One of the world’s leading cybersecurity experts has just warned that the alarming new surge in malicious apps is a much more serious threat to iPhone users than you might think. iPhones, he says, have a surprising security vulnerability.
“We’re all wide open,” the billionaire founder of Check Point tells me. “And attackers are not missing that.” I last talked to Gil Shwed just before the world was struck down by Covid-19. Everything has changed, he tells me now. “The attack surface has greatly expanded. We’ve seen this huge surge in mobile and malicious apps.”
Android’s reputation for securing its fragmented ecosystem is not good—the widely held view is that iPhones are much safer. But you can buy an Android and lock it down fairly easily. Not so with an iPhone. Apple makes its devices harder to attack, but also harder to protect. You are reliant on Apple to do the work for you—and so, for users and companies now under attack, Shwed warns that this has become a serious issue, that the security risks between the two platforms are now “balanced.”
Before Covid-19, the world was relatively simple. “If you’re easy to attack,” Shwed told me then, you will be attacked. “So, just make your network and systems harder to penetrate than those around you.” But now, he says, “with half the companies in the world, there’s evidence that [at least one] employee has a malicious application and therefore may be susceptible to attack from the outside.”
A year ago, we talked nation state cyber, the threats from China, Russia and Iran. Now, despite SolarWinds, to say nothing of the Microsoft Exchange nightmare that hit just after our meeting, the security implications of the world’s companies throwing open their systems to newly remote workforces are even more front of mind.
Everything is mobile, remote, and we’re still not ready for that. “All our systems are now accessible by external entities—first and foremost, our employees, but then our suppliers, our vendors, they all do remote monitoring, remote work on our systems. The hackers didn’t lose sight of that and they are taking advantage of that.”
Shwed sells security software—his latest innovation is Harmony, a multi-platform solution to safeguard a whole person, not just a few of that person’s specific machines. “The security of the user wasn’t the number one [CISO] priority a year ago. Now it is. Because we all realized how that creates a huge vulnerability in our infrastructure. And the hackers are really taking advantage. There is no doubt—we see that every day.”
Shwed is fresh from his company’s annual flagship CPX 360 event—held virtually this year. “With the sudden shift to remote work,” the company said, promoting its event that included Chris Krebs amongst the speakers, “we learned the value of being able to adapt. Your cyber security strategies must also change.”
And this is Shwed’s theme as we speak now. Unsurprisingly, the man who sells security software wants to sell more security software. But he’s definitely got a point. Most of us know we should run software to protect our PCs and even our Macs. A well-run organization wouldn’t enable its myriad employee laptops to access its core systems without any protection. But with our phones, it’s all very different.
“On the PC side, that awareness level is quite high,” Shwed says. “On the mobile it’s still very low. What we are trying now to do with Harmony is actually address that by saying it’s all going to be together. So it’s not going to be the decision of saying our focus is now on the PC, because that’s what we know, or because that’s the highest priority. But rather saying your focus should be on the users.”
Today’s mobile security situation is a disaster. How many of the smartphones accessing core enterprise systems don’t currently carry security software? “95% of them don’t,” Shwed says, “or even 99% don’t.” And this is his key takeaway. There’s an urgent game of CISO catch-up to be played. If you want to use your smartphone to access enterprise systems, then you need to be secure. “And it’s very simple. I access the company portal, it tells me: ‘If you want to keep using that, download this software from here. Click here and use it.’ And that’s very simple.”
Back to those numbers. Maybe as few as 1% of cell phones carry security software, but 46% of companies found themselves infected by a malicious app brought into their ecosystem on an employee’s phone. The mobile threat vector has become much more critical in recent years. And that risk was catapulted by coronavirus.
And Shwed raises another parallel with Covid-19. “Looking at what we call a cyber pandemic is an important element,” he tells me. “We need to understand that cyber attacks can behave like a pandemic and do behave like a pandemic, except that they are much, much faster than a biological pandemic. So, we need the tools to prevent them and stop them and these tools need to be super-fast… AI based autonomous threat prevention that will see the attacks and stop them. Not see the attacks and do nothing or wait until next week, because it’s now Friday evening and nobody’s in. The system should move, it should run by itself because the hackers are working 24/7.”
Check Point’s 2021 security report warns that this mobile threat is now coming at us from every angle—banking trojans, mobile remote access trojans, deployed by both nation state threat actors and criminal enterprises, arms-length espionage by state intel agencies on overseas targets. All enabled by social engineering, our relative lack of security awareness when it comes to our phones, and no security software.
“Companies need to take very seriously the need to build a unified cyber architecture,” Shwed warns, “to consolidate as much as possible. The fact that you have one place that detects the virus or the pandemic in one side of the enterprise, but on the other side of the enterprise, nobody knows what to do with it, is not helpful enough… You see something bad, you stop it. If the damage remains outside, great. If there’s damage inside—let’s take SolarWinds—it’s a typical pandemic. You found the victim, you found the patient, in the Coronavirus world, you found somebody infected. Now quarantine them and the damage is going to be very, very limited. You don’t quarantine them, within a few minutes or a few hours, your entire enterprise is not working.”
Check Point’s 2020 recap is bleak. “More than 400 weaknesses in a Qualcomm chip that affects a large portion of the entire mobile market… Weak points in Android phone hardware that can be exploited to result in a full takeover… Instagram reported to have an RCE zero-click vulnerability in its JPEG decoder. Apple’s ‘sign in’ system vulnerability can allow remote attackers to bypass authentication and take over targeted accounts. Additional vulnerabilities in WhatsApp, Facebook, and more.”
There have been many more mobile vulnerabilities targeting and exploiting Android devices than iPhones in the last year—unsurprisingly; iPhones are much more secure, right? No, Shwed tells me. “I think the risks are for both. There are zero-day attacks and there is malware on both platforms. I think it’s actually very balanced.”
His point here is interesting. If you use an Android, then the onus is on you, the user, to secure your device. There are plenty of security platforms available from leading vendors. And they can wrapper the device. If you’re an enterprise user, then your company can do the same for you. This overcomes the issues with Android’s fragmented ecosystem, the lag in deploying security patches and general updates, the relative lack of security on the Play Store compared to Apple’s equivalent.
But with iPhone, the onus is on Apple to keep you safe. And two urgent OS updates in the last few weeks, with some admission of exploits being caught in the wild, clearly show that the threat is real. “iPhone is a much more closed system,” Shwed says, “and Apple regulates much more what’s on the platform, which theoretically or practically makes it a little bit more secure. On the other hand, there is also a limitation about what security software can do on iOS. So the balance may be the same.”
The extent and severity of those risks are not balanced, though. “With Android, it’s much easier to develop software, to use software, and that software can be more malicious than on iOS. But at the same time, on Android, you can build much better security software because the same openness exists also towards security systems.”
All of which presents a dilemma for CISOs handling the new normal, hybrid workforce, which will prevent reverting to walled garden, no external access, enterprise solutions anytime soon. “In the past, you could work remotely—in the past, it was fun to say that and we did it a small part of the time. Today it’s 100% of the time.”
For Shwed, this means another new normal—no security software on your phone, no access to your company systems. “It’s not very difficult,” he says. “In Check Point, everybody is using their own phone, you’re doing whatever you want. But once you want to access the corporate email or the corporate systems, it checks that you have our threat prevention software on your mobile phone. If you don’t have it, you can’t access the system. That’s very simple. Everybody installed that software. And if they don’t, they can’t access the system. And they don’t risk it.”
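The access rule Shwed describes here, and the portal behaviour he sketches earlier (“download this software from here”), is a device-posture gate: before the corporate portal hands out access, it checks a report from the mobile threat-prevention agent and sends unenrolled or non-compliant phones to an enrollment page instead. The following is an added illustration of that pattern in Python; it is not Check Point’s code or Harmony’s API. It assumes a constructed shared HMAC key between agent and gateway, a hypothetical enrollment URL, and a small posture report format invented for the example; real products bind reports to a device identity and use asymmetric signatures rather than a shared secret.

```python
"""Device-posture gate for corporate access (added example, not vendor code)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: agent and gateway share this key (constructed demo value).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
# Assumption: hypothetical page where the portal sends unprotected phones.
ENROLL_URL = "https://portal.example.invalid/enroll-mobile-protection"
MAX_REPORT_AGE_S = 15 * 60          # a posture report older than this is stale
MIN_AGENT_VERSION = (2, 0)          # constructed minimum agent version


@dataclass
class Decision:
    allow: bool
    reason: str
    redirect: Optional[str] = None  # where to send the user when denied


def sign_report(report: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC over a canonical JSON encoding so key order cannot change the MAC."""
    payload = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def evaluate(report: Optional[dict], signature: str,
             now: Optional[float] = None, key: bytes = SHARED_KEY) -> Decision:
    """Decide whether a phone may reach corporate systems.

    report    : posture report from the threat-prevention agent, or None when
                the portal received no report at all (agent not installed).
    signature : hex HMAC the agent attached to the report.
    """
    now = time.time() if now is None else now

    # No report means no agent: deny and point the user at enrollment,
    # which is exactly the "download this software from here" step.
    if report is None:
        return Decision(False, "no posture report: agent not installed", ENROLL_URL)

    # Reject anything the agent did not actually sign (tampered or forged).
    if not hmac.compare_digest(sign_report(report, key), signature):
        return Decision(False, "posture report signature invalid")

    # A report the agent produced long ago says nothing about the phone now.
    if now - report["issued_at"] > MAX_REPORT_AGE_S:
        return Decision(False, "posture report stale: re-scan required")

    # Old agents may lack the detections the policy relies on.
    if parse_version(report["agent_version"]) < MIN_AGENT_VERSION:
        return Decision(False, "agent version below policy minimum", ENROLL_URL)

    # The agent found a malicious app: keep the phone out ("quarantine").
    if report["threats_found"] > 0:
        return Decision(False, "active threat on device: quarantined")

    return Decision(True, "posture ok")


def demo() -> dict:
    """Run the gate over constructed posture reports; returns reason per case."""
    now = 1_700_000_000
    healthy = {"device_id": "dev-1", "agent_version": "2.1",
               "threats_found": 0, "issued_at": now - 60}
    infected = dict(healthy, device_id="dev-2", threats_found=1)
    stale = dict(healthy, device_id="dev-3", issued_at=now - 3600)
    cases = {
        "healthy": evaluate(healthy, sign_report(healthy), now=now),
        "no_agent": evaluate(None, "", now=now),
        "infected": evaluate(infected, sign_report(infected), now=now),
        "stale": evaluate(stale, sign_report(stale), now=now),
        # Signature was computed over `healthy`; the report was then edited.
        "tampered": evaluate(dict(healthy, threats_found=0, agent_version="9.9"),
                             sign_report(healthy), now=now),
    }
    return {name: d.reason for name, d in cases.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:9s} -> {reason}")
```

The decisive design choice is that the gate fails closed: a missing, stale, or unverifiable report is treated the same as a non-compliant phone, and the denied user is redirected to enrollment rather than shown a bare error, which is what makes the policy “very simple” from the employee’s side.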
The risk of a cyber pandemic is real—you’ll see ever more warnings over the coming months. What we’ve seen recently with expansive attacks, allied to a still fragmented workforce and new supply chains has left huge vulnerabilities.
The need for cybersecurity “is now bigger than ever,” Shwed warns. “That’s clearly something that we need to deal with… Before, security people were saying, ‘you can’t come in because it’s unsafe.’ Today, we’re all forced to say everything is open because that’s the only way we can work. So I think that the task that we have for next year, and then beyond that, is not to close these doors, but to secure them.”
Indeed. But with just 1% of phones secured and mobile malware surging at an unprecedented rate, that’s significantly easier said than done.