The Perils of Owning a Smart Device in the Information Age
With the ever increasing popularity in Smart devices, such as a Smartphone and a tablet, people are becoming used to having the ability and the convenience of doing anything they need in the palm of their hand. Research has shown that with our desire to become more mobile in our lives, we are putting our finances and personal security at risk for the sake of convenience. Most smart devices are as powerful as a PC was just a few years ago. People need to start becoming aware of this fact and not look at it as a simple communication device. One of the biggest benefits is also its greatest dangers, using Bluetooth on a Smartphone can leave it open to be hacked. Even out in public it is not as safe as it may seem; using public Hotspots increases the chance of your mobile device to be hacked. Just because you are in a public place connecting to an unsecure Wi-Fi is opening you up for attacks, and the worst part is you do not need to accept an e-mail or click a link to be hacked. Just as a PC can be hacked or get a malicious software put on to it, so can today’s mobile devices. The public needs to be made aware of these dangers and how to protect themselves.
The mobile revolution continues to grow.
Most people today that own a cell phone own a Smartphone, Pew Research center states that 64% of American adults now own a Smartphone of some kind. While owning a Smartphone is in itself not a danger, what it can be used for as well as what can be done to it are. In the U.S., the average user has not been exposed to the threat of Malware at a rate as users around the world have been. But that is no reason to become complacent in the way we protect these devices. Just as the PC industry started out in the U.S. without very many problems, so has the mobile market. So what we need to do is look at the PC industry to realize how it has evolved over the past decades to where it is now. It will show what the smart device user can expect to happen to the mobile industry in the next few years.
Even as the mobile industry increases by leaps and bounds there is an underlying need for education on how to protect these devices from malicious individuals. Just as the Titanic did not see the iceberg until it was too late, so is the chance of people of the mobile revolution will not see the dangers that are just under the surface. With every new application that comes out for a Smartphone or a tablet that makes it easier for a user to do a task without having to travel to a specific place or use it as a form of payment, it opens up the device to be hacked or exploited by a malevolent individual. In some instances, the owner of the device is unaware it is happening to their newly purchased electronic apparatus.
The associated dangers continue to grow too.
That is why the need for proper training on how to protect the device is ever so important. While the first mobile virus that was released on the world known as Cabir was relatively harmless and caused no real threat to the devices, it opened the door and paved the way for more malicious code to be written. (Hypponen, 2007) This started the mobile device owner down the same path the PC user has traveled in the past. Unless the user begins to understand the nature of the equipment they are using in their hand, it will become as the PC has; drowning in malicious software and needing constant updates and patches to prevent it from become exploited in some way. Owners need to understand that the little apparatus they are holding in their hands that they text, send e-mail, and play games on is a palm sized PC. The average Smartphone has as much processing capabilities as a high end PC from the past ten years.
Most viruses or malware for smart, mobile devices can infect the device in many ways.
- Some use trickery by disguising themselves as an application a user would want; this mode is called a Trojan Horse Attack. The malicious software is actually embedded into the application and installs itself after being downloaded.
- The next type of attack exploits the Bluetooth capabilities of the device. This is the way that a worm travels and is exchanged through the device because it does not require any actions from the owner.
- The last is a virus which can be transmitted by e-mail or a malicious site. It is activated when the user either clicks a link in an e-mail or an executable file downloaded from a site. (Aubrey-Derrick Schmidt, 2008)
- There is also the threat of losing the device and all the information stored on the phone or tablet being stolen and used for someone else’s personal gain.
So many people today, for the simple fact of convenience, keep their e-mail passwords, banking information, as well as other accounts stored in their mobile device just so they can pull it up at the swipe of a finger. This is the main reason for the rise in the act of attacking mobile devices. While at the start they were not malicious in nature, today they have become a very devastating threat to the mobile user. The viruses that are out today have the capability of completely disabling the device, deleting the data stored on it, or sending messages to premium numbers that could rack up a small fortune. (Hypponen, 2007) This is why people need to made aware of the iceberg looming ahead.
Specific ways your smart device can be attacked.
