The Mobile Business Guide to
Mobile Security
A whole mini-industry has developed around the threat of mobile phone viruses. An equally vocal set of critics say it’s all hype designed to sucker us into buying anti-virus products and services.
And how about Bluetooth – too useful to ignore, too risky for prime time? We’ve trawled through the perceived problems of mobile security to provide a crib sheet of the key issues that your customers might ask about.
The problem with technology is that the more successful it gets, the more seductive it becomes. And during a seduction, it’s all too easy to lose sight of the mundane, irritating details: the big picture is just too much fun to worry about the day-to-day stuff.
So we’re in love with our mobile phones, and the cleverer the phone the more desirable it is. We stuff it with important personal information, and maybe it holds our business life too. We love the way it can store dates, notes, perhaps spreadsheets and whole documents. Bluetooth is so cool, USB syncing is a breeze. How could we ever manage without it?
Well, it’s entirely possible that we may have to find out. Read on for a rundown of the risks ...
So we’re in love with our mobile phones, and the cleverer the phone the more desirable it is. We stuff it with important personal information, and maybe it holds our business life too. We love the way it can store dates, notes, perhaps spreadsheets and whole documents. Bluetooth is so cool, USB syncing is a breeze. How could we ever manage without it?
Well, it’s entirely possible that we may have to find out. Read on for a rundown of the risks ...
Bluetooth
When it’s set to discoverable mode, a Bluetooth phone sends a signal indicating that it’s available to pair with another Bluetooth gadget and transmit data back and forth. In theory an attacker who detects this signal could attempt to pair with you; at the least this might mean you receiving a few unsolicited messages (“Bluejacking”) but it could mean reading information stored on your device without you knowing (“Bluesnarfing”) . Beyond that, a Bluetooth attack could be used to install a virus, or to distribute a virus to contacts in your addressbook. Most Bluetooth attacks tend to be pretty jokey, largely because of the kind of information individuals keep on their phones, but business users would be well advised to keep Bluetooth set to “non-discoverable” when they’re not using it. A strong PIN code will also be harder to crack.
Cloning
Encryption (see below) is used to make sure that it is almost impossible to read the cell phone number and related information when sending information. It’s extremely difficult for anyone to ‘piggyback’ on your calls.
Eavesdropping
With modern digital-technology mobile phones it’s almost impossible for another person to listen into a call – not entirely impossible, but a lot of computing power and probably a good deal of luck would be needed to beat the encryption that digital phones use. The encryption works by automatically picking a key that is used in an equation which compresses the audio signal. The encrypted key is sent to the base station tower so the cell tower knows how to decode the conversation. Even if someone with a gismo like a police scanner can find the channel and the time slice you are using, they would need to find the encryption code to make sense of the signal.
Radiation
Mobile phones emit electromagnetic waves when establishing a connection, and it’s basically the same radiation as a microwave oven produces. Radiation can cause problems with cells in the body and lead to nasty things like cancer, though the danger of the problem is related to the amount of power and the frequency of the radio signal. Most scientific studies have not found any clear indication of short and medium term health hazards, though longer-term problems are suggested by adverse effects of weak microwave radiation on biological tissue in non-human lab testing. The health and safety standards required of handsets and cell towers are pretty stringent and will err on the conservative. So is a mobile phone likely to fry your brain? Probably not … But it still makes sense to play safe by minimising phone use, especially for the very young. And there are small clip-on or plug-in suppressors that effectively minimise electromagnetic emissions from the speaker and prevent them from reaching the head area. Well worth stocking.
Smishing
This is phishing via SMS. Phishing is masquerading as a trustworthy person or business in an electronic communication in order to fraudulently acquire sensitive information or to install viruses or spyware. It’s typically carried out using email or an instant message, although voicemails have been used as well – and now comes SMS, with messages along these lines: “We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com”. Clicking on that link eventually installs the malware or the virus.
