Why the WhatsApp Security Flaw Should Make Enterprise IT Nervous
The vulnerability is a reminder that apps on your employee’s phones represent a huge attack surface for your enterprise network.
July 24, 2019
The vulnerability in Facebook’s popular messaging app WhatsApp that was revealed in May gave potential attackers a dangerous level of access to mobile devices.
"It was a zero-day flaw that allowed people to go and install spyware by exploiting the buffer overflow attack," Avinash Ramineni, CTO at the Arizona-based cybersecurity company Kogni, said.
Which, outside of Facebook and WhatsApp, is not an enterprise security problem… Unless a company’s employee has the app installed on their company-owned smartphone, or on a personal one they use to access their employer’s enterprise systems.
WhatsApp may have been the most recent popular mobile app to suffer a breach, but enterprise networks are at risk from many others as well. "There are other tools like iMessage, Signal, and Slack that are used a lot within the enterprises for communication or collaboration,” Ramineni said.
In fact, according to the 2019 Egress Data Privacy survey, these types of apps, along with email and file sharing, are some of the most common technologies that lead to breaches.
Attackers can use vulnerabilities in third-party mobile apps to gain access to employee devices, have them communicate back with command-and-control servers, or exfiltrate data.
Compounding the problem, many of them are end-to-end encrypted, so enterprise IT or security staff don’t have visibility into what a rogue app on an employee device may be doing, Ramieni said. “You are completely blocked out.”
Turning back to WhatsApp, its use in the enterprise is widespread.
"The app is used officially and unofficially for customer service, employee collaboration, sales, and recruitment, and even some marketing teams," Otavio Freire, co-founder and CTO of Virginia-based SafeGuard Cyber, said. "Employees will always migrate to the channels that help them do their jobs more efficiently and effectively."
That means companies have to keep records of WhatsApp communications, he said, so that both security and compliance teams can audit them and detect potential attacks against employees. The records can show whether any content or messages have been modified by malicious actors.
An Open Channel for Phishing Attacks
An unauthorized messaging app can also be yet another unmonitored channel for phishing attacks.
"Enterprise messaging and email systems are monitored and filtered to identify and stop attacks, but third-party messaging tools are not subject to the same monitoring," said Joshua Wright, senior instructor at SANS Institute. "Attackers who wish to succeed at phishing attacks target WhatsApp and other applications to avoid security monitoring tools."
The WhatsApp vulnerability is a reminder that data center security managers should treat mobile device security as a “current and significant threat, ” Israel Barak, chief information security officer at Boston-based Cybereason.
"Mobile device threats are transitioning from 'at some point in the future we'll need to do something about it' to 'we need to do something about it here and now'," he said.
If it isn’t already, data center security strategy needs to expand beyond workstations and servers to encompass every device, including mobile devices, especially as it relates to better prevention, better detection, and better visibility.
Unfortunately, security technology isn't fully there yet, Barak said. There's a limit to what companies can do to lock down employee-owned devices used to access corporate systems.
For example, a company can ask employees to install software that performs a security check before allowing access.
"The challenge is that the attackers know about these checks as well," he said. "They take actions to evade any types of detection that these apps perform, and the more sophisticated apps are likely to go unnoticed."
Security needs to go beyond simple compliance checks to more advanced, behavior-based analytics, he said.
"I think we'll see a progression in the market where endpoint protection vendors extend their coverage to these devices as well," he said. "Some have already started on this route, [Cybereason] included."
Meanwhile, companies should be checking whether mobile devices are running the latest, fully patched versions of Android or iOS before allowing access to enterprise systems or networks, said Morey Haber, CTO at BeyondTrust, a Phoenix-based security company.
They should also make sure that the device hasn't been rooted or jailbroken, and that key applications like Microsoft Mobile Outlook are isolated with policies that prevent hijacking.
"If the risks are too high for the type of data and a BYOD device, consider issuing corporate devices for full control," he added.
Enterprises can also implement policies restricting which apps their employees are allowed to use, said Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint, a New Jersey-based technology consulting firm.
For example, she said, the vendor may offer an enterprise-grade version of the same app, which allows for enterprises to implement security controls.
"Or maybe there's an alternative that we can offer that has the same functionality but is more secure," she added.
Companies can also implement additional backend controls, such as two-factor authentication or least-privilege access permissions.
From WhatsApp to FaceApp
Even apps that at first glance seem completely harmless can pose problems for an enterprise.
Users often download apps and give them data-access permission without knowing where the apps may send their data.
"It might be a bit of fun, but companies should maintain an awareness of what applications are installed on company devices as a general precaution," saidJames Chappell, co-founder and chief innovation officer at Digital Shadows, a London-based security firm.
Even an app that just lets employees make their photos look prettier could be problematic, he said. "Applications often combine images with contextual data, such as mobile phone records or device identities, and this is when this data becomes particularly concerning."
About the Author
You May Also Like