Security Spotlight

Smart Phone Security: New Challenges for Road Warriors

Smart phones are the new kid on the block and open up new security challenges.  They are not your father's cell phone.  Think of these "cell phones on steroids"--as a computer with a microphone and headset connected to a worldwide radio system that in turn is connected to the worldwide Internet as well as the landline telephone system.  They present all sorts of technical opportunities for mischief.  

Smart Phones Are a New Challenge
So what are some of the new realities?

1. Smart phones are radio transmitters.  Don't let words like "wireless" hide the fact that smart phones transmit information in the clear on radio waves that can be monitored by anyone with the appropriate receiver.  There is no need to tap a wire or fiber; physical access to a facility isn't necessary.  

While radios capable of picking up cell phone transmissions are no longer available at Radio Shack and are generally illegal, the knowledge needed to build such devices is well known, and humans have a long history of ignoring the law.  In the case of analog systems, they are within easy reach of anyone skilled in electronics; digital phones are more challenging, but that will likely change as the hacker community becomes interested.  In short, people can listen in.

2. Smart phones are real computers.  Gone are the days when a cell phone was based on a proprietary computer chip running customized software designed for a specific purpose and device.  While those systems could be hacked, it was a lot of work without much payoff.  Now these devices run on commodity operating systems such as Symbian OS and Windows CE/Mobile.  That means well written malware can be used against any device running the target operating system.  Unfortunately mobile platform vendors are somewhat slow in releasing software patches, and users aren't accustomed to treating their phones the same way they treat their computers.  Miscreants, however, don't make a distinction between the two devices when they write malware.

And just like a computer, when you hit the delete key, what happens is that the markers for the beginning and end of the data are no longer retrievable.  The data is still there and can be retrieved by experts until it is overwritten.  Fortunately, because of limited memory, data is overwritten fairly often.  But that won't be the case for long.

3. Compromising smart phones is easy.  Most smart phones just become slave USB devices when plugged into a computer.  That means malware can be installed on a smart phone just as easily as on a computer.  Billed as a way to catch cheating spouses, FlexiSPY is typical of the creative applications that keep security folks awake at night.  After FlexiSPY is installed on a Symbian-, Windows Mobile-, or Blackberry-based smart phone, it allows you to use the phone to bug a room, and read SMS, e-mail, and call logs from the smart phone from anywhere in the world.  The Windows Mobile and Symbian versions even allow you to listen to actual phone calls being made with the smart phone and use the phone as a secret GPS tracker.  

4. Transmission encryption is an illusion.  While some smart phones encrypt the communications from the phone to the phone company or service provider, once the e-mail, instant messages, or file transfers reach the public Internet they are transmitted unencrypted by default.  In other words, the risk is about the same as the Internet.  Even the portion that is encrypted may be at risk.  There have been reports that some of the encryption algorithms used in popular phones have been compromised.  

5. Stored data may be at risk.  Smart phones now store a lot more than a short list of commonly called phone numbers.  And all of it can be retrieved by digital forensics.  Many smart phones such as the Blackberry now include not only data encryption options but also options for selecting the strength of the encryption.

What This Means to Higher Education
Hopefully by now we have educated our faculty and staff to the dangers of traveling with a laptop containing sensitive information--say Social Security numbers or a faculty member's latest patentable research.  But have we been educating them about the security risks of smart phones?  We need to teach users be as skeptical of e-mail attachments, unexpected connections, and update confirmations on their smart phones as they are on their computers. Some things that could be recommend include:

  • Enable any password protection features that the phone provides. Smart phones are small and easily lost.  Using a password gives the owner some protection from call charges and the lose of sensitive data.
  • Enable any data encryption features that the phone provides. If the device does not include data encryption options, consider add-on packages, such as Pointsec Mobile.  Some users may want to consider PGP (Pretty Good Privacy) schemes such as PGP Mobile.
  • If you lose a smart phone call the provider immediately to avoid call charges, record information about the call and get confirmation in writing that your phone has been disabled.  File a police report.  It probably won't help getting the phone back but it provides an official record.
  • Smart phones get viruses too. Vendors such as Kaspersky are now marketing anti-virus software for Symbian and Windows Mobile platforms.

Finally, some people may want to reconsider their use of the insecure e-mail typical of many mobile devices.  In a recent conversation with reporters President Bush said that he looked forward to using e-mail again. "I stayed in touch with all kinds of people around the country, firing off emails at all times of the day to stay in touch with my pals."  Eight years ago, shortly before becoming President, he is reported as saying "Since I do not want my private conversations looked at by those out to embarrass, the only course of action is not to correspond in cyberspace."

For most of us, this isn't an issue, as we aren't high value targets. (In fact, some of my friends claim that I never have anything important to say anyway.)  But senior university administrators should be forewarned.

About the Author

Doug Gale is president of Information Technology Associates, LLC (www.it associates.org) an IT consultancy specializing in higher education. He has more than 30 years of experience in higher education as a faculty member, CIO, and research administrator.

comments powered by Disqus