That (faked) example came from anti-virus specialist McAfee, which has reported a real-life example from Spain called VBS/Eliles.A. It sends smish messages free of charge through the SMS Gateways run by the mobile phone operator and attempts to trick the victim into downloading what purports to be free anti-virus software.
Spyware
Since Windows is highly susceptible to spyware, it’s highly likely that Windows Mobile too will be attacked. A spyware app isn’t a virus; it’s a program which arrives sneakily (usually via an email attachment or as a result of a website visit) and silently tracks your surfing behaviour to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. With more web work being done from smartphones, it’s only a matter of time before Windows Mobile is targeted. One solution is SpyBot-S&D; this specialist anti-spyware tool has been one of our favourites on the PC for years, and for Windows Mobile it also detects and removes some viruses as well. There’s also a Spybot-S&D for Symbian; that covers UIQ phones, with Symbian Series 60 and 90 promised soon. More info and free download (you’re invited to make a donation) at www.safer-networking.org. You may have to hunt around on the ‘downloads’ page to find the mobile phone versions, or try reading all about them under ‘news’.
Theft
The biggest single issue with mobiles is the number stolen – around 10,000 every month, with two thirds of the victims aged between 13 and 16 (the peak age for offenders is also 16). Practical measures to recommend include …
• registering the phone with the police database at www.immobilise.com
• using the security lock if the phone has one (most do – show the purchaser where it is)
• changing the SIM PIN code. Unlike many other PINs – credit and debit cards, for instance – there will be a simple default code that is set by the service provider … and it’s often turned off by default.
• recording details of the electronic serial number (ESN) and the IMEI number (type *#06# to find it)
• buying phone insurance, or at least checking that their normal home contents insurance would cover a phone away from the premises.
As we report on p10, the Mobile Industry Crime Action Forum (MICAF) and mobile phone industry leaders have just launched an industry charter detailing objectives and initiatives to help reduce mobile phone crime. The five networks have pledged that 80% of stolen handsets will be blocked within 48 hours of being reported stolen to their home network.
Some interesting options are appearing for business users. Take Synchronica’s Mobile Manager mobile phone management software for Windows Mobile smartphones; as soon as their owners report the loss, a signal can be sent from a central location to remotely lock and wipe data from the phone. And if the phone has been stolen, companies can also turn on the Synchronica Scream Feature, causing an annoying and embarrassing high pitched wail to be emitted from the stolen device. It’s available direct, or Orange is offering this to business customers at £10 per month.
Used phones
The memory in discarded or resold smartphones can easily still be loaded with sensitive personal or corporate information-a sample of ten used phones bought on eBay by the US mobile security software provider Trust Digital produced nearly 27,000 pages of data. The problem is that flash memory (which is ubiquitous because it’s cheap) isn’t completely wiped until the user performs a hard reset, and that’s not necessarily easy or obvious to do. If you are going to resell a phone, though, it might be worth the effort.
When it’s set to discoverable mode, a Bluetooth phone sends a signal indicating that it’s available to pair with another Bluetooth gadget and transmit data back and forth. In theory an attacker who detects this signal could attempt to pair with you; at the least this might mean you receiving a few unsolicited messages (“Bluejacking”) but it could mean reading information stored on your device without you knowing (“Bluesnarfing”) . Beyond that, a Bluetooth attack could be used to install a virus, or to distribute a virus to contacts in your addressbook. Most Bluetooth attacks tend to be pretty jokey, largely because of the kind of information individuals keep on their phones, but business users would be well advised to keep Bluetooth set to “non-discoverable” when they’re not using it. A strong PIN code will also be harder to crack.
Cloning
Encryption (see below) is used to make sure that it is almost impossible to read the cell phone number and related information when sending information. It’s extremely difficult for anyone to ‘piggyback’ on your calls.
