In the last decade, the landscape has shifted from most people using desktop and laptop computers to one where a large portion of the population uses mobile devices exclusively or almost exclusively. These devices are seen as appliances like televisions or refrigerators where it can be bought and used with no upkeep necessary. This is unfortunately not the right attitude with these devices. Mobile phones, tablets, smart watches and other devices are all mini computers and must be treated as such, especially considering the interconnected and network centric nature of our lives. Technology such as browsers which are used on almost every device are the gateway to the internet that everyone uses and is one of the primary areas in which security matters.
So what’s at stake? Will your device just stop working? Will it be slow? Yes, but it is much more than that. These devices hold the keys to your email, text (or other) messages, access to your bank, your utilities, social media and much, much more. A malicious hacker getting into your device could drain your bank accounts, destroy your business, impersonate you to your family, friends or coworkers, and ruin your life. Mobile devices are extremely important in this day and age and protecting it from attack is vital.
One example in the news recently is from the company LastPass (a Password Manager software company) which got hacked a few times over the last year or so. The company got hacked in part due to one senior software engineer who was working from home. The engineer had a home computer which had Plex installed (cloud based software that is used to connect your legal personal movie collection for streaming and storage to your own devices). Plex had a vulnerability disclosed in its software in May of 2020 and the company had pushed an update for the software the very same day to fix the issue. However this engineer never updated the software and this vulnerability was used by attackers in order to install malicious software which enabled them to gain access to the LastPass corporate network, which in turn, led to the hack. While there were other issues at play such as a senior engineer who was allowed to use a personal device in order to access a sensitive private corporate network, this case still shows how an update with unrelated software can affect people, companies and much much more. The breach affected millions of people and all of their passwords and some other information are now available (passwords are in encrypted form while some other data are not) to hackers and others. As an aside, in my previous article regarding Password Managers, LastPass was not on my recommended list precisely because of this hack.
Popular platforms such as Apple’s iOS and Google’s Android as well as browser platforms such as Google Chrome, Apple Safari, Mozilla Firefox, and Brave are at the forefront of the cybersecurity battle of today. These popular platforms will get untold attention from hackers and other malicious actors because they represent the most widely used platforms in existence. Discovering a new flaw in any of these platforms that could be used to take over the system (known in the industry as a zero day) is the holy grail for hackers. With a zero day, they can attack the platform and do anything they want up to and including remote control over the device, sending or receiving messages or emails, being able to log into sensitive accounts even those that are protected with email or text message based 2 factor authentication. Your entire digital and real life could be at risk.
What can be done? It is impossible to protect yourself from zero day attacks because by definition, these are attack vectors that are not known yet, but most people can find solace in the fact that these vulnerabilities are usually reserved for important individuals, governments and those who have a lot to lose. When these attacks are seen and found by security research professionals, they are passed on to the teams that work on these popular platforms. They then release updates to the operating systems or browsers or other software that make up these vulnerable systems. This is the point at which everyone can help themselves stay safe. It is vitally important to update your operating system (anything from iOS or Android, Windows, Mac or Linux) as well as your browsers and other apps. Unfortunately updates sometimes come in quick succession and may break certain things or can have undesirable effects, but the best way to stay secure is to update your software right away.
Links/References:
https://www.androidpolice.com/lastpass-breach-plex-update/?newsletter_popup=1
https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/