Recently there’s been a wave of mobile device hacks and assaults connected with SMS messages. Most mobile users are doing a considerable measure of texting and messaging on their personal devices, which is especially alarming since more and more organizations are developing a BYOD program.
Some Examples of Recent Mobility Hacks
An alliance of U.S.-based stock traders and computer hackers in Ukraine made as much as $100 million in illegal profits over five years after stealing confidential corporate data.
News of the World (NOTW) hacked the phones of several business personalities, politicians, celebrities, well-known public figures, and members of the British Royal family, among others. Prince Williams’ voicemails had been hacked by the NOTW’s private investigator. The police started their investigation and NOTW’s royal editor and private investigators were convicted and sentenced to jail.
The publisher of the Daily and Sunday Mirror has been ordered to pay £1.2m in compensation to eight phone-hacking victims, including the actor Sadie Frost and the former footballer Paul Gascoigne.
Programmers who are known for hacking through indirect access can come right in the front entryway with SMS attacks.
First there was “Stagefright” – a vulnerability particular to Android that allowed a programmer to take information by executing code on the device through a contaminated SMS message.
Recently, a major vendor in the mobility management space may be leaving thousands of customers at risk because of an SMS (text messaging) vulnerability. The vulnerability occurs when a signed SMS is sent from the management server to the device during the enrollment process and/or the general day to day management of the device, including locking, unlocking, and wiping. In this scenario, the signature is not secure, leaving the door open for impersonation and “man in the middle” attacks. It may sound hard to attack a device in this manner, but it’s really not. All a hacker would need to do is obtain a transmitter ID by attempting to connect to the management server (the transmitter ID is automatically returned) and the phone number of the targeted device.
Reducing the Risk of an SMS Vulnerability with Enterprise-grade Security and Encryption
Citrix XenMobile does not use SMS mechanisms from the management server to remotely wipe the phone data or manage the device, preventing the risk of vulnerability described above.
Recently, XenMobile introduced another declaration sticking component to further anticipate attacks. The software on the customer side is pinned with the public key of the server during enrollment and will reject server association demands if the server’s public key is different from the pinned one on the local client.
Authentication pinning aside, Citrix utilizes security algorithms that are considered best practice in the industry. For Example:
End-to-End FIPS-compliant solution for data at rest and in motion.
Regular cadence of internal penetration testing for each of the Citrix XenMobile EMM releases.
Successful external penetration test validations from industry leading firms including Gotham and Veracode.
HIPAA compliant solution including XenMobile, ShareFile and NetScaler.
The Citrix XenMobile EMM solution always receives high marks from industry analysts and experts when reviewed for security attributes. A recent Gartner study – Critical Capabilities for High-Security Mobility Management – shows the Citrix XenMobile EMM solution strength and leadership in the area of secure mobility.
Related blog posts: