Colorado Information Analysis Center Intelligence Bulletin
- 6 pages
- For Official Use Only
- November 23, 2010
(U) Security Risks Associated with Smartphones
(U//FOUO) The following is intended to provide a brief overview of the security risks associated with smartphones. By increasing awareness and changing user habits many potential threats can be mitigated. Some of these security risks are unique to specific smartphones. It is likely that security risks to smartphones will increase as the software used on smartphones becomes less diverse.
(U) Overview of Threats
(U//FOUO) Smartphones feature a diverse array of computer capabilities which expose them to many of the vulnerabilities previously confined to computers. These threats have evolved from targeting personal computers (PCs) to hitting smartphones much quicker than some security experts anticipated. It took almost fifteen years for these types of attacks to evolve for PCs, but these attacks have been adapted for smartphones much more quickly. The malicious software (malware) currently targeting smartphones attempts to gather personal information stored on the phone and sell it. Since users often store more of this type of information on smartphones than PCs, in some cases it has become more profitable for hackers to create malware for smartphones than PCs.
- (U) One of the biggest risks tied to smartphone use is that many employees use them to check their work email, download work-related documents, and correspond with colleagues. Theft of data from these types of devices therefore threatens not only personal data, but also confidential business data.
(U) The number of malware and spyware programs found on smartphones has more than doubled in the past six months. Smartphones are vulnerable to these malicious programs because:
- (U) Network access codes, usernames, and passwords are often unsecured or set for automatic login on these phones;
- (U) Smartphones can magnify malware distributions that employ email spam and phishing messages because users are more likely to interact with files masquerading as personal communications while they are on their smartphones rather than their PCs; and
- (U) Users cannot as easily detect cues that a website is fraudulent on smartphones because smartphone screens are small and the website cannot be seen in its entirety.
(U) Geolocation data on some smartphones can compromise undercover law enforcement and military personnel if those phones are hacked. Many of the applications that users download to their smartphones can transmit data that can help cyber criminals determine where that person is located. Additionally, undercover law enforcement and military personnel who send photos they have taken on their smartphones via SMS text messages may not realize that embedded global positioning system (GPS) data may also be transmitted, allowing recipients and possibly hackers to determine the longitude and latitude of where the picture was taken.
(U) It is possible for hackers to access and compromise Bluetooth headsets while they are in use or if the Bluetooth feature is enabled on a smartphone. Two different types of Bluetooth attacks include:
- (U) Bluesnarfing: Hackers can use a Bluetooth-enabled smartphone to compromise and gather data from the phone book, calendar, and pictures from the smartphone. It is possible for hackers to also gather the smartphone’s PIN and other codes.
- (U) Bluebugging: Hackers compromise a Bluetooth-enabled smartphone and secretly initiate phone calls without the users’ knowledge. Often the phone calls are to premium rate lines, usually international, thus making money for the attacker.
(U) Threats to Specific Smartphones and Their Software
(U//FOUO) The most common forms of smartphones are iPhones, Blackberries, and Droids.
- (U) Apple’s iPhone is used by more than 70% of Fortune 100 companies and is the third most commonly employed smartphone by businesses in the world.
- (U) Last November a student in Australia breached iPhone security with a worm that spread between phones along wireless networks and could have been used to read text messages, emails, and other information stored on the device.
- (U) The Blackberry platform is much more secure than other smartphones; however, hackers often target this smartphone because of the challenge its platform presents and its abundance in business communities.
- (U) A significant issue for Blackberries is that the desktop software that syncs the phone with non-enterprise-server email accounts encrypts the data, while the actual Blackberry does not encrypt data housed on the phone. This shortcoming means that the data is passed from the phone unencrypted to the computer, potentially exposing it to unauthorized persons.
- (U) When using an enterprise server, the data that is transferred between the device and the server is encrypted. Users can ensure that the data on the device is encrypted by enabling content protection. Content protection can be enabled for the phone’s address book; however, doing so will disable the caller ID function.
- (U) Hackers will likely use spyware to target Blackberries because of heavy corporate use of the smartphone. Spyware allows hackers to lift corporate data from the phones.
- (U) All Droid smartphones use Google’s Android software. The Droid is the newest smartphone, and similar to the iPhone, relies heavily on the use of applications.
- (U) The Android operating system 2.0 onwards includes a design flaw that allows the users’ login credentials and cookies to be harvested. This flaw is associated with the phone’s settings which are configured to save passwords. It is dangerous to users who connect to unsecure Internet networks because these networks could allow hackers to gather the users’ passwords.
- (U) Android users are also at risk when they install applications onto their phones and grant them certain access rights because some rogue applications can allow other applications to download without the users’ knowledge. These applications can gather the users’ information and send it to a hacker, or they can include the right to send premium SMS messages from the phone which will incur charges on the users’ bill.
(U) Outlook
(U//FOUO) It is likely that attacks targeting smartphones will grow sophisticated enough that they will pose a threat to cellular networks via denial of service (DoS) or distributed denial of service (DDoS) attacks:
- (U//FOUO) If hackers are able to compromise smartphones so that they are in control of the devices, it is possible that hackers could use the phones to send wireless data packages to the carrier’s network and overload it with the packages and eventually disable it, a DoS attack;
- (U//FOUO) Hackers could perpetrate a DDoS attack by using malicious software with high bandwidth applications on a large number of smartphones simultaneously; and
- (U//FOUO) Hackers could create a denial of service condition on a cellular provider’s network by spreading malware through SMS text messages via a worm.
(U//FOUO) However, the threat to cellular networks from malicious software spread through smartphones is likely to remain limited over the short term because, unlike desktop computers, of which 90% use the same operating systems software, smartphones use a diverse array of operating systems software and hardware. Consequently, a vulnerability affecting one type of device is unlikely to affect a majority of smartphones on a particular network. Additionally, since smartphones presently constitute only a small share of the devices using a given cellular network, any single piece of malicious software can target only a fraction of the users on the network. The vulnerability of cellular networks may grow as smartphone use increases or if smartphone technology becomes more standardized across devices and among carriers. The emergence of a common system architecture and software systems will greatly increase the opportunities for hackers to target smartphones in the future.
(U) Smartphone hackers will likely continue to use spear phishing attacks to target smartphone users. Because spear phishing attacks are so abundant, anti-virus (AV) companies may never be aware of the existence of specific attacks, so there is little chance that AV software will be written for many of the spear phishing attacks executed on smartphones.