We live in a 24/7/365 connected world. Cell phones have evolved into smartphones (more powerful than your desktop PC was five years ago) and are an essential part of our every day personal, work, and social lives. We use these devices all the time - talking, texting, emailing, listening to music and streaming video, updating social network profiles, and taking photos; mixing work with pleasure. Today’s mobile workforce relies on these devices as much as they do their PCs, potentially exposing sensitive information:
- Communications – emails, SMS and MMS, conversations, etc
- Applications – soft authentication tokens, VPN, Bluetooth, GPS, etc
- Data – user names and passwords, credit card numbers, PINs, contact lists, attachments, documents, spreadsheets, or anything stored on the device
- Copyrighted materials – music, video, e-books, and other documents
- Smartphones such as the Droid, BlackBerry, iPhone, and Palm, are not the only problems; there are other mobile devices which pose significant threats:
- Personal media devices (Archos, iPods, Zen, Zune, etc)
- Netbooks (a mini version of your laptop)
- PDAs (slowly being replaced by smartphones but many still in use)
- Enterprise digital assistants (integrated barcode and RFID)
- Personal navigation devices (GPS devices)
Most of these devices can utilize flash media in addition to built in hard drives, which can be easily attached to any PC and used to transfer data to and from the memory card (similar to USB thumb drives and external hard drives). If the device has Wi-Fi, the user can simply send the information to another party or device and delete the data, leaving no trace they ever had the data in their possession. Some devices now have a built in recorders, which can be used to record meetings, public conversations, and even telephone conversations with a cheap adapter.
The threats discussed above are only a few of the many issues the modern age of technology poses. There are other, potentially more serious threats.
Eavesdropping
Consider the private conversations and information you routinely share when using your cell phone. How would you feel if someone was listening to your every word?
In December 2009, the risk level was greatly elevated when a German encryption expert was able to successfully crack the GSM code (encryption algorithm) used by more than 80% of the world’s cell phones (approximately three billion devices). This vulnerability allows a malicious individual to intercept voice calls on affected devices using the hack (which is now readily available on the Internet) an existing PC, and a small investment in some network equipment. Communications providers are scrambling for a stopgap fix while planning or budgeting for upgrades to current systems to support a new encryption algorithm. As if just connecting a smartphone to a PC wasn’t already risky, now you have to worry about private conversations being intercepted. Now you can see just how vulnerable cell phone conversations can be!
Cellular Spying
Since smartphones and other devices are essentially hand-held PCs, they are also subject to the same threats your desktops and laptop are exposed to. Imagine someone reading every text message or viewing your pictures and videos. It could be happening. Technology has given spies the ultimate listening device that has permeated throughout every organization. Software secretly loaded on cell phones now enables this nightmare.
Independent Verification
This capability has been independently verified. A software package was purchased and installed on an individual’s cell phone. At that point the individual went about their normal daily activities. Within minutes information began being collected and forwarded to the monitoring point we defined. The GPS location of the device was also available to the monitoring device and several emails were also copied and transferred as well as text messages in near real-time.
These cell phone software applications enable unscrupulous people to spy on compromised cell phones. Nothing is logged and the spy software leaves absolutely no trace of its existence or activity on the targets’ phone. Some of these cellular spying applications are so well crafted that they allow specific text messages to be sent to the phone that will cause the spyware to erase itself in order to avoid detection. Cell phone users and security professionals concerned about cellular spyware should monitor their phones' battery usage/life as that is the only indicator we can find of the phone being compromised. The only sure way to find out if there's a bug is to conduct cellular forensic analysis.
The average price for cellular spying software package is around $90 USD and it is widely available over the Internet. Spying applications are available for most of the popular cell phones including the iPhone and Blackberry. Right now the cellular spyware can only be installed onto a phone if it is physically connected to a computer. However, experts say it won't be long before cyber spying software will be remotely sent. In fact, there are rumors of a remote exploitation cellular spying application already.
Be Proactive
More now than ever, it is imperative organizations take proactive steps to reduce risk and exposure presented by a technologically-armed workforce. How? By implementing a security program based on best practices:
- Require encryption and password protection
- Utilizing GPOs/EPOs
- Performing audits of devices
- Providing recurring user awareness training
- Publishing Acceptable Use Policies and requiring user agreements
Individuals can also help protect such devices:
- Secure devices from loss, theft, and shoulder surfing while in public
- Label or brand devices to make it difficult to remove
- Utilize the security settings (many new security features are available)
- Regularly review data on mobile devices and delete unneeded, sensitive data
Being reactive and responding only when (or if) you find out there’s been an incident is no longer an option and could be costly to your organization. You need to take steps at all levels to proactively ensure not only your company’s information but also your client’s information is protected.
November, 2010
