Story highlights
Drive-by download attacks can come from malicious emails or web pages
An Android app can turn a smart phone into a hacking device within minutes
Personal information can then be at risk
Information security experts say many don't see smart phones as at risk
All the talk of phone-hacking this summer has brought the thorny issue of mobile device security to the forefront of the news agenda.
But even the most scurrilous hack of Fleet Street would be amazed at the talents of some of the dedicated hackers of cyberspace, who are now targeting mobile devices with great audacity.
Users of iPhones, iPads, BlackBerrys, Windows 7 phones and Android devices routinely connect to shared networks in public places, which leaves them all susceptible to infiltration. Unless these networks have been properly secured, freely available browser add-ons and apps can help hackers seize control of personal data at the touch of a button.
Meanwhile, so-called “drive-by download” attacks lie invisibly in wait on web pages or in malicious emails and then compromise the machine of anyone unfortunate enough to visit.
It means that the person using a laptop in a coffee shop may look like they are just checking their Facebook page, but they might just as easily be accessing yours. They could also be flicking through your contacts book, copying your email, or seizing your online banking details.
At 44Con, a recent security conference in London, a talk by Josh Pennell, the founder of the computer security consultancy IOActive, carried the teaser: “They watch you sleep, they watch you work, they hold all your personal and professional data, and they sacrifice security for performance and usability. Your mobile devices present attackers with a 24/7 threat surface (and don’t think the hackers haven’t noticed).”
None of the most popular devices are immune. In 2009, for instance, a hack resulted in 145,000 BlackBerry users having their email forwarded to servers in the United Arab Emirates. Pennell also described an attack on the network of an airport in Israel, which threatened anyone using Bluetooth in the terminal.
Pennell showed a battery charger that had been modified to serve as a hacking device, and even spoke of an attack on iPhone and iPad users that came through malicious code attached to bonus levels of Angry Birds.
According to a recent report, the success of Google’s Android operating system has resulted in a 400% increase in Android-specific malware since 2010.
Furthermore a commonly distributed app for Android called FaceNiff actually makes hacking possible through the handset itself.
After a simple download, a FaceNiff user can hijack any number of social media profiles over a Wi-Fi connection in a process that takes less than two minutes.
“Your Facebook or YouTube account could be hijacked with someone using little more than a cheap second-hand phone from eBay,” said information security professional Steve Lord.
For all the exceptional sophistication of attacks on mobile devices, however, sometimes the greatest risks to data leakage remain the most prosaic.
“We’ve seen executives leave laptops on buses or in the back of taxis,” said Matt Adams, a manager in Deloitte’s security and resilience team. “What they’re doing now is potentially leaving their mobile device behind, and those devices now can carry just as much data as the laptop did.”
Adams advises businesses on the specific challenges encountered when an executive buys a smart phone or an iPad and begins using it for business as well as pleasure.
Companies will usually have tightly managed internal networks, with firewalls, encryption and so on to secure their data. But once executives begin using their own devices and accessing networks elsewhere, the threats multiply significantly.
A recent YouGov study, for instance, found that only around 6% of mobile devices have even basic anti-virus software installed.
“Typically users haven’t learned to regard their mobile devices as the same risk,” Adams said.
In addition to the simple education of users, Adams advises businesses to develop clear policies governing user-owned devices to avoid difficult confrontations with staff if a device is lost, stolen or compromised.
“If users use a device that contains their personal phone book and treasured photos, and that device also contains sensitive business data, who gets the call on whether the whole of that device is erased?” he said. “That’s quite a tricky question in hindsight unless you’ve addressed it.”
Security experts have touted the idea of “split personality” phones, with an inbuilt division between personal and business data. Adams also ran through the pros and cons of mobile device management software, such as MobileIron, which allows businesses to keep a permanent inventory of their registered handsets and track them.
Such systems can manage passwords and encryption, and even cut down on expenses by finding the best roaming charges for devices overseas. However, some employees may feel that their privacy is jeopardized by software that essentially tracks their movements across the globe.
“It is a significant but manageable problem,” said Adams, adding that businesses are slowly beginning to talk more seriously about the key issues.
“I just hope we don’t see too many major security breaches caused by a failure to manage or use mobile devices properly.”