Mobile security

by Robert Earls

In 1985's "A View to a Kill" James Bond wears a ring with a built in camera to take covert pictures of suspects. I have no doubt that now, 23 years later, real-world technology is pretty close to making this a reality. But is there any need to hide a camera inside a ring when a surveillance camera can be hidden in plain view, in every-day items like a mobile phone?

A pretty standard smartphone can act as a conversation recorder, a still camera, a video camera and mass-storage device. A slightly more advanced smartphone can be used to scan for unprotected WiFi access points, and to log where in the world they were found, using GPS (wardriving), for later more intensive scanning where unprotected computers on the network can be identified and compromised.

The audio, images and video recorded can be stored on very high capacity memory card for later extraction, sent wirelessly to another gadget hidden in a briefcase or pocket, or, remotely to another computer anywhere in the world, possibly using 3G or HSDPA (High Speed Downlink Packet Access).

Industrial espionage may have been the concern of high end business at one time, but now the price of equipment has plummeted to the point where even your child may have had a higher spec gadget for Christmas than James Bond ever had during the cold war. If your kids have it, it's a safe bet that it's affordable technology for anyone who comes into your workplace - disgruntled employees, job candidates, third party technicians, window cleaners, the list goes on...

However ridiculous the idea of industrial espionage may seem to your organisation, the prospect of a disgruntled employee taking confidential information to a rival firm is far more likely. Would you allow a stranger to come into your company's premises with a laptop and plug it into your network? Would you allow a visitor to have access to all your company's accounting/salary information? Without proper security practices, your company secrets could be wide open for the world to see.

Visitors to your workplace

How can someone with a mobile device affect your business? Mobile phones, as discussed earlier, are no longer the benign communication devices they once were. For quite some time savvy business have stopped visitors from bringing camera phones into the building, and with current phones capable of snapping at 5 Mega pixels and higher, this is even more of a problem as entire A4 sheets and whiteboards can be recorded accurately.

Video has always been pretty poor on phones, but with HiDef recording on the horizon this could become more of a problem, especially as the storage capabilities of removable flash storage (like SD cards) and grown massively, while the price has fallen through the floor. For example, a 16GB card currently costs about £50.00 which is enough to record video and audio for an entire day.

• Cameras and video cameras
  • Is that person standing behind you simply texting, or is he videoing your fingers typing in a password, using the built-in video camera on his phone?
  • What about visitors or employees taking photos of a whiteboard with sensitive information, or the location of burglar alarms and motion sensors.
  • There's no need to use a tape recorder any more, your mobile phone can record a private conversation while out of a meeting attending nature.
  
  It's easy to become overly paranoid about recording devices and maybe small business need not worry about as much as larger organisation. However, it's best to be aware of the issues.

Of course, with the pervasive nature of WiFi networks, a visitor does not have to enter the building to be a threat.

• WiFi routers without encryption
  • By default, most, if not all, WiFi access points and routers come with no encryption enabled, meaning that if used without modification anyone with a wireless enabled phone can access your networks. It's possible that they may even be able to access the files on it, but definitely be able to monitor (sniff) the traffic on it.

• WEP weaknesses
  • Early wireless access points had only a very weak encryption method, WEP, which is easily hacked using readily available free tools, even from a hand held device. Avoid WEP where a better alternative is available. If your access point only has WEP, I'd recommend you upgrade to a current model as soon as possible. Up to date wireless access points and routers are available for under £50.

Employees

With the vast amount of data you can store on a smartphone, or even a portable USB hard drive, your data has never been more vulnerable to copying by a disgruntled employee. If someone really wants to get at your data it's almost impossible to stop them copying it, however it's best to make it as difficult as possible, to stop all bar the most persistent.

USB drives can also be used to store an entire operating system. This means a version of Windows XP can be installed onto one, and booted from, bypassing any passwords you may have to log you into the desktop PC.

But even the most dedicated and loyal employee could cause you problems. Even if you don't have wireless access in your business, or you have heavily secured all your wireless access points, what measures or policies do you have in place to stop an employee plugging a £20 USB WiFi stick into his PC, so that he can access the network from a laptop/PDA in part of the building without wired network coverage. Unless securely encrypted this is about as safe as having a network point on the outside of your building.

You can purchase locking devices which plug into any USB port and promise to stop employees from plugging in iPods, thumbdrives and portable hard drives.

I'd recommend you make sure that the PC cannot be booted from a USB device. This can be done by changing the BIOS - something only a system admin should do, and while they are at it, they can place a password on the BIOS so employees cannot change it.

