Cyber Defense Magazine - Smartphones in the business environment: Trusted Tool or Trusted Threat?
When a business allows the regular use of cellular phones in the workplace, the first thought is that by doing so the business empowers the employee and boosts their productivity.
After all, today’s smartphones can provide a near-virtual office on the go. Constant connectivity via text and email, teleconferencing, the ability to upload and download documents easily, the list is endless of how many ways smartphones enable employees to stay on the job no matter where they are and at any time of day.
What most businesses don’t realize is that by allowing the regular use of cellular phones in the business environment, sensitive and critical information related to their operations is put at risk. Every major business will say that information security is a top priority, yet allowing the regular use of cellular phones in the business environment can severely undermine that priority without the proper security measures in place.
In fact, the microphone can be open virtually all time which enables eavesdropping on face-to-face conversations. One under-appreciated example of this would be in newer phones with a Droid OS; all that’s needed to wake up the phone is to speak “Ok, Google” into it. Bottom line, devices and facilities need to be secured from this threat.
Downloadable “cell phone spy-ware” is easily found on the internet and can be priced as low as twenty-dollars; more expensive programs can even be remotely installed. Using these programs, a phone spy can take over the phone and do whatever they want with the stored data in addition to using the phone’s microphone, GPS, camera and every other function on the device they attack. Information stored on smartphones can be retrieved, collected, transmitted and removed from the targeted device via any connection to it, whether it’s a cell tower, a radio connection or an internet connection.
Your cell phone can spy on you just because it’s in the same room with you, you don’t have to be using it. Cell phone spy-ware as well as downloaded applications installed on a smartphone can use the devices various sensors including the camera and microphone to perform surveillance; all of which can be recorded. These types of software packages are the lowest cost and simplest way to attack a phone; including more expensive versions which can be installed remotely. Common criminal use for this type of attack includes industrial espionage, identity and data theft, domestic violence and stalking.
This brings us to an important tip to immediately improve your security protocols:
If you or your organization lists cell phone numbers on your business cards, immediately stop using them. Dispose of them as you would other sensitive information and have them reprinted without the cell phone numbers on them. It’s time to acknowledge that your cell phone is a powerful computer that is loaded with sensors and strapped to a wireless router and a radio none of which you have much control over. Your cell phone number has really become your cell phone’s “network address” (think IP Address); it should be treated as such.
Office phone systems usually have a forwarding feature as a standard feature and it’s really time to put it to use; only give out your desk phone number and have the office phone forward your calls to your cell phone. This methodology for network address management should sound familiar to information security professionals.
We’re going to step the skill level and budget up a notch now and discuss how a person can access a smartphone, bypass encryption, track its movement and monitor its activity and data by using a piece of hardware called an “IMSI catcher”. IMSI stands for International Mobile Subscriber Identity and it is the primary identifier for the subscriber of cellular service; this number is typically tied directly to whoever pays the phone bill. The function of IMSI catchers is to appear to be the best cell phone tower in the area (known as cell tower spoofing) so that phones within range of the IMSI catcher attempt to connect to it.
Commercially available under names like “Stingray, “Hailstorm” and “Gossamer,” these units are extremely mobile and are typically used by law enforcement. Due to their compact size (Gossamer is as compact as a large walkie-talkie), the hardware can also be easily used from a vehicle to monitor phone location as well as intercept communication, eavesdrop, deny service to a phone and more. Stingray is the widest known of these and “stingray” has even entered the vernacular as an over-arching term to describe this type of hardware.
Law enforcement agencies using handheld models for “official use” (and anyone else “unofficially”) can walk among a group of people and harvest identifying information about every phone around them. A larger model could be put inside a delivery van, parked several miles from an office building and still have the ability to eavesdrop on the phones inside without anyone inside the building ever knowing it. This capability presents a challenge for every business that demands confidentiality in any of its operations. Costs of these units via the commercial market run between the low five figures to over one-hundred thousand dollars based on features and capabilities.
While the price tag and marketing regulations of commercially available IMSI catchers may put them out of reach for many, wireless security experts have demonstrated their own version, with near-equal capabilities of commercial units and produced for less than two-thousand dollars. At this point anyone with a smattering of technical skill and some internet search time can use off-the-shelf components to build an IMSI catcher powerful enough to rival commercial models.
Susceptibility of cell phones to this kind of attack begins with the technology the phones employ. Cell phones are network dependent so communication is done between cell phone and cell tower; it is not a phone to phone transaction. In order for your service provider to know what cell phone towers will have the best chance of sending your next call, email, etc. the cell phones themselves are actively seeking out new towers to connect to – they don’t differentiate. Because of this, the analogy of a naive child talking to strangers when illustrating how cell phones behave is fairly accurate. Imagine your child with you as you walk through a large crowd and the child says “hello” to every single individual you pass. Should any one of them ask, it will tell them everything you’ve been doing all day long without you ever knowing about it.
In addition, the network is designed so the cell phone towers themselves (real or simulated) control the parameters of the communications session not the phone, the tower (real or simulated) makes the determination to use encryption or not. So, if someone is pretending to be a cell phone tower, they can employ a command to any phone that connects to it to simply turn off session encryption.
The “man in the middle” attack with an IMSI catcher takes advantage of these flaws and inserts itself between the tower and the phones. Once a cellular phone is within range of and connected to an active IMSI catcher, the phone is essentially under the control of someone else. The attacker can access, remove, copy and send all the information on the phone, as well as installing surveillance software for later use when the phone moves out of range. The real benefit to this kind of attack is that there is little to no paper trail left; only the person performing the attack really knows that it’s happening. The attacker can be right next door or over a mile away and even act as a relay so that the phone still functions as normal, while monitoring all traffic sent to and from it and everything picked up by its microphone and camera.
Many of these kinds of attacks happen even when the phone is turned off. How? The off mode of most cell phones does not turn the phone entirely off; it’s not like the switch on a wall. The screen may go dark, but the motherboard inside is still energized and waiting for signals from the things attached to it, like the power button or the radio it uses for communications. “Off” in this instance is like your television set being “off” until you point the remote at it and send it a wireless command to turn on. So, whether on or off (again - off is not entirely “off”), infiltration of a phone can go on undetected by the user; unless the screen suddenly lights up, there is almost no clue the user would have to their phone being remotely accessed by another device.
The general public largely thinks of smartphones as a trustworthy life-enhancer relying mostly on false assumptions on how they operate and who has access to them. Depending on the brand, advertising for smartphones positions them somewhere between an always-dependable lifeline and a way to save and share life’s moments. They are welcomed into our lives like a trusted member of the family. While smartphones do have the power to make our lives easier and connect us to others in a myriad of ways, the inherent danger they pose should be recognized. Their microphones and cameras are essentially on all the time, gyroscopes and SIM cards can be infiltrated and used in ways you wouldn’t expect, sensitive documents and emails can be retrieved, copied and sent to anyone – and more – all without the user’s knowledge.
As powerful as smartphones are to help us, everything about them can be used just as easily for productive purposes as it can be for detrimental purposes. The microphone can just as easily facilitate a call as it can eavesdrop on a conversation in a room when you’re not on the phone. The phones camera can capture insurance images of storm damage to your facility as easily as it can the confidential slides shown during your next meeting. Its various network connections (cellular, wi-fi) can transmit information that can close your next business deal just as easily as it can close the doors to your business.
The dots to the full picture of how susceptible cell phones are to hacking have been painted; it’s time to connect them. The resulting picture is that cell phone usage is the most under-considered security threat to businesses today.
Original Article Can Be Found Here.