There are many different ways the smart device can be attacked; some are as simple as connecting to a mobile Wi-Fi hotspot. Malevolent people have learned how to exploit this aspect of the device; malicious activity can range from creating a rogue hotspot to selling hotspot devices with corrupted firmware installed on them. So the place providing the hotspot is unaware they are helping to steal information from the patrons connected to the network. These corrupted routers are usually purchased on online auctions where the business owner is trying to conserve money on the overall purchase of the hardware. (Tsow, 2006) The reason this can be so hard to detect is that most businesses do not have the means to verify whether or not the firmware of the device has been corrupted. Nor would they even wonder about it at all because there have not been too many reports of such things happening to raise awareness to the point that the average consumer would be made known of the situation.
Another form of this type of attack is even more malicious and dangerous not just to the owner of the device but to countries around the world. Terrorists have long known of the exploits of the modern mobile device and have started to use this to their advantage to spread their propaganda and fund their projects. They do this by exploiting major flaws in the cellular format, as well as social interaction of the users. The first is by using the cellular devices natural tendency to lock onto the strongest signal by setting up a mobile hot spot in a public area to get the user to connect in hopes of free internet service. The other is by creating a PAN (personal area network) using the Bluetooth left open in discovery mode on the cellular device. (Gold, 2011) To some this may seem to be something straight out of a TV show or that it could only happen in the movies, but this is the mindset that the users need to overcome; they need to get past this Never-Happen-to-Me Syndrome.
Most of these devices, that cause these problems, are so small that they could be installed on a person’s laptop sitting next to you at Starbucks and you would never even know it. One such device is a router called the openPicus. It is small enough to run off a battery, but powerful enough to run a web server from its memory, creating a rogue unsecure network hoping someone will connect to it so it can transmit its information back to the hacker. It can even be turned off by a simple command sent remotely if anyone becomes suspicious. (Gunasekaran, 2009)
Another device that could be made is a mobile Bluetooth scanner. Research has uncovered data on how easy it would be to create such a device and use it in a populated area like an airport or coffee shop. It was called the Blue Bag Project and what the researchers did was to show what parts were needed to create such a device as well as test it. The results were astounding; they scanned three different locations for seven days and totaled 23 hours of scanning and were able to detect cell and Smartphones (1,312), PCs/notebooks (39), Palm pilots (21), GPS navigators (15), printers (5), and other devices. (Claudio Merloni, 2007 ) This is a very scary statistic to think about; how easy they were able to gather information from that many devices in that short of time.
There is already been research done that shows how far this exploit in the phones system can be taken. It was done by a group of researchers to see what could be exploited even more than what was already done. The experiment was called Soundcomber; it is a Trojan that is designed to open up the microphone as well as record and transmit what is being said during the call or while the microphone is active, all this without the owner being aware of anything happening to their device. They have also experimented with unlocking the video of the phone as well to transmit video as with the audio. (Roman Schlegel, 2004) They did install a safety device in the coding of the software to prevent it from harming anyone. But just as Cabir was not malicious on deployment it turned into a major problem once people started re-writing parts of its code. So could Soundcomber become a serious privacy and security concern?
Why do malevolent people want your information?
The main driving force behind this entire problem is no longer maliciousness code writers but pure greed. There is money that can be made from the exploitation of users who are unwary to what interactions they have on their mobile devices. Millions if not billions of dollars are lost to hackers every year, and the rate is growing now that they have a new opportunity to exploit in the smart device market place. With the ever growing population of younger and older people who never owned a PC and know how easy it is to become a victim of malicious coding. This leaves a great big hole in the uneducated operator of these types of devices. This would be like grizzly bear falling into an aquarium of breeding salmon. Everyone can see the danger but are unwilling to step in and stop it from happening. For fear of getting the attention of the bear and having to take the brunt of the attack and fight it off, such is the fear of hackers. If somebody does something to stop them, they believe they will become the new target of the hacker.
As a prime example,the cost that businesses and users need to spend to prevent the fraud known as Phishing and Pharming is astronomical. In 2002, the cost was $202 million by the time it reached 2008 the cost was over $880 million and ever increasing. (Knight, 2005) In comparison, in the first half of 2012 the cost is over 600 million. Showing the increase of the amount of attacks on businesses as well as personal users, this should be a serious red flag to security professionals everywhere, as well as the general public. Even though this is only one example, the cost to companies is a serious threat, and it should be included in employee training to prevent network problems on an already established and secured network.
