As organizations continue to adapt to life in the age of COVID-19, smartphones are set to take on additional responsibilities – even as the security limitations of these devices become ever more evident. Below, I’ve highlighted five key trends that are set to shape mobile security in 2021.
Trend 1: Continuous authentication via smartphone will emerge as a viable option.
For many organizations, the push to remote work in response to the pandemic added greater urgency to their plans to implement a zero-trust cybersecurity posture, of which digital identity is an important piece. But solving the identity piece at scale involves tradeoffs. Solutions that leverage users’ smartphones are relatively easy to roll out, but one-time passwords delivered via authenticator apps or SMS messages have shown themselves to be easy prey for hackers. Security keys and biometric readers offer more robust security but are generally more expensive and can be a pain for IT staff and users alike.
For these reasons, I believe we’ll see a greater push for continuous multifactor authentication (CMFA) via smartphones. CMFA involves validating in real time that a user is who they say they are, using a number of different behavioral and identity traits to determine access to enterprise systems. As such, CMFA promises to provide strong identity assurance while remaining largely invisible to users. Though this concept is still in its early stages of maturity, with much of the work focusing on the public sector, I expect that to change in 2021 and beyond.
Trend 2: Smartphones will be relied upon heavily for COVID-19 compliance.
It’s fair to say that contract tracing via smartphone has largely been a flop. There are several reasons for this, not the least of which is a lack of buy-in from a critical mass of the general population. Such efforts also create false positives resulting from not just location inaccuracies but from the inability to take into consideration real-world conditions like the presence of physical barriers between individuals.
But in an office environment, some of these issues can be mitigated, as companies have greater visibility and control of the environment and can mandate buy-in from employees. The accounting and finance firm PwC rolled out such a system for one of its workplaces to make sure that employees didn’t get too close to one another while on company property.
Beyond tracking distance, smartphones can serve as hubs for employees’ health passes, with vaccine status, recent COVID-19 test results and even self-reported symptom checks used to clear employees before allowing entry into their places of work. Besides minimizing company liability and sick days, such systems will enable organizations to lure remote workers back into the office. For these reasons, I expect smartphones to be used heavily for COVID-19 compliance in 2021.
Trend 3: The smartphones of those in the national security community will be heavily targeted.
Between the 2014 cyberattack of the US Office of Personnel Management and the more recent SolarWinds hack, it’s clear that our biggest adversaries have an interest in learning as much as they can about our national security apparatus and the people in it. With a new presidential administration in 2021, foreign nation-states will no doubt be looking for as much intel as possible in order to figure out how to play their hands.
Because smartphones serve as digital witnesses to users’ locations, conversations and other highly personal information, it follows that our adversaries will heavily target smartphones at many levels of government. We know, based on China’s likely involvement in a massive smartphone spying program targeting Uyghur Muslims within the Chinese state of Xinjiang, that the country is more than capable of finding rare zero-day smartphone vulnerabilities and then weaponizing them at scale. I wouldn’t be surprised to see such a campaign targeting the national security community in the coming months.
Trend 4: Threat actors will use deepfake voice in vishing attempts targeting remote workers.
The massive work-from-anywhere push of 2020 was a field day for threat actors, who took advantage of operating environments beset by security shortcuts, organizational confusion and worker distraction to launch social engineering attacks against employees. One such attack type, vishing (voice phishing), gained prominence in the now-infamous Twitter hack in July, when hackers posing as IT staff called up customer service reps and tricked some of them into giving up access to an important internal tool. Vishing has subsequently been used to target dozens of companies, including banks, cryptocurrency exchanges and web hosting firms.
For 2021, I see this trend not just ramping up but getting more sophisticated, specifically with threat actors using deepfake voice – synthetic voice created using machine learning – to fool targets in real time. This technique was apparently used in 2019, when a scammer posing as the chief executive of a parent company successfully convinced the CEO of a subsidiary company to send funds to a purported supplier. As the tools for creating deepfake voice get further democratized by the day, it’s only a matter of time before threat actors adopt this technique against remote workers, who by definition can’t easily walk down the hall to verify requests for funds, credentials or sensitive information.
Trend 5: There will be a renewed debate around smartphone security.
Apple’s iOS, which has long been considered the most secure of the major smartphone platforms, has started to show its cracks. In 2020 alone, we’ve seen at least two sets of iOS zero-day vulnerabilities that were used or believed to have been used in the wild, including one set of three bugs that allowed attackers to remotely compromise iPhones. We’ve also seen reduced bounties for most iOS exploits, indicating a glut of these types of bugs. And each major iOS release seems to be rockier than the last, likely due to a focus on delivering features at the expense of stability and security.
As we are set to pour even more of our lives into our smartphones in the year ahead, it’s worth asking if these devices are up to the task of keeping our information safe. I believe this is a debate that will come to the forefront in 2021.
Given the dominance of iOS and Android, and given the many failed attempts by upstart competitors to build secure smartphones, I believe that security innovation will necessarily have to work in tandem with the major players. Today, this means security keys and audio masking devices. Tomorrow, this may mean bifurcated sensing and compute capabilities. Whatever the case may be, the current trajectory of mobile security is due for a course correction.