Smart phones combine the functionality of mobile phones and PDAs. Their use has grown rapidly in the last few years because different networking technologies such as Wi-Fi, Bluetooth and GSM are integrated in a single device, and because they support many of the functions people need in daily life. As a result, smart phones face security problems that are not found elsewhere: the problems arise directly from the integration itself, and some smart-phone-specific services require more complex infrastructure and software, which widens the attack surface (Colin Mulliner, 2006).
A vulnerability is an error or weakness in the design of a computer-based system, or in the implementation of its software or hardware, including the security measures and controls associated with the system. Vulnerabilities can be exploited, intentionally or unintentionally, to affect an organisation's operations, assets or personnel (Dr. Henry B. Wolfe, February 2010).
This chapter describes several vulnerabilities of mobile phones, discusses how each can be exploited, and considers the risk factor: the probability of a concerted attack. It then covers vulnerabilities of mobile applications and the preferred countermeasures.
3.1 Mobile phone vulnerabilities
In February 2010, Dr. Henry B. Wolfe listed the following mobile phone vulnerabilities:
1) Interception of communications
Because mobile communication is radio technology, all of it can be intercepted; no tool prevents interception itself. The concern is therefore the confidentiality of the content. This weakness can be mitigated by strong encryption of every communication. However, the service provider chooses the encryption algorithm and decides when encryption is used and when it is not.
For example, in some systems a call between two mobile phones in one of the four countries then designated "State Sponsors of Terrorism" by the U.S. Department of State (Syria, Cuba, Sudan and Iran) automatically has encryption turned off (Dr. Henry B. Wolfe, February 2010). It has been shown that this behaviour can be exploited with a man-in-the-middle attack (Justice Department, 2005) to turn off encryption between users outside those countries as well. The underlying weakness is that in GSM the network, not the handset, selects the cipher: a handset that attaches to a fake base station will follow its instruction to use no encryption (A5/0), and most handsets give the user no indication that this has happened.
The privacy and security of mobile phones are not up to the mark given the functionality and applications they offer. In the 1990s it was shown that well-known service providers were unable to protect users' privacy; for example, the encryption algorithms used by GSM were shown to be weak (Biham & Dunkelman, 2000), and the weakening is widely held to have been deliberate. In practice any conversation or text message can be intercepted, and the encryption provided by the service provider can be broken to listen to and record mobile communication.
2) Loss, Theft or Seizure
If a mobile phone is lost, stolen or seized, the data stored on it may become available to whoever holds it. There are many ways to retrieve data from a mobile phone; some are cheap and some are expensive.
For example, the Cellebrite UFED (Universal Forensic Extraction Device) Forensic System is a mobile forensic device that can be used in the lab or in the field. According to Cellebrite Mobile Synchronization Ltd, it can extract information from 95% of the mobile phones on the market today, including smart phones and PDAs running Windows Mobile, Android, iPhone OS and Symbian. It is a standalone device, simple to use even in the field, and can copy phonebook entries and content items straight onto a USB flash drive or SD card.
The following figure shows Cellebrite capturing data from different handsets.
Fig 1: Cellebrite capturing data from Mobile handsets
The tool supports all common mobile device interfaces, including serial, Bluetooth, infrared and USB. It can extract contacts, SMS text messages, audio, video and call history, as well as deleted text messages and phone details such as the IMEI and phone number. Many other tools for viewing and analysing data stored on mobile phones are on the market.
A password can be set to protect this information, but a phone password is usually not difficult to crack, so it can be bypassed. New mobile devices store far more than messages and contacts: many people keep bank account numbers, PINs, credit card details and important e-mail on their phone. If the phone falls into unauthorised hands, this can lead to identity theft, breach of privacy, theft of personal information and misuse of stored data (Dr. Henry B. Wolfe, February 2010).
The issue, then, is to keep this information from being disclosed to an unauthorised person. One method is to use a third-party encryption product, so that whoever wants the data has to break the encryption first, which reduces the risk. Encryption only helps if the key cannot simply be read off the same device; it should be derived from a passcode the user enters or held in tamper-resistant hardware, not stored next to the data. The second method is to use the mobile phone only as a phone and not as a personal computer.
3) Location Logging and Tracking
Tracking a mobile phone is not an easy task for an individual, but service providers can track phones easily, and it makes sense for them to do so in order to manage their service: tracking information is used in network analysis to check the load on particular cell sites and to improve network capacity (Dr. Henry B. Wolfe, February 2010).
If this tracking information becomes available to a third party outside the network provider, the user's privacy is in question. In some jurisdictions it is illegal to disclose this information without a warrant, although spending some money can still lead to disclosure of such vital information.
The only way to prevent tracking is to turn the phone off and remove the battery as well; on a few phones, turning it off only puts the phone into a 'sleep' mode from which it can be reactivated externally. Concerns about tracking are often dismissed with the phrase "if you don't have anything to hide, then you won't have anything to worry about" (Dr. Henry B. Wolfe, February 2010). This argument is invalid, and it plays into the hands of those who want to steal identities and privacy.
This is why:
• It is a faulty assumption that privacy is about hiding "bad" things.
• The argument's premise is about "hiding a wrong".
• It is a faulty assumption about privacy and its value, namely that privacy has no value.
• Collecting random information about individuals is surveillance.
• Constant surveillance has a chilling effect on public discourse, freedom of thought, freedom of association and freedom of action.
• It wrongly assumes that everyone is guilty of something. (Dr. Henry B. Wolfe, February 2010)
Information security, then, is not about hiding things; it is about the human right to privacy. On 10 December 1948 the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights (Universal Declaration of Human Rights, 1948); Article 12 enshrines every person's right to privacy.
"Law enforcement has developed technology that enables the tracking of a targeted mobile phone, interception of its communications, and enables the mobile phone to become a listening device - a bug. This is known as Triggerfish." (Justice Department, 2005). Triggerfish is a law-enforcement capability, but the principles behind it are freely available to anyone who wants the same functionality. One method is to build or buy an IMSI (International Mobile Subscriber Identity) catcher (Strobel, 2007): a fake base station that handsets in range attach to because it offers the strongest signal, and which can then capture GSM traffic within a limited area. The operator then decides whether a target is worth pursuing. Like many other surveillance devices, this may be illegal in some jurisdictions.
On some mobile phone brands it is possible to call the phone, and have it answer, without the phone ringing. This is a serious risk as well: if a confidential meeting or negotiation is under way and a phone in the room can be silently activated, a person who wants to hear the conversation can leave his or her phone in the room and activate it from outside. This can cause wilful damage to a company, so care is needed wherever mobile phones are present.
One method of preventing disclosure of sensitive information is signal blocking. Many devices on the market can be used in meeting rooms or halls where private or sensitive meetings take place and mobile devices are present. Note that operating a jammer is itself illegal in many jurisdictions. The following figure shows a cell phone blocker blocking the signal of a BlackBerry 8900 Curve.
Fig 2: Cell phone blocker actual use example.
Source: The TSCM journal vol 1, no 2, February 2010.
These devices broadcast a strong jamming signal that interferes with the phone's signal, leaving the phone as if it had no SIM card: it cannot connect to the mobile network, and the user simply sees no network coverage.
Law enforcement also makes use of what has been termed a "roving bug" (McCullagh, 2000): the microphone of a targeted phone is activated remotely, turning the phone into a listening device for whatever is going on around it. This capability is part of the Triggerfish technology (Justice Department, 2005). The best protection against this kind of surveillance is to remove the phone's battery when the phone is not in use.
5) Targeted Data Acquisition
Almost all new smart phones have Bluetooth. Bluetooth connectivity lets users communicate wirelessly with other phones or with any Bluetooth-enabled computer, and provides a fast and easy way to transfer and back up data.
There is a risk in this feature too. If Bluetooth is left turned on, an attacker with appropriate gear such as the BlueSniper Rifle shown in Fig 3 can detect a Bluetooth-enabled device from a mile away or more, connect to it, and download its entire contents for their own use (Cheung, 2005).
Fig 3: John Hering from Flexilis, with the new BlueSniper Rifle
The most reliable protection against this kind of attack is to keep Bluetooth turned off when it is not in use; when it must be on, the phone should be set to non-discoverable and pairing requests from unknown devices refused.
6) Spam, Viruses, Malware, etc.
New smart phones are Internet-capable: users can browse anytime and anywhere, and this exposes the phone to all the malware and viruses found on the Internet. Many anti-virus and anti-malware applications are available specifically for mobile phones, and users should use them to protect themselves from spam and malware, but many users are still unaware of this software (Dr. Henry B. Wolfe, February 2010).
However, this software is not yet effective enough and needs further development.
3.2 Vulnerabilities of Mobile Applications
Many applications for mobile phones are available online. Most users do not know that downloading applications from an untrustworthy source can result in identity theft and privacy disclosure, and even applications from trustworthy sources can sometimes be dangerous. One can say that the new era of mobile web browsing is not safe at all.
Modern mobile applications run on mobile operating systems in the same way that applications run on a laptop or desktop, and those operating systems have the same general functionality, so many of the risks are the same as for laptops: traditional spyware, Trojan software, viruses and insecurely designed apps. But smart phones are not just small computers; they combine the functions of a cellular phone and a computer, and this makes mobile application risks different from traditional computer risks.
Chris Wysopal (2010) lists two main categories of mobile application risk. Both are explained in detail below.
A) Malicious Functionalities
This category covers unwanted and dangerous behaviours of mobile applications that are secretly bundled into a Trojan application and activated when it is installed. Users are unaware that, instead of a game or utility, they are installing hidden spyware, an unauthorised premium dialler or a phishing user interface.
According to Chris Wysopal, these functionalities fall into the following categories:
1. Activity monitoring and data retrieval
2. Unauthorized premium number dialing, unwanted SMS, and payments
3. Unauthorized connectivity to any network. (exfiltration or command & control)
4. User Interface (UI) Impersonation
5. System modification (rootkit, APN proxy config)
6. Logic or Time bomb
All categories listed above are explained below.
1. Activity monitoring and data retrieval
The core functions of spyware are activity monitoring and data retrieval. Spyware can intercept data in real time: for example, an e-mail sent to any party is also sent to a hidden third-party address, or the attacker listens to or records an ongoing conversation. Stored private information and messages can also be retrieved.
Many such applications exist for each mobile OS. For example, Secret SMS Replicator for Android, once installed on someone's Android phone, secretly forwards their messages to another phone.
Another is RbackupPro for Symbian, a commercial spyware application written for Symbian S60 3rd Edition, which records all phone conversations, physical location and SMS contents and sends them to a remote server (F-Secure Lab Corporation, 2009).
2. Unauthorised premium number dialling, unauthorised SMS, and payments
Some applications carry a Trojan with premium-number dialling functionality. The attacker runs up the victim's phone bill and has the service provider collect the money and pass it on to the premium-number owner. The other variant is sending unauthorised text messages: once a device is infected with a worm, it can send SMS messages to every contact in the address book containing a link for downloading and installing the worm.
According to researchers at Kaspersky Lab, Trojan-SMS.AndroidOS.FakePlayer.a is a fake media player that specifically targets Android phones; once installed, it secretly sends SMS messages to premium-rate numbers at high cost to the victim. Another example is Troj/Terdial-A for Windows Mobile. According to Graham Cluley (2010), a Windows Mobile game called "3D Anti-terrorist Action" carried this malware, and some users reported that it made expensive international calls without their knowledge, which then appeared on their phone bills.
3. Unauthorised connectivity to network (exfiltration or command & control)
Spyware and other malicious software need to exfiltrate data over a network channel. Since mobile devices are built for communication, malware has many channels through which to extract data.
Attackers can use the following channels for exfiltration or for command and control:
Transmission Control Protocol (TCP) socket
User Datagram Protocol(UDP) socket
4. UI impersonation
Phishing is the process of acquiring sensitive information such as credit card details by masquerading as a trustworthy entity. The attack tricks users into clicking a link in their browser that takes them to a fake website impersonating the UI of their bank or online service; the fake UI asks for login credentials, and once they are entered the attacker collects them and uses them to impersonate the victim.
The 09Droid banking apps, which acted as a proxy / man-in-the-middle, are an example of this kind of malicious application. According to Mikko Hyppönen, chief research officer at F-Secure, these applications were not developed by the banks and could not do real online banking on Android phones; they only opened a fake web interface of the bank, and users could end up losing their credentials.
5. System modification (rootkit, APN, proxy config)
"Malicious applications will often attempt to modify the system configuration to hide their presence. This is often called rootkit behaviour" (Chris Wysopal, 2010). Changes to the device configuration can also enable an attack in themselves: an example is modifying the device's proxy configuration or APN (Access Point Name), which routes all of the phone's data traffic through a host the attacker controls.
6. Logic or Time bomb [CWE-511]
Logic or time bombs are malware behaviours triggered by a specific event, device usage pattern or time, so that the malicious functionality is not visible at install time or during a short test.
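To make these categories concrete, here is an added example (my own illustration, not code from the original text or from Wysopal) in Python that parses an Android manifest and maps the permissions an application requests onto the malicious-functionality categories above. The manifest is constructed for illustration, the permission-to-category mapping and the list of "expected" permissions are assumptions, and the application name is hypothetical. The point is that a "media player" asking for SMS sending, audio recording, location and APN settings has the shape of the spyware and premium-SMS Trojans described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest: a "media player" that requests far more than
# playback needs (hypothetical package, not a real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <application android:label="3D Player"/>
</manifest>
"""

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Permission -> malicious-functionality category number from the list above.
# This mapping is an assumption made for the example, not Wysopal's.
PERMISSION_CATEGORY = {
    "android.permission.READ_SMS": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.RECORD_AUDIO": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.ACCESS_COARSE_LOCATION": 1,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.SEND_SMS": 2,
    "android.permission.CALL_PHONE": 2,
    "android.permission.INTERNET": 3,
    "android.permission.RECEIVE_BOOT_COMPLETED": 3,
    "android.permission.WRITE_APN_SETTINGS": 5,
    "android.permission.WRITE_SETTINGS": 5,
}

CATEGORY_NAME = {
    1: "activity monitoring and data retrieval",
    2: "unauthorised premium dialling / SMS / payments",
    3: "unauthorised network connectivity (exfiltration or C&C)",
    5: "system modification (APN / proxy)",
}


def requested_permissions(manifest_xml):
    """All android:name values of <uses-permission> elements, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NAME) for el in root.iter("uses-permission"))


def classify(manifest_xml, expected=()):
    """Group the permissions the app should not need (not in `expected`) by category."""
    findings = {}
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            continue
        cat = PERMISSION_CATEGORY.get(perm)
        if cat is not None:
            findings.setdefault(cat, []).append(perm)
    return findings


def risk_report(manifest_xml, expected=()):
    """Human-readable lines, one per category, plus a combination warning."""
    findings = classify(manifest_xml, expected)
    lines = [f"[{cat}] {CATEGORY_NAME[cat]}: {', '.join(findings[cat])}"
             for cat in sorted(findings)]
    # A data source (category 1) plus an outbound channel (2 or 3) is the
    # spyware shape: collect first, then send out.
    if 1 in findings and (2 in findings or 3 in findings):
        lines.append("combination: data source + outbound channel (spyware pattern)")
    return lines


if __name__ == "__main__":
    # A streaming media player legitimately needs INTERNET; nothing else here.
    for line in risk_report(SAMPLE_MANIFEST, expected={"android.permission.INTERNET"}):
        print(line)
```

Permission review is a coarse check: it cannot see a logic bomb (category 6) or a phishing UI (category 4), which need dynamic analysis or code review, but it is cheap and catches the obvious mismatch between what an app claims to be and what it asks for.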
CWE: Common Weakness Enumeration
"CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design." (http://cwe.mitre.org/, last updated on 13th December, 2010)
B) Vulnerabilities
This category covers errors in the design and implementation of applications that expose mobile device data to attackers; such vulnerabilities can also expose the cloud applications used from the mobile device (Chris Wysopal, 2010). It includes:
7. Sensitive data leakage (inadvertent or side channel) or information exposure
8. Unsafe sensitive data storage
9. Unsafe sensitive data transmission
10. Hardcoded password/keys
7. Sensitive data leakage [CWE-200]
Information exposure is leakage of sensitive data to an attacker, whether intentional or unintentional. Through poorly protected credentials and poor implementation, sensitive data can leak to third parties, including the device's location, the owner's identity, authorisation tokens and authentication credentials.
For example, iPhone game developer Storm8 opened an "electronic backdoor" to retrieve the phone numbers of users who downloaded its games, according to a class action lawsuit filed in San Francisco in November 2009.
Filed on behalf of Lynnwood, WA resident Michael Turner, the suit claims that the activity was not supported or authorised by Apple and involved the execution of "malicious software code".
"Storm8 has written the software for all its games in such a way that it automatically accesses, collects, and transmits the wireless telephone number of each iPhone user who downloads any Storm8 game," the suit alleged in 2009.
8. Unsafe sensitive data storage [CWE-312]
Some mobile applications store sensitive information such as passwords, PINs and credit card details in clear text in a local resource. Such data should be strongly encrypted or, better, not stored on the device at all; stored in clear text, it can be read by anyone who gains access to the file system, for instance through the forensic tools described in section 3.1.
There are several examples of such applications. The first is Citibank's iPhone banking application, since fixed in a newer version: it stored sensitive user information in a file on the device, where an attacker or any unauthorised person with access to the device could read it (Tony Bradley, PCWorld, July 2010).
The second is Wells Fargo Mobile 1.1 for Android, disclosed in April 2010. The application had a flaw that left the username and password, along with the account balance, readable in clear text on the device, so they were available to an attacker with physical access.
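As an added example (not code from the original text or from either bank), the following Python models the two patterns: the vulnerable cache that writes the whole session to disk in clear text, and a protected version that never persists the password and encrypts the rest under a key derived from a user-entered PIN. The session data, file names and PIN are constructed; the cipher is a toy HMAC-SHA256 counter-mode construction, used only because the Python standard library has no AES, and a real application would use the platform keystore and an authenticated cipher such as AES-GCM. The `leaked_fields` check is the audit that found the Citibank and Wells Fargo problems: look at the bytes on disk and see which values are readable. It also illustrates the encryption advice from section 3.1, since the key comes from something the user enters rather than from the device itself.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample session data (not real credentials).
SAMPLE = {"username": "alice", "password": "Tr0ub4dor&3", "balance": "1234.56"}
PBKDF2_ROUNDS = 100_000


def store_cleartext(path, data):
    """The vulnerable pattern: the app caches the whole session in a readable file."""
    with open(path, "w") as f:
        json.dump(data, f)


def _keystream(key, nonce, length):
    # Toy HMAC-SHA256 counter-mode keystream: stand-in for a real cipher,
    # used only because the standard library has no AES.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive_keys(pin, salt):
    """Encryption key and MAC key from the user's PIN and a random salt."""
    material = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def store_protected(path, data, pin):
    """Hardened pattern: never persist the password; encrypt the rest under a
    PIN-derived key and authenticate the file so tampering is detected."""
    persisted = {k: v for k, v in data.items() if k != "password"}
    plaintext = json.dumps(persisted).encode()
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = _derive_keys(pin, salt)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    with open(path, "wb") as f:
        f.write(salt + nonce + tag + ciphertext)


def load_protected(path, pin):
    with open(path, "rb") as f:
        blob = f.read()
    salt, nonce, tag, ciphertext = blob[:16], blob[16:28], blob[28:60], blob[60:]
    enc_key, mac_key = _derive_keys(pin, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong PIN or tampered file")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))))


def leaked_fields(path, data):
    """Audit check: which of the session values can be read straight out of the file bytes?"""
    with open(path, "rb") as f:
        blob = f.read()
    return sorted(k for k, v in data.items() if v.encode() in blob)


def demo():
    d = tempfile.mkdtemp()
    clear, prot = os.path.join(d, "session.json"), os.path.join(d, "session.bin")
    store_cleartext(clear, SAMPLE)
    store_protected(prot, SAMPLE, pin="4921")
    return {
        "cleartext_leaks": leaked_fields(clear, SAMPLE),
        "protected_leaks": leaked_fields(prot, SAMPLE),
        "recovered": load_protected(prot, "4921"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real applications: the password itself is never written, only data the app actually needs between sessions, and the file is authenticated before it is decrypted, so a forensic tool that can read the file still cannot modify it unnoticed or recover the contents without the PIN.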
9. Unsafe sensitive data transmission or cleartext transmission of sensitive data [CWE-319]
Sensitive data transmitted in clear text over a communication channel can easily be sniffed by an attacker. Mobile devices are particularly exposed because they often use Wi-Fi, including open or shared hotspots, for data transmission. SSL/TLS is the standard way to secure the transmission, provided the application actually verifies the server's certificate and hostname; an application that accepts any certificate is still open to a man-in-the-middle attack.
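As an added example (not from the original text), the Python below shows both sides of this point. `sniff` parses two constructed HTTP requests, as a passive listener on an open Wi-Fi network would capture them, and recovers the credentials they carry; `hardened_context` builds a TLS client context that verifies the server certificate and hostname and refuses anything below TLS 1.2, next to the `weak_context` a developer ends up with when silencing certificate errors. Host names and credentials are constructed.

```python
import base64
import ssl
from urllib.parse import parse_qs

# Constructed capture: application-layer payloads as a passive sniffer on an
# open Wi-Fi network would see them (not taken from any real application).
CAPTURED_PAYLOADS = [
    b"GET /api/balance HTTP/1.1\r\nHost: mobile.example-bank.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:Tr0ub4dor&3") + b"\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: mobile.example-bank.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 36\r\n\r\n"
    b"user=bob&pass=hunter2&pin=1234&rem=1",
]

SENSITIVE_FIELDS = {"user", "username", "pass", "password", "pin", "token"}


def parse_http_request(payload):
    """Split one raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def credentials_from_payload(payload):
    """Return whatever credentials an on-path attacker can read from one request."""
    _, _, headers, body = parse_http_request(payload)
    found = {}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # HTTP Basic is base64, not encryption: it decodes straight to user:password.
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        found.update({"username": user, "password": pwd})
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body.decode("latin-1")).items():
            if key.lower() in SENSITIVE_FIELDS:
                found[key] = values[0]
    return found


def sniff(payloads):
    return [credentials_from_payload(p) for p in payloads]


def weak_context():
    """What 'just make the certificate error go away' produces: no certificate
    or hostname verification, so a rogue hotspot can terminate the TLS session itself."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Verify the server certificate against the system trust store, check the
    hostname, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for creds in sniff(CAPTURED_PAYLOADS):
        print("recovered from cleartext:", creds)
    print("weak context safe?", context_is_safe(weak_context()))
    print("hardened context safe?", context_is_safe(hardened_context()))
```

With TLS in place and the certificate verified, the same two requests reach the sniffer as opaque ciphertext, and `credentials_from_payload` has nothing to parse; with the weak context, the attacker simply presents their own certificate and sees the plaintext again.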
10. Hardcoded password/keys [CWE-798]
Sometimes a developer hard-codes a password or key to make implementation easier. A hard-coded password is the same for every installation of the application and cannot be changed without modifying the whole program, so once the password is disclosed, every installation is open to the attacker. This is what enables large-scale attacks such as worms.
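As an added example (not from the original text), here is a small Python scanner of the kind used in a code review to find hard-coded credentials: it flags string literals assigned to credential-like identifiers, and any hex or base64-shaped literal long and high-entropy enough to be key material, while ignoring obvious placeholders. The Java-style source excerpt is constructed and the identifier names in it are hypothetical.

```python
import math
import re

# Constructed Java-style source excerpt with the kinds of lines a review for
# hard-coded credentials looks for (not taken from any real application).
SAMPLE_SOURCE = r'''
public class SyncClient {
    private static final String API_USER = "syncuser";
    private static final String API_PASSWORD = "S3cretP@ss2010";
    private static final String AES_KEY = "3f2a9c1b8e7d6f5a4c3b2a1908f7e6d5";
    private static final String DEFAULT_PASSWORD = "password";
    private static final int TIMEOUT_MS = 3000;
    String banner = "Welcome to the sync service";
}
'''

# Identifier names that usually hold credentials, and literal shapes
# (hex or base64 runs) that usually hold key material.
SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret|api[_-]?key|token|key", re.I)
KEY_SHAPE = re.compile(r"[0-9a-fA-F]{32,}|[A-Za-z0-9+/]{32,}={0,2}")
ASSIGNMENT = re.compile(r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"]*)"')
PLACEHOLDERS = {"password", "changeme", "secret", "xxxxxxxx"}


def shannon_entropy(s):
    """Bits per character: random hex approaches 4, short English text sits
    around 3.5, a repeated character gives 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def find_hardcoded_secrets(source, min_len=8, min_entropy=3.0):
    """Return (line number, identifier) for literals that look like embedded
    secrets: a credential-like name with a non-placeholder value, or a
    key-shaped, high-entropy literal under any name."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            named_secret = (SECRET_NAME.search(name) is not None
                            and len(value) >= min_len
                            and value.lower() not in PLACEHOLDERS)
            key_material = (KEY_SHAPE.fullmatch(value) is not None
                            and shannon_entropy(value) >= min_entropy)
            if named_secret or key_material:
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded secret in {name}")
```

The remedy is to generate per-installation secrets at first run from the platform's random number generator and keep them in the platform keystore, or to derive keys from something the user supplies, so that disclosing one installation's secret does not open all of them.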
Where security is concerned, smart phones are still at a developing stage, so they remain very vulnerable to attack from both a technical and a sociological point of view. On the other hand, their technical robustness will only improve through a constant stream of attacks and corresponding countermeasures. This is just the beginning of the security issues that make PDAs and smart phones vulnerable; strong and effective security solutions are still largely undeveloped.