Mobile devices are an essential part of our lives and work. Laptops, for example, allow people to go online, access work resources, solve issues remotely, and do any task they would normally do at their desk almost anywhere on the planet.
The problem IT admins have with laptops is that securing these devices can be a bit of a headache. An organization might have a very good patch management and vulnerability assessment policy, but that policy may be hard to enforce on devices like laptops because they may not be connected to the network when assessments are made. Laptops are great when you’re on the move, but most people find workstations more comfortable to use. This means that unless they need to transfer data from their laptop to the office network, that laptop might not be connected to the corporate network for quite some time – missing out on important vulnerability assessments and critical patch updates.
Laptops are a great target for malicious attackers, and some really sophisticated methods are being used. The DarkHotel story, which you can read on Wired, is really interesting. Kernel-level keyloggers and properly signed malware are rare, as the article points out; however, it does highlight an attack vector that is an obvious choice for an attacker.
What do I mean? Those of us who work in this industry, a job that requires us to be available at all times in case of emergencies, regardless of where we are, will always try to connect to any open access point to get internet access. How many times have you been at an airport or in a hotel and have NOT tried to connect to a wireless access point? I’d say the majority will say ‘never’. Even if there are no emergencies we still feel we need to be proactive and be ready. Work aside, we still want to be connected: to stay up to date on what is happening, to communicate with family, co-workers and friends, to check email, update our social media profiles or simply to pass the time.
I am stating the obvious, but that’s the point I’m trying to make. It’s also obvious to attackers that people are going to try and connect to open access points. That’s a nice target. If they can infect a company-owned laptop, they might hit the big jackpot. It’s not that hard to pull off; you don’t really need a kernel-level module or a signed piece of malware to succeed. An attacker can mimic a genuine access point and, once you’ve connected, redirect you to their malicious page. They can ask you to install a client to get access to the internet, or try to exploit a browser vulnerability and install malware without user intervention. It’s not unusual for hotel / airport access points to redirect us to a gateway webpage, so the redirect itself raises no suspicion. Signed or not, most people will not question an agent installation request, and this is why it’s the perfect way in for an attacker.
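A client-side check against the access-point mimicry described above, as an added example that is not part of the original post. It assumes a laptop keeps a profile of each SSID it has joined (the constructed `KNOWN_NETWORKS` table) and compares every scanned AP against it: a familiar SSID that reappears with a new BSSID or with its encryption gone is flagged rather than auto-joined. The scan results are constructed sample data, not real captures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    """One access point as seen in a Wi-Fi scan."""
    ssid: str
    bssid: str
    security: str  # "WPA2", "WPA3", "OPEN", ...


# Constructed allowlist: what the laptop learned when it first joined each SSID.
KNOWN_NETWORKS = {
    "CorpWiFi": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "security": "WPA2"},
    "HotelGuest": {"bssids": {"de:ad:be:ef:00:10"}, "security": "OPEN"},
}


def classify_ap(obs: ApObservation, known: dict = KNOWN_NETWORKS) -> str:
    """Compare a scanned AP with the stored profile for its SSID.

    A known SSID that suddenly shows a different BSSID, or that has dropped
    from WPA2 to open, matches the mimicry described in the post; the client
    should not join it automatically.
    """
    profile = known.get(obs.ssid)
    if profile is None:
        return "unknown"
    if obs.security != profile["security"]:
        return "suspicious: security changed"
    if obs.bssid.lower() not in profile["bssids"]:
        return "suspicious: unexpected bssid"
    return "known"


def review_scan(scan: list[ApObservation]) -> list[str]:
    """Return one alert line per AP that should block automatic connection."""
    return [f"{obs.ssid} ({obs.bssid}): {verdict}"
            for obs in scan if (verdict := classify_ap(obs)).startswith("suspicious")]


# Constructed scan: the genuine CorpWiFi plus an open clone on a new BSSID.
SAMPLE_SCAN = [
    ApObservation("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2"),
    ApObservation("CorpWiFi", "02:11:22:33:44:55", "OPEN"),
    ApObservation("HotelGuest", "de:ad:be:ef:00:10", "OPEN"),
    ApObservation("FreeAirportWiFi", "02:aa:aa:aa:aa:aa", "OPEN"),
]

if __name__ == "__main__":
    for line in review_scan(SAMPLE_SCAN):
        print(line)
```

An SSID with no stored profile is reported as "unknown" rather than suspicious; the decision to join such a network still belongs to the user or to policy.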
It’s also a very good reason why business laptops should be properly secured and checked for vulnerabilities and missing patches regularly. Security professionals are aware of this, and a good patch and vulnerability management solution will have functionality to manage devices that are not always connected to the network. These devices need to be protected, and that protection should not stop at the office door. An employee typing their credentials on a laptop with a keylogger installed by someone on the other side of the world will bring your security efforts to nothing; the effect is just as bad as if it were a workstation in the building. No VPN and no encryption can protect you against that breach.