Fraudsters’ slick olive oil switch
Read Time: 13 mins
Written By:
Donn LeVie, Jr., CFE
When Barack Obama became president, he made it clear that he wanted to keep his Blackberry with him. However, the U.S. Secret Service knew his smartphone was not secure. So, the National Security Agency, the White House Communications Agency and private companies developed software to "withstand hacker attacks and thwart eavesdropping spies," according to PCWorld.
While the president may, in fact, be able to use his smartphone without fear of intrusion, the rest of us face significant security risks.
Simple cell phones and personal digital assistants are becoming dinosaurs as smartphones are becoming the preferred high-tech form of communication. A smartphone is "a cellular telephone with built-in applications and Internet access" according to PCMag, which provides "e-mail, web browsing, still and video cameras, MP3 player, video viewing and often video calling." According to comScore's July 2011 U.S. mobile subscriber market share report, "82.2 million people in the U.S. owned smartphones during the three months ending in July 2011, up 10 percent from the preceding three month period."
In addition to making phone calls, smartphones are most used to download applications (apps) and web browsing. According to marketing website ClickZ, "… smartphones make up less than 25 percent of the mobile phone market in the U.S., but their owners consume more than 60 percent of the app market and make up more than 55 percent of mobile browser use." ("Study confirms continued rise in smartphone app consumption," by Phil Hornshaw.)
The same vulnerabilities that have plagued personal computers now threaten smartphones. Imagine if a fraudster hijacked the smartphones that your organization issues to employees for business use. Perpetrators can steal proprietary and economic information that could cripple your operations.
These vulnerabilities will continue to grow with the smartphone market. "To date, around four hundred threats on mobiles have been identified. While this may appear minuscule as compared to the four million threats for computers, the dangers to users are very real," said Vishal Dhupar, Symantec's managing director for India, in the June 20, 2010, Hindustan Times article, "Mobile phones new turf for hackers: Symantec."
This article will focus on the most common threats and ways your organization can protect its business phones.
SMARTPHONE VULNERABILITIES
Smartphones, indeed, all cellular phones, are extremely vulnerable to security attacks; the only thing a hacker needs is a phone number. In a Control Message Attack (CMA), a criminal can change the control settings of a device without the user having any knowledge, according to the online April 30, 2009, PCWorld article, "Simple Steps to Hack a Smartphone," by Joan Goodchild. Elinor Mills reported on the cnet website that with a CMA, "An attacker with the right toolkits and skill could hijack your phone remotely just by sending SMS messages [text messages] to it, according to mobile security firm Trust Digital."
Mills writes, however, that this method is most effective when used with another method, such as a Midnight Raid Attack (MRA), named as such because it is most effective when a victim is asleep:
"(A)n attacker could send a text message to a phone that would automatically start up a Web browser and direct the phone to a malicious Web site, said Dan Dearing, vice president of marketing at Trust Digital. The Web site could then download an executable file on the mobile phone that steals data off the phone, he said."
After a hacker disables a smartphone's Secure Sockets Layer in its browser via a CMA and an MRA, he can steal business credit card and banking information, business emails containing sensitive information, plus the user's personally identifiable information (PII), contacts' information, and passwords and answers to security questions for entering secure websites.
Meir Machlin, director of product architecture with Trust Digital, showed in a video accompanying another article by Joan Goodchild, "3 Simple Steps to Hack a Smartphone," from CSOonline.com, April 29, 2009, how easy it is to take over a smartphone. Machlin's "hacker tool kit" included a laptop with WiFi connectivity and two phones. One phone acted as a global system for mobile communications (GSM) modem for the laptop (allowing the computer to connect to a mobile network), and the other phone was Machlin's personal device. He used his own phone to open a web browser on the phone he was attacking, sent a message to the phone's screen that it had been hacked using a CMA and then an MRA, stole the phone's IMSI (the unique identification number for that phone) and completely wiped the device. He could have just as easily stolen the phone's personal or corporate contact list.
Smartphone information is also vulnerable to spam, malware and spyware attacks. When a phone user clicks a malicious link in a spam email, malicious code can compromise the device because, unlike laptops and desktops, smartphones generally do not run antivirus programs. Zack Stern in PCWorld's "Put an End to Cell Phone Spam," Oct. 6, 2008, suggests that "… when you do receive spam, don't click any links inside (including any apparent ‘unsubscribe' links) or even load the images. Both can be ways to verify that your address is active, which will ensure that you get a whole lot more junk."
Spyware is probably the easiest type of malware to obtain because it is legally marketed for monitoring children or helping catch a cheating spouse and costs only $50 to $200. "Once installed, the software then secretly records all cell phone activity, giving you complete visibility of everything that occurs on the phone," according to the article, "Flexispy — How To Spy On a Cell Phone & Which Spy Phone is #1? Flexispy Spy Phone, Mobile Spy, or e-Stealth?" So, a fraudster who has complete access to this information could potentially learn credit card numbers, email passwords, banking passwords and almost any other PII and business data.
"Free" third-party downloaded applications such as games can contain malware. In the June 4, 2010, Reuters article, "Hackers plant viruses in Windows smartphone games," reporter Jim Finkle explains that some of "[t]he games are bundled with malicious software that automatically dials premium-rate telephone services in Somalia, Italy, and other countries, sometimes ringing up hundreds of dollars in charges within a single month."
PREVENTION IS ALWAYS THE KEY
We can only win the battle for PII by being proactive rather than reactive. Common sense measures, of course, are the first steps. Do not put any information on a smartphone that does not need to be there. If possible, avoid storing sensitive information such as passwords or PINs. Do not leave a phone lying around where criminals can access or steal it. Do not lend phones to unknown individuals. If a smartphone is stolen or lost, report the theft immediately to the wireless service provider; if a thief did dial out, the provider will be able to look up the numbers that were dialed and possibly track down the phone. If PII was kept on the phone, immediately notify organizations such as credit card companies or banks.
Users can back up or "sync" smartphones to their computers or other devices to protect their data and download security updates. Unfortunately, syncing a smartphone can be a threat in itself because it captures further information from the user's computer. Users must be careful not to upload any unnecessary PII by choosing default options; instead, they should select custom alternatives.
Lock all phones with passwords. An auto-wipe feature will delete all information after a set number of failed login attempts. Also, an auto-lock feature, much like locking the screensaver of a PC, prevents anybody from accessing it after a set amount of time or by the click of a button, and it stays locked until the password is entered.
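The password lock, auto-lock timer and auto-wipe counter described above, modelled as a small state machine. This is an added illustration, not code from the article or any handset vendor; the thresholds, the `DeviceLock` class and the injectable clock are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time

# Hypothetical model of the lock, auto-lock and auto-wipe policy the article
# describes (added illustration, not vendor code); thresholds are constructed.
MAX_FAILED_ATTEMPTS = 5   # auto-wipe after this many consecutive failures
AUTO_LOCK_SECONDS = 120   # auto-lock after this much idle time


class DeviceLock:
    def __init__(self, password, clock=time.monotonic):
        self._clock = clock            # injectable so tests can fake time
        self._salt = os.urandom(16)    # keep a salted hash, never the PIN
        self._digest = self._hash(password)
        self.failed_attempts = 0
        self.locked = True
        self.wiped = False
        self._last_activity = clock()

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def is_accessible(self):
        """True only while unlocked and not idle past the auto-lock timeout."""
        if self.wiped or self.locked:
            return False
        if self._clock() - self._last_activity >= AUTO_LOCK_SECONDS:
            self.locked = True          # auto-lock kicked in
            return False
        self._last_activity = self._clock()   # any access restarts the timer
        return True

    def unlock(self, password):
        """Return True on success; wipe after too many consecutive failures."""
        if self.wiped:
            return False
        if hmac.compare_digest(self._hash(password), self._digest):
            self.failed_attempts = 0
            self.locked = False
            self._last_activity = self._clock()
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wipe()
        return False

    def wipe(self):
        """Auto-wipe: discard the credential so nothing can unlock the device."""
        self.wiped, self.locked, self._digest = True, True, b""
```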
Bluetooth can render smartphones insecure because devices with this technology are allowed to connect to one another without authentication. After these phones are connected, they do require authentication to access services such as a phonebook. However, security can be breached because some phone developers may fail to properly set up the authentication process, according to Marek Bialoglowy, in Symantec's "Bluetooth Security Review, Part 1." The easiest way to avoid this vulnerability is to keep the Bluetooth function off and undiscoverable whenever it is not being used. And it should not be used in public wireless venues because criminals target these areas.
To avoid being a victim of malware from applications, only download apps from known and trusted providers and sites. Ken Colburn, a data expert writing in the East Valley Tribune, said that Apple screens developers and their apps, and it regularly identifies security vulnerabilities in apps. A number of such vulnerabilities have been exploited in both the iPhone and Android. To avoid getting malware from SMS and MMS text messages or emails, do not open anything from unknown senders.
In a new variant of phishing, "smishing," a fraudster tells an intended victim through an SMS (text) message that he or she needs to call a toll-free number to resolve an urgent bank account issue. The victim then supplies account information via a fake voice-response system. Security experts expect smishing scams will increase, especially during the holiday season, according to the Jan. 17, 2011, article, "Smishing: scary new malware scam," by Matt Lebowitz on msnbc.com.
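A simple filter for the smishing pattern just described: an urgent banking problem that the recipient is told to resolve by phoning a toll-free number. This is an added example, not from the article; the sample messages are constructed, and the signal words, the toll-free prefix list and the scoring threshold are assumptions chosen for the demo.

```python
import re

# Constructed sample SMS bodies for the demo (not real traffic).
SAMPLE_MESSAGES = [
    "ALERT: Your bank account has been suspended. Call 1-800-555-0142 "
    "immediately to verify your account.",
    "Reminder: dentist appointment Tuesday at 3pm. Reply C to confirm.",
    "Urgent! Unusual activity on your debit card. Call 888-555-0199 now "
    "to avoid account closure.",
    "Hey, are we still on for lunch? Call me at 505-555-0123.",
]

# North American toll-free prefixes (800, 833, 844, 855, 866, 877, 888).
TOLL_FREE = re.compile(r"\b(?:1[-. ]?)?8(?:00|33|44|55|66|77|88)[-. ]?\d{3}[-. ]?\d{4}\b")
CALL_REQUEST = re.compile(r"\bcall\b", re.I)
FINANCIAL = re.compile(r"\b(?:bank|account|debit|credit|card|pin|password)\b", re.I)
URGENCY = re.compile(r"\b(?:urgent|immediately|now|suspended|locked|closure|verify)\b", re.I)


def smishing_score(text):
    """Return (score, reasons) for one SMS body; higher means more suspicious.

    The signals mirror the article's smishing pattern: an urgent banking
    problem that the victim is told to fix by phoning a toll-free number.
    """
    reasons = []
    if TOLL_FREE.search(text):
        reasons.append("toll-free callback number")
    if CALL_REQUEST.search(text):
        reasons.append("asks the recipient to call")
    if FINANCIAL.search(text):
        reasons.append("financial wording")
    if URGENCY.search(text):
        reasons.append("urgency wording")
    return len(reasons), reasons


def is_smishing(text, threshold=3):
    """Flag only when several independent signals co-occur, to limit false positives."""
    return smishing_score(text)[0] >= threshold


def triage(messages):
    """Return the messages a filter should hold back or warn the user about."""
    return [m for m in messages if is_smishing(m)]
```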
Smartphones can still be infected even through trusted sources, so breach-detection, antivirus, antispyware and firewall software is a good investment. This software, available from such companies as Symantec and McAfee, does not guarantee protection against every intrusion, but it does protect smartphones from known viruses and can quickly stop malware from breaking into, or breaking down, a system.
Companies also offer software to remotely wipe stolen phones and track them using GPS. These features require that the smartphones have a continuous refresh capability, which allows them to "talk back remotely" without needing a user to manually call out to services.
Encryption software protects information by encoding it so that only those holding the right key or password can decipher it. Also, a user can send an encrypted email to another user, who must supply a password or other authentication to be granted access to read the email.
Experts believe that either BlackBerry smartphones are the most secure or that iPhone and Droid smartphones are equally secure. There are no claims that any smartphone is better than BlackBerry. It all comes down to users' needs and the required levels of security for protection, according to reporter Marguerite Reardon, in the Oct. 14, 2010, cnet article "iPhone, Android give Rim insecurity complex."
Colburn writes in the East Valley Tribune, "[w]ith the popularity of smartphones on the rise, worldwide, be assured that this is an area that the malware coders are focusing on for future attacks."
IMPLEMENTATION
Several businesses, government laboratories and agencies are pioneers in addressing smartphone security issues. The Los Alamos National Laboratory (LANL), which recently gave secure BlackBerry smartphones to its employees, installed a BlackBerry Enterprise Server (BES) as the back-end technical configuration to keep the data secure. The BES sits behind a firewall, configures the settings based on Department of Defense Security Technical Implementation Guides for Wireless policy to harden (or tighten security on) the devices and distributes these settings wirelessly to each BlackBerry that is configured in the LANL environment.
Some of the settings on "hardened" BlackBerrys, which do not contain cameras, prohibit users from downloading apps, using media managers or Bluetooth and operating certain BlackBerry Desktop Manager options, according to "Enterprise Mobility: Finding the Right Balance; Mobile Computing at Los Alamos."
The Los Alamos BlackBerry smartphones use the Secure/Multipurpose Internet Mail Extensions (S/MIME) service, which "is a version of MIME that adds RSA encryption for secure transmission," according to the PCMagazine online encyclopedia. This allows users to encrypt, decrypt and digitally sign emails over an Internet connection.
If a LANL BlackBerry smartphone is lost, stolen or compromised, users can call a 24/7 service line that will immediately initiate a "wipe" command via the wireless network and render the device useless in LANL's environment, according to "Enterprise Mobility." This project led the U.S. Department of Energy to authorize LANL-issued BlackBerry smartphones in limited areas. It should be noted that any BlackBerry Enterprise Server handset can be erased remotely via the Erase Data and Disable Handheld IT administration command.
Few companies have the resources to administer smartphones the way these government agencies do. Thus, most corporate smartphones will not carry all of these security measures. Dan Cornell, principal of the Denim Group, a high-tech consultancy, advises companies to:
"… build your applications with security on your mind, have a plan to address vulnerabilities when they are discovered, make sure researchers know how to contact you to report potential vulnerabilities, take vulnerability reports seriously, respond in a timely manner, set expectations, and have a way to communicate with users when vulnerabilities surface." ("Smartphone Vulnerabilities on the Rise," June 21, 2010)
Cellphone manufacturers and software vendors are often conflicted about giving full disclosures after finding smartphone vulnerabilities. They certainly want to fix vulnerabilities, such as compromised address books and browser caches, as quickly as possible so they can avoid malicious exploitation of smartphones. However, providing complete information on vulnerabilities before software providers have been able to patch them increases the risk that fraudsters will have the ammunition to hack phones.
Many savvy users, often those who find ways to bypass security protections on devices, prefer to maintain full control of their smartphones, and so they do not often disclose identified vulnerabilities. This conflict of interest between control and safety is likely to continue.
Smartphones are quickly becoming as common as PCs, so we can expect the number of threats to become equivalent in time. Organizations must be cautious because their actions affect the lives of their stakeholders. The prevention techniques described here will help with the implementation of security. Your corporate smartphones are in danger — plan accordingly.
Richard G. Brody, Ph.D., CFE, is the Douglas Minge Brown professor of accounting at the University of New Mexico Anderson School of Management in Albuquerque.
Darrell Banward is a graduate student in the Information Assurance program at the University of New Mexico Anderson School of Management in Albuquerque. dbanward@unm.edu.
Kelley Hawthorne is a graduate student in the Information Assurance program at the University of New Mexico Anderson School of Management in Albuquerque.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.