Security Issues in Smartphone Markets

Are you buzzing about the new Verizon BlackBerry Storm or the T-Mobile G1? They are the new craze and everyone wants one, right? What these owners may not know are the security risks that surround this much-hyped technology. Much of this unawareness starts with companies and customers not placing more significance on security as smartphones get smarter. Although a smartphone may not be at greater risk than a PC, some security issues and risks are still present with PDAs and smartphones. In the United Kingdom, a whopping 800,000 people were the victims of mobile phone theft in 2006.
Even though 90 percent of these phones were deactivated within 48 hours, what happened to the other 10 percent of users who lost data to the crime? Smartphones are linked to the corporate network and are as vital as a laptop on the company network. Also, underestimating these devices will not stop your employees from having accidents. Mobile phone operators can block SIM cards and stop expensive calls from being made. However, a smartphone differs from a regular mobile phone. Executives carry all kinds of information on the device, from confidential announcements to financial results and business in progress.
If any of this were ever lost, it could result in the loss of business and of trust in the company's IT infrastructure. It is important to recognize the dangers before permitting a full mobile device network within the company. Sending emails and texts and using smartphone applications may seem harmless; however, your phone could be very vulnerable to hijacking attacks. We will explore some security issues that surround some of the primary smartphones leading the market today and address how to mitigate users’ risk of being attacked.
One of the issues is that smartphones have problems securing the encryption keys that can unlock cell phone holders’ private information. Digital signatures are also being compromised through man-in-the-middle and proxy attacks. While these may not seem to affect every user, surely the danger of having your password captured by spyware may catch your attention. In addition, many security flaws in the Symbian operating system, which smartphones use to operate, have proven to be the source of some application hijacks.
Since smartphones such as the BlackBerry do not require an application code signature, network access is permitted, giving attackers access to owners’ applications. This could allow third parties to send messages; edit, delete, and add contacts and PIM (personal information management) data; and read and call phone numbers. Even simple functions such as sending and receiving SMS (Short Message Service) text messages can be intercepted by another application, which could cause outgoing text messages to be picked up by an expensive application.
This confuses the smartphone owner, who is oblivious that his or her messages have been compromised, leaving the customer to pay the bill. A problem for businessmen and businesswomen who own smartphones is that certain files opened from a smartphone application can contain malicious code, causing the data to be compromised. Hackers claim that they can pay one hundred dollars for an API key that can open a backdoor to RIM (Research in Motion) BlackBerry devices. If this is true, then owners and companies have to worry about the integrity of the data within applications and software.
One issue being talked about is this API key that can be bought for one hundred dollars. It gives hackers the ability to gain unauthorized network access. Take the iPhone developers. They have yet to incorporate Microsoft Exchange or Lotus Notes. This makes it easy for an Internet provider to expose private data due to unsecured connections to servers. The current iPhone user must forward their e-mail to an Internet service provider, potentially exposing data. Trust could be gained if communications were encrypted from start to finish and a VPN were used.
Some device makers, like those of the BlackBerry and Sidekick, argue that their devices are encrypted from start to finish, but that is only on the phone service side. With the growth in mobile networks, full encryption should be implemented on both the phone and web network sides. VPNs could mitigate the issues surrounding application data integrity. VPNs use SSL (Secure Sockets Layer). SSL provides security and data integrity for communications over TCP/IP networks and is in widespread use in applications like web browsing, electronic mail, instant messaging and voice-over-IP (VoIP).
With this connection a user can ensure that pictures, text messages, emails, and application data going out or coming in are kept private.

Do users think spying on a smartphone is impossible or hard? Of course, spying through social engineering is a risk, but what if users have no idea that they are being watched? When connected to a PC, smartphones require no authentication. They are USB devices that can give up all the data stored on them. If accessed by the wrong hacker, he or she could install malware that can record all user events and upload them to an Excel sheet.
Scary? The same is true of SMS text messaging. A hacker sends an SMS message to the user. When the message is opened, it installs spyware onto the smartphone. Now the hacker can read and access all of the user's messages. So far, there is no anti-malware product that can scan smartphone devices and alert users. The only defense is to educate smartphone users, teaching best practices and how to notice signs of malicious activity occurring within a device. One example is not to install updates that look suspicious or are unexpected.
Call the company’s customer service if something is detected.

So what about viruses, worms, and Trojans? Is a smartphone capable of contracting these? Of course. The mobile web could be a great threat to personal networks and company networks. It may not be a big issue now, but in the future one uninformed user or employee could cause a disruption by causing an entire network to fail. Cabir was the first worm, discovered in June 2004. By the end of the year, 11 new variants of Cabir were reported, and by February 2005 Cabir surfaced in the United States.
Trojan horses were soon announced to be present in mobile devices, some going by the names Mos, Skulls, and CommWarrior. This was an unforeseen issue that can guarantee a resume update if damage is caused by naive employees! To prevent this issue a company can do a couple of things: update and enforce its security policy, and install anti-virus software for smartphone strains of viruses. Before the problem becomes a disruption, educate employees about the security risks and the consequences if the newly updated security policy is breached.
Also, system administrators should research what smartphone viruses are out there and roll out patches that include new anti-virus software.

