Today I was interviewed by Michael George of Tampa’s WFTS ABC Action News. He was interested in doing a piece on smartphone security; specifically what are the threats, how attacks occur, and what (if anything) users can do to protect themselves. Michael had a very good understanding of the current state of smartphone security: “Don’t run for the hills yet, but soon it will be just as messy as your home computer.”
I figured it was appropriate to cover my talking points on this blog post, so that others can reference the materials, and hopefully we can start a great dialogue in the comments on how to best tackle smartphone security. I will post an update with a link to the story once it airs (Anticipated 11PM on 1/7/11).
Why should people care about smartphone security?
The mobile phone is arguably the most personal technology device that we own. People have a real relationship with the phone, the data it holds and what they do with it. There are three primary reasons why people should care about smartphone security:
- Protecting the integrity of the device so that you continue doing what you want to do on your phone (texting, surfing, shopping, calling, etc.) without the threat of information being made public.
- Securing the data on the device so that if it is lost, someone else cannot retrieve all of your data, such as passwords, emails, pictures, etc.
- Safeguarding the device itself so that you don’t have to buy a new one if you lose it.
What are the risks associated with using a smartphone?
Generally speaking, the risks of using a smartphone are similar to those of using your home computer. Specifically, the following may be compromised by poor smartphone security:
- Personal data (phone #s, email addresses, photos, etc.)
- Account credentials (Facebook, Twitter, Bank of America)
- Ability to use your device
GPS location data is unique to smartphones when compared to desktops and most laptops. This data can also be at risk if your phone were to be compromised by an attacker or rogue application.
How are smartphones attacked?
Much like how the risks of using a smartphone are similar to those of using your home computer, so are the ways in which smartphones are attacked. The following are examples of how smartphones are targeted by attackers:
- Trojans such as Geinimi, which emerged in China, send personal data from a user’s smartphone to remote servers. Geinimi can also potentially turn your phone into a zombie controlled by the attacker. Trojans are traditionally attached to legitimate software (sometimes unknowingly) and are comparable to computer viruses.
- Rogue applications are applications that are supposed to be one thing, such as a game, but also include code that performs other actions. The TapSnake Android game not only entertained its users, but also tracked their GPS locations every 15 minutes and allowed other people to pay to view this information.
- By “hacking” your own phone, you can actually make it less secure. “Jail-breaking” or “rooting” your phone can leave you exposed to hackers. For example, rooting the iPhone enables remote access via SSH and the default root password is commonly known. The iBotnet.A worm used this insecure configuration to steal online banking credentials from ING Direct account holders. Also, in 2009 a Dutch hacker held “jailbroken” iPhones for ransom by charging €5 to provide instructions on how to secure the affected phones and remove the “hacked” wallpaper.
What can you do to help secure your smartphone?
Following the checklist below will go a long way in helping to secure your smartphone. However, realize that no smartphone is 100% secure, and always practice caution when installing applications, visiting websites, or clicking on links.
- Only install applications from trusted sources, like Apple’s AppStore or Google’s Android Market
- Review the permissions that applications ask for, and when they don’t seem right, do some research online before installing
- Install a security suite such as Lookout Mobile (Android, BlackBerry, Win7) or Trend Micro for iPhone that looks for malicious applications and/or websites
- Install updates for applications and firmware
- Don’t click on links from unsolicited emails or text messages
- Set a strong password for your phone
- Install a remote location identification application like Lookout Mobile or MobileMe so that you can locate and/or wipe your lost phone
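The permission review in the checklist can be partly automated. The following is an added example, not part of the original post: it reads an Android manifest that has already been decoded to text XML and flags sensitive permissions that the app's category does not explain, as with a game that requests GPS location. The permission grouping, the category table and the sample manifest are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Sensitive permission groups (grouping chosen for this example).
SENSITIVE = {
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "sms": {P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_SMS"},
    "contacts": {P + "READ_CONTACTS"},
    "phone identity": {P + "READ_PHONE_STATE"},
}
# Groups each app category plausibly needs (assumed; adjust as needed).
EXPECTED = {"game": set(), "navigation": {"location"}, "messaging": {"sms", "contacts"}}

# Constructed sample: a game that asks for GPS and network access.
SAMPLE_GAME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.snakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def review(manifest_xml, category):
    """List sensitive permission groups the app's category does not explain."""
    perms = requested_permissions(manifest_xml)
    findings = []
    for group, names in SENSITIVE.items():
        hits = sorted(perms & names)
        if hits and group not in EXPECTED.get(category, set()):
            note = "not expected for a " + category
            if P + "INTERNET" in perms:
                note += "; the app can also send this data off the device"
            findings.append((group, hits, note))
    return findings

if __name__ == "__main__":
    for group, hits, note in review(SAMPLE_GAME, "game"):
        print(group, hits, note)
```

A finding is a prompt to do the online research the checklist recommends, not proof that an application is malicious.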
For more information on smartphone security, you can watch Trevor’s ShmooCon 2010 presentation entitled “The New World of SmartPhone Security.”