Risks of employees and BYOD
Today it is very common for employees to connect their devices to the company network to keep them from having to consume their minutes and have faster download speeds. The problem with this is if the mobile device has been compromised by a virus or malware, it will open a gateway for a hacker to breech the company network. The other problem with this situation is that when the mobile device is removed from the network, the access point is removed but the damage is already done. It also makes it harder for the IT professionals to find where the breech originated, because the device responsible for opening the hole in the firewall is now gone and no longer on the network.
Risks of Internet of Things
There is also an aspect to this security issue that has not even come into play yet. Most new appliances are coming out with Bluetooth capabilities so if you have items with RFID chips installed they can send you a text that the food is about to expire or that the quantity is low. The ability to start newer ovens is also available by using your phone. The home security systems are now able to be manipulated by Smartphone’s and tablets. Including the enabling and disabling of the alarms, turning off and on the security cameras. Even your new automobile communicates with your Smartphone. It will send you a text reminding you of required maintenance needed. What would happen to any devices if the smart device had been hacked without the user knowing and then sync with these devices?
- The oven could be turned on high before you get home; risking fires.
- The refrigerator temperature could be turned down, causing the food inside to spoil.
- The alarm system could be turned off, allowing an individual to enter the premises to rob the owner or worse.
- The automobile could have the doors unlocked and personal items stolen from the vehicle.
- And the most dangerous is a new device that allows a Smartphone to become a credit card reader. If the device with the reader should become infected it has the ability to steal account information from every card that is passed through it.
All this can theoretically happen from an unprotected smart device.
How do you protect yourself?
While all of this information may want to make a person take the mobile device and run down into the basement and cover all the windows with aluminum foil or build a fallout shelter that won’t allow radio waves in our out to keep it safe. There are ways to make the device more secure by using hardware or updated software to fix the glitches or holes that are in the OS of the device. Just as the PC needs virus protection and hardware security to protect itself so does today’s smart devices. There are software patches, firmware upgrades, and many different applications to help prevent these things from happening.
One simple way of doing this is by reducing the area of the can be attacked as much as possible. Even though the device is always on features of the phone can be turned off while it is being used; this is one advantage over a PC. Which means when a user makes a call or sends a message, the PC functions of the device do not need to be operating. (Chuanxiong Guo, 2011) Another simple way to strengthen the security of the mobile device would be to turn off discovery mode of the Bluetooth feature once the devices that are desired to be connected are. This will make the device invisible to scanning devices. One of the most important and simplest of things to do would be not to connect to any network that you do not know what it is. Is free internet worth losing all your personal data to a hacker?
The devices themselves also have built in security features. It is that most individuals do not realize it is there or how to make it work. The security feature is already installed in the software of the device. The features include making the device display any phone number that is calling into the device. Also making it turn on the display when the device is dialing out. This is process is called hardening the OS. (Chuanxiong Guo, 2011)
There is also a way to protect the device using the hardware. Smart phones come with a SIM card installed by default. This allows a security toolkit to be installed called STK it allows an API security app to be installed to the SIM. If you were to combine the STK with a TPM (trusted platform module) there would be no need for adding a security chip to the device. (Chuanxiong Guo, 2011)
There are many different applications that can be downloaded to the device that can protect it from malware. They range from virus protection such as Avast, McAffee, Norton, AVG, and Kaspersky. There are many more than this but these are considered some of the best applications to protect a smart device. There are even applications to protect the apps on the phone. Some of these are BitDefender, Eset, Sophos, Gadget Trak, Last Pass password protection, and SplashId. These are all designed to inspect applications as they are downloaded and installed. LastPass and Splash Id will store all passwords and account numbers and encrypt them to keep them protected. If the phone should be hacked, stolen or lost.