Symbian is the leading operating system in the smartphone market today. As with most PC operating systems, Symbian has experienced some security flaws in mobile devices. Along with the worm and Trojan horse outbreaks, a Denial of Service (DoS) vulnerability was discovered. A DoS attack is an attempt to make a computer resource unavailable to its intended users. The DoS attack can be triggered by visiting a malicious webpage.
The webpage inserts code into the device that continually uses up available system memory until it causes a kernel panic. In an effort to correct some of these system flaws, Symantec Corporation is announcing Symantec Mobile Security 4.0 for Symbian. The software provides integrated anti-virus and firewall technologies, protecting Symbian OS-based Series 60 and Series 80 smartphones from network intrusions as well as from viruses, Trojan horses, and worms. Symantec Mobile Security 4.0 for Symbian is available in both consumer and enterprise versions. Consumers can purchase Symantec Mobile Security 4.0 for Symbian as a two-year downloadable service. Enterprise customers can obtain the product via Symantec’s enterprise licensing program. In addition, a free 60-day trial version of Symantec Mobile Security 4.0 for Symbian is available for download from the Symantec website.

Now, let’s evaluate some of the leading smartphones and compare the risk of encountering security issues. T-Mobile’s G1 (Google Phone) has a security flaw in its Android software. The web browser portion of the phone allows intruders to capture keystrokes that a user enters when surfing the Internet.
This makes it possible to steal G1 users’ identities and passwords.

The iPhone 3G has issues with encryption keys being compromised, which unlocked the iPhone. In addition, when users report hacks, iPhone developers rarely update the firmware. When asked why firmware is rarely updated, their response was, “[Users] don’t update the latest firmware because they’re afraid once they do, their iPhone becomes a very expensive paperweight or forced to restore everything.” Also, the security constraints that the iPhone sets by default can easily be changed when a user taps the emergency call button.
The iPhone’s passcode entry screen appears and the dial pad for placing a call in an emergency situation is activated. When this happens, the software enables the use of the iPhone’s “home” button as normal. By default, the home button is set to bring up the user’s “favorites” list, making numbers accessible to unauthorized users.

While awaiting the release of the new BlackBerry Storm, we will address issues in current BlackBerry devices. Hacking programs are being targeted at BlackBerry devices, one of which is called BBProxy. It is installed on a BlackBerry or sent as an e-mail attachment to an unsuspecting user.
BBProxy opens a back channel between the hacker and the inside of the user's network, bypassing the organization's gateway security mechanisms. The communications channel between the BlackBerry server and the mobile device is encrypted, and a tunnel is opened by an administrator so encrypted communications can connect to the BlackBerry server inside the organization's network. A hacker can use this backdoor channel to move around inside an organization unnoticed and remove confidential information undetected or install malware on the network.

The Palm Treo security flaw lies in how data is accessed.
It can give anyone in possession of the device the ability to find data even if the device is locked.

With security threats, flaws, and risks discussed, why are smartphones targeted? Well, many users store a lot of their personal and business information on smartphones. Users have the misconception that their smartphone is immune to hackers or attackers. No anti-malware or anti-virus protection software is installed on smartphones. Also, policies are overlooked because a mobile device is not taken as seriously as a computer on the network. This is why smartphone security is important.
With the smartphone market being so competitive, the first smartphone to have a major security breach will surely fade away. Major PC companies such as Microsoft have a market advantage. Security issues in their software may not be picked apart as they are in the smartphone market. This is simply because a mobile device can easily be replaced. So smartphone companies do not have the same pull on the market as Microsoft. The most important things to worry about with smartphones are emails and browsers, which are gateways to malicious activity.
Most risks that users face, however, come from not setting a user password and from losing their mobile device. Hopefully companies will be better prepared to prevent security threats that are overlooked in smartphones.

The following steps are for companies that are planning to give employees access to business applications on their company smartphones. First, a company should “Know the technology you’re getting into,” advises Shane Coursen, senior technology consultant at Kaspersky Lab. This simply means understanding the security risks before the company purchases a certain mobile device.
Educate employees on the importance of smartphone security. Hold training classes that teach employees best security practices and make sure they understand company policies about smartphones. Address issues such as using a Virtual Private Network (VPN). Hire a company that can manage the company’s smartphones. That is, find qualified companies to manage your smartphone network and updates. Maintain accountability for smartphones. Take inventory and have only one smartphone carrier. This helps pinpoint a problem more easily if one were ever to arise.
Know the risks that the company can face. If data were lost or vulnerable, how would it be recovered or protected? If smartphones are used as thin clients, have employees access applications through a Web browser so that nothing is stored locally. Encryption is a great line of defense for data that’s transported between back-end systems and smartphones. Enforce passwords. This is a way of protecting mobile devices that have data stored on them, even though spyware or back doors can be present. Firewalls also add security by preventing penetration to data.
Most important is to buy anti-virus software that will protect your smartphones from malware and to set standards so that updates are run routinely over the air. The bottom line is that users must start treating a smartphone like a laptop or desktop. The steps to hardening a smartphone network should become a necessity.

REFERENCES

John Edwards. “The iPhone Security Threat.” 25 June 2007.
Submitted by Computers. “Smartphone Virus Threat?” 30 June 2008.
Symantec Corp. “Symantec Mobile Security 4.0 for Symbian protects smartphones from viruses, hackers and other malicious threats.” 2005.
Secure Computing Corporation. “Warning of a serious BlackBerry security threat.” 09 August 2006.
Dawn Kawamoto. “Palm Treos ring up security flaws.” 16 February 2007.
Elena Malykhina. “Best Practices in Smartphone Security.” 03 November 2006.
“Symantec announces Anti-Virus and Firewall for Symbian smartphones.” 9 May 2005.
John Markoff. “Security Flaw Is Revealed in T-Mobile’s Google Phone.” 24 October 2008.
Davak. “The Unimportance of Smartphone Security — so far.” 01 August 2007.
Jon Espenschied. “Ten dangerous claims about smart phone security.” 23 March 2007.
Ryan Naraine. “Cracking the BlackBerry with a $100 Key.” 30 November 2006.