Back in 2012, smartphones were exploited through their Google Wallet apps, letting a hacker remotely hack the phone to clear the phone's memory and create a new PIN so that the attacker could begin to use the wallet. In late September 2013, researchers presented a new hack which could block calls and messages to Motorola phones by responding to them before the recipient can. And phone hacking has been used for more than just stealing credentials. A British surveillance mission hacked into a Belgian phone network recently, as disclosed by Edward Snowden.
With the revelations from Snowden of the National Security Agency’s capabilities to listen in on calls, as well as the increase of mobile devices in the workplace, the danger that somebody could be intercepting your communications is only growing.
What’s at stake:
Stolen data. Compromised communications. Network-wide security leaks.
There’s more than one way an adversary could be intercepting your messages and calls: Whether it’s before, after, or during the transmission, any loss of data could be potentially disastrous.
“Surveillance is different from hacking,” says James C. Foster, CEO and co-founder of Riskive, a security startup based in Baltimore, MD. “If you don’t own the entire transmission communication path it’s going to be really difficult for you to control end to end security. You can be on your locked down corporate network, with all the right endpoint protection, but you don’t own the channel. It’s still going across a publicly available communication network.”
With surveillance, your transmission is intercepted by means of the radio waves it travels over. Though it’s technically illegal, it’s also extremely difficult to detect. And while your carrier may provide some form of encryption, most standard cell network cryptography has long since been cracked.
But there are other forms of attack that pursue your device so that surveillance can be enabled remotely. Take Trojans, a common form of malware: they install themselves on a system under the appearance of a safe program while actually creating a backdoor for the attacker to siphon information.
“The main thing we’re seeing are remote access Trojans,” says JD Sherry, VP of Technology and Solutions at Trend Micro, a security software vendor. “Once the app becomes a remote access Trojan calling out to command and control servers, you can’t discern the communications [to unexpected recipients] going out from that device.”
Such apps could be asking for, and receiving, access to contacts, calendars, microphones, video cameras, keystrokes, and stored content. The result can be that an unknown party could see that you have a board meeting at 2 p.m. on a Wednesday and trigger your phone to record the meeting at that time, without you ever noticing, and then order the phone to attach the recording to an email and send it on when done.
The digital intruders can read your emails and text messages and listen to your voicemails.
So how do you make sure no one’s hiding in your phone?
Be safe or be sorry. Use layers of security to lock down your data and communications as tightly as possible.
“Files, messages, voice conversations, can be grabbed out of the air much more easily than people understand,” says Vic Hyder, COO at Silent Circle, a provider of encrypted communications software. “And it’s more prevalent; we’re carrying so much information on these devices it’s a viable business to go and break into people’s information.”
Practice good mobile hygiene. “The best thing, the absolute best thing, and the first thing, is consider digital hygiene and making sure [employees are] keeping their devices clean,” says Hyder, as in clean of viruses or other forms of malicious code. “Once you break down in your digital hygiene and you get dirty you can’t get clean and that device basically becomes a throwaway,” he says.
Take baby steps. Experts all stress that even before you move on to more sophisticated means of protection, such as encryption, following through on basic measures, such as using a passcode lock on your phone, is critical. Install antivirus software to keep detectable malware off your device. Make use of web reputation technology, which evaluates the safety of links and sites. Products fitting this bill are offered by Webroot and Trend Micro. Loaded onto your phone, these software packages can help keep you from clicking on a suspect link (which might download malware to your phone) that you could encounter on Facebook or Twitter.
Clean out the cupboard. Consider what needs to be on your phone, and what doesn’t. “Be smart about what you store and what you transmit, what you send and how you send it and whether it’s being stored,” says James Foster, CEO and co-founder of Riskive, a security startup based in Baltimore, MD. “If data is so sensitive that losing it or having it compromised is no option, don’t put it on your phone.”
Consider your OS. Though BlackBerry was once considered to be the pinnacle of mobile security in the enterprise, that ship has since become a wreck at the bottom of the sea. Today, the two main options are devices that run on either Apple’s iOS or Google’s Android system. “In general, you have a more locked-down environment with Apple than Android,” says Foster. “It’s more difficult to run an app that will harm your underlying OS in iOS.” Unlike Android apps, apps that make it to Apple’s app store go through a fairly comprehensive screening process before approval. Still, neither is foolproof. “A lot of people hold Apple in higher esteem with regard to security because they have quite a bit of vetting that is involved to ensure that applications are doing the right thing,” says Sean Ginevan, director of business development at MobileIron, a mobile IT vendor. “But there was recently some research where people successfully managed to create Trojan horse type attacks and have them go through legitimate apps on the app store.”
Analyze apps. Mobile app reputation software, such as Appthority, can help analyze the safety of the programs your employees are using. And, although sophisticated malware can remain hidden from an antivirus program, advanced malware protection kits can analyze the patterns of network behavior, so that if a device seems to be connecting to an unusual or potentially malicious server, it can be flagged for review.
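The network-behavior check described above, and the command-and-control callouts Sherry mentions earlier, can be approximated from ordinary flow logs. The following is an added sketch, not code from any vendor named in this article: it flags a device that contacts a destination on a near-constant timer when almost no other device in the fleet talks to that destination. The record format, thresholds and host names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

def flag_beacons(flows, min_events=5, max_cv=0.1, max_devices=1):
    """Return (device, dest, mean_gap_s, cv) for rare, clock-like destinations."""
    times = defaultdict(list)      # (device, dest) -> timestamps
    devices = defaultdict(set)     # dest -> devices that contacted it
    for ts, device, dest in flows:
        times[(device, dest)].append(ts)
        devices[dest].add(device)

    flagged = []
    for (device, dest), stamps in sorted(times.items()):
        if len(stamps) < min_events or len(devices[dest]) > max_devices:
            continue               # too little data, or common across the fleet
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg    # coefficient of variation: low = regular timer
        if cv <= max_cv:
            flagged.append((device, dest, round(avg), round(cv, 3)))
    return flagged

# Constructed flow records (epoch seconds, device, destination); all names are placeholders.
SAMPLE_FLOWS = (
    [(t, "phone-a", "cdn.rare-host.example") for t in (0, 301, 599, 902, 1200, 1498)]
    + [(t, d, "mail.corp.example") for d in ("phone-a", "phone-b", "phone-c") for t in range(0, 1800, 300)]
    + [(t, "phone-b", "news.example.org") for t in (50, 400, 460, 2000, 2100, 5000)]
)

if __name__ == "__main__":
    for device, dest, gap, cv in flag_beacons(SAMPLE_FLOWS):
        print(f"review {device}: {dest} every ~{gap}s (cv={cv})")
```

Regular polling of a mail server that the whole fleet uses is skipped by the prevalence check, and irregular browsing is skipped by the jitter check; only the combination of rare and clock-like is queued for review.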
Be careful about Wi-Fi connections. Unless you turn it off, your smartphone is continually on the search for a Wi-Fi network to connect to. But not all networks are as secure as your in-office corporate network. Some, such as the free public Wi-Fi you might find at a Starbucks, are open to any attackers who may be sniffing around for an easy attack. Experts warn that once you’ve connected to such a network, your phone will automatically connect to it again when it is detected. “If I were a relatively sophisticated attacker I’d create a honey pot, an access point designed to look like AT&T, that is really taking all your data and siphoning it off,” says Ginevan. The “honey pot” describes the false network, which, under the guise of legitimacy, lures in victims. Software such as AnchorFree’s HotSpot Shield provides users with a secure virtual private network no matter where they’re browsing.
Encrypt the message. Even if you can’t stop, or detect, surveillance, you can encrypt your communications so that even if someone does manage to get hold of them, they won’t be able to understand what they say. Silent Circle provides encrypted phone and video calling, as well as text messages, for mobile phones; the service operates over VoIP. Keys are generated at the beginning of the call: one person dials, and the other person’s key meets with the dialer’s to exchange keys and open the channel. At the end of the call, the keys are deleted, with new keys exchanged over the course of the call every 20 seconds to a minute to ensure the security of the line. “There’s nothing sitting out there where someone could grab that key and use it for the next call,” says Hyder. Silent Circle’s service also includes a “burn function” that allows the sender of the messages to delete them at any time.
Is your identity “strong”? You have to “err on the side of users doing something wrong,” according to Ginevan. Most users, no matter how careful they might be most of the time, are likely to slip up at some point by clicking the wrong link, failing to update their antivirus protection, or anything else. Strong device identity ensures that both sides in an online transaction are legitimate before allowing it to proceed. Man-in-the-middle and phishing attacks are meant to decrypt a session and steal a user’s password, but with certificate-based authentication, some of these attacks can be more easily mitigated.
If methods of surveillance and attack are growing more sophisticated, they’re only following the lead of mobile devices and their users. A billion people will own a connected device in the next few years, according to Forrester. For malware manufacturers, that means millions more in potential revenue.
“The attack vectors through mobile phones are becoming quite easy for miscreants,” says JD Sherry, VP of Technology and Solutions at Trend Micro, a security software vendor, referring not only to novel methods of attack, but to the general ignorance many users have of such attacks when it comes to their phones, not their PCs. “And on average, many users in corporate America own nearly three devices, most often not protected with the core basics around antivirus or firewall or privacy settings.”
The problem isn’t simply that attacks are growing more numerous, and more advanced, but that as mobile devices become a more integral part of business operations, more and more sensitive corporate information becomes accessible through those devices.
“The shift we’re seeing with our customers is a desire to push towards building mobile apps that access lots of back end data, including personal identification data,” says Sean Ginevan, director of business development at MobileIron, a mobile IT vendor. “As the profile of smartphones and tablets rises in enterprise, without the right controls for data loss and prevention, we may see stories [of major data loss] more frequently.”
And hackers know that the best way to get someone to click on a piece of bad code is by making it look like something legitimate. Sometimes, even a site that is, in fact, legitimate can be compromised.
“One of the methods that bad actors are using to target mobile phones and all devices for that matter are waterhole attacks,” says Sherry.
In such attacks, code is injected into a website address that can redirect the visitor to another site. At that site, the visitor will pick up, unknowingly, code intended to perform malicious acts.
“If you’re an individual on a mobile phone and you go to nbc.com you think it’s a known, good site. But as end-users come with unprotected devices [the hackers] can inject malicious code into the browser on that phone,” Sherry says.
In the most sensitive cases, you may want to put the phone away altogether. You can never be sure that the data that it’s storing or sending isn’t being read or picked off.
“If you're carrying one of these devices, you’re accepting a certain amount of risk,” says Vic Hyder, COO at Silent Circle, a provider of encrypted communications software. “If there is information that you have that cannot be let out, you really shouldn’t put it on one of these devices that’s connecting to cell towers and wireless networks.”
Amy Lee is a business and technology reporter for CruxialCIO. She has written on technology for the Huffington Post and is a 2010 graduate of Yale University in English and writing.