Cell Phone Security 101

WXP News (May 11, 2009) Mobile phones have given us more freedom; we no longer have to stay close by a fixed landline when waiting for an important call. They've also given many people a sense of greater security; if your car breaks down or someone seems to be following you, you can call for help. But there's another, darker side to the security issue. Whether you have a fancy smart phone that's really a full-fledged hand-held computer or just the cheapie model that your cell phone carrier provides at no extra charge, the cell phone that you take with you everywhere you go could be posing a threat to your privacy.

Most people know that cell phone calls are really radio transmissions, and since they go out over the airwaves, they can be intercepted. Several years back, it wasn't uncommon for people with old style police scanners to pick up conversations that were occurring on analog phones in the 824.040 to 848.970 MHz range. It's now illegal to sell scanners that pick up cellular frequencies but many people still have them from the days when they were legal, and you can buy them now in many other countries.

Luckily, intercepting digital phone signals is more difficult. However, there are software packages you can buy that will let you listen in on mobile phones that have Bluetooth enabled (you can also use it to read text messages), and the software doesn't have to be installed on the phone that's being spied on. These programs are marketed as tools to check up on your children's behavior, catch cheating spouses, find out if employees are misbehaving on the job, and so forth. Of course, they can be bought and used by anyone to spy on anyone else for any reason. And a really motivated eavesdropper who's willing to invest in a few thousand dollars' worth of equipment may be able to break GSM (GPRS/Edge) algorithms and reconstruct conversations.

What about the sensitive data you carry with you on your phone? Many of us have contacts, email, and even documents stored on our phones. With many sophisticated smart phones, you can encrypt both the data stored in the phone's internal memory and data on the flash card you have inserted in the phone. If you have a Windows Mobile device that you use to connect to an Exchange 2007 Server, you (or your Exchange administrator) can send a command to the phone that will perform a remote wipe (delete all Exchange information stored on it). The 3G version of the iPhone also supports this feature. This comes in handy if your phone is lost or stolen. Some phones can also be set to automatically wipe the local data if the incorrect password is entered a certain number of times.

Speaking of password protection, do you habitually lock your phone when you aren't using it? If so, do you think that will prevent someone else from being able to use it? Keep in mind that most phones allow incoming calls to be answered even when the phone is locked. Once upon a time, IT departments routinely used callback to verify the identity of users, but that can't be relied upon now that mobile phones are in the picture.

Another important thing to remember is that your smart phone works much like a desktop PC in many ways. One of those is the fact that deleting a file may not truly erase that data at all, but just remove the markers so that area in storage is available to be written to. Until new data is written over it, it's still possible for someone with the right software to retrieve the "deleted" data.

Perhaps the scariest part of the video referenced at the beginning of this article is the idea that someone can activate the microphone on your cell phone from a distant location and listen to whatever you and those around you are saying - even though there is no active phone connection. And anyone who has watched modern thriller movies is probably aware that the GPS signals built into many cell phones can be tracked to show your every move. In fact, that technology is marketed to parents, to keep up with their children; the software can be installed on many RIM Blackberry phones, Windows Mobile phones, Android phones and others. You may also have to pay a monthly fee for the tracking service.

The only reliable way to be sure your GPS can't be tracked or your microphone can't be activated is to deactivate the phone completely. Some smart phones have a button to turn the screen off, but the phone itself stays on. Windows Mobile, for instance, isn't designed to be shut down completely. If you press the "on/off" button, you turn the display on or off. If you hold it in for a longer time, the phone merely reboots. Turning on "Flight Mode" will turn off the phone's radios (cellular, wi-fi and Bluetooth). Or if you want to be absolutely sure you're safe, remove the battery (assuming your phone has a user-removable battery).

Of course, many people leave their phones turned on and charging overnight. This provides an opportunity for attackers to exploit the vulnerabilities of an active phone; all they need to know is your mobile phone number, which you might have printed on your business card or even listed in your Facebook profile. Here's a demonstration of how it can be done.

Have you ever considered your cell phone a security threat? Do you leave it turned on when you're in a meeting or talking to a friend over lunch? Do you encrypt the data on your phone? Do you make sure Bluetooth stays turned off when you aren't using it, to prevent exploit?

Comments

Popular posts from this blog

EOQ Calculations in Excel

Reliability Calculations in Excel

“How Are We Doing?” Efficiency, Utilization, and Productivity