Tait, an outspoken researcher who has held stints at Google’s Project Zero and the U.K.’s GCHQ intelligence agency, said mobile platforms must immediately start providing improved “on-device observability” to help defenders cope with ongoing in-the-wild zero-day attacks.
There’s an enormous amount of exploited zero-day being detected in the wild and no device observability. This should be a wake-up call to all of the platform vendors. It’s deeply disturbing that we know that there’s massive amounts of zero-day being exploited against mobile platforms and we have no forensics on devices in order to collect this data
When you discover a new threat actor, one of the first things will do is they will go back and will look at an enormous pile of Windows binaries, and they will say, do any of these other binaries show similar artifacts because, maybe that’s malware that’s been used in the past.
Maybe there are other pieces of malware. This helps with attribution. It helps with detection. It helps with working out who the victims are, and it increases the cost of the attacker that these systems exist.
The problem at the moment is the platform vendors in the mobile space are actively obstructing some of the security features that we need. One of these is the ability to scan apps. We should be able to scan all applications in a given app store.
It should also be possible to install security agents on mobile devices and also do forensics. And this should be both post-compromise and also in anticipation of compromise
“Supply chain infections can only be fixed by platform vendors. The government is not coming to save you,” Tait declared, insisting that tech providers need to aggressively “de-privilege applications,” break permissions to entitlements, and impose auditing requirements on highly permissioned apps.
The supply chain attacks isn’t going to get fixed by a collection of international organizations. It’s not going to be fixed by a consortium of governments. The only way to tackle supply chain intrusions at the scale that’s needed is to fix the underlying technology.
The real fix, Tait insists, is for platform vendors to automate trust throughout computing but he acknowledges the problems will remain in place because technology changes sometimes conflict with “substantial business interests.”