May 2021. A Moroccan newspaper publishes an article reproducing some of the WhatsApp conversations that journalist Ignacio Cembrero had conducted with Spanish authorities. It is something that "grabbed my attention straight away and I came to the conclusion that they had read or had access to my WhatsApp messages," explains the editor, who specializes in the Maghreb, in 'A spy in your pocket', the new episode of the podcast 'Cuidado con las macros ocultas'. Two months after that first suspicion, Cembrero receives a call from the international research group Forbidden Stories confirming that his phone is among the 50,000 numbers hacked by Pegasus, a spyware developed by the Israeli company NSO and purchased by governments and state security forces to remotely infiltrate mobile devices. It is the same spyware at the center of the recent cyber-espionage scandal, in which it reportedly infected the cell phones of the Spanish Prime Minister and the Minister of Defense and of more than 60 Catalan and Basque pro-independence leaders.
«They had access to everything I had on my cell phone, from WhatsApp conversations and email, which is what most interested them, to all the private sections of photos and phonebook»
Since then, and following the advice of experts, Ignacio Cembrero has changed his cell phone and computer. Furthermore, he has protected them with different tools and has initiated a legal battle to identify those responsible for the espionage of which he has been a victim. Like him, heads of state, activists and other reporters have suffered this type of cyberattack. Even one of the richest people in the world, Amazon owner Jeff Bezos, has been the target of hacking, allegedly also through spyware. These stories are an example of how mobile devices have become the main entry point for cyber threats.
[Chart: First entry point for a cyberattack. Categories: company-owned server, corporate cloud server, corporate website, employee error, company mobile device, employee mobile device, supplier asset, Internet of Things owned by the company. Source: Hiscox 2021]
Are companies protecting mobile devices sufficiently?
There are two types of threats with the cell phone as an entry point, as highlighted by Hispasec CEO Fernando Ramírez in the Cuatroochenta podcast: those that aim to steal information, and those that focus on a person's importance or money. And although not everyone will be targeted by spy malware such as Pegasus, Ramírez stresses, there are other more widespread threats, such as a banking Trojan that tries to get hold of the second authentication factor.
«All the information we host on our mobile, from personal information to health or even access information to other platforms, such as the bank, is susceptible to being stolen through manipulation or a malicious virus.»
Ramírez feels that large companies, which have been investing in cybersecurity for some time, do take mobile security into account, but that other, smaller companies are not as advanced and have put it on the back burner. Although there is an increasing number of tools and controls to keep mobile devices safe, Ramírez reminds us that the first line of defense for any organization should be the security perimeter, since it is the gateway for cybercriminals. But what is that perimeter? Everything exposed, he points out, from public IPs to domains to email addresses.
«The user's first response should be not to trust any technology, an attitude also known as 'Zero Trust'. This basically assumes that we are going to be breached and that there is going to be malware inside our mobile capturing our information or visualizing what we have stored and, in that case, we take action about it.»