Last night I attended the Tech in Motion Mobile Security Panel Discussion in Chicago. The panelists consisted of Richard Rushing, the Chief Information Security Officer of Motorola Mobility; Andrew Hoog, CEO/co-founder of viaForensics; Amit Shah, the Co-Founder and CTO at Vaporstream; and John Storozuk, Senior Security Product Manager for Product Security at BlackBerry. The panel provided a great diversity in experiences, which made for a very informative panel.
The evening began with Andrew showing just how easy it is to hack an Android phone. The hack began with a phishing email. A phishing email is an email that looks like it comes from a trusted sender and includes a form or a link for the user to click. Once they click the link, they are taken to the hacker's web server, where the damage begins. From there, the demonstration showed how a hacker could take advantage of known vulnerabilities in the device's software to gain control of the user's device.
This demonstrated one of the key aspects of mobile security: Mobile Security Begins with You! In the above demonstration, if the user had not clicked on the link, the hackers would not have gained access to the device. As Andrew says: “users need to be the front line of defence”. It is kind of like how home security has progressed. Your parents or grandparents probably didn’t even lock their doors. Security wasn’t an issue. Slowly, people realized they need to secure their homes and began locking their doors. Then they stepped up security again with alarm systems and home monitoring cameras. Your mobile device carries an incredible amount of information about you. It has business information, hundreds of contacts, documents, banking apps, etc. In the wrong hands, this information can be very damaging.
Clearly you can't put a key lock on your device like you do with your home, but you can put a software lock on it. Step one in securing your mobile device is to set a power-on/wake-up password. This does a couple of things for you. First, it makes it harder for thieves to get at your data if the device is lost or stolen: they have to get past the password. Second, if your device supports encryption, the password is what makes that encryption meaningful. The key that decrypts your data is protected by your password, so with no password set the device can unlock that key for anyone who powers it on. Once the device is on and unlocked, your data is accessible in the clear, which means a device without a password is effectively always in a decrypted state.
Also, if your device allows it, use a password that is longer than four digits. A four-digit PIN has only 10,000 possible values and is easy to brute-force (simply trying every combination). Use at least six characters and, ideally, mix in letters and symbols. Yes, it is a little more of a hassle to wake up your phone, but if you lose it or it is stolen, you will be much happier knowing the thieves cannot easily get in.
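To make the two points above concrete (the passcode protects the encryption key, and a four-digit PIN is trivially enumerable), here is an added Python example. It is not code from the panel or from any phone vendor: it stands in for the unlock step with a plain PBKDF2 key derivation, using a constructed salt and a deliberately low iteration count so the brute-force loop finishes quickly, and compares keyspace sizes for the passcode shapes the article discusses.

```python
import hashlib
import itertools
import string

# Constructed parameters for the example (not a real device's scheme): a
# per-device random salt and a deliberately low PBKDF2 iteration count so the
# brute-force loop below finishes in well under a second.
EXAMPLE_SALT = bytes.fromhex("8f1a2b3c4d5e6f70a1b2c3d4e5f60718")
EXAMPLE_ITERATIONS = 50


def derive_key(passcode: str, salt: bytes, iterations: int = EXAMPLE_ITERATIONS) -> bytes:
    """Stretch the passcode into a 256-bit key with PBKDF2-HMAC-SHA256.

    This stands in for what a phone does at unlock: the passcode is what
    unwraps the data-encryption key. With no passcode there is nothing secret
    on the user's side to stretch, so the key is available to anyone holding
    the device.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations, dklen=32)


def brute_force_pin(target_key: bytes, salt: bytes, iterations: int, digits: int = 4):
    """Try every numeric PIN of the given length in order, deriving a key for
    each, until one matches target_key. Returns (pin, attempts), or
    (None, attempts) if the whole keyspace is exhausted."""
    attempts = 0
    for combo in itertools.product(string.digits, repeat=digits):
        attempts += 1
        guess = "".join(combo)
        if derive_key(guess, salt, iterations) == target_key:
            return guess, attempts
    return None, attempts


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passcodes an attacker must consider."""
    return alphabet_size ** length


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return space / guesses_per_second / 3600


if __name__ == "__main__":
    # The victim's PIN in this constructed scenario.
    pin = "7391"
    stored_key = derive_key(pin, EXAMPLE_SALT)
    found, tries = brute_force_pin(stored_key, EXAMPLE_SALT, EXAMPLE_ITERATIONS)
    print(f"4-digit PIN recovered: {found} after {tries} guesses")

    # Compare search spaces: 4 digits vs 6 digits vs 6 mixed characters
    # (94 printable ASCII letters, digits and symbols).
    printable = len(string.ascii_letters + string.digits + string.punctuation)
    rate = 1_000.0  # assumed guesses per second, for the comparison only
    for label, space in (("4 digits", keyspace(10, 4)),
                         ("6 digits", keyspace(10, 6)),
                         ("6 mixed chars", keyspace(printable, 6))):
        print(f"{label:>14}: {space:>16,} candidates, "
              f"{hours_to_exhaust(space, rate):>14,.1f} h at {rate:,.0f}/s")
```

Real phones add rate limiting, escalating delays and optional wipe-after-N-failures on top of the passcode, which is why the guess rate matters; the keyspace comparison shows why those countermeasures have far less work to do when the passcode is six mixed characters rather than four digits.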
The second thing you should do is pay attention to the applications you install and the permissions they request. Many free apps are free because the developer wants access to your contacts or email. When you install such an app, it prompts you to grant those permissions, and once granted the app can do whatever it likes with that data. Say you install a flashlight app and it asks for access to your contacts. If you agree, that company now has all of your contacts' names, email addresses and phone numbers, and chances are it is going to sell that information or use it for marketing. When an app asks for permissions, ask yourself why it needs them. If something seems wonky (like a flashlight app asking for contact access), don't install the app.
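The "why does a flashlight need my contacts?" check can be automated by reading the permissions an app declares. The following is an added Python example, not tooling from the panel or from Android itself: it parses a constructed AndroidManifest.xml for a hypothetical flashlight app and flags every permission outside an allowlist for that app category. The permission names are real Android permissions; the allowlists and the sample manifest are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical flashlight app. The permission set
# is exactly what the article warns about: a torch that also wants contacts
# and text messages.
FLASHLIGHT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <application android:label="Torch" />
</manifest>
"""

# Permissions a reviewer would accept for each app category. These allowlists
# are assumptions for the example. CAMERA is plausible for a flashlight because
# driving the LED through the legacy Camera API required it.
EXPECTED_PERMISSIONS = {
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {"android.permission.INTERNET",
                  "android.permission.READ_CONTACTS"},
}

# Permissions whose grant hands the developer personal data it can resell.
DATA_HARVESTING = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.GET_ACCOUNTS",
}


def requested_permissions(manifest_xml: str) -> set:
    """Collect the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.attrib[name_attr] for el in root.iter("uses-permission")
            if name_attr in el.attrib}


def vet_app(manifest_xml: str, category: str) -> dict:
    """Compare requested permissions with what the app's category justifies.

    Verdict: "ok" if nothing unexpected, "review" if there are unexpected but
    harmless permissions, "reject" if any unexpected permission harvests data.
    """
    requested = requested_permissions(manifest_xml)
    unexpected = requested - EXPECTED_PERMISSIONS[category]
    harvesting = unexpected & DATA_HARVESTING
    if harvesting:
        verdict = "reject"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "ok"
    return {"requested": requested, "unexpected": unexpected,
            "harvesting": harvesting, "verdict": verdict}


if __name__ == "__main__":
    report = vet_app(FLASHLIGHT_MANIFEST, "flashlight")
    print("verdict:", report["verdict"])
    for perm in sorted(report["unexpected"]):
        flag = "DATA" if perm in report["harvesting"] else "    "
        print(f"  {flag} unexpected: {perm}")
```

The same pattern extends to any app category: the allowlist encodes what the app's stated purpose justifies, and everything else is a question the user should be asking before tapping Install.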
A third thing to keep in mind is your connection to the Internet. Wi-Fi® hotspots are popping up everywhere: airports, coffee shops, public parks, etc. But do you really know who is providing that hotspot? Connecting to an unknown hotspot is a real security risk, because whoever runs it sits between you and the Internet and can record everything you send in the clear, including passwords and other vital information. Imagine you hook up to a hotspot while sitting in a park. You might even think how nice it is to have Wi-Fi access at the park. You proceed to do a little web shopping. Bammo! The hacker who set up that Wi-Fi link now has your login details for the sites you signed into and maybe even your credit card number. Sites served over HTTPS keep that traffic encrypted, but a hostile hotspot can still try to steer you to plain-HTTP look-alike pages, so don't count on it. Also, if you use the same password for all your logins (which you shouldn't), they may now have access to your bank account, credit card accounts and any other sensitive site that shares that username/password combination.
What can you do? Simple: never provide sensitive information over public Wi-Fi. This includes hotspots you know; after all, you can't be 100% certain their setup hasn't been compromised. Never connect to unknown Wi-Fi hotspots, just as you wouldn't get into a stranger's car. When connecting to any public hotspot, if you are asked to create an account, use a pseudonym and a throwaway password. Asking you to create an account is a great way for hackers to collect username and password combinations you may reuse on other sites, so don't give it to them. Your connection is going to be temporary; make your identity that way too.
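To show what the hotspot operator in the park scenario actually sees, and why password reuse turns one captured login into several, here is an added Python example (not code from the panel or from any real capture tool). It runs over constructed captures: two plain-HTTP login submissions to different sites that reuse one password, and the opening bytes of a TLS handshake to a third site. Host names, paths and credentials are made up for the example; the function does not parse the TLS server-name extension, which is why the encrypted capture reports no host even though a real eavesdropper would see the destination.

```python
import re
from urllib.parse import parse_qs

# Form field names that usually carry credentials or payment data.
CREDENTIAL_FIELDS = re.compile(r"pass|pwd|user|login|email|card|cvv", re.I)

# Constructed captures standing in for what a hostile hotspot records:
# two logins over plain HTTP that reuse one password, then the start of a
# TLS handshake (record type 0x16, version 0x03xx), which is opaque.
CAPTURES = [
    (b"POST /account/login HTTP/1.1\r\n"
     b"Host: shop.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 52\r\n\r\n"
     b"username=alice%40example.test&password=Summer2013%21"),
    (b"POST /login.php HTTP/1.1\r\n"
     b"Host: forum.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 33\r\n\r\n"
     b"user=alice&password=Summer2013%21"),
    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
]


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into request line, headers and body.
    Returns None when the bytes are not an HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    m = re.match(r"(\w+) (\S+) HTTP/\d\.\d$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2),
            "host": headers.get("host", "?"), "headers": headers, "body": body}


def classify_capture(raw: bytes) -> dict:
    """Report what an eavesdropper learns from one captured request."""
    # A TLS record starts with content type 0x16 (handshake) and a 0x03xx
    # version. The payload is encrypted once the handshake completes; only
    # the destination (IP and, in the ClientHello, the server name) leaks.
    if len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03:
        return {"protocol": "tls", "host": None, "exposed": {}}
    req = parse_http_request(raw)
    if req is None:
        return {"protocol": "unknown", "host": None, "exposed": {}}
    exposed = {}
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(req["body"].decode("utf-8", "replace"))
        for field, values in fields.items():
            if CREDENTIAL_FIELDS.search(field):
                exposed[field] = values[0]
    return {"protocol": "http", "host": req["host"], "exposed": exposed}


def reused_passwords(classified: list) -> dict:
    """Map each plaintext password seen at more than one host to those hosts:
    the reuse that lets one captured login open other accounts."""
    by_password = {}
    for entry in classified:
        password = entry["exposed"].get("password")
        if password:
            by_password.setdefault(password, set()).add(entry["host"])
    return {pw: hosts for pw, hosts in by_password.items() if len(hosts) > 1}


if __name__ == "__main__":
    results = [classify_capture(c) for c in CAPTURES]
    for r in results:
        print(f"{r['protocol']:>7} {r['host'] or '-':<20} exposed={r['exposed']}")
    for pw, hosts in reused_passwords(results).items():
        print(f"password {pw!r} reused at: {', '.join(sorted(hosts))}")
```

The plain-HTTP captures give up the username and password verbatim, and the reuse report is exactly the list of additional accounts the hotspot operator can now try; the TLS capture gives up neither, which is the strongest argument for only ever logging in over HTTPS when you must use public Wi-Fi at all.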
Before you ditch your mobile device altogether, remember that it can be simple to keep it secure. Follow the steps outlined in this article and keep your wits about you. Remember the age-old wisdom: if it seems too good to be true, it probably is. Mobile security starts with you.