Smartphone security and the phone hacking scandal

The "phone hacking" scandal unfolding in the UK has demonstrated how trivial it is to gain unauthorized access to voicemail and other information stored on smartphones. Ignoring basic security steps only makes it easier.

With the help of Kevin Mitnick, CNET reporter Elinor Mills demonstrated just how easy it can be to hack into someone's voicemail. The demonstration came in the wake of the "phone hacking" scandal that has erupted in the UK, in which employees of News of the World broke into a murdered girl's voicemail and materially interfered with the then-ongoing police investigation. The scandal has since grown far beyond that one incident, but it remains an extreme example of the harm that can be done to people whose mobile phones are left unsecured.

Mills' story brings up several important points about smartphone security. The News of the World "reporters" apparently used the crudest method of accessing their victims' voicemail: they simply took advantage of the fact that many people never change the default voicemail PIN or password at all, much less replace it with a strong one. But as Mitnick was quoted in the article:

"Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes," Mitnick said. "If you're not adept at programming, you could use a spoofing service and pay for it."

The second security problem is that mobile operators don't authenticate Caller ID. A voicemail system that treats a call apparently placed from the subscriber's own number as proof of identity can therefore be fooled by a spoofed Caller ID with very little effort, which is exactly the attack Mitnick describes.
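To make the two failure modes above concrete (a default PIN that was never changed, and a voicemail system that trusts unauthenticated Caller ID), here is an added example that is not from the CNET story, the TechRepublic article, or any carrier's actual software. It is a toy model of two voicemail access policies: a weak one that waives the PIN when the presented Caller ID matches the subscriber's number, and a hardened one that always requires the PIN and locks the mailbox after repeated failures. The phone numbers, PINs, the list of "common" PINs, the lockout threshold and the function names are all constructed assumptions for illustration.

```python
# Added example (not code from the article, CNET, or any carrier): a toy model
# of two voicemail access policies.  It shows why an unchanged default PIN and a
# system that trusts Caller ID both let an attacker with a spoofed number in.
# All numbers, PINs, thresholds and names below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed list of factory-default or commonly chosen PINs an attacker would
# try first.  Real carriers' defaults vary; these values are illustrative only.
COMMON_PINS = {"0000", "1234", "1111", "2580", "4444"}
MAX_ATTEMPTS = 3  # assumed lockout threshold for the hardened policy


@dataclass
class Mailbox:
    number: str                  # subscriber's phone number
    pin: str                     # PIN the carrier stores (plaintext here for simplicity)
    failed_attempts: int = 0
    locked: bool = False


@dataclass(frozen=True)
class Call:
    caller_id: str               # number presented by signalling; nothing verifies it
    dialed: str                  # mailbox the caller is trying to open
    pin: Optional[str] = None    # PIN typed at the prompt, if any


def pin_is_weak(pin: str) -> bool:
    """True if the PIN is short, non-numeric, a known default, or a trivial pattern."""
    if len(pin) < 4 or not pin.isdigit():
        return True
    if pin in COMMON_PINS:
        return True
    if len(set(pin)) == 1:                      # e.g. 7777
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})                 # e.g. 2345 or 9876


def caller_id_policy(call: Call, box: Mailbox) -> bool:
    """Weak policy: a call that appears to come from the handset is let straight in.
    Because Caller ID is never authenticated, a spoofed caller_id passes this check."""
    if call.caller_id == box.number:
        return True
    return call.pin is not None and hmac.compare_digest(call.pin, box.pin)


def pin_required_policy(call: Call, box: Mailbox) -> bool:
    """Hardened policy: the PIN is always required, whatever Caller ID says, and
    repeated failures lock the mailbox until the subscriber resets it."""
    if box.locked or call.pin is None:
        return False
    if hmac.compare_digest(call.pin, box.pin):
        box.failed_attempts = 0
        return True
    box.failed_attempts += 1
    if box.failed_attempts >= MAX_ATTEMPTS:
        box.locked = True
    return False


def spoofed_call(victim: str, pin: Optional[str] = None) -> Call:
    """What a Caller ID spoofing service gives the attacker: a call that presents
    the victim's own number as its origin."""
    return Call(caller_id=victim, dialed=victim, pin=pin)


def demo() -> dict:
    victim = "+15551230001"                     # constructed number
    never_changed = Mailbox(victim, "1234")     # factory default still in place
    strong = Mailbox(victim, "830471")          # subscriber chose a real PIN

    results = {
        # Spoofed Caller ID and no PIN at all: the weak policy opens the mailbox.
        "spoof_no_pin_weak_policy": caller_id_policy(spoofed_call(victim), strong),
        "spoof_no_pin_strong_policy": pin_required_policy(spoofed_call(victim), strong),
        # Default PIN never changed: even the hardened policy cannot help.
        "default_pin_guessed": pin_required_policy(spoofed_call(victim, "1234"), never_changed),
    }
    # Guessing common PINs against a strong mailbox: three misses lock it, and
    # the correct PIN is refused afterwards until the subscriber resets the box.
    for guess in ("0000", "1234", "1111"):
        pin_required_policy(spoofed_call(victim, guess), strong)
    results["locked_after_guesses"] = strong.locked
    results["correct_pin_after_lockout"] = pin_required_policy(spoofed_call(victim, "830471"), strong)
    results["weak_pins_rejected"] = all(pin_is_weak(p) for p in ("1234", "7777", "2345", "9876", "123"))
    results["strong_pin_accepted"] = not pin_is_weak("830471")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the contrast in `demo()`: against the Caller ID policy the attacker needs nothing but a spoofing service, while against the PIN-required policy the only remaining weakness is a PIN the subscriber never changed, which is why enrolment should reject anything `pin_is_weak` flags and why lockout matters against guessing.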

Obviously, there's no substitute for smartphone users simply taking advantage of the additional security steps available to them, which at least forces any would-be hacker to use more sophisticated methods. TechRepublic's Deb Shinder addressed these issues from the standpoint of an administrator dealing with smartphone users accessing the corporate network in her article, "Smartphone enterprise security risks and best practices." Note in particular the first items in her list:

  1. Require users to enable PIN/password protection on their phones.
  2. Require users to use the strongest PINs/passwords on their phones.
  3. Require users to encrypt data stored on their phones.
  4. Require users to install mobile security software on their phones to protect against viruses and malware.
  5. Educate users to turn off the applications that aren't needed. This will not only reduce the attack surface, it will also increase battery life.
  6. Have users turn off Bluetooth, Wi-Fi, and GPS when not specifically in use.
  7. Have users connect to the corporate network through an SSL VPN.
  8. Consider deploying smartphone security, monitoring, and management software such as that offered by Juniper Networks for Windows Mobile, Symbian, iPhone, Android, and BlackBerry.
  9. Some smartphones can be configured to use your rights management system to prevent unauthorized persons from viewing data or to prevent authorized users from copying or forwarding it.
  10. Carefully consider a risk/benefits analysis when making the decision to allow employee-owned smartphones to connect to the corporate network.