Mobile smart devices have all the capabilities of a laptop or computer. What this means from a cybersecurity perspective is that they are every bit as vulnerable as a laptop or desktop computer. The fact that they are small makes them easy for a thief to slip in a pocket or backpack and carry away, along with your personal information, contacts, pictures, geo-location history, and a raft of critical and revealing information.
In addition to theft or loss, your smartphone is vulnerable to the following exploits:
- Physical access – an attacker who has access to your phone can install software, malware, or copy information and pictures from your phone without your knowledge.
- Social Engineering – someone posing as a cell carrier service agent, for instance, calls you and talks you into revealing information or providing remote access.
- Email and SMS – email exploits are being crafted to target mobile phone users in the same ways as computer users. These sorts of exploits are moving to SMS and MMS communications as well. The link you click could get your phone a nasty infection.
- Jail-breaking or rooting your phone – in an effort to change carriers, or install something that the carrier or manufacturer won’t allow, the owner takes administrative ownership of the phone. This often removes any security built into the phone operating system, and makes you phone more vulnerable to other attacks.
- Wireless access – Bluetooth, Wi-Fi, infra-red, and near-field communications (NFC) are communication channels that most smart phones support. All of these channels are attack paths for cyber-criminals. Leave these channels turned off when not actively using them.
- 3rd party apps – if you can’t find it on the Apple Store or the Android Play Store, you take a risk that their may be malware embedded in the app but unscrupulous developers, or that the app is so poorly written that is creates exploitable security vulnerabilities. Stick with trusted apps.
- OS and MySQL – of course there are vulnerabilities being discovered in the operating systems all the time. Timely patching is the answer, but this process is often controlled by your carrier or handset manufacturer, and may not be done in a timely way. The FTC is looking into this currently. Apple phones use the MySQL database in their OS and this makes them vulnerable to SQL exploits such as the SQL Slammer worm.
- Geo-location – your phone (and mine) do an excellent job of keeping track of everywhere it has been, and since it has been with you, an attacker can learn a lot about you by analyzing this travel information. Turning the phone off does not always prevent this information gathering either. Big Brother or Evil Brother may be watching!
- Microphone and camera – if I have control of your phone, I can use your mike and camera to spy on you and listen in on all conversations in range of the phone.
- Credentials – often your phone will have saved user and password information (cached credentials) that an attacker or thief can use to gain access to online accounts and other resources.
- Downloads – just as with full-sized computers, smartphones and tablets can be infected via downloads or file attachments. Be sure you trust the source.
That’s the run-down on smart device vulnerabilities. On Friday we will look at ways to mitigate or eliminate these risks.
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com