Mobile Device Risks

According to the Verizon 2023 Mobile Security Index white paper, the number of diverse endpoints is increasing, especially those that are mobile or using mobile connectivity. Mobile devices offer users convenience, connection, control, and content, both personally and professionally. However, they transmit and store data and could be exploited by threat actors to compromise networks, devices, or accounts. Unpatched vulnerabilities in mobile devices increase the risk of compromised devices and cyberattacks. Additionally, mobile devices routinely connected to a home network can have further implications when subsequently connected to corporate networks and may introduce additional vulnerabilities and risks. Therefore, it is vital for users to employ cybersecurity best practices and ensure mobile devices currently in use are properly protected and secured.
The Open Web Application Security Project (OWASP) raises software security awareness and provides quality information regarding risks and vulnerabilities. OWASP posted an initial release of the top 10 mobile risks of 2023, including inadequate supply chain security, insecure authentication/authorization, insecure communication, inadequate privacy controls, and security misconfiguration. These risks are evident in the recent vulnerabilities highlighted below.
Security researchers discovered a credential-stealing vulnerability, dubbed AutoSpill, in the autofill functionality of Android mobile password manager apps. This vulnerability is a concern when an Android app loads a login page via WebView and a password manager is used to fill in the credentials. Affected password managers include 1Password, LastPass, Enpass, Keeper, and Keepass2Android. Dashlane and Google Smart Lock are also affected if the credentials are shared via a JavaScript injection method. This vulnerability does not require phishing or malicious in-app code.
Additionally, vulnerabilities in Qualcomm and MediaTek 5G modems, collectively dubbed 5Ghoul, impact many 5G Android and Apple smartphone models, routers, and USB modems. Threat actors do not need the target’s SIM card, as the attack can occur before the NAS authentication step. Therefore, they can impersonate a legitimate 5G base station using known cell tower connection parameters and cause temporary service disruptions and network downgrades to the 4G domain, potentially introducing more vulnerabilities. These vulnerabilities highlight the implications for mission-critical environments dependent on cellular service.
Furthermore, a Bluetooth authentication bypass vulnerability, CVE-2023-45866, was discovered in the Bluetooth protocol. Threat actors trick Bluetooth devices into pairing with a fake keyboard to connect to Android, Apple, and Linux devices without user confirmation. They can then inject keystrokes to install apps, run malicious code, and more.
Zero-day exploits pose a significant security risk as threat actors take advantage of vulnerabilities in software or apps that may be unknown to the vendor. Threat actors exploit these vulnerabilities before the vendor can release security patches or updates. Zero-day exploits may bypass device security measures, potentially resulting in data theft and exfiltration or the installation of malware.
Threat actors may also employ zero-click attacks, which do not require user interaction, such as opening malicious attachments or links. Instead, zero-click attacks rely on unpatched vulnerabilities in messaging, SMS text messaging, or email apps. These apps allow threat actors to hide manipulated data in text or images to exploit vulnerabilities and execute malicious code without user knowledge.
A critical concern of unpatched vulnerabilities is data leakage, which refers to the unauthorized transmission of sensitive data from an organization to an external recipient. It is typically due to unencrypted connections, weak mobile security settings, or apps with excessive permissions that access and share user data without consent. Data leakage exposes personal or corporate data, which leads to privacy breaches and regulatory implications.
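The security misconfiguration risk listed above and the data leakage causes just described (unencrypted connections, weak security settings, excessive permissions) are visible in an Android app's manifest before the app ever ships. The following audit script is an added example, not code from the original page or from OWASP; it parses an AndroidManifest.xml and flags cleartext traffic, a missing network security config, a debuggable or backup-enabled application element, and dangerous permissions the app's stated function does not justify. The two manifests embedded in it are constructed for illustration, and the list of dangerous permissions is an assumed, illustrative subset rather than the platform's full set.

```python
"""Audit an AndroidManifest.xml for settings that commonly lead to data
leakage. Added example; the manifests below are constructed, not real apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualify an attribute name with the android: XML namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


# Illustrative subset of runtime ("dangerous") permissions that expose user data.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}


def audit_manifest(xml_text, expected_permissions=frozenset()):
    """Return a list of human-readable findings for the given manifest text.

    expected_permissions: dangerous permissions the app's function requires;
    any other dangerous permission it requests is reported as excessive.
    """
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]

    # Unencrypted connections: cleartext HTTP explicitly allowed.
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append("cleartext (unencrypted) network traffic allowed")
    # Weak security settings: no network security config pins the TLS policy.
    if app.get(a("networkSecurityConfig")) is None:
        findings.append("no networkSecurityConfig declared; platform defaults apply")
    if app.get(a("debuggable")) == "true":
        findings.append("application is debuggable")
    # allowBackup defaults to true, so an absent attribute is also reported.
    if app.get(a("allowBackup"), "true") == "true":
        findings.append("allowBackup enabled; app data is included in device backups")

    # Excessive permissions: dangerous permissions beyond the expected set.
    requested = {e.get(a("name")) for e in root.findall("uses-permission")}
    for perm in sorted((requested & DANGEROUS_PERMISSIONS) - set(expected_permissions)):
        findings.append(f"dangerous permission not justified by app function: {perm}")
    return findings


# Constructed sample: a note-taking app with leak-prone settings.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:usesCleartextTraffic="true" android:allowBackup="true">
  </application>
</manifest>"""

# Constructed sample: the same app with the settings corrected.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:usesCleartextTraffic="false"
               android:allowBackup="false"
               android:networkSecurityConfig="@xml/network_security_config">
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"[{label}]")
        for finding in audit_manifest(text) or ["no findings"]:
            print("  -", finding)
```

Run as a pre-release check in the build pipeline, the weak manifest yields five findings and the hardened one none; the `expected_permissions` argument lets a team record which dangerous permissions a given app legitimately needs so that only unexplained ones are reported.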