UNCLASSIFIED Smartphone Necessity or Information Sieve
Jan 18, 2015
The purpose of this brief is to raise awareness of the vulnerabilities associated with smartphones. For the purpose of this brief, when the term smartphone is used, it also includes iPhones and BlackBerrys unless otherwise specified.
com·put·er (noun) 1. An electronic device designed to accept data, perform prescribed mathematical and logical operations at high speed, and display the results of these operations.
tel·e·phone (noun) 2. An apparatus, system, or process for transmission of sound or speech to a distant point, especially by an electric device.
Definitions
Phone... Really?
Smartphone sales eclipsed standard cellular phone sales as well as PC sales last year. According to Google, over 200,000 Android smartphones are activated each day. - Ellis Holman
The Future
Hello?
We are talking about a phone... Right?
Computer health statistics
HINT: This risk most likely is the same as internet capable computers or Wi-Fi laptop use.
Security Risk
What is the biggest security risk when it comes to Smartphones?
Answer: You... The user.
Like most people, when it comes to new technology, we want it and we want it now. We usually start using this technology for all the benefits promised without understanding the vulnerabilities or the security features available.
The Numbers
A study conducted by the Ponemon Institute in concert with AVG Technologies:
• 734 random US consumers over age 18 were questioned regarding mobile communications behavior.
• 89 percent of respondents were unaware that smartphone applications can transmit confidential payment information without the user’s knowledge or consent.
• 91 percent of respondents were unaware that financial applications for smartphones can be infected with specialized malware designed to steal credit card numbers and online banking credentials.
• 29 percent report already storing credit and debit card information on their devices.
• 35 percent report storing “confidential” work-related documents.
• 56 percent of respondents were unaware that failing to properly log off a social network app could allow an imposter to post malicious details or change personal settings.
• 45 percent of Internet users used a mobile phone to connect to the Internet
• 6 million people accessed the Internet over their mobile phone for the first time in the previous 12 months
• The use of wireless hotspots almost doubled in the last 12 months to 4.9 million users
• 77 per cent of households had Internet access
- Office of National Statistics, “Internet Access - Households and Individuals, 2011”
• 21 per cent of Internet users did not believe their skills were sufficient to protect their personal data
U.K. National Statistics
Malware
• An average of 9 out of every 100 smartphones in use is infected with malware of some type
Definitions
Key Logger: A computer program that records every keystroke made by a computer or Smartphone user. The “key-logger” will then send the information to an outside server. This is often used in order to gain fraudulent access to passwords and other confidential information.
Worm: A computer worm is a self-replicating malware computer program that can replicate to such an extent as to take up enough bandwidth to cause a denial of service.
Virus: A virus is a software program capable of reproducing itself to corrupt and cause major damage to files or other programs. Viruses can spread quickly, infecting other computers or smartphones.
Trojan: A Trojan horse, or Trojan, is malware that, before it is run or installed, appears to perform a desirable function for the user but instead facilitates unauthorized access to the user’s computer system.
Spyware
Software that self-installs on a computer, enabling information to be gathered covertly without the person's knowledge, including:
– Inbound and outbound texts, emails, and phone calls
– Web browsing activity
– Information stored on phone
– Contacts
– Can even turn on the phone’s camera to capture images and video
Web browsing is becoming a big threat, with 38 percent of Android owners encountering a malicious link — 40 percent if you only consider the United States. - Lookout’s chief technology officer Kevin Mahaffey
Web surfing is the primary source of new infections, with attackers relying more and more on customized malicious code toolkits to develop and distribute their threats. 90 percent of all threats detected by Symantec, during a study period, attempted to steal confidential information. - Michael Dinan, TMCnet Editor
Information Hemorrhage on the WWW
Think Before You Click
“Mobile phones are a huge source of vulnerability. We are definitely seeing an increase in criminal activity.” - Gordon Snow, assistant director of the Federal Bureau of Investigation's Cyber Division.
What’s on Your Phone
Across the U.S. and beyond, inmates are using social networks and smartphones smuggled into prisons and jails to harass their victims or accusers and intimidate witnesses.
In California, home to the nation's largest inmate population, the corrections department confiscated 12,625 phones in just 10 months this year. - DON THOMPSON, Associated Press November 2011
Keeping in Touch
The “Bad Guy” is using the same tools and resources that we (the recreational user) use, and a lot of the time, they know more about the tool.
Emails or text messages offering a free one-year warranty extension for a popular smartphone link to a company-branded web page. That web page asks for an email address and then the smartphone serial number, IMEI number, type of phone, and capacity of phone. Cybercriminals use the information requested on the web page to clone the smartphone. - markmonitor.com
Smart Phishing (Smishing) for Smartphones
The attacker machine forces traffic between the victim’s machines to route through it by sending a false Address Resolution Protocol (ARP) reply to both machines. The attacker can then create new connections and kill existing connections, as well as view and replay anything that is private between the target machines.
A testing team has adequately shown that with a mobile laptop in a Wi-Fi network, it is possible to intercept communications between a smartphone and the Wi-Fi hotspot. - Smobile Systems
Man In The Middle (MITM) Attack
“There’s an APP for that”
Jailbreaking
• Gives the user root level access to the phone
• Strips away security measures designed to protect the smartphone
• A majority of smartphone malware comes from third party app stores
“Trojanized” Apps
The malicious developer selects popular apps to “trojanize” and delivers malware along with the clean content
Which System is Better?
How You are “Protected”
Google Bouncer: Scans all uploaded Android Marketplace apps. 40% decrease in potential malicious apps in the marketplace in 2011.
iTunes: Apple authenticates its developers, tests and digitally signs each app before distribution, making malware occurrences rare.
App World: Vets applications before distribution and allows the user to set permissions for each item within an app separately, to give the user control.
Anti Virus
Malware
March 2012: AV-TEST, an independent IT security institute, has inspected 41 different virus scanners for Android with regard to their detection performance.
Defensive software
The most common malicious Android apps contain spyware and (SMS) Trojans that:
• collect and send GPS coordinates, contact lists, e-mail addresses etc. to third parties
• send Short Message Service (SMS) to premium-rate numbers
• subscribe infected phones to premium services
• record phone conversations and send them to attackers
• take control over the infected phone
• download other malware onto infected phones
- Cnet.com
What’s in Your App?
Some Android Apps Use Personal Data Suspiciously
A study conducted (2010) by Penn State, Duke, and Intel Labs found that 358 apps in the Android Market require Internet permissions, as well as permissions to access location, camera, or audio data. Of those 358, researchers randomly selected 30 apps, including ones for The Weather Channel and BBC News.
15 of the 30 apps reported user locations to remote advertising servers, and seven apps collected the device ID, and sometimes the phone number and SIM card serial number. One app even transmitted phone information every time the phone booted, even if the app had not been used. Overall, two-thirds of the apps used data suspiciously, researchers concluded. - Pcmag.com
App Security
• Despite increased security in legitimate app marketplaces, malware still comes through
• Scrutinize apps before downloading
– Do you know the developer?
– How long has it been available?
– What are the permissions required?
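The permission question above can be checked mechanically. This added example (not from the original brief or the cited study) reads a decoded AndroidManifest.xml and flags the combinations this brief warns about: Internet access together with location, camera or audio, plus SMS sending and start-at-boot. The sample manifest and package name are constructed and the flag wording is this example's own; the permission names are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
SENSORS = {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION",
           P + "CAMERA", P + "RECORD_AUDIO"}

# Constructed manifest for a hypothetical flashlight app (not a real package).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def review_flags(manifest_xml):
    """List permission combinations worth questioning before installing."""
    perms = requested_permissions(manifest_xml)
    net = P + "INTERNET" in perms
    flags = []
    # Internet plus a sensor is the combination the 2010 study selected on.
    sensors = sorted(p[len(P):] for p in perms & SENSORS)
    if net and sensors:
        flags.append("INTERNET + " + ", ".join(sensors)
                     + ": sensor data can leave the phone")
    if net and P + "READ_PHONE_STATE" in perms:
        flags.append("INTERNET + READ_PHONE_STATE: device ID or phone number can be reported")
    if P + "SEND_SMS" in perms:
        flags.append("SEND_SMS: can text premium-rate numbers")
    if P + "RECEIVE_BOOT_COMPLETED" in perms:
        flags.append("RECEIVE_BOOT_COMPLETED: starts at every boot, even if never opened")
    return flags

if __name__ == "__main__":
    for flag in review_flags(SAMPLE_MANIFEST):
        print(flag)
```

Manifests inside an APK are stored as binary XML, so this assumes the file has already been decoded to text.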
Mobile Banking
• Mobile banking has grown 129% in the last year alone
• Android users alone lost more than one million dollars to cyber-thieves in 2011 and the numbers are climbing
Geo-tag
Most smartphones and some cameras made today are equipped with geo-tags. Geo-tags are embedded in the picture and use the same concept as GPS.
If you leave your phone unattended, lose it or have it stolen, depending on what security features you have set, a smudge attack can be conducted. The picture illustrates how easy it would be to access this phone.
Physical Consideration
Maintain positive control of your phone and clean the screen after every use if you have a touch screen keypad.
Navy Networks
In October 2010, CTO 10-084 was released, prohibiting the connection of unapproved USB mass storage devices to government networks. This includes connecting a smartphone to a DON computer “just to charge it”. Lack of compliance could result in data exfiltration, spillage and the spread of malware.
DON’T DO IT
HTC Smartphone Vulnerability Exposes Your Personal Data
Report Reveals Data Loss as Primary Concern for Smartphone Users
Tens of Millions of Smartphones Come With Spyware Preinstalled, Security Analyst Says
Your Smartphone Is Spying on You
Smartphones evidence a boon for divorce lawyers
Smartphone pictures pose privacy risks
Android super smartphones: Too much of a good thing?
Smartphones overtook PC shipments in 2011
Smartphone scams: Owners warned over malware apps
Smartphone Headlines
Recommendations for a More Secure Smartphone
• Never store sensitive data on smartphones
• Do not leave phone unattended in public
• Enable password protection
• Activate the lock-out screen
• Update your device regularly, to include anti-virus software
• Enable encryption where possible
• Do not open suspicious email or click unknown links from unsolicited texts or email
• Take precautions to avoid theft and recover from loss
• Avoid using smartphones to conduct online financial transactions
Recommendations for a More Secure Smartphone
• Only purchase apps from legitimate marketplaces
• Understand the apps you download/use and what data the app accesses
• Turn off GPS & Bluetooth when not in use
• Disable geo-tagging
• Never “jailbreak” or “root” a smartphone
• Keep phone screen clean if using touch screen keypads
• Enable “safe mode” to prevent applications from running in the background without permission
• Data sanitize your device before redistributing it
Summary
• Computer health statistics
• The climb of smartphones
• Activities executed on smartphones
• Security issues involving smartphones
• Application uses and the vulnerabilities
• Physical issues involving smartphones
• Recommendations for smartphones
YOU Decide!
Vulnerabilities
Benefits