Mobile Security 2011
The mobile phone industry is a fascinating example of marketing gone mad. Cutting edge technology is no longer the domain of the geeks and nerds; it’s been pimped and accessorised.
A consumer-driven marketplace such as the smartphone industry has created new dynamics and expanded the reach of the internet, delivering social networking, business and entertainment to the user anytime, anywhere. The limitless technological potential and sparkling aesthetics can be captivating at times; however, the smartphone also serves as a platform to launch some of the most damaging and sophisticated attacks emerging today. The cunning militant will always know that the best time to strike is when their adversary’s attention is diverted elsewhere. While the world is busy choosing a smartphone to suit their guise, the criminals are effortlessly filling their pockets.
If you’ve ever had your phone lost or stolen, I share your frustration. Especially when that taxi driver bribes you to bring it back and later, looking through the media archive, you find pictures of an unknown middle-aged woman you can only assume was his wife. Lucky for me, this was in a time when the worst-case scenario was a lost contact list that I had not backed up.
The smartphones of today don’t just make calls and take pictures. They serve as handheld PCs and can potentially provide a thief with enough information about your online presence so that further theft of finances and identity can occur. If you haven’t already configured your phone to use password locking, encryption and remote wiping functionality – you should. It’s an absolute necessity to have these features if you store documents, emails or use financial and social networking applications. But this only protects you from physical theft. If your phone is stolen, you know about it. As with a stolen card, you can begin to take preventative measures such as cancelling numbers, changing passwords and notifying contacts. The greater risk is the clandestine threat, when you do not realise you are being watched and go about your business.
It should be no surprise by now that merely using a phone has its risks. Enabling Bluetooth on a device has led to many problems in the past that have enabled full compromise, as demonstrated by security researchers Kevin Finisterre and Thierry Zoller in their Bluetooth Hacking Revisited presentation. One encryption cipher used to provide privacy for GSM telephones, known as A5/1, has been successfully cracked. The result is that hackers can not only record your telephone conversations, but crack and tap your calls in real time. The scary thing is that this can be done from anywhere in the cell radius, meaning they can potentially listen in to a conversation kilometres away using cheap Motorola phones and open-source software.
The dangers of using public Wi-Fi networks for social networking were demonstrated by Eric Butler’s Firefox web browser extension called Firesheep. This extension exploited the fact that some sites only encrypt the actual login process, namely the username and password you provide. The website needs to remember who you are, and provides you with an authentication cookie which your browser uses from then on. The problem is that public Wi-Fi networks are unencrypted a lot of the time, and the remainder of your Facebook connection is also unencrypted. This means that someone can easily read the cookie from your HTTP traffic and use it to authenticate to the site, as you.
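A site owner can check for the weakness Firesheep relied on by auditing the headers the site returns at login. The following is an added example, not part of the original article: it flags session cookies issued without the Secure attribute and HTTPS responses that send no HSTS header. The hostnames, cookie values and the cookie-name heuristic are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample data: headers returned by two hypothetical login pages.
SAMPLE_RESPONSES = {
    "https://social.example/login": [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),
    ],
    "https://bank.example/login": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "sid=def456; Path=/; Secure; HttpOnly"),
    ],
}

# Assumption: cookies whose names contain these fragments carry the login state.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def audit_response(url, headers):
    """Return a list of findings for one HTTP response."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if url.startswith("https://") and not has_hsts:
        # Without HSTS the browser may follow a later http:// link to the site.
        findings.append("no HSTS header")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
                continue  # preference cookies such as 'lang' are not credentials
            if not morsel["secure"]:
                # The browser will attach this cookie to plain HTTP requests,
                # where anyone on the same open Wi-Fi network can read it.
                findings.append(f"cookie '{name}' lacks Secure")
            if not morsel["httponly"]:
                findings.append(f"cookie '{name}' lacks HttpOnly")
    return findings


def audit_all(responses):
    """Map each URL to its findings; an empty list means nothing was flagged."""
    return {url: audit_response(url, hdrs) for url, hdrs in responses.items()}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        print(url, "->", findings or "ok")
```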
The common fraudster typically needs your identity and financial information to steal funds from you. Social networking websites provide criminals with a platform for identity theft without breaking a sweat. A basic understanding of social engineering techniques will reveal full names, birthdays, phone numbers, family members and addresses in little time. These can often be obtained passively, without the knowledge of the target or their friends.
The next step is to get access to your smartphone. Malicious software, referred to as malware, needs to be planted on the phone and executed. This is a surprisingly easy step – anyone who jailbroke their iPod or iPhone did so using a vulnerability in the phone. It is a method similar to this that has delivered many computers and smartphones into the hands of the bad guys. The malware could be injected using a PDF document, an image on a website, an e-mail or even embedded in webpage code. While the PC and notebook fall victim to the same attacks, the smartphone is even more vulnerable due to sluggish software development and user naivety. Mobile phone application development is focused on functionality, not on security. The hype surrounding the app-race gives attackers another means of entry – App Stores. Cyber criminals can code apps which include malware with the aim of gaining anonymous and complete access to the data residing on the phone. This will become very popular as consumers move to jailbreak phones so that unsigned and unverified applications can be run.
Furthermore, simple security tasks such as patch management are commonly overlooked. I know a lot of users who may click to update an application on their notebook, but do not update the firmware on their phones. The lack of security awareness makes the mobile world a playground for those criminally motivated.
There is no solution to the current malware crisis in personal computers, so we won’t be stamping out problems in the smartphone realm in a hurry. What we can do is attempt to slow the growth of criminal networks by adhering to the same security practices as those applied to your notebook:
- Install firmware updates that resolve security issues.
- Always use strong passwords and stay vigilant with your email and web browsing.
- Always be extremely careful what information you provide on social networking sites.
- Configure websites containing personal or financial information to be encrypted for the entire session, if the site provides this functionality.
The onus is also on the manufacturers to provide a security process that allows users to easily respond to threats as they arise.
The security industry has been fighting an uphill battle tracking and dissolving malware-powered botnets. Hundreds of thousands of machines in Australia have been linked to many large criminal networks while the computer owners remain completely unaware. The smartphone market doesn’t just provide the soil in which criminal networks flourish, it fertilises them.
Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).
- Have an incident response plan.
- Pre-define your incident response team.
- Define your approach: watch and learn or contain and recover.
- Pre-distribute call cards.
- Forensic and incident response data capture.
- Get your users on-side.
- Know how to report crimes and engage law enforcement.
- Practice makes perfect.
I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.