Mobile phones: An unreliable sidekick

By Rajiv Singh | 15 Sep 2006

Smart crooks leave helpless newgen-handset owners smarting, even as software makers are devising appropriate responses.

Titillating aspects of the story aside, when Paris Hilton's Sidekick II got hacked into, mobile phone security stepped into the limelight along with her as an issue. With cell phones now providing a variety of functionalities, and storing greater amounts of information, they are also revealing vulnerabilities that can have disastrous consequences for their owners. Securing information stored in cell phones is now a major area of concern for service providers and consumers alike - particularly so, as wireless services are now a truly global sector.

Attaining the same functionality as credit cards and commuter passes, the increasing sophistication of these devices is increasing their grip on our daily lives, heightening our security and privacy concerns in the process. Cell phones are now an attractive target, both for physical theft as well as for sophisticated levels of hacking. Given the potential that they have to compromise critical details of their owners, the security threat that they pose is greater than ever before, more so, as the price of services and handsets dip and their numbers shoot up exponentially.

Breaking in…
The most common security breach begins with a simple theft. A snatched cell phone, or wallet, no longer provides the thief with just a certain amount of money or a device that would allow free calls. A stolen wallet can furnish credit cards that would drain a user's bank account while a stolen cell phone can throw up a lot of potentially damaging user information, intimate and financial, to a reasonably smart thief. The Paris Hilton hack-in, amongst other material, yielded embarrassing pictures, which were immediately circulating all over the Net!

A $50 program, FlexiSpy, offers to secretly install on mobile phones "…a remote activity logger for mobile phones that will silently retrieve and report all phone activity to an email address that you specify." The company markets the program as a way to snoop on spouses' and kids' phone conversations and text messaging.

Security firms say that the application installs itself without any kind of indication as to what it is, and when installed it completely hides itself from the user. They have dubbed it a trojan, though FlexiSpy would much rather call it a service. The company even provides an eavesdropping feature that would allow its customers to "listen in on what the mobile phone's user is doing from anywhere in the world!"

If FlexiSpy is offering to tap phones directly for you, there are other forms of attack that do it indirectly and are equally lethal. Consider the stunt that a security group called Flexilis pulled when it attacked the prestigious Academy Awards event this year. Armed with a laptop and an antenna hidden inside a backpack carried by one of its members, the Group successfully 'bluesnarfed' 50 to 100 of the celebrities attending the event.

'Bluesnarfing', 'bluejacking', 'bluebugging' are terms now being thrown up to describe different forms of attacks on Bluetooth-enabled devices. With technology extending the range of Bluetooth rifles, devices that catch signals, from about 33 feet to a full mile, the dangers of such tapping have increased dramatically. Of course, one needs to focus on the advantages that such services and devices offer us in our daily lives, but the dangers lurking underneath can be ignored only at one's peril. Till recently, a 'Bluetooth-enabled' cell was a status symbol, and the likes of the late Princess Diana were susceptible to such attacks — even low-end phones are beginning to support the feature now.

Though no malicious codes were attached to the worm Cabir, the world's first worm written for mobile phones using Bluetooth, it however ushered cell phone users into a world that PC users have been only too familiar with - a world of viruses and hackers. Cabir's emergence has raised questions about open software platforms, which are becoming popular with manufacturers. An open operating system, such as Symbian's, is already in use in more than 20 million mobile phones around the world. Security specialists now predict that new kinds of attacks, such as trojan horses loaded in games, screensavers and other applications could very easily trigger false billing, tap stored information and delete or steal data.

The enterprise
Possibly, the instrument most commonly associated with enterprises and government's around the world is the BlackBerry. In May this year, Research In Motion (RIM), the BlackBerry service provider, and Cheltenham-based, UK government security experts, CESG, announced that UK government employees had been granted approval to use BlackBerry devices even for "restricted" data. Come August, a California-based security researcher made a presentation at the Defcon hacker convention in Las Vegas, displaying how a hacking program, dubbed BBProxy, could be used to bypass gateway security controls, installed between the hacker and the inside of the victims' network, to access RIM's servers on the sly.