If the Smartphone or tablet should be misplaced or stolen there are things that can be done that would protect it and keep the information from being used maliciously. There are applications that will lock the touch screen and the user would need a code or a sliding key to unlock the device. There are also applications that will hide other applications that have important personal information in them. These applications are usually named something innocuous and would seem like a default part of the systems OS. Until it is executed then it will say something like there is an error with the application and ask if you wish to report it. If yes is clicked then it asks for the password to send the information. If the password is correct then it will unlock the applications that are stored in it. It will also store videos, pictures and documents. A GPS application should be installed as well to track where the device is. It can be as simple as being under couch or left in a car. It might even help law enforcement track down where it may be.
If the device is in another person’s hands and there is no chance of getting the device returned there are applications that can be operated remotely to protect the device. These are applications that with a command from a computer will lock the device down from being used. In a worst case scenario if the information is too important or dangerous to be leaked to a malevolent individual or groups of individuals there is an application called a wipe program that will wipe all the data off of the device making it completely useless. This also can be activated remotely from a computer with a single command and it cannot be reversed once it has been activated.
Final Thoughts and Next Steps
So as you can see, while there is much that there can be done to corrupt a device for malicious gains, there are many productive ways to halt this from happening just by following some simple steps. All that needs to be done is for people who have already purchased these devices to be made aware of this ever increasing situation. This also needs to be shown to the people who are just purchasing these devices for the very first time; they need to be trained of the dangers that could befall them if they do not take any course of action to protect the device. While this may seem like a daunting task that can never be achieved, but if just the smallest steps are taken to secure the device, the outcome will be great in number. The amount of devices being purchased every year is on the climb, and if each owner only did one thing to make the device more secure that would mean one less avenue for the device to be corrupted, which in turn would lead to a smaller payout to people who benefit from another users gain.
In conclusion, this article shows the importance needing to make the public aware of all the ways their devices can come under attack from a malevolent individual trying to make a gain at another’s expense. It has been shown that our desire to become more mobile in our lives that we are putting our finances and personal security at risk for the sake of convenience. Whether it be from not setting up the Bluetooth properly or connecting to a public WI-FI, possibly even doing something as foolish as connecting to an unknown and unsecure network just to get free internet. It has also been proven that you can be hacked without having to except an e-mail or click a link. With proper knowledge and training on how to properly secure the device from attacks, the owner of the smart device has the chance of preventing a catastrophic event like that which has happened to owners of a PC, and the malicious individuals can be thwarted.
Aubrey-Derrick Schmidt, S. A. (2008). Malicious Software for Smartphones. Berlin: DAI-Labor, Technical University Berlin.
Chuanxiong Guo, H. J. (2011, November 11). Smart-Phone Attacks and Defenses. Retrieved from Microsoft Research: http://research.microsoft.com/en-us/um/people/helenw/papers/smartphone.pdf
Claudio Merloni, L. C. (2007, MARCH/APRIL ). Studying Bluetooth Malware Propagation: The BlueBag Project. THE IEEE COMPUTER SOCIETY, pp. 17-25 .
Dean McCullagh, A. B. (2006, December 1). FBI taps cell phone mic as eavesdropping tool. Retrieved from CNET NEWS: http://news.cnet.com/FBI-taps-cell-phone-mic-as-eavesdropping-tool/2100-1029_3-6140191.html?www.dailytech.com
Gold, S. (2011, July 11). Terrorism's invisible propaganda network. Engineering and Technology Magazine, pp. 58-63.
Gunasekaran, A. (2009). Hybrid Pharming Attack using Malicious Unsecure Wireless Router. Retrieved from mst.edu: http://web.mst.edu/~agbt4/project_reports/CpE349_Project_Report.pdf
Hypponen, M. (2007). Status of Cell Phone Malware 2007. Retrieved from Blackhat.com: https://www.blackhat.com/presentations/bh-usa-07/Hypponen/Whitepaper/bh-usa-07-hypponen-WP.pdf
Knight, W. (2005, July). Caught in the net. IEE Review, pp. 26-30.
Roman Schlegel, K. Z. (n.d.). Soundcomber: A Stealthy and Context-Aware Sound Trojan for ... Retrieved from Indiana.Edu: http://www.cs.indiana.edu/~kapadia/papers/soundcomber-ndss11.pdf
Tsow, A. (2006). Phishing with Consumer Electronics – Malicious Home Routers. Retrieved from I3s.de: http://www.l3s.de/~olmedilla/events/MTW06_papers/paper22.pdf