I read an article recently on Dark Matters, by Bob Monroe, that talked about smartphones from the perspective of an attacker – just how good of an attack surface is your average smartphone? Pretty good, as it turns out, which is not so good for you and me.
The first problem is that these little computers are very chatty. If they are turned on, they are talking to the nearest cell phone tower or two, reporting their status and your location. Many, in fact almost all, of the apps are collecting information on you and reporting it to some server on the web. Like, why does my Solitaire app need to know my location and contacts? A lot of this data collection is fairly egregious, and is conducted for marketing purposes, which means some of this information is being resold. I have noticed that items I have looked for on Amazon are now appearing in the ads between solitaire hands, so there is a monetary relationship there between the app developer and Amazon. Hopefully, all of the data collection is this innocuous.
If you are having problems keeping malware off your computer, which has one or two communication ports (Ethernet and Wi-Fi), this may be a bigger problem for your phone. A smartphone can communicate on Edge, 2G, 3G, 4G, Bluetooth, NFC (near field communication, as used by Apple Pay), Wi-Fi, and via wired USB connections. That is eight different ways an attacker could compromise your phone. The police use the Stingray device, which uses 2G, to eavesdrop on cellular phone calls. You can ask your cell phone provider to turn off the ability to roam on 2G networks. Maybe you should. Installing some sort of security app on your phone is also advisable, and nearly every security product you could use on a computer has a companion smartphone app.
The SIM card in your phone also contains an amazing amount of personal data about you, such as your name, phone number, cellphone account information, and contacts. When you lose your phone, all this data goes with it. A security product with remote wiping capability can protect you from this eventuality. And remember to remove and destroy your SIM when you sell your phone.
Most of us, including yours truly, are fairly addicted to our phones, but it is important to understand just how leaky these things are from an information standpoint. Since we can’t avoid the risks associated with them, we at least need to understand what they are. And now, you do.
And this presentation from the FBI was given recently at a Milwaukee cybersecurity conference. If you are looking to secure your phone, this document covers a pretty extensive list of considerations.