The last few years have seen breaches of unprecedented scale as organizations like Sony and the U.S. Office of Personnel Management have been compromised, but the cyber-war of 2016 will take place on smartphones, suggests a new report from HP Enterprise.
"Mobile devices and apps are the way in which users access the internet and web services," said HPE Security Products SVP Sue Barsamian in a phone interview with NBC News. "If you're an attacker and you're looking at places to go where people are likely to be participating in e-commerce, submitting personal information, that is a great category of apps to go after."
Attackers have long relied on vulnerabilities that have been known for years but are still effective: the most exploited vulnerability of 2015 was one first used by Stuxnet more than five years earlier. Mobile devices, however, offer a wealth of fresh opportunity in the form of hastily submitted apps downloaded by millions of people who only occasionally install even critical updates.
"A lot of times these apps are rushed out and not required to pass a security scan or standard before they go out," said Barsamian.
That's not a big problem when Candy Crush has a score-tracking bug, but if it's a banking or shopping app with a critical security oversight, it makes for a juicy target.
Seventy-five percent of the mobile applications scanned by the researchers had at least one "critical or high-severity" vulnerability, and such apps frequently handle personal and sensitive information.
And while the bugs that make headlines, think "Heartbleed" and "Shellshock", are serious indeed, they tend to be fixed in a hurry. More obscure bugs can linger for years because the process of getting a patch from the vendor to the device can be arduous and complicated.
"So there's a vulnerability in Samsung Exynos processors, right?" said HPE Security's Jewel Timpe. "Now you get into the fact that in mobile device patching, there are so many people involved in that, it gets so complicated."
The result is that flaws quietly go unpatched for years, though not so quietly that attackers can't exploit them now and then. That lets them not only write malware for Android and iOS devices but also mount coordinated attacks on targets such as ATM networks.
But security at the app level is where the most improvement can be made, said Barsamian.
"Regardless of the path an attacker takes, at the end of the day they go through an application in almost all cases," she said. "Standards around apps, the security standards they adhere to, and standards around the protection and encryption of the processes and the data itself are really important."
Laws and regulations help, but fears of international cyberwar have begun to hamstring the "white hat" hackers who help companies and governments keep ahead of the bad guys. The Wassenaar Arrangement, under which dozens of countries coordinate export controls on conventional arms and dual-use goods and technologies, was amended to add controls on "intrusion software," bringing security tools within its scope.
"Security research is massively global, and this regulation massively complicates things," said Timpe. "It adds a layer of complexity to the point where people are opting out of participating."
A few broad but well-designed acts of regulation, the researchers suggested, could help establish useful security standards around the world, whether the app is developed in the U.S. and used in Syria, or vice versa.