Smartphone security and the phone hacking scandal

The "phone hacking" scandal unfolding in the UK has demonstrated how trivial it is to gain unauthorized access to voicemail and other information stored on smartphones. Ignoring basic security steps only makes it easier.

With the help of Kevin Mitnick, CNET reporter Elinor Mills demonstrated just how easy it can be to hack into someone's voicemail. This was done in the wake of the "phone hacking" scandal that has erupted in the UK, in which employees of News of the World hacked into a murdered girl's phone and materially interfered with the then ongoing police investigation. The scandal has since grown far beyond that one terrible incident, which is, of course, an extreme example of the harm that can be done to people with unsecured mobile phones.

Mills' story brings up several important points about smartphone security. The News of the World "reporters" apparently used the crudest method of accessing their victims' voicemail: they simply took advantage of the fact that many people never change their PINs or passwords at all, much less set strong ones. But as Mitnick was quoted in the article:

"Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes," Mitnick said. "If you're not adept at programming, you could use a spoofing service and pay for it."

The second security problem is that mobile operators don't authenticate Caller ID, so a voicemail system that trusts the presented number is only a trivial hurdle for anyone bent on breaking in.
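To make the two problems above concrete, here is an added example (not code from the article or from any carrier) that models a voicemail mailbox's access decision. It flags the weak PINs the crudest attacker relies on, and it shows why a mailbox configured to skip the PIN when the call appears to come from the subscriber's own number is open to anyone who can present that number; all numbers, PINs and the `Mailbox`/`authenticate` names are constructed for illustration.

```python
"""Voicemail PIN-policy and access-decision model (constructed example).

Point 1: unchanged or trivial PINs let in the crudest attacker.
Point 2: caller ID is not authenticated, so it must never replace the PIN.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PINS = {"0000", "1234", "1111", "9999"}  # constructed sample defaults


def pin_weakness(pin: str, subscriber_number: str) -> List[str]:
    """Return the reasons a voicemail PIN is weak (empty list means acceptable)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 10):
        return ["not 4-10 digits"]
    reasons = []
    if pin in DEFAULT_PINS:
        reasons.append("carrier default")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):  # 1234, 9876, ...
        reasons.append("sequential digits")
    if pin in subscriber_number:  # e.g. last four digits of the phone number
        reasons.append("taken from subscriber number")
    return reasons


@dataclass
class Mailbox:
    number: str
    pin: str
    require_pin_from_own_number: bool = True  # the safe setting


def authenticate(box: Mailbox, presented_caller_id: str,
                 entered_pin: Optional[str]) -> bool:
    """Decide whether a call may open the mailbox.

    presented_caller_id is whatever the network delivered; the article's point
    is that operators do not verify it, so it is attacker-controlled data.
    """
    if not box.require_pin_from_own_number and presented_caller_id == box.number:
        return True  # weak policy: a matching (spoofable) caller ID bypasses the PIN
    return entered_pin is not None and entered_pin == box.pin
```

With `require_pin_from_own_number=True` the caller ID no longer matters and only the PIN (which should pass `pin_weakness` with no findings) opens the mailbox.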

Obviously, there's no substitute for smartphone users simply taking advantage of the additional security steps that are available to them, forcing any would-be hacker to use at least more sophisticated methods. TechRepublic's Deb Shinder addressed these issues from the standpoint of an administrator dealing with smartphone users accessing the corporate network in her article, "Smartphone enterprise security risks and best practices." Note the first items in her list:

  1. Require users to enable PIN/password protection on their phones.
  2. Require users to use the strongest PINs/passwords on their phones.
  3. Require users to encrypt data stored on their phones.
  4. Require users to install mobile security software on their phones to protect against viruses and malware.
  5. Educate users to turn off the applications that aren't needed. This will not only reduce the attack surface, it will also increase battery life.
  6. Have users turn off Bluetooth, Wi-Fi, and GPS when not specifically in use.
  7. Have users connect to the corporate network through an SSL VPN.
  8. Consider deploying smartphone security, monitoring, and management software such as that offered by Juniper Networks for Windows Mobile, Symbian, iPhone, Android, and BlackBerry.
  9. Some smartphones can be configured to use your rights management system to prevent unauthorized persons from viewing data or to prevent authorized users from copying or forwarding it.
  10. Carefully consider a risk/benefits analysis when making the decision to allow employee-owned smartphones to connect to the corporate network.

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

7 comments
itadmin

Look at the relatively few comments on this topic. From the newspapers, radio and TV news one would think this is foremost on everyone's minds. Not so. They're welcome to my very few, mundane telephone conversations and emails. But this is not the case for politicians and many others with equally shady dealings. In a way this is almost like Wikileaks.

robo_dev

The so-called 'cell phone hacking' mentioned here has NOTHING to do with mobile phones. We are talking about VOICEMAIL. It's a server... you dial into it, you enter your four-digit PIN and you get your voicemail. Doing some password guessing or doing a password reset is four hundred light-years away from the concept of exploiting actual phones or monitoring live voice traffic. Even the caller-ID spoofing 'hack' done by Mitnick to get voicemail is hardly 'owning' your phone. Murdoch's minions did not 'hack into the phone' of the missing girl, they got into her VOICEMAIL. If you steal the bank manager's wallet, it is NOT bank robbery. Is it so difficult for reporters to grasp these rather obvious technical concepts?

MacNewton

We have medical & personal data stored on some smartphones used by doctors and lawyers, and I know some police personnel have started to keep some data on their phones as well. They are using their smartphone apps without permission and out of frustration that the companies they work for haven't provided them with the right tools. So they are doing this on their own. This type of deployment is going on around us and is getting out of hand.

ksimmons

"5. Educate users to turn off the applications that aren't needed. This will not only reduce the attack surface, it will also increase battery life." What a hoot. Cell phone providers (Verizon, etc.) put apps on our phones we don't want (Peep, etc.) and tell us if we root it to get rid of them that we void our warranties. The cell phone providers are part of the problem. But they sold us out for the money and interests of other companies.

DadsPad

It is good to talk about phone security. But Google and Apple have rights to get/change things on your phone. So it still can be hacked, no matter. Also, most people do not use highly secure passwords, too hard to remember and very inconvenient.

jfrankl1

Just another reason "not" to use a GSM cellular phone.

ZazieLavender

2 is questionable. You'll suffer usability issues, thus reducing the efficiency a smartphone can bring. Not everyone in business is that intelligent. 3 is bad. It's just too clunky. Remote wipe is better. No phone allows for full encryption and it will always be physically weak. You can hack a phone; no phone can handle encryption without becoming an effectively dumb phone, reducing the point of a smartphone. 5 is bad. You're defeating the point of a smartphone. It's often difficult for typical users to discern the possible consequences of turning off apps that other, possibly mission critical, apps may rely upon. Not to mention that some apps tend to include unnecessary things which may affect phone performance or drain battery. 8 is VERY BAD. Monitoring is a gross invasion of privacy. Point blank. Management is bad; you'd be a dictator over the phones and break every other rule I say is "bad". Only company owned phones are exempt. 9 is VERY BAD. It's as intrusive as DRM and just as clunky and falsely intuitive. 10 is stupid. Especially if you require anything from the above rules that I just bashed on company issued and owned phones. Common sense dictates if that data is THAT SENSITIVE, then it should NEVER hit the airwaves anyway. Don't allow smartphone use at all. It's too damn dangerous if you must require all that much security. Now to praise what *would* work: 1 is common sense. This would alleviate most security woes. 2 is still questionable, but it wouldn't be too bad if you don't have more employees than your IT department can support. And make sure it's easy to reset these passwords for IT. 4 is common sense. It keeps users from installing malware. 6 is common sense. It saves battery and reduces risk for attack. 7 is smart. You're encrypting the data as it passes through the internet; it can then go through your own corporate network where you can do whatever you need to the data passing through it in order to keep the secret things secret and control usage accordingly.