New vulnerabilities are constantly being discovered in the world of cyber security, as hackers continue to work tirelessly in an effort to capitalize on every exploit imaginable. This can make the task of cyber threat mitigation somewhat frustrating. With every new fix comes a new risk.
However, even when a cyber threat is successfully addressed by the experts, there is no way to force technology companies, developers and consumers to take the recommended steps to safeguard their data and their devices. As a result, cyber exploits that were thought to have gone the way of the dinosaur rise up again and wreak havoc on systems.
This is precisely what happened with the recent discovery by Trend Micro of a mobile cyber threat thought to have been dealt with in 2012.
Portable SDK for UPnP Devices
According to mobile threats analyst Veo Zhang of Trend Micro, vulnerabilities associated with the Portable SDK for UPnP Devices, also called libupnp, were patched in 2012. Originally, applications that used the software development kit were at risk of being hijacked. This was the result of the way the libupnp library handled Simple Service Discovery Protocol (SSDP) packets. In this process, User Datagram Protocol (UDP) port 1900 is open. As a result, a specially crafted packet can overflow a buffer, which causes the application to crash. However, Trend Micro noted that seasoned cyber criminals can also use this exploit to run arbitrary code and ultimately wrest control of a device. This can result in remote spying and creates the potential for data theft.
A patch for the problem was issued in 2012; however, many developers are still using older versions of the SDK, despite the known vulnerability. In fact, Trend Micro identified 547 applications that are still running the old SDK and noted that 326 of them are available on Google Play. Among the more well-known applications on the list are Netflix, nScreen Mirroring for Samsung, AirSmartPlayer and Tencent QQMusic.
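The class of flaw described above, an SSDP packet overflowing a fixed buffer, is prevented by checking the length of every field taken from the datagram before copying it. The following is an added example, not libupnp's code and not part of the original article; the function name `ssdp_get_header`, its return codes and the sample datagram are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: a well-formed M-SEARCH request as sent to UDP port 1900. */
static const char SAMPLE_MSEARCH[] =
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "ST: upnp:rootdevice\r\n\r\n";

/* Hypothetical helper: copy the value of header `name` (e.g. "ST") from a
 * received datagram into out[out_cap]. The datagram need not be NUL-terminated.
 * Returns 0 on success, -1 if absent, -2 if the value does not fit. */
int ssdp_get_header(const char *pkt, size_t pkt_len, const char *name,
                    char *out, size_t out_cap)
{
    size_t name_len = strlen(name), pos = 0, i;

    if (out_cap == 0)
        return -2;
    out[0] = '\0';
    while (pos < pkt_len) {
        /* Find the end of the current line without reading past pkt_len. */
        const char *line = pkt + pos;
        const char *nl = memchr(line, '\n', pkt_len - pos);
        size_t line_len = nl ? (size_t)(nl - line) : pkt_len - pos;
        pos += line_len + 1;
        if (line_len > 0 && line[line_len - 1] == '\r')
            line_len--;
        if (line_len <= name_len || line[name_len] != ':')
            continue;
        /* Header names are case-insensitive. */
        for (i = 0; i < name_len; i++)
            if (toupper((unsigned char)line[i]) != toupper((unsigned char)name[i]))
                break;
        if (i != name_len)
            continue;
        const char *val = line + name_len + 1;
        size_t val_len = line_len - name_len - 1;
        while (val_len > 0 && (*val == ' ' || *val == '\t')) {
            val++;
            val_len--;
        }
        /* The check an unbounded strcpy() into a fixed buffer lacks:
         * reject, rather than truncate, network values that do not fit. */
        if (val_len >= out_cap)
            return -2;
        memcpy(out, val, val_len);
        out[val_len] = '\0';
        return 0;
    }
    return -1;
}
```

A caller that receives -2 should drop the datagram; silently truncating the value would hide malformed input from logs and from later validation.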
Implications for the Internet of Things
Zhang notes that as a result of the vulnerable applications, more than 6.1 million devices may be at risk, including smartphones, routers, smart TVs and more. While any mention of "millions" warrants some hoopla, this number hardly skims the surface of the number of devices that will soon comprise the Internet of Things. According to Gartner, there will be an estimated 6.4 billion devices in use globally in 2016, which represents a 30 percent increase from 2015. Even more significantly, IDC forecasts the total number of connected devices to reach over 28 billion by 2020.
This matters because as more IoT vendors develop smart technology that can be remotely accessed and controlled by mobile devices, any and all vulnerable software development kits must be weeded out. This is particularly true for smart home technology. A plethora of sensors, voice recording technology and cameras will be employed for use in smart TVs, smart security systems, baby monitors and other devices. As a result, cloud security and encryption have both been considered vital to successfully securing smart home technology. The problem, however, is that cyber security measures are moot if known security flaws are being built into applications for IoT devices.
Highlighting the importance of best practices
That having been said, it's more important now than it ever has been for mobile application developers to be dogmatic in their application of best cyber security practices. More specifically, this means using trusted SDKs that are obtained from verified sources.
An incident that is similar to the libupnp debacle unfolded in 2015, when an estimated 4,000 mobile applications were developed and sold on the Apple App Store with an infected SDK. According to PCWorld, a counterfeit version of Xcode – which is a legitimate SDK from Apple – was offered to developers. Called XcodeGhost, the SDK had been infected with malware capable of hijacking certain applications. Apple removed the infected applications from the store as soon as it became aware of the situation. Nevertheless, as of Nov. 4, dozens of U.S. organizations were still running apps that were infected with the malware, according to PCWorld. Many other individual users were also believed to have still been running the infected versions of the applications.
This scenario highlights two significant problems. Firstly, according to Computerworld contributor Greg Keizer, developers who fell for the scheme were essentially cutting corners. The fraudulent version was disseminated via a popular file-sharing service in China, and with significantly faster download speeds than the authentic SDK. As a result, developers built inherently non-secure software. Secondly, the fact that businesses in the U.S. continued to run these infected applications reflects a blatant lack of awareness regarding cyber security trends – or worse, complete negligence of known best practices.
In conclusion, as mobile applications become interconnected with the billions of IoT devices currently in circulation, and those soon to be, development teams must not take any shortcuts. Likewise, users must be aware of new exploits, and take the recommended actions to mitigate ensuing damages. Failure on either end could result in old mobile vulnerabilities causing new problems, just as libupnp did.
As a precaution, end users – especially in organizations – must also protect mobile end points with the proper cyber security solutions. They can start by defending against cyber threats to mobile devices with Mobile Security Solutions from Trend Micro.