Employees aren’t just bringing their devices into work — they’re living on them.
Checking one’s phone is the first and last thing many do every day. With smartphones becoming constant companions, hackers are seeking every avenue available to break into them. The nature and types of attacks are evolving rapidly, and mobile devices have become a critical part of enterprise cybersecurity efforts – with good reason.
“Using smartphones at a corporate enterprise might seem like the most routine habit in the world, but sometimes these smartphones are being used as a way to gain access to the enterprise’s Wi-Fi and sensitive data,” says Carey van Vlaanderen, CEO at ESET South Africa. In fact, corporates such as banks today prohibit the use of cell phones on their premises. Banks carry the most sensitive information and are likely to be on hackers’ minds, but this applies to all corporates, from small to large.
Putting ourselves in the shoes of an attacker, the first thing we’d try to do would be to see if we could connect to any of the Wi-Fi networks that the organisation in all likelihood has. It would not be unusual to find a number of networks within range, and it’s probable that at least one of them would be identified as belonging to the organisation or as exclusively for staff.
What you’d be less likely to see these days is a network that does not require a password or that uses an obsolete encryption system like Wired Equivalent Privacy (WEP). It’s not 2010 anymore, and most of the Wi-Fi networks we would have in range would use WPA2 encryption or better.
In these circumstances, the chances of being able to access this corporate network from our cell phone are considerably reduced, although there is still the possibility of the attacker succeeding if there is a guest network that is not configured correctly. Guest networks are precisely that: networks that provide connectivity to people visiting the place temporarily.
Depending on how the guest network was set up and whether it was segmented correctly, the attacker may succeed, or they may have to seek out alternatives. If the network was not isolated as it should be, they will be able to move on to the company’s critical systems and see whether these have robust security measures or are at the mercy of the attacker, who may be able to connect to them in order to carry out malicious activity.
So, the possibility to launch an attack from a cell phone connected to a bank’s Wi-Fi network will depend largely on what security measures it has implemented. Generally, security tends to be robust. However, as we will see below, there are other methods of attack using cell phones and other devices.
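A defender can check the segmentation described above by auditing the firewall rules that sit between the guest Wi-Fi and the internal subnets. The following is an added example, not part of the original article: it walks a constructed first-match rule list and reports which internal ranges a guest address may still reach. The subnets, rule format and function names are assumptions; it handles IPv4 only and assumes an implicit deny at the end of the list.

```python
import ipaddress as ip

# Constructed sample: ordered first-match rules as (action, source, destination).
RULES = [
    ("deny",   "10.50.0.0/24", "10.10.0.0/16"),  # guest -> core systems
    ("permit", "10.50.0.0/16", "10.20.5.0/24"),  # broad source also covers guest
    ("deny",   "10.50.0.0/24", "10.0.0.0/8"),    # guest -> rest of internal space
    ("permit", "0.0.0.0/0",    "0.0.0.0/0"),     # internet access
]
GUEST = "10.50.0.0/24"                       # hypothetical guest Wi-Fi subnet
INTERNAL = ["10.10.0.0/16", "10.20.0.0/16"]  # hypothetical internal subnets

def intersect(a, b):
    """CIDR blocks nest or are disjoint, so any overlap is the longer prefix."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b

def subtract(nets, hole):
    """Remove the block `hole` from a list of networks."""
    out = []
    for n in nets:
        if not n.overlaps(hole):
            out.append(n)
        elif not n.subnet_of(hole):          # hole lies strictly inside n
            out.extend(n.address_exclude(hole))
    return out

def guest_exposure(rules, guest, internal):
    """Internal ranges that some guest address may reach (implicit deny at end)."""
    guest, exposed = ip.ip_network(guest), set()
    for target in internal:
        undecided = [ip.ip_network(target)]  # destinations no rule has settled yet
        for action, src, dst in rules:
            src, dst = ip.ip_network(src), ip.ip_network(dst)
            if not src.overlaps(guest):
                continue
            hits = [h for h in (intersect(n, dst) for n in undecided) if h]
            if action == "permit":
                exposed.update(hits)
            if guest.subnet_of(src):         # rule settles these for every guest host
                for h in hits:
                    undecided = subtract(undecided, h)
    return [str(n) for n in sorted(exposed)]

if __name__ == "__main__":
    print(guest_exposure(RULES, GUEST, INTERNAL))
```

In the sample, the broad permit on the second line is matched before the catch-all deny, so one internal /24 stays reachable from the guest subnet even though the rule set looks segmented at a glance.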
Gathering information about the environment
Once the attacker has established that there is nothing they can do through the Wi-Fi network, they will probably use their smartphone for other purposes. One of the simplest ways, and a very useful one for gathering information, is to use the cell phone’s camera to take photos and videos of anything that might be of interest to the attacker.
Capturing images showing which software is used by the employees, which ports are accessible on the PCs used when serving customers, any network outlets that might be accessible, identification plates, or even filming when and how the security guards change shift: all these actions can be very useful for someone planning a future attack.
Furthermore, if the device has Near Field Communication (NFC) capabilities, the attacker can try their luck and see if they can capture the data from any staff ID card which might give them access to restricted areas used only by employees. This would be risky when it comes to actually entering the area, but it wouldn’t be the first time somebody tried it.
Moving on to more specialized types of devices, one kind available is known as a “WiFi Pineapple”, which the attacker can use to create a fake access point and see if any employees try to connect to it, monitoring their connections, and trying to capture passwords for accessing the bank’s internal systems.
Otherwise, they could try to pass themselves off as a customer and approach an employee with some kind of query, then take advantage of a moment of carelessness: if the employee’s computer has a free USB port, they can plug in a “Rubber Ducky” device, which then executes the commands necessary to steal as much information as possible.
They could also try to get the computer to download some malicious code from an online archive pre-configured by the attacker, using for such purposes either a ready-made payload or one they created themselves.
Remote attacks
All of the above involve one major hurdle for the attacker, and that is that they would have to go in person to the actual branch of the bank they want to attack. The security cameras could be used against them if the video recordings are analysed after discovering the attack, and for that reason, attacks that manage to infiltrate banks’ and other companies’ corporate networks tend to be executed remotely.
Let’s take as an example some of the cases discovered over the last few months. The attacks on Russian banks began with an email, one that was very well prepared and aimed at bank employees. The apparently innocent Word document actually contained a malicious macro which connected to an external server controlled by the attackers, from where additional modules were downloaded which were used to control and spy on the infected systems and enter the corporate network.
Another, more elaborate case was one that affected more than 20 Polish banks. On that occasion, the attackers managed to compromise the official website of the Polish financial regulatory agency, which is visited frequently by employees of various Polish banks, who were unwittingly infecting their work computers with malware.
Conclusion
The short answer for the user who asked us about the risk of enterprises allowing customers to use smartphones while inside their premises is that this risk depends largely on the corporate security policies implemented, especially those related to network security and segmentation.
On the question of whether we are going to see attacks of this style using cell phones as the main tool in the attack, we would not rule it out, but cybercriminals know they can get much greater benefits without needing to expose themselves so much by attacking banks remotely, and we don’t think that trend is likely to change any time soon.