Your Smartphone and Tablet Need Security Too

Mobile smart devices have all the capabilities of a laptop or desktop computer.  What this means from a cybersecurity perspective is that they are every bit as vulnerable as a laptop or desktop computer.  The fact that they are small makes them easy for a thief to slip into a pocket or backpack and carry away, along with your personal information, contacts, pictures, geo-location history, and a raft of critical and revealing information.

In addition to theft or loss, your smartphone is vulnerable to the following exploits:

  • Physical access – an attacker who has access to your phone can install software, malware, or copy information and pictures from your phone without your knowledge.
  • Social Engineering – someone posing as a cell carrier service agent, for instance, calls you and talks you into revealing information or providing remote access.
  • Email and SMS – email exploits are being crafted to target mobile phone users in the same ways as computer users.  These sorts of exploits are moving to SMS and MMS communications as well.  The link you click could get your phone a nasty infection.
  • Jail-breaking or rooting your phone – in an effort to change carriers, or install something that the carrier or manufacturer won’t allow, the owner takes administrative ownership of the phone.  This often removes any security built into the phone operating system, and makes your phone more vulnerable to other attacks.
  • Wireless access – Bluetooth, Wi-Fi, infra-red, and near-field communications (NFC) are communication channels that most smart phones support.  All of these channels are attack paths for cyber-criminals.  Leave these channels turned off when not actively using them.
  • 3rd party apps – if you can’t find it on the Apple Store or the Android Play Store, you take a risk that there may be malware embedded in the app by unscrupulous developers, or that the app is so poorly written that it creates exploitable security vulnerabilities.  Stick with trusted apps.
  • OS and MySQL – of course there are vulnerabilities being discovered in the operating systems all the time.  Timely patching is the answer, but this process is often controlled by your carrier or handset manufacturer, and may not be done in a timely way.  The FTC is looking into this currently.  Apple phones use the MySQL database in their OS and this makes them vulnerable to SQL exploits such as the SQL Slammer worm.
  • Geo-location – your phone (and mine) does an excellent job of keeping track of everywhere it has been, and since it has been with you, an attacker can learn a lot about you by analyzing this travel information.  Turning the phone off does not always prevent this information gathering either.  Big Brother or Evil Brother may be watching!
  • Microphone and camera – if I have control of your phone, I can use your mike and camera to spy on you and listen in on all conversations in range of the phone.
  • Credentials – often your phone will have saved user and password information (cached credentials) that an attacker or thief can use to gain access to online accounts and other resources.
  • Downloads – just as with full-sized computers, smartphones and tablets can be infected via downloads or file attachments.  Be sure you trust the source.

That’s the run-down on smart device vulnerabilities.  On Friday we will look at ways to mitigate or eliminate these risks.

 


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
