have become prime targets for these cybercriminals.
Panasonic maintains hardware standards that support a highly secure environment for its TOUGHBOOK devices. The manufacturer also has existing partnerships with software and solutions providers that ensure zero-day vulnerabilities are addressed before they become serious concerns. Phelps says these and other strategies help companies maintain a high level of security for their mobile devices, but there are also some important steps that individual organizations can take to further solidify their mobile security.
Here are five steps all companies can take now to protect their field associates and other employees who rely on mobile technology to do their jobs:
- Ask your hardware and software original equipment manufacturers (OEMs) about the proposed fixes and plan accordingly. A fairly complex process that can take several days to resolve from start to finish, patching zero-day vulnerabilities doesn’t happen overnight. Talk to your OEMs about the issue and get an idea of when the patches will be developed and released. “Don’t expect a patch to magically occur 24-48 hours after a zero-day vulnerability is discovered,” Phelps cautioned. “It’s often a tiered process where OEMs work with their partners to come up with a solution, test it, resolve the problem and get the patch out to customers.” Once that happens, be prepared to conduct your own testing, approve the software updates and get the patches installed as quickly as possible.
- Understand that effective mobile security requires a multifaceted approach. There isn’t a “one and done” solution to mobile security. In other words, you can’t just develop a plan for protecting one network, set of devices or operating system. Winning against the bad actors requires a holistic strategy. “Think about security from the hardware, software, application and user perspective,” Phelps advises. “Take the time to understand each of those components and then put the strategies and partners in place to help secure each of those areas.”
- Keep devices compliant and users on guard. If your organization is hit by a zero-day attack that can’t be immediately thwarted, you can lock down and/or wipe the impacted devices to avoid having the problem spread to other devices, computers or the network as a whole. Panasonic, for example, maintains partnerships with multiple different mobile device management (MDM) providers that work to secure devices and isolate problems if and when they occur. “Think about how you can quickly identify and isolate the impacted devices,” says Phelps, “and what tools you can use or partners you can work with to prevent the zero-day attack from becoming a larger issue.”
- Don’t ignore cybersecurity basics. Taking basic precautions like making sure your field associates aren’t using default passwords on their mobile devices, that they’re only using secure Wi-Fi connections and that they’re using PINs to protect their devices can all help them avoid mobile-based cyberattacks.
- Look at both new and old threats. Put a strategy in place for patching both zero-day vulnerabilities and other problems that may have been unknowingly waiting in the wings for months or even years without anyone being aware of them. “We consistently see issues come up that aren’t necessarily zero-day,” says Phelps, “but that are known issues that have been out for years without anyone even realizing it.”
One Piece of a Larger Network
Now for some good news: zero-day attacks on mobile devices can often be thwarted by good security measures before they create a significant impact on an organization. Phelps says companies that limit their field workers to just a few critical applications on their devices stand an even better chance of cutting a zero-day attack off before it becomes a larger issue.
“A mobile user is one piece of a larger network and as such can be effectively shut down at the device level in case of a security incident,” he adds. “Many security issues can be avoided if the attacker never gets into the network and/or if the problem doesn’t propagate to other devices.”