Basic vulnerabilities associated with most smartphones.

1. Smartphone
Necessity
or
Information Sieve
UNCLASSIFIED

2. The purpose of this brief is to raise awareness of the vulnerabilities associated with
smartphones. For the purpose of this brief, when the term smartphone is used, it also
includes iPhones and blackberries unless otherwise specified.
UNCLASSIFIED

3. Definitions
com·put·er
noun
1. An electronic device designed to accept data, perform prescribed mathematical
and logical operations at high speed, and display the results of these
operations.
tel·e·phone
noun
1. An apparatus, system, or process for transmission of sound or speech to a
distant point, especially by an electric device.
UNCLASSIFIED

4. Phone…..Really?
UNCLASSIFIED

5. The Future
Smartphone sales eclipsed standard cellular phone sales as well as PC
sales last year. According to Google, over 200,000 Android smartphones
are activated each day- Ellis Holman
UNCLASSIFIED

6. Hello?
We are talking about a phone …. Right?
UNCLASSIFIED

7. Computer health statistics
UNCLASSIFIED

8. Security Risk
What is the biggest security risk when it comes to Smartphones?
HINT: This risk most likely is the same as internet capable
computers or Wi-Fi laptop use.
Answer: You……. The user.
Like most people, when it comes to new technology, we want it
and we want it now. We usually start using this technology for
all the benefits promised without understanding the
vulnerabilities or the security features available.
UNCLASSIFIED

9. The Numbers
A study conducted by the Ponemon Institute in concert with AVG
Technologies;
•734 random US consumers over age 18 questioned regarding mobile
communications behavior.
• 89 percent respondents unaware smartphone applications can
transmit confidential payment information without the user’s
knowledge or consent.
• 91 percent respondents unaware financial applications for
smartphones can be infected with specialized malware designed to
steal credit card numbers and online banking credentials. 29 percent
report already storing credit and debit card information on their
devices. 35 percent report storing “confidential” work related
documents.
• 56 percent respondents unaware; failing to properly log off a social
network app could allow an imposter to post malicious details or
change personal settings. UNCLASSIFIED

10. U.K. National Statistics
• 45 percent of Internet users used a mobile phone to connect to the Internet
• 6 million people accessed the Internet over their mobile phone for the first time in the
previous 12 months
• The use of wireless hotspots almost doubled in the last 12 months to 4.9 million users
• 21 per cent of Internet users did not believe their skills were sufficient to protect their
personal data
• 77 per cent of households had Internet access
- Office of National Statistics “Internet Access - Households and Individuals, 2011 “
UNCLASSIFIED

11. Malware
• An average of 9 out of every 100 smartphones in
use is infected with malware of some type
UNCLASSIFIED

12. Definitions
Key Logger: A computer program that records every keystroke made by a
computer or Smartphone user. The “key-logger” will then send the
information to an outside server. This is often used in order to gain
fraudulent access to passwords and other confidential
information.
Worm: A computer worm is a self-replicating malware
computer program that can replicate to such an extent as to take up enough
bandwidth to cause a denial of service.
Virus: A Virus is a software program capable of reproducing itself
to corrupt and cause major damage to files or other programs.
They can spread quickly, infecting other computers or smartphones.
Trojan: A Trojan horse, or Trojan, is malware that appears to perform a
desirable function for the user prior to run or install instead facilitates
unauthorized access of the user‘s computer system.
UNCLASSIFIED

13. Spyware
Software that self-installs on a computer, enabling information to be gathered covertly
about a person's knowledge including
– inbound and outbound texts, emails, and phone calls
– Web browsing activity
– Information stored on phone
– Contacts
– Can even turn on the phone’s camera to capture images and video
UNCLASSIFIED

14. Information Hemorrhage on the
WWW
Web surfing is the primary source of new infections, with attackers relying more and
more on customized malicious code toolkits to develop and distribute their threats.
90 percent of all threats detected by Symantec, during a study period, attempted to
steal confidential information.
- Michael Dinan, TMCnet Editor
Web browsing is becoming a big threat, with 38 percent of Android owners encountering a
malicious link — 40 percent if you only consider the United States.
- Lookout’s chief technology officer Kevin Mahaffey
UNCLASSIFIED

15. Think Before You Click
UNCLASSIFIED

16. What’s on Your Phone
"Mobile phones are a huge source of vulnerability. We are definitely seeing an increase in
criminal activity.“ - Gordon Snow, assistant director of the Federal Bureau of Investigation's Cyber Division.
UNCLASSIFIED

17. Keeping in Touch
The “Bad Guy” is using the same tools and resources
that we (the recreational user) use, and a lot of the
time, they know more about the tool.
Across the U.S. and beyond, inmates are using social networks and smartphones smuggled
into prisons and jails to harass their victims or accusers and intimidate witnesses.
In California, home to the nation's largest inmate population, the corrections department
confiscated 12,625 phones in just 10 months this year. - DON THOMPSON, Associated Press November 2011
UNCLASSIFIED

18. Smart Phishing (Smishing) for
Smartphones
Emails or texts messages offering a free one-year warranty extension for a popular
smartphone, links to a company-branded web page. That web page asks for an email address
and then smartphone serial number, IMEI number, type of phone, and capacity of phone.
Cybercriminals use the information requested on the web page to clone the smartphone. –
markmonitor.com
UNCLASSIFIED

