Mobile Security Guide 1/10 – Close the Doors
Whether it was nicked out of your bag by the office kleptomaniac, fell out of your pocket while climbing off the train, or was taken at gunpoint by a street thug, it doesn’t change the fact that losing a mobile phone really sucks. For some, the loss is financial, especially if the device was purchased on credit and not yet paid off. For others, losing the information that was stored on the phone is far more devastating than losing the device itself. This series of articles deals with mobile device and data security, identifying the types of threats that exist, the attack vectors that are used and vulnerabilities that are commonly exploited. It also highlights the various countermeasures and preventative measures that can be employed by any person who values their mobile device and the private information stored on, or accessible through, that device.
Close the doors (and the windows too)
The act of closing a door doesn’t provide as much protection as locking it, but it is a necessary first step. Locking a door while it is still open usually prevents the door from closing at all and that is arguably a worse position to be in. A closed door looks virtually the same as a locked door from the outside, and the perception that the door is locked is often a powerful enough deterrent. An open door, on the other hand, looks more like an open invitation to an opportunistic criminal. In cyberspace as in the real world, it is only a matter of time before a vulnerability (open door) is discovered and exploited. In the real world, someone would need to pass by or be in the vicinity to notice the open door, and would then need to stick around until an opportunity presents itself or return at a later time and seize the moment. In either case, the would-be burglar is personally at risk of being detected and caught. In cyberspace, your adversary doesn’t need to be near you at all, not even on the same continent as you, to be able to detect open doors and windows, gain entry and steal whatever is available. Like his real-world counterpart, the cybercriminal cannot immediately differentiate between a closed door and a locked one without a closer inspection, and given the vast number of open doors to be found, by simply closing yours you stand a good chance of avoiding closer scrutiny. We call this security through obscurity and it is your first line of defense. Let’s start closing those doors, shall we?
Turn off your device’s Wi-Fi facility when you’re not using it. Apart from the power saving benefits, this will reduce your exposure to a range of wireless threats. Cybercrooks can access your information relatively easily (and without your knowledge) if your connection is not secure. To ensure your connection is secure you should always connect to wireless networks using the highest level of security available (which is probably WPA2 on most modern devices). Connecting to unknown, open wireless networks is incredibly risky, and will increase your vulnerability to attack. By limiting your use of unsecured hotspots to web surfing or online activities that don’t involve you having to provide confidential information, you will probably evade any identity theft attempts, but you will still be vulnerable to a horde of other malicious threats. You should definitely not make purchases, conduct online banking transactions or engage in any communication that conveys a password, account number or credit card number unless you are connected to a secure network. This type of information is exactly what cybercriminals are after and they’ll be able to pick it out of the air on an unsecured connection. When you’re away from your home or work network, use your 3G or 4G data connection instead because the traffic is usually encrypted by the network operator and is far more complicated and costly for a cybercriminal to intercept.
It took me no longer than 30 minutes to find 24 Wi-Fi hacking and Wi-Fi password cracking apps on the internet – all of which were free, seemed easy to use and, at the time of writing, all seemed to do the trick. Here are screenshots of those apps:
As with wireless connectivity, your phone’s Bluetooth functionality should also be turned off when you’re not using it. Many devices are preset to use default settings that allow other users with a little knowledge to connect to your device, even without your knowledge. Cybercriminals could potentially access your device and copy files, or gain access to other devices that are attached to your Bluetooth device. Additionally, hackers could potentially identify what networks you’ve previously connected to, and with that information could quite easily spoof (masquerade as) those networks and fool your device into connecting to them. Once connected, your device is “pwned” – a hacker could deploy malware, steal your data or monitor your communications and location. You wouldn’t know.
NFC or near field communication is a relatively new technology that enables devices to communicate with one another (or transfer data and files) simply by having the two devices in close proximity to one another. According to McAfee “it’s possible for attackers to use technologies that allow them to eavesdrop on your payments or steal and transmit your credentials by extending the range of the wireless signal. Your data may also be manipulated or corrupted by an attacker” (for more see How to Keep Crooks Out of Your ‘Mobile Wallet’).
Downloading software to your device is a potentially dangerous exercise (from a device security point of view) unless you can ensure that the software in question is safe. How often have you been told about (or read about) a new app that you really want, and without further consideration you point your device’s web browser to the website mentioned and click on a download link? If the answer is ‘never’ then you’re on the right track. If ‘all the time’ comes to mind then you’re at great risk and your device may already be infected with some form of malicious software and you might want to consider debugging your device.
If you really think about it, which is more efficient: trying to remotely identify each individual target, bypass their security measures and hack their devices, or creating a number of basic websites featuring products or offering content that appeals to a wide range of users, then sitting back while those users click on links that download malicious software onto the host device and give a person remote access? To me, the latter seems preferable for many reasons. If you treat links with caution and check where they lead before clicking them then you’re that much more secure. It makes no difference whether they’re sent to you in an email, in an SMS message, or if you encounter them on a web page: think before you click. Many mobile antivirus and security apps can verify link destinations and will warn of potential threats. You should consider enabling any such feature if it exists. The next best thing is to manually check the link destination (try hovering over the link and looking in the status bar at the bottom of the page, or change the mode of your browser to text-only so that you can see the actual link on screen).
Attachments to emails or other electronic messages can be used to send you malicious software with the hope that you will open the attachment and activate whatever payload was included. Attachments such as images, video, spreadsheets and documents that one might expect from work colleagues, suppliers, customers, friends and family are reasonably safe and generally ok to open. I’ve used the words “reasonably” safe and “generally” ok to open because it is possible to include scripts or macros in documents, for example, that can exploit vulnerabilities in the applications that are commonly used to open such documents. Other methods of deploying malicious software as an attachment include compressing executable files into archives that typically have the file extension .zip or .rar. For a comprehensive list of file extensions see this page of archived file formats and executable file formats.
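To show what inspecting an archive before opening it can look like, here is an added example (not from the original article) that lists a .zip attachment's contents without extracting them and reports executables, including ones hiding behind a document-style name or inside a nested zip. The extension sets, the size limit and the names `audit_zip` and `build_sample` are assumptions made for this sketch, not the linked lists the article refers to.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Short illustrative lists (constructed for this example, not the page's linked lists).
EXECUTABLE = {".exe", ".scr", ".bat", ".cmd", ".msi", ".js", ".vbs", ".jar", ".apk"}
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MAX_NESTED = 10 * 1024 * 1024  # assumed limit: do not unpack larger nested archives

def build_sample():
    """Constructed attachment: a photo, a disguised executable and a nested zip."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("setup.apk", b"placeholder")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("photo.jpg", b"placeholder")
        zf.writestr("invoice.pdf.exe", b"placeholder")
        zf.writestr("docs/extra.zip", inner.getvalue())
    return outer.getvalue()

def audit_zip(data, depth=0):
    """Return [(member, reason)] for entries that should not be opened blindly."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable zip")]
    with zf:
        for info in zf.infolist():
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext in EXECUTABLE:
                # "invoice.pdf.exe" relies on viewers that hide the last extension.
                decoy = suffixes[-2] if len(suffixes) > 1 and suffixes[-2] in DECOY else ""
                reason = f"executable disguised as {decoy}" if decoy else "executable"
                findings.append((info.filename, reason))
            elif ext == ".zip" and depth < 2 and info.file_size <= MAX_NESTED:
                # Look inside nested zips, bounded in depth and size.
                for name, reason in audit_zip(zf.read(info), depth + 1):
                    findings.append((f"{info.filename}!{name}", reason))
            elif ext in {".zip", ".rar", ".7z"}:
                findings.append((info.filename, "nested archive not inspected"))
    return findings
```

An empty result only means no member matched these lists; documents carrying scripts or macros, as described above, are not detected by a name check.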
Part 2 deals with Locking the doors and ensuring proper access control to your device and the data that is physically stored on it or in the cloud. Part 3 will look into guarding the doors and measures to deter, delay and detect attempted breaches. For now, keep safe and take care.