RIM discounted the 'vulnerability' as one that any mobile device, including smart phones, PDAs and laptops are susceptible to, and said that by administering various security tools available in its systems, IT administrators can reduce the potential for any attack.

Though RIM has ho-hummed the attack potential as demonstrated by the BBProxy, it has to be kept in mind that hacking attacks reappear with increasing levels of sophistication. If we consider the fact that RIM has by now shipped just under 1.3-million BlackBerry devices during the second quarter of 2006 alone (source: Gartner), and that it already has about 5.5-million 'high end' subscribers worldwide at the end of the same period, we can imagine the magnitude of the threat potential.

Devices and their vulnerabilities apart, there is also a wider aspect to the security issue that is leaving enterprises feeling somewhat helpless. No doubt, sophisticated devices and services, such as smart phones, digital music players and USB drives are helping galvanise productivity among workers, but these consumer gadgets also hold immense implications for enterprises with regard to security.

More capable than ever before, these gadgets are at a level of sophistication that will allow employees to walk off with large amounts of data if they should chose to. A innocuous looking, but USB connected, wristwatch can easily grab and store 1GB of information. A cell phone left on 'ghost mode,' for instance, can allow a temporarily 'absent' person to listen in on an ongoing conference, or a conversation.

So, for enterprises, it's a question of striking a balance — allowing employees to bring personal mobile hardware into the office, and risking security breaches, or banning them from the office space and risking employee displeasure. Blocking USB ports in PCs' to configuring IT systems with physical security tools to actively monitor people's behaviour or simply asking employees to keep their gadgets at home, may be one way of going about it. But analysts suggest that such an approach would also be counter-productive, as it would inevitably delay integration of the next generation of mobile devices into the corporate environment.

Security
The security problems afflicting mobile phones are now causing specialist firms to address the problem and respond to the potential threat. The Trusted Computing Group (TCG), an industry association has now created a set of security standards, similar to the standards it has already created for PCs, servers and networks. These standards will be formally announced this month at the CTIA Wireless show in Los Angeles. Called the Mobile Security Specification (MSS), it is expected that the standards will form the basis for a new generation of phones and mobile devices that will be more secure.

Backed by Nokia, Samsung and France Telecom, among others, the specifications have taken years to develop, and a person such as Janne Uusilehto, head of Nokia product security, is understandably pleased with the end result. The MSS, he says, marks the first time that a common security specification will have been created for all handheld devices.

Though some service providers could be early adopters of the MSS, industry experts feel that it could take years before mobile phone users would be able to reap any benefits, for all service providers will first have to come around to accepting the standards; right now they are still debating over the core aspects of the MSS.

Spansion Inc., a flash memory chip maker, says it will add a mobile security chip to the embedded flash memory chip package it offers to wireless handset makers, which will use a range of encryption, authentication, random number generation and other security features to ward off hackers, malware or thieves. The advantage with Spansion's chip is that it is hardware and not a layer of software added on to the handset, which makes it difficult for thieves to break into.

Spansion says that with time, and successful usage, the security chip could enable users to make more financial transactions with their handsets, allowing them to use their handset like a credit card. The chip will be available to handset developers in the first half of next year.

But should you be looking for a service which you can easily comprehend, and also, not have to wait years for it to become available, then you could consider the one made available this month by a firm called Synchronica. In case of theft, the firm will, of course, immediately lock the stolen phone and wipe data from it. But along with this facility, it also provides an interesting feature; the phone emits an annoying, high-pitched 'scream' when stolen, says the company.

Statistics from UK's Metropolitan Police suggest that a mobile phone is stolen every three minutes in the country, and also, that it takes on an average 30 seconds for someone to realise the loss of their handset. So, if you are patronising Synchronica's service, the sound of an outraged scream emanating from your stolen phone should help, as you pelt down the street after the thief - your shouts adding to the tumult already being caused by the screams that Synchronica is providing as part of its service….!