19. Man In The Middle (MITM)
Attack
The attacker machine forces traffic between the victim’s machines to route through it by
sending a false Address Resolution Protocol (ARP) reply to both machines. The attacker can
than create new connections and kill existing connections, as well as view and replay
anything that is private between the targets machines.
A testing team has adequately shown that with a mobile laptop in a Wi‐Fi network, it is
possible to intercept communications between a smartphone and the Wi‐Fi hotspot.
- Smobile Systems
UNCLASSIFIED

20. “There’s an APP for that”
UNCLASSIFIED

21. Jailbreaking
• Gives the user root level access to the phone
• Strips away security measures designed to protect the smartphone
• A majority of smartphone malware comes from third party app stores
UNCLASSIFIED

22. “Trojanized” Apps
The malicious developer selects popular apps to “trojanize” and delivers malware
along with the clean content
UNCLASSIFIED

23. Which System is Better?
UNCLASSIFIED

24. How You are “Protected”
Google Bouncer iTunes App World
Scans all uploaded Apple authenticates Vets applications
Android its developers, before
Marketplace apps tests and digitally distribution and
40% decrease in signs each app allows user to
potential malicious before set permissions
apps in the distribution for each item
marketplace in making malware within an app
2011 occurrences rare separately to
give user control
UNCLASSIFIED

25. Defensive software
Malware
Anti Virus
March 2012
AV-TEST an independent
IT security institute, has
inspected 41 different
virus scanners for
Android with regard to
their detection
performance.
UNCLASSIFIED

26. What’s in Your App?
The most common malicious Android apps contain spyware and (SMS) Trojans that:
• collect and send GPS coordinates, contact lists, e-mail addresses etc. to third parties
• send Short Message Service (SMS) to premium-rate numbers
• subscribe infected phones to premium services
• record phone conversations and send them to attackers
• take control over the infected phone
• download other malware onto infected phones
- Cnet.com
UNCLASSIFIED

27. Some Android Apps Use
Personal Data Suspiciously
A study conducted (2010) by Penn State, Duke, and Intel Labs ;
Found that 358 apps in the Android Market require Internet permissions, as
well as permissions to access location, camera, or audio data. Of those 358,
researchers randomly selected 30 apps, including ones for The Weather
Channel and BBC News.
15 of the 30 apps reported user locations to remote advertising servers, and
seven apps collected the device ID, and sometimes the phone number and SIM
card serial number. One app even transmitted phone information every time
the phone booted – even if the app has not been used. Overall, two-thirds of
the apps used data suspiciously, researchers concluded.
- Pcmag.com
UNCLASSIFIED

28. App Security
• Despite increased security in legitimate app marketplaces, malware still comes
through
• Scrutinize apps before downloading
– Do you know the developer?
– How long has it been available?
– What are the permissions required?
UNCLASSIFIED

29. Mobile Banking
• Mobile banking has grown 129% in the last year alone
• Android users alone lost more than one million dollars to cyber-thieves in 2011
and the numbers are climbing
UNCLASSIFIED

30. Geo-tag
Most smartphones and some cameras made today are equipped with geo tags. Geo
tags are imbedded in the picture and use the same concept as GPS.
UNCLASSIFIED

31. Physical Consideration
If you leave your phone unattended, loose or have it stolen, depending on what security
features you have set, a Smudge attack can be conducted. The picture illustrates how easy it
would be to access this phone.
Maintain positive control of your phone and clean the screen after every use if you have a
touch screen keypad.
UNCLASSIFIED

32. Navy Networks
In October 2010, CTO 10-084 was released prohibiting the connection of unapproved USB
mass storage devices to government networks. This includes connecting a
smartphone to a DON computer “just to charge it”. Lack of compliance could result
in data exfiltration, spillage and the spread of malware
UNCLASSIFIED

33. Smartphone Headlines
HTC Smartphone Vulnerability Exposes Your Personal Data
Your Smartphone Is Spying on You
Smartphone pictures pose privacy risks
Report Reveals Data Loss as Primary Concern
for Smartphone Users
Tens of Millions of Smartphones Come With
Spyware Preinstalled, Security Analyst Says
Smartphones evidence a boon for divorce
lawyers
Android super smartphones: Too much of a
good thing?
Smartphones overtook PC shipments in 2011
Smartphone scams: Owners warned over
malware apps
UNCLASSIFIED

34. Recommendations for a More Secure
Smartphone
Never store sensitive data on smart phones
Do not leave phone unattended in public
Enable password protection
Activate the lock-out screen
Update your device regularly, to include
anti-virus software
Enable encryption where possible
Do not open suspicious email or click
unknown links from unsolicited texts or email
Take precautions to avoid theft and recover
from loss
Avoid using smartphones to conduct online
financial transactions
UNCLASSIFIED

35. Recommendations for a More Secure
Smartphone
Only purchase apps from legitimate marketplaces
Understand the apps you download/use
and what data the app accesses
Turn off GPS & Bluetooth when not in use
Disable Geo-tagging
Never “jailbreak” or “root” a smartphone
Keep phone screen clean if using touch
screen keypads
Enable “safe mode” to prevent applications
from running in the background without
permission
Data sanitize your device before
redistributing it
UNCLASSIFIED

36. Summary
• Computer health statistics
• The climb of smartphones
• Activities executed on smartphones
• Security issues involving smartphones
• Application uses and the vulnerabilities
• Physical issues involving smartphones
• Recommendations for smartphones
UNCLASSIFIED

37. YOU Decide!
UNCLASSIFIED