Eavesdropping
With modern digital-technology mobile phones it’s almost impossible for another person to listen into a call – not entirely impossible, but a lot of computing power and probably a good deal of luck would be needed to beat the encryption that digital phones use. The encryption works by automatically picking a key that is used in an equation which compresses the audio signal. The encrypted key is sent to the base station tower so the cell tower knows how to decode the conversation. Even if someone with a gismo like a police scanner can find the channel and the time slice you are using, they would need to find the encryption code to make sense of the signal.
Radiation
Mobile phones emit electromagnetic waves when establishing a connection, and it’s basically the same radiation as a microwave oven produces. Radiation can cause problems with cells in the body and lead to nasty things like cancer, though the danger of the problem is related to the amount of power and the frequency of the radio signal. Most scientific studies have not found any clear indication of short and medium term health hazards, though longer-term problems are suggested by adverse effects of weak microwave radiation on biological tissue in non-human lab testing. The health and safety standards required of handsets and cell towers are pretty stringent and will err on the conservative. So is a mobile phone likely to fry your brain? Probably not … But it still makes sense to play safe by minimising phone use, especially for the very young. And there are small clip-on or plug-in suppressors that effectively minimise electromagnetic emissions from the speaker and prevent them from reaching the head area. Well worth stocking.
Smishing
This is phishing via SMS. Phishing is masquerading as a trustworthy person or business in an electronic communication in order to fraudulently acquire sensitive information or to install viruses or spyware. It’s typically carried out using email or an instant message, although voicemails have been used as well – and now comes SMS, with messages along these lines: “We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com”. Clicking on that link eventually installs the malware or the virus.
That (faked) example came from anti-virus specialist McAfee, which has reported a real-life example from Spain called VBS/Eliles.A. It sends smish messages free of charge through the SMS Gateways run by the mobile phone operator and attempts to trick the victim into downloading what purports to be free anti-virus software.
Spyware
Since Windows is highly susceptible to spyware, it’s highly likely that Windows Mobile too will be attacked. A spyware app isn’t a virus; it’s a program which arrives sneakily (usually via an email attachment or as a result of a website visit) and silently tracks your surfing behaviour to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. With more web work being done from smartphones, it’s only a matter of time before Windows Mobile is targeted. One solution is SpyBot-S&D; this specialist anti-spyware tool has been one of our favourites on the PC for years, and for Windows Mobile it also detects and removes some viruses as well. There’s also a Spybot-S&D for Symbian; that covers UIQ phones, with Symbian Series 60 and 90 promised soon. More info and free download (you’re invited to make a donation) at www.safer-networking.org. You may have to hunt around on the ‘downloads’ page to find the mobile phone versions, or try reading all about them under ‘news’.
Theft
The biggest single issue with mobiles is the number stolen – around 10,000 every month, with two thirds of the victims aged between 13 and 16 (the peak age for offenders is also 16). Practical measures to recommend include …
• registering the phone with the police database at www.immobilise.com
• using the security lock if the phone has one (most do – show the purchaser where it is)
• changing the SIM PIN code. Unlike many other PINs – credit and debit cards, for instance – there will be a simple default code that is set by the service provider … and it’s often turned off by default.
• recording details of the electronic serial number (ESN) and the IMEI number (type *#06# to find it)
• buying phone insurance, or at least checking that their normal home contents insurance would cover a phone away from the premises.
As we report on p10, the Mobile Industry Crime Action Forum (MICAF) and mobile phone industry leaders have just launched an industry charter detailing objectives and initiatives to help reduce mobile phone crime. The five networks have pledged that 80% of stolen handsets will be blocked within 48 hours of being reported stolen to their home network.
Some interesting options are appearing for business users. Take Synchronica’s Mobile Manager mobile phone management software for Windows Mobile smartphones; as soon as their owners report the loss, a signal can be sent from a central location to remotely lock and wipe data from the phone. And if the phone has been stolen, companies can also turn on the Synchronica Scream Feature, causing an annoying and embarrassing high pitched wail to be emitted from the stolen device. It’s available direct, or Orange is offering this to business customers at £10 per month.
