By Chris Penido
January 21, 2011
By roughly 2013, there will be more smart phones in people's hands than personal computers at home, a testament to their ever-increasing utility in today's fast-paced, always-connected world. Each of the popular smartphone platforms—iPhone, Android, and BlackBerry—offers a unique software repository whereby users can download and install applications to make greater use of the phone's capabilities. When coupled with advanced hardware components, smartphones enable their owners to do nearly everything they can on a full-sized computer, including video conferencing, instant messaging, sending emails and making phone calls, all in a small, portable package.
Most people wouldn't dream of going anywhere without their smart phone; it's become nearly as important as house keys. The cultural impact can be seen on the streets of New York; walk down Broadway and you'll be hard pressed to find anyone without one. And at the rate smart phones are evolving, with their multitude of apps and finger-friendly interfaces, you might not even need a full-sized computer in a few years. But, just as you wouldn't leave your house keys in your front door, you shouldn't leave your smart phone vulnerable to attackers. The increasing importance and presence of smart phones in our digital lives highlight the need to protect them and the information you access, store, and distribute using them. A few of the security vulnerabilities smart phone owners should be aware of are described below, along with some steps that can be taken to help protect your device.
There is a community of code developers that hacks iPhones and Androids in an effort to remove certain operating system restrictions imposed by the device manufacturer or cellphone carrier. That community creates tools that allow owners to "jailbreak" (or "root") smart phones, granting owners nearly unfettered control over what programs can be installed and how the device can be used. However, jailbreaking a smart phone often involves exploiting significant security vulnerabilities.
As a case in point, in July of last year the hacker community exploited a previously unknown vulnerability in Apple's iOS that allowed users to install unauthorized, "homegrown" software. In this instance, the intent was not malicious, but the exploit itself revealed a serious security hole that affected every iPhone, iPod Touch, and iPad running the iOS operating system from version 2.0 through 4.0. If the exploit had been discovered first by a malicious group of attackers, the security impact to the iOS platform could have been much more serious. Attackers could have taken control of iOS devices by tricking smart phone owners into clicking a specially crafted URL or by emailing the victim a malicious PDF. Due to the severity of the threat, Apple quickly released a security patch that prevented the built-in PDF reader from being exploited. Regardless of Apple's response to that particular exploit, this incident reinforces the fact that mobile security is still in its infancy and that there are many more vulnerabilities that have yet to be discovered.
This past August, a Kaspersky Lab analyst discovered the first SMS Trojan on the Android platform, which, when installed, allowed an attacker to send hidden SMS messages to a premium phone number at a rate of $5 per message. Because the Trojan was disguised as a media player, victims were often unaware of the attack: the app ran as expected. The attack was discovered only after users received their staggeringly large cellphone statements.
Unlike devices using the iOS platform, Android devices have fewer application restrictions, allowing owners to install apps from the loosely curated Android Marketplace as well as arbitrary websites. In the Trojan attack described above, the hacker capitalized on the Android platform's lax software installation restrictions and created websites that purported to offer free media players for download. Before completing installation, the "media player" requested access to the smart phone's memory card as well as its built-in SMS application, which it then used to send out the costly secret text messages.
This default installation prompt, built into every Android device, is key in mitigating attacks; if victims had refused to allow access to the SMS app, the Trojan would have failed to execute. Unfortunately, much as is the case with traditional computer users, smart phone owners often grant apps access to many of the phone's resources and neglect to question why, for instance, a media player would need to access the SMS app in order to play a song. To help protect your device, it pays to be cautious about the source and reputation of the apps you install, and to think twice about what information you allow those apps to access.
Smart phones present new opportunities for attackers to exploit key smart phone features such as geolocation to render certain kinds of attacks more effective. Imagine a hypothetical situation in which you step out of your house to run an errand, only to return to find your place was burglarized. Panic-stricken, you wonder, "How could the burglars have known when I left my house?" Following the police investigation, you learn that the thieves tracked your movements by way of your smart phone. They were able to monitor your GPS coordinates because you use a social networking application on your smart phone (such as Facebook Social, Foursquare, or Twitter) to "check in" at various locations—telling not only your friends but also thieves where you are. They also pinpointed your location by inspecting the geolocation metadata that gets automatically embedded in the smart phone camera images you posted to your Twitpic or Facebook account.
Although this scenario may sound Orwellian, the reality is that it's already happening today, with attackers using real-time data from poorly configured smartphones to victimize their owners. Disabling geolocation when not in use or avoiding the "check-in" scene altogether can greatly mitigate these types of attacks. Taking additional steps to help secure your device, as described below, can also provide some protection against these and wider varieties of attacks.
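The camera geotag described above is an Exif GPS IFD inside the JPEG's APP1 segment. As an added example (not from the article), this Python script constructs a small JPEG carrying such a geotag with made-up coordinates, reads the latitude and longitude back the way anyone who downloads the photo could, and strips the Exif segment so a copy can be posted without it.

```python
import struct
# Exif tag numbers: the GPS IFD pointer (in IFD0) and the four GPS tags read below.
GPS_IFD, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x1, 0x2, 0x3, 0x4

def build_sample_jpeg():
    """Constructed minimal JPEG: SOI, one Exif APP1 segment with GPS tags, EOI."""
    rat = lambda d, m, s: struct.pack("<6I", d, 1, m, 1, round(s * 100), 100)
    # Little-endian TIFF: header (8) + IFD0 (18 bytes at 8) + GPS IFD (54 bytes at 26) + rationals at 80/104
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD, 4, 1, 26, 0)
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI4s", LAT_REF, 2, 2, b"N\0\0\0") + struct.pack("<HHII", LAT, 5, 3, 80)
           + struct.pack("<HHI4s", LON_REF, 2, 2, b"W\0\0\0") + struct.pack("<HHII", LON, 5, 3, 104)
           + b"\0\0\0\0")
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + rat(40, 43, 46.2) + rat(73, 59, 47.4)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def exif_segments(jpeg):
    """Yield (start, end) of each Exif APP1 segment in the JPEG header."""
    pos = 2  # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            yield pos, end
        pos = end

def gps_coordinates(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    seg = next(exif_segments(jpeg), None)
    if seg is None:
        return None
    tiff = jpeg[seg[0] + 10:seg[1]]
    e = "<" if tiff[:2] == b"II" else ">"
    u16 = lambda o: struct.unpack(e + "H", tiff[o:o + 2])[0]
    u32 = lambda o: struct.unpack(e + "I", tiff[o:o + 4])[0]
    ifd = lambda off: {u16(off + 2 + 12 * i): off + 2 + 12 * i for i in range(u16(off))}
    ifd0 = ifd(u32(4))
    gps = ifd(u32(ifd0[GPS_IFD] + 8)) if GPS_IFD in ifd0 else {}
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    def dms(entry):  # three RATIONALs (deg, min, sec) at the entry's value offset
        o = u32(entry + 8)
        return sum(u32(o + 8 * i) / u32(o + 8 * i + 4) / 60 ** i for i in range(3))
    lat = dms(gps[LAT]) * (-1 if tiff[gps[LAT_REF] + 8] == ord("S") else 1)
    lon = dms(gps[LON]) * (-1 if tiff[gps[LON_REF] + 8] == ord("W") else 1)
    return round(lat, 4), round(lon, 4)

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed, so no geotag is posted."""
    out = bytearray(jpeg)
    for start, end in reversed(list(exif_segments(jpeg))):
        del out[start:end]
    return bytes(out)
```

Real camera files also carry other IFD0 tags and image data after the header; the segment walker stops at the start-of-scan marker, so the same functions apply to them.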
Most smart phones, despite all their wonderful features, lack key security controls that are currently found on personal computers. However, there are some actions you can take to help protect your device and your personal data. (Specific instructions depend on the type of smart phone you have; see your device's instruction manual for details.)
The expanding role of smart phones in everyday life is ushering in a new age of security risks. Although current smart phone security features are fairly limited when compared to those found on a personal computer, it still pays to keep up to date with the latest best practices to protect your device and data. For more information on smart phone security and additional steps you can take to help protect your smart phone, visit www.nyu.edu/its/mobile/security.
Chris Penido is a Network Security Analyst within ITS' Technology Security Services.