COUNTERING A HIDDEN AND GROWING SECURITY THREAT
by Martin Clancy, Head of Marketing, Afilias Technologies
With an estimated annual cost of €45.3 billion in lost sales, counterfeit and non-standard devices pose a real threat to business, consumers, and regulators. The risks to data security, network quality of service, brand reputation, and health and safety have yet to be quantified. According to the European Union's Intellectual Property Office, an estimated 184 million fake mobile units enter the market every year.
In this article, I will show how serious this growing threat is and how wide its potential security impacts are, and propose some methods to counter it.
Fakes are hard to spot, easy to get
At Afilias, our research on counterfeit devices shows that highly convincing devices are an attack vector in their own right. They’re readily available via eCommerce sites that offer attractive pricing for both redistributors and individuals. Packaging and physical aspects of fake devices are note-perfect: all accessories are present and functional, making them virtually indistinguishable from the genuine item.
However, with retail prices up to ten times lower than those of the real devices, counterfeiters cut costs in many different areas. Components such as the system on a chip, screen, camera, cellular connectivity, Wi-Fi antenna and fingerprint sensor are below spec, completely faked, or entirely missing. Fake fingerprint sensors that accept any fingerprint or touch, and counterfeit face ID implementations, present a direct risk to users' security and data.
Security concerns: unwanted extras
While the hardware on counterfeit devices falls short of the genuine article, the software often comes with unwanted extras. The devices run heavily customized older versions of Android that receive no security updates. Pre-installed, unremovable malware is routine, ranging from invasive adware to key loggers, DDoS hosts, and cryptolocker viruses. In many cases activation is delayed for several weeks, until the user has been lulled into a false sense of security. During our testing, a counterfeit device contacted a command and control centre, downloaded instructions and attempted to infect our network drives with the CryptoWall virus.
Malware is an intrinsic part of the business model used by counterfeiters to increase their margins above and beyond sales of the physical devices. Among other fake devices, I have an iPhone that runs Android, with a fake app store that simulates the real Apple App Store.
The apps are of unknown provenance and are inherently unsafe. They pose a high risk of capturing authentication details. Everything that an app relies on in a counterfeit operating system must be assumed to be unsafe: authentication details may leak, and requests to back-end platforms can be intercepted. Connected over Wi-Fi, such a device can affect everybody on a corporate LAN, and the same applies on a cellular network. Everything the counterfeit device touches is impacted.
Identifying counterfeit and non-standard devices is complex. Afilias’ solution, called DeviceAssure, considers three distinct layers of functionality in smartphones:
- Hardware: the foundation of the device, including the CPU, the GPU and the cellular radio.
- Operating system: the platform that runs the applications.
- Apps: the software that people interact with.
By performing a deep hardware inspection via a library that can be embedded in an app or website, data can quickly be gathered for analysis and sent to a back-end service for comparison with known-good profiles of the device it claims to be. A determination can be made in near real time, and the result can be sent back to the user or used to enforce a policy at the server level.
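As an added illustration of the layered comparison just described (this is not DeviceAssure code; the reference profile, attribute names, policy thresholds and sample device reports are all constructed for the example), the following Python sketch shows a back-end that compares a device's self-reported hardware and OS attributes against a known-good profile for the model it claims to be, lists every mismatch, and maps the result to a server-side policy action. It also covers the software-layer point made earlier: a device whose OS version strings look right but whose hardware and security patch level do not is treated as suspect.

```python
"""Server-side check of a device's self-reported profile against a
known-good reference for the model it claims to be.

Added illustration, not DeviceAssure's implementation: the reference
profile, attribute names, thresholds and sample reports are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed known-good reference profile, keyed by the model string the
# device reports. Values are what a genuine unit of that model exposes.
KNOWN_GOOD = {
    "ExampleCo Phone 9": {
        "hardware": {
            "soc": "ExampleSoC 880",
            "cpu_cores": 8,
            "gpu": "ExampleGPU 660",
            "ram_mb": 8192,
            "cellular_bands": {"LTE-B1", "LTE-B3", "LTE-B7", "LTE-B20"},
        },
        "os": {
            "android_release": "13",
            "build_fingerprint_prefix": "ExampleCo/phone9/phone9:13/",
        },
    },
}

# Policy threshold (assumed): a security patch level older than this is
# treated as unpatched even when the rest of the profile is consistent.
MIN_PATCH_DATE = date(2023, 1, 1)


@dataclass
class Verdict:
    claimed_model: str
    verdict: str                      # "genuine", "suspect" or "unknown_model"
    mismatches: list = field(default_factory=list)
    action: str = "allow"             # "allow", "step_up_auth" or "block"


def _parse_patch_date(value):
    """Return a date for a 'YYYY-MM-DD' patch string, or None if malformed."""
    try:
        year, month, day = (int(x) for x in value.split("-"))
        return date(year, month, day)
    except (AttributeError, ValueError):
        return None


def assess_device(report):
    """Compare a device report (a dict built from what an embedded
    inspection library collected) with the known-good profile it claims."""
    model = report.get("model", "")
    ref = KNOWN_GOOD.get(model)
    if ref is None:
        # No reference profile: cannot vouch for it, so ask for stronger auth.
        return Verdict(model, "unknown_model", action="step_up_auth")

    mismatches = []
    hw, ref_hw = report.get("hardware", {}), ref["hardware"]
    for key in ("soc", "cpu_cores", "gpu"):
        if hw.get(key) != ref_hw[key]:
            mismatches.append(f"hardware.{key}: got {hw.get(key)!r}, "
                              f"expected {ref_hw[key]!r}")
    # RAM: counterfeits often ship far less memory than advertised. A 10%
    # tolerance covers memory the OS reserves and does not report.
    if hw.get("ram_mb", 0) < ref_hw["ram_mb"] * 0.9:
        mismatches.append(f"hardware.ram_mb: got {hw.get('ram_mb')!r}, "
                          f"expected about {ref_hw['ram_mb']}")
    # Cellular radio: a genuine unit supports at least the reference bands.
    missing = ref_hw["cellular_bands"] - set(hw.get("cellular_bands", []))
    if missing:
        mismatches.append(f"hardware.cellular_bands: missing {sorted(missing)}")

    os_, ref_os = report.get("os", {}), ref["os"]
    if os_.get("android_release") != ref_os["android_release"]:
        mismatches.append(f"os.android_release: got "
                          f"{os_.get('android_release')!r}")
    if not os_.get("build_fingerprint", "").startswith(
            ref_os["build_fingerprint_prefix"]):
        mismatches.append("os.build_fingerprint: does not match reference")
    patch = _parse_patch_date(os_.get("security_patch"))
    if patch is None or patch < MIN_PATCH_DATE:
        mismatches.append(f"os.security_patch: stale or absent "
                          f"({os_.get('security_patch')!r})")

    if not mismatches:
        return Verdict(model, "genuine", action="allow")
    # Hardware mismatches are the strongest signal: OS strings are trivially
    # edited in a custom firmware, but a wrong SoC or radio cannot be hidden
    # from a deep inspection. A stale patch on consistent hardware is a
    # policy problem rather than evidence of counterfeiting.
    hardware_issue = any(m.startswith("hardware.") for m in mismatches)
    return Verdict(model, "suspect", mismatches,
                   "block" if hardware_issue else "step_up_auth")


# Constructed sample reports: one genuine unit, one counterfeit whose
# firmware copies the genuine version strings but not the hardware.
GENUINE_REPORT = {
    "model": "ExampleCo Phone 9",
    "hardware": {"soc": "ExampleSoC 880", "cpu_cores": 8,
                 "gpu": "ExampleGPU 660", "ram_mb": 7600,
                 "cellular_bands": ["LTE-B1", "LTE-B3", "LTE-B7",
                                    "LTE-B20", "LTE-B28"]},
    "os": {"android_release": "13",
           "build_fingerprint": "ExampleCo/phone9/phone9:13/TQ3A.230805.001/"
                                "1234:user/release-keys",
           "security_patch": "2023-08-05"},
}
FAKE_REPORT = {
    "model": "ExampleCo Phone 9",
    "hardware": {"soc": "GenericSoC 6580", "cpu_cores": 4,
                 "gpu": "ExampleGPU 660", "ram_mb": 1024,
                 "cellular_bands": ["LTE-B1", "LTE-B3"]},
    "os": {"android_release": "13",
           "build_fingerprint": "ExampleCo/phone9/phone9:13/COPY/1:user/"
                                "test-keys",
           "security_patch": "2019-05-05"},
}

if __name__ == "__main__":
    for name, report in (("genuine", GENUINE_REPORT), ("fake", FAKE_REPORT)):
        v = assess_device(report)
        print(name, v.verdict, v.action)
        for m in v.mismatches:
            print("  -", m)
```

The comparison runs on the server on purpose: a client-side verdict can be faked by the same firmware that fakes the version strings, so the device is only trusted to report raw attributes, and the decision, the reference profiles and the policy thresholds stay out of its reach. A production profile would carry many more attributes per layer than the handful shown here.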
The threat of counterfeit devices should be on every security professional’s radar. The scale of the problem has already hit the headlines. The potential security risk is that it only takes one counterfeit device to do serious harm.
In summary, consider these three takeaways:
- Counterfeit devices are here.
- They present a real security risk to users.
- With the right tools, organizations can ensure the security of their networks and their customers' data.
Martin Clancy is Head of Marketing at Afilias, where he leads marketing for Afilias' mobile and internet products and services, including DeviceAssure and DeviceAtlas, which is now the world's leading provider of mobile device intelligence. Martin can be reached online (@device_atlas, @device_assure) and via https://deviceassure.com and https://deviceatlas.com