Smartphones have made it a whole lot easier for hackers to exploit and steal personal information, without the user even knowing their smartphone has been compromised.
During today's ITWeb Security Summit, being held at the Sandton Convention Centre, Dr Charlie Miller, principal analyst for software security at Independent Security Evaluators, provided an overview of the past, present, and future trends around smartphone security.
Miller is a former researcher for the US National Security Agency, and was the first person to hack into the Apple iPhone and G1 Android smartphone.
“Mobile phones are no longer just phones anymore. They have evolved into small computers that have the capability to store lots of personal and corporate information.”
Miller explained that unlike laptops, smartphones have become an always-on, always-connected mobile device. However, he cautions that smartphones provide an easy access point for hackers to break into and steal valuable information.
“Users rely a lot on the mobile phone vendors to do the right thing when they design the smartphone. But the truth is there is not much a user can do to protect their mobile phone.”
Just about any personal information can be extracted from a user's smartphone, including contacts, phone numbers, voicemails, SMS messages, photographs, videos, Web credentials, passwords as well as cookies, which enable a criminal to view online banking details.
“It's easier to hack into a smartphone than to break into a PC or laptop,” Miller noted. “Smartphones float outside of corporate firewalls, away from the protection of network security systems and proxies. And most smartphones don't have anti-virus software built into them or have their operating systems updated frequently.”
Silent takeover
Miller pointed out that smartphone hacks are difficult to detect and it's more challenging to complete a forensics test on a smartphone than a PC. “Even somewhat technology-savvy users can look at the directory listings of their PC to detect irregularities, but with smartphones, unless you are a hardcore hacker, it's much harder to find out if your phone has been compromised.”
“In fact, with GPS built-in smartphones, attackers can track where the user is, where they've been and access the maps they've looked at. Another problem is that users are not trained to protect data on their phones and there are not a lot of security products available for mobile phones.”
Miller examined security vulnerabilities between the Apple iPhone and Google Android smartphone. He explained that both devices use sandbox technology, which is a security mechanism for separating running applications on the device. It provides a space to heavily restrict applications and also limits what applications are allowed to do.
According to Miller, Apple has enforced rules where all developers' code must be signed and approved by Apple and all applications for the iPhone and iPad needs to come from the Apple App Store.
Every iPhone application resides in the same sandbox and they all access the Internet. Where Android differs, explained Miller, is that applications reside in different sandboxes and allows the user to define browser permissions for the app.
Deadly SMS
During Miller's research, he found a Windows Mobile bug that allows attacks to take over and compromise the smartphone.
Miller added: “In 2009, myself and Collin Mulliner demonstrated a remote exploit over SMS. SMS is the perfect attack vector because unlike attacking a Web browser, no user interaction is required. The user cannot block or turn off an SMS. The attack is queued by the mobile operator while the phone is off, and when the phone is turned on again, the SMS enables the attacker to take over the phone.”
In the future, Miller predicted, mobile operating systems will automatically receive all the anti-exploitation protection systems found in desktop operating systems.
“It will become standard for mobile phones to have security products with features such as anti-virus, firewalls and anti-phishing. Encryption will become ubiquitous with encrypted storage devices and mandatory screen blocks.”
Miller concluded: “The way the iPhone is set up right now, there's no way for the big security vendors to develop anti-viruses for the iPhone. The only way is for Apple to work with the main security vendors; which in the near future, is unlikely.”
Share