Used phones
The memory in discarded or resold smartphones can easily still be loaded with sensitive personal or corporate information-a sample of ten used phones bought on eBay by the US mobile security software provider Trust Digital produced nearly 27,000 pages of data. The problem is that flash memory (which is ubiquitous because it’s cheap) isn’t completely wiped until the user performs a hard reset, and that’s not necessarily easy or obvious to do. If you are going to resell a phone, though, it might be worth the effort.
"As handsets have become more advanced and open to meet customer needs, both the sophistication and proliferation of the mobile viruses has become an issue"
Viruses
There are now a few hundred viruses out there (320 at the last count) and most target Symbian phones (312 of them). Sounds heavy, but in fact there have been very few reported infections. Most of them are Trojan horses (programs which appear to be something good, but actually conceals something bad) and they require a user to receive a file via Bluetooth and then run it; this usually requires the active complicity of the user and so is unlikely to happen.
So the anti-virus vendors are regularly accused of hyping the threats. F-Secure, for instance, has signed a deal with Orange UK to provide security for the operator’s smartphones; Phil Iley, head of product management at Orange, said “As handsets have become more advanced and open to meet customer needs, both the sophistication and proliferation of the mobile viruses has become an issue. Having witnessed a growing number of cases on our network we worked with F-Secure to be the first operator to proactively offer mobile virus protection – enabling our customers to protect information stored on their smartphones should they wish to do so.”
The announcement persuaded Simon Perry, European vice president of security for software and services company CA, to issue a very strong statement. “F-Secure is saying there’s a huge risk of malcode spreading, but they’ve built this up … They’ve consistently pushed this message. But it’s a theoretical, not a real, threat.”
“Let’s be clear; while there have been between 70 and 80 examples of malcode that will infect a smart phone platform, none have been found spreading wildly in the general population of phones. None are anything but ‘proof of concept’ viruses. None could ever spread as far nor as fast as an attack against the usual PC platform. None ever will.”
“Why? Because the mobile phone platform itself does not share the same characteristics with a PC that make the PC so vulnerable. The challenge for security professionals as well as the general computer user (professional and consumer) is to stay educated on the real security threats and risks we face as technology becomes more ubiquitous in our lives.”
Not strong enough? How about “Dig below the skin, and the message stops sounding pithy and starts smelling rather rotten. At the core of the rot is the mostly undeniable fact that there is no threat to protect against.”
CA’s view is that the risk of such attacks spreading around smartphones is minimal because of a lack of interoperability between platforms and phone models.
“While F-Secure’s bankers and owners may be pleased with the cash flowing into their coffers from the deal, every security professional should be appalled by the perception this creates of our market,” Perry concluded. “Industry and vendors are now more consultative and honest about risks, not just beating something up to sell it. F-Secure has done the industry a disservice.”
And finally: “My advice to any Orange customer is simple: Don’t believe the hype, and keep the £1.50 a month the ‘protection service’ will cost you in your pocket. It’ll be far more useful spent at the greengrocers than wasted with Orange.”
F-Secure agrees that there’s no “mass problem for all consumers” but is working on the better-safe-than-sorry principle. Kaspersky Labs, another well-known anti-virus company, agrees: “Malware for smartphones is now evolving, and seems likely to become a growing threat as smart phones gain popularity,” the company said in a statement announcing the launch of a beta anti-virus product for Symbian-powered cell phones.
Meanwhile there’s a lot of mutual back-scratching going on. Nokia is preloading Series 60-based smartphones with Symantec’s Mobile Security software. Sony Ericsson has a try-before-you-buy version of McAfee’s VirusScan Mobile on the P990i and M600i.
