Tuesday, May 3, 2016

Secrets Your Phone Told Me

   You may remember that earlier this year we were all talking about the standoff between the FBI San Bernadino attack.  This specific problem was "solved" when the FBI said they were able to decrypt the phone and no longer needed Apple's help.  The assumption by many is that the FBI purchased an exploit used to break into the phone.
and Apple about the decryption of an iPhone used by one of the shooters in the

   This leads us to an important consideration and question... can any phone be hacked?  Is any information on your smartphone really private?

   We have become completely dependent upon our phones.  According to a 2015 Pew Research Center study, in the US over two-thirds of the population uses a smartphone.  We keep all of our personal information on there: passwords and accounts, photos and videos, credit card data, tax data; we shop and set many preferences (travel, food, dating, real estate); we track our workouts, our weight our food and all our movements.  Today's smartphone is the key to far more information about you than you can imagine!

   We can, of course, watch TV on our phone.  And on 4/17/2016, 60 Minutes aired a show about smartphone security and privacy.  You can view it here.

   In the episode, they talked about the SS7 (Signaling System 7) protocol and how it works.  SS7 was designed in 1975 and it is the protocol that allows phone systems to pass calls between them.  For mobile, it handles maintaining connections as you move between cell towers, for example as you are driving down the road (using hands-free calling of course! :-).  This particular exploit is not new at all.  In fact, this has been a topic at the Black Hat Briefings and other security conferences for years.

   But all this aside, there is no need for exploits or vulnerabilities to track people or glean personal information through their phones.  Disclosing this information is simply how phones and apps work!  Let me explain...

   There was once a time - though teens, 20-somethings and even some 30-somethings may not believe it - that phones were used for voice calls!

   Whether it is for voice or text, for your phone to get a signal it must be able to contact a cell tower.  As you move, your connection is handed off from one cell tower to another.  Your carrier (phone company), can see this data.

  Then we have apps.  According to Nielsen, the average smartphone user accesses 26.7 apps per month, but have far more installed.  Many, if not most, of these apps are tracking information from your phone.  I've written about this in the past.  Apps track your location, preferences, searches, likes, friends, contact, calls, pictures and more.  Facebook's varying privacy policies have been controversial for years.  Google tracks a great deal of information about each of us.  Then we add to this our "friends" Siri, Courtana and Alexa who are also tracking your requests, searches, location and preferences.

   And you approved all of it!  Apps have preferences and they need to be accepted.  You need to take a look at the preferences, both for the apps you already have installed and new apps.  You have a choice.  If an app's requested access seems unreasonable, choose a different app!  There are plenty!

   Another interesting phone vulnerability leads to what is commonly called "blue-jacking" or, more correctly, "blue-snarfing".  As the name implies, this exploits weaknesses in the bluetooth implementations.  Blue-jacking allows an attacker to send unsolicited text messages to the victim whereas through blue-snarfing the attacker can control other parts of the phone including bluetooth discovery and other phone functions.  This means that an attacker can potentially use your phone as a secret microphone to eavesdrop on conversations!

   Then there's the "evil twin" attack.  Have you ever connected to a wireless data connection at a coffee house?  How do you know that you actually connected to the right wireless network?  An attacker can easily set up a wireless access point and just give it the same name as a network you might expect to find.  Then when you connect to this "evil twin" network, all of your data including passwords, account numbers, etc. can be grabbed by the attacker.

   The bottom line with all of these attacks is that you typically need to be an active participant.  You need to have bluetooth pairing enabled, or connect to a named wireless network, or click on a link, or open an attachment, or side-load an app, or accept the extra permissions of an app, or not enable encryption on your mobile device, or not lock your phone.  Please note that I'm not blaming the victim here... but we all have to take some responsibility for our own security and privacy.  The phone manufacturers, mobile carriers and Facebooks of the world certainly won't do it for us!

   One more thing... have you ever sold or recycled a phone?  A few years ago I bought a phone on eBay for one of my kids.  When I received it and turned it on it had all kinds of contacts, photos, and text messages on it.  In the wrong hands, this could have been a problem.  Before you donate, sell or otherwise dispose of a smartphone be sure to first backup, then wipe your personal information off the device.  There are many ways to do this, particularly for Android.  One simple thing you can do is to do a factory reset of the phone.  Or, if you're extra paranoid, encrypt the phone first then do a factory reset!

   Do you have any tips or stories to share?  What secrets do you think your phone might be giving away?

No comments:

Post a Comment