Security Issues With Smartphones

Tuesday, December 8, 2009 2:51
Posted in category Computer Security

The use of smartphones has led to a whole new set of security issues. Since there is no standard definition of a smartphone, for the purpose of this article and for future reference, I will use the term to mean a mobile phone that provides advanced capabilities similar to those found on a personal computer. These capabilities can include internet access, e-mail, downloadable applications and even e-book reading capabilities. As time goes by, as with all technology, the capabilities of smartphones will increase and change just as they do for computers.

Smartphones are basically becoming mini-computers, which leads to the question of whether they should be secured like computers. In my opinion, the answer is “Yes.” Smartphones such as the Blackberry, the iPhone and now the Droid, which allow users to access the web, check e-mail, download and install applications, etc., are attacked in the same way as computers.

Security Issues

How many of you use your smartphones to connect to the internet using a public hotspot (wireless internet connection)? Most of the public hotspots found in some cities, at restaurants, bookstores and other public locations are unencrypted. This means the information you are sending across the network connection can easily be gathered and read by a knowledgeable attacker. There are a variety of software tools on the internet that allow attackers to gather such information even if they do not have the programming skills to write the software themselves. The attacker just needs to have some technical knowledge and the ability to learn how to use the available tools.

By intercepting such information as the username and password for your e-mail account, website accounts, on-line banking accounts or other bill-paying accounts, the attacker can do whatever you are capable of doing on those accounts. Even if you have an SSL connection to on-line banking, bill-paying and other accounts, an attack can be made using a method called man in the middle. An attacker basically sits (figuratively) between you and your internet connection, forcing your information to go through the attacker’s computer before the attacker forwards it on to the public hotspot or internet connection. By doing this, the attacker can capture all the information before it actually makes the SSL connection with the site you are trying to log in to. Even with an SSL connection, especially in a public hotspot, your sensitive information can be captured and read.
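The exposure described above can be checked from the defender's side. The following is an added example, not part of the original article: it audits a login page for the places where credentials would travel before any SSL connection exists. The host bank.example, the function names and the sample page are assumptions constructed for illustration, and the Strict-Transport-Security header check goes beyond what the article mentions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormScanner(HTMLParser):
    """Collects the action URL of every form that contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.current_action = None
        self.has_password = False
        self.password_form_targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page's own URL.
            self.current_action = urljoin(self.page_url, attrs.get("action") or "")
            self.has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current_action is not None:
            if self.has_password:
                self.password_form_targets.append(self.current_action)
            self.current_action = None

def audit_login_page(page_url, headers, html):
    """Return a list of findings describing where credentials are exposed."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page served over plain HTTP: an interceptor can rewrite it")
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    for target in scanner.password_form_targets:
        if urlparse(target).scheme != "https":
            findings.append(f"password form submits in cleartext to {target}")
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browser may start on HTTP")
    return findings

# Constructed sample (hypothetical site): login page fetched and submitted over HTTP.
SAMPLE_URL = "http://bank.example/login"
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_HTML = """<form action="/session" method="post">
<input type="text" name="user"><input type="password" name="pw"></form>"""
SAMPLE_FINDINGS = audit_login_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML)
```

A page that is served over HTTPS, posts its password form to an HTTPS URL and sends the header produces an empty findings list.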

Other security issues include the availability of applications that can be downloaded from the internet and installed on your cell or smartphone. These applications have a variety of capabilities, including remote access to the phone, which allows the attacker to turn your phone into a remote listening device. Some even allow the attacker to have remote access to your e-mails, voicemail, text messages and other related information. Using GPS to determine your location is also possible with some of the software. Currently, the software usually requires hands-on access to your phone but requires less than 10 minutes to install and set up. Be careful who uses or has access to your phone. For additional information regarding this issue, read “Security and Your Mobile Phone”.

Other threats to your smartphone parallel computer threats and include such things as viruses, worms and trojans which spread through e-mail attachments. I even read about one attack method that allowed the attacker to use Bluetooth to attack phone users within a very limited distance of the attacker, usually less than 20 feet.

Hijacking “jailbroken” phones is even easier. A jailbroken iPhone is one that has been modified so the phone user can download and install software that is not authorized by Apple. Installing these unknown and untested applications means that a variety of security features had to be bypassed. By jailbreaking the iPhone, the user is now also running as root, which gives complete access to the operating system and, in turn, gives an attacker access to everything on the iPhone. For additional details regarding the dangers of having administrative rights, refer to my article entitled “Reducing Security Holes in Administrative Rights”.

One threat that I have not mentioned, and that is different from what you usually experience with your computer, is that it is much easier to lose your phone than it is your computer. If you think it is easy to lose a laptop when traveling, just think about the size difference between a laptop and a smartphone and how easy it will be to lose a smartphone. What information is on the phone that you would not want just anybody to gain access to?

The Good News

Currently, attacks on most smartphones are what are called targeted attacks. Targeted attacks are basically attacks against one phone or one individual, as opposed to the virus and worm attacks that currently spread from computer to computer across a network with ease. Also, it appears from most research that attacking smartphones presents more problems for attackers than attacking regular computers. Of course, in time, attackers will overcome these obstacles. It is best to start preparing now.

Protecting the Smartphone

Several things can be done right now to improve security on your smartphone. Password protect the phone, keep current on security updates for the operating system on the phone, be careful what applications you download and install on the phone, and most of all, enable security features that are on your smartphone.

The security features built into a smartphone vary, so read the documentation and/or seek customer support to help you decide which security measures to enable and to walk you through enabling them. Fewer than a quarter of users enable any of the security features that are on their smartphone.

Also, look into identifying encryption applications for your particular type of smartphone. Encryption applications for these devices should provide what is called end-to-end encryption, which will encrypt the traffic from your phone to the server that you are trying to connect to. This type of encryption will protect against the threats when using public hotspots and against man-in-the-middle attacks. This type of encryption software is not readily available for all phones, but in time this will change. I will continue to research security applications for smartphones, and when I develop a good list of such security applications, I will write another article to highlight them for you.

For now, enable the security features on your phone and be careful what you use your smartphone for and what accounts you use it to access. If you have experience with any of the security features on your phone, leave a comment and share it with other readers.
