Shopping for a deal on a new tablet or laptop? Bargain prices on devices might come with a heavy security cost as more mobile apps and devices are going to market preloaded with malware and viruses. This year’s security news has been sprinkled with stories of a seemingly increasing trend of tech vendors embedding security holes in their products.
It’s a troubling symptom of the diminishing control users have over their own privacy and security on the devices they own and apps they use. For enterprises, it’s a troubling prospect to open a company’s network to newly issued laptops or tablets or smartphones that contain hard-coded security flaws.
Compromised by Design
In February this year, Lenovo got in a publicity kerfuffle after it was discovered the company had installed self-signed certificates on Lenovo brand laptops. The motivation, Lenovo said in a statement, was to help users find “interesting” sites, even if they were visiting HTTPS encrypted sites. Security analysts and the tech media that covered the news pointed out that the self-signed certs leave those same customers open for Man-in-the-Middle attacks.
Just this month, Dell was discovered doing pretty much the same thing, installing an SSL certificate for “support purposes.” After a swift outcry from the media, Dell responded in a matter of days, apologizing and stating the company would issue a software update to remove the certificate if it had not already been manually removed.
It isn’t new that personal devices contain preinstalled viruses or malware. In 2012, laptops from China were found to be loaded with viruses out of the box. And last year, Lookout discovered Android devices preloaded with a form of malware dubbed DeathRing.
Recently, even trustworthy tech sources have been discovered vending compromised devices, as in the case of the Cloudsota Trojan. It was preinstalled on 17,000 Android tablets and sold through a number of selling platforms, including Amazon Marketplace.
The issue is spreading beyond physical devices to the apps and software they use, sometimes through the very app stores that are supposed to vend legitimate software. In 2013, the Google Play Store was found hosting apps that leaked personal information about users and prompted Trojan virus installs.
Once mostly an Android issue, now even the Apple App Store is not entirely immune. In October, a mobile threat research team discovered a virus in nearly 500 iOS apps that potentially infected two million devices. Granted, XcodeGhost — the name of the security flaw — was introduced in part due to developer negligence, and was limited to mostly East Asian countries. But the fact that it could happen on Apple devices is a startling new trend that will likely continue, considering Apple’s rising ownership of the mobile market.
How to Protect Yourself
For good consumer suggestions on mobile safety against embedded attacks, see Scott Matteson’s article in TechRepublic. For PCs (Macs included), it’s a good idea to set up an OS image to wipe and bootstrap a new laptop before using it. If the laptop has a rootkit, as in the Lenovo and Dell cases, it gets a little harder, but there are remediation options available.
For enterprises, the same rules apply, and mobile devices should be protected the same as any laptop. To do so means taking control of the network traffic for PCs and mobile devices, in the office and beyond. Even with a mobile device management (MDM) solution in place, DNS is in a perfect position to apply security on any devices that roam off an enterprise network.
It’s going to be a challenge for new app software and device hardware companies to maintain a trustworthy reputation if they purposefully undermine buyer security and privacy. How will consumers and enterprises know which software companies and device vendors to trust? And how should those vendors establish and maintain ongoing trust with their customers?