Coming soon
A new set of security standards called the Mobile Security Specification has been agreed by major industry players. Billed as the basis for a new generation of secure phones and mobile devices that will be considerably more secure, the standards represent the first time that common security specifications for all handheld devices have been agreed. They require protected information to be stored in a secure area of the phone; this can be used to ensure that the phone’s operating system, applications and data have not been tampered with. The networks can also use it to kill off phones that have been stolen. The downside? It could be years before these standards become universal”if they ever do.
There are now a few hundred viruses out there (320 at the last count) and most target Symbian phones (312 of them). Sounds heavy, but in fact there have been very few reported infections. Most of them are Trojan horses (programs which appear to be something good, but actually conceals something bad) and they require a user to receive a file via Bluetooth and then run it; this usually requires the active complicity of the user and so is unlikely to happen.
So the anti-virus vendors are regularly accused of hyping the threats. F-Secure, for instance, has signed a deal with Orange UK to provide security for the operator’s smartphones; Phil Iley, head of product management at Orange, said “As handsets have become more advanced and open to meet customer needs, both the sophistication and proliferation of the mobile viruses has become an issue. Having witnessed a growing number of cases on our network we worked with F-Secure to be the first operator to proactively offer mobile virus protection – enabling our customers to protect information stored on their smartphones should they wish to do so.”
The announcement persuaded Simon Perry, European vice president of security for software and services company CA, to issue a very strong statement. “F-Secure is saying there’s a huge risk of malcode spreading, but they’ve built this up … They’ve consistently pushed this message. But it’s a theoretical, not a real, threat.”
“Let’s be clear; while there have been between 70 and 80 examples of malcode that will infect a smart phone platform, none have been found spreading wildly in the general population of phones. None are anything but ‘proof of concept’ viruses. None could ever spread as far nor as fast as an attack against the usual PC platform. None ever will.”
“Why? Because the mobile phone platform itself does not share the same characteristics with a PC that make the PC so vulnerable. The challenge for security professionals as well as the general computer user (professional and consumer) is to stay educated on the real security threats and risks we face as technology becomes more ubiquitous in our lives.”
Not strong enough? How about “Dig below the skin, and the message stops sounding pithy and starts smelling rather rotten. At the core of the rot is the mostly undeniable fact that there is no threat to protect against.”
CA’s view is that the risk of such attacks spreading around smartphones is minimal because of a lack of interoperability between platforms and phone models.
“While F-Secure’s bankers and owners may be pleased with the cash flowing into their coffers from the deal, every security professional should be appalled by the perception this creates of our market,” Perry concluded. “Industry and vendors are now more consultative and honest about risks, not just beating something up to sell it. F-Secure has done the industry a disservice.”
And finally: “My advice to any Orange customer is simple: Don’t believe the hype, and keep the £1.50 a month the ‘protection service’ will cost you in your pocket. It’ll be far more useful spent at the greengrocers than wasted with Orange.”
F-Secure agrees that there’s no “mass problem for all consumers” but is working on the better-safe-than-sorry principle. Kaspersky Labs, another well-known anti-virus company, agrees: “Malware for smartphones is now evolving, and seems likely to become a growing threat as smart phones gain popularity,” the company said in a statement announcing the launch of a beta anti-virus product for Symbian-powered cell phones.
Meanwhile there’s a lot of mutual back-scratching going on. Nokia is preloading Series 60-based smartphones with Symantec’s Mobile Security software. Sony Ericsson has a try-before-you-buy version of McAfee’s VirusScan Mobile on the P990i and M600i.
Coming soon
A new set of security standards called the Mobile Security Specification has been agreed by major industry players. Billed as the basis for a new generation of secure phones and mobile devices that will be considerably more secure, the standards represent the first time that common security specifications for all handheld devices have been agreed. They require protected information to be stored in a secure area of the phone; this can be used to ensure that the phone’s operating system, applications and data have not been tampered with. The networks can also use it to kill off phones that have been stolen. The downside? It could be years before these standards become universal”if they ever do.