Securing your Mobile Device

• Bluetooth exploits
  Bluetooth is like WiFi for mobile devices. It's fairly low range (about 10 meters) and low power so won't drain the battery on your handheld quickly. To initiate a connection between two devices, the users of both must agree to be "paired" with each other, via an on-screen warning. Bluetooth exploits were becoming more popular a few years ago, as mobile manufacturer allowed pairing without the users knowledge. Thankfully the problems seem to have been ironed out, but you can bet as soon as the manufacturers slip up, someone will be there to exploit any holes they leave.
  
  
  • BlueJacking - This the mildest form of irritation and is equivalent to receiving email spam on a desktop PC. Some companies sell boxes which will send out advertising messages to any mobiles which are in range. So you could be walking through your local shopping centre and suddenly get spam on your mobile.
  • BlueSnarfing - This is at the very least accessing the data held on a remote device without the user's knowledge. In it's most extreme form, it can be used to control all of the phones functions, such as using the camera, install programs, etc (you can see more by following the links at the end of this article)
  • BlueBugging - This is an extention of BlueSnarfing where the hacker takes control of the remote phone and uses it to dial another. This allows for conversations to be listened to and recorded.
  • BlueDialing - Like BlueBugging, this would make the exploited phone dial a difficult to trace premium rate number, possibly in some pacific island.
  • DOS or Denial Of Service - More mischief-making opportunities here. If the attacker can access your handheld device somehow they could do one of two things to disrupt your ability to use the phone. They could either remotely turn off your device, so you may miss calls, or run program which will keep the device extremely busy and the screen on, so that the battery will drain very quickly.
  
  Although security holes may have been plugged by manufacturers, you or your users, still have to be aware of so-called social engineering attacks. When wandering around a fictitious shopping centre, called "The Octant", if your mobile suddenly says "Welcome to Free Internet from Octant", or "Vodafone Reconnect, please press YES", you may press YES without thinking, as it sounds like a genuine service. However, these messages can be sent by an attacker, and your mobile may be asking you to pair up to another device, allowing all of the above attacks to take place.

• Storing passwords as plain text
  This potentially is a huge problem. With security experts telling you not to use the same password for everything, we now seem to have more passwords than we can comfortably remember - I have around 40 different passwords. Even the most basic mobile phones have a "Notepad" type application which allows you to type short notes. This has been used to conveniently store passwords, where anyone can pick up the phone and read them. People also store passwords in the address book section of mobiles. Think you don't store passwords as plain text? A lot of mobile phone have web browsers on them, which automatically store passwords to websites so you don't have to enter them every time you visit.

• Malware
  This is the generic name for applications which run and do something you do not want in the background without you knowing.
  
  
  • Trojans - Named after the original Trojan horse, these are applications which you can install on your handheld which are on the face of it fairly innocuous, like a game, or a screensaver. However, in addition to what you expect, they also perform some other task, such as lowering the security defences, deleting data, etc.
  • Viruses - No particular brand of mobile phone has achieved the market share that Microsoft Windows has in the desktop world, and thus the spread of viruses from mobile to mobile has so far been extremely limited, and is currently more of a proof-of-concept than a threat. However, if/when such a mobile phone achieves such a market share then you can be sure that virus writers will be gunning for it. Currently the hottest handheld on the block is the iPhone, which could achieve this level of popularity, although right now, it's my understanding that it will only run signed applications. You can guarantee, however, hackers are working their way around this as we speak.
  
  Manufacturers have attempted to stop malware from being installed, by only allowing the installation of "signed" applications. Signed applications are ones which are guaranteed to be created by reputable companies, who pay to have their software certified in this way. However, this can be bypassed by the user, and as the vast majority of software is not signed, users who install programs quickly get used to saying "Yes" to warnings like "The application being installed is not signed, are you sure (Y/N)"

• Lost/Stolen devices
  The 2005 Pointsec Mobile Usage Survey estimated that around 22% of PDA owners had lost their devices, and a staggering 81% of these devices had no protection, such as encryption. The survey goes onto show that 37% of PDAs have sensitive information on them, such as passwords, corporate data, and bank account details.

I doubt Daniel Craig will be using any high-tech surveillance equipment , in the next James Bond film, "Quantum of Solace", because surveillance equipment is no longer exciting and new, it's become common place. We now expect to be monitored wherever we go in our everyday lives, in shops, on motorways, car-parks, when speaking to insurance companies and banks on the phone, etc.

Monitoring equipment is everywhere. It's in your home, it's in your office and it's in your pocket. Use it wisely.

Useful Links:
www.lindy.co.uk/usb-port-blocker-pack-of-4-colour-code-blue/40452.html
www.youtube.com/watch?v=IgG6BqfTUc8 - Example of BlueSnarfing
us.trendmicro.com/us/products/mobile-security/index.html
http://www.symantec.com/en/uk/index.jsp

Send a comment about this article to editor@itwales.com