Some time ago I wrote an article about preventing virtual theft – theft of goods from a virtual world (such as a game) by compromising the machine from which you play the game – and loyal reader John Mello pointed out how it’s not only gamers who have to worry about virtual theft but also mobile phone users who are being increasingly targeted by malicious hackers.
The following series of articles will focus on a risk that is often neglected – having your company compromised through devices instead of its computers. In this first article we’ll focus on a device that is found in every company – the mobile phone.
Mobile phones are indeed an essential part of every worker’s life nowadays. With the improvement in technology mobile phones are now used as personal organizers and as such being used as a direct business tool that contains secrets that need to be closely guarded. Every modern mobile phone nowadays includes Bluetooth. Bluetooth is a useful wireless connection protocol that enables your phone to connect to devices without any cables. Unfortunately a number of issues in Bluetooth enabled hackers to exploit some implementations. Tools are available that can do a range of things from harvesting information about the phone to stealing confidential information such as the phone book. It doesn’t end there either.
How about going all out and turning a mobile phone into a 007 style gadget? In 2004, a German researcher named Herfurt discovered a bug in some Bluetooth implementation that, when exploited, allowed a PC to convince a vulnerable mobile phone that it is its legitimate wireless headset and thus give nearly total control of the phone to the program. This practice became known as BlueBugging and it provided some interesting options. For example, this exploit could be used to have a phone silently dial another phone effectively turning that phone into a mobile spying device, whereby the attacker could silently listen in on any conversation within reach of the phone. Other uses could be to set up call forwarding where calls intended for the victim are forwarded to the attacker. This can also be effectively used to steal money by having calls forwarded to premium numbers under the control of the attacker. The risk to the company here is that the victim’s mobile phone could be used to spy on meetings and steal the contact information of high profile clients / contacts.
Another insidious risk is a practice called bluesnarfing. Bluesnarfing involves the use of Bluetooth to hack into a mobile phone and copy information; this varies from the address book to stored emails, photos and text messages. If the mobile phone is used for business related activities, contacts and text messages might include sensitive information that a company would not want compromised.
High tech direct attacks on a mobile phone are not the only way to get access to sensitive information. Sometimes hackers target the phone company itself and convince an employee to give them access to the victim’s account. With some mobile phones storing information on the telecom company itself, this can be quite risky (as the very famous episode with Paris Hilton has shown). The Washington post article reports that the hack itself involved hackers phoning and using a social engineering attack on a sales rep of T-Mobile to give them the information needed to access Paris Hilton’s online storage and copy her pictures and contacts.
Physically tampering with the mobile phone
In cases where Bluetooth is not available and a social engineering attack on a telecom employee will not work, a malicious person has yet one last option available to him. There are spy applications for mobile phones that once installed lie there stealthily gathering information and uploading it whenever they have a chance (the mobile connects to an internet connection either via Wi-fi or GPRS). More advanced spy applications allow for access to the microphone, call interception and GPS location data. The only challenge for the attacker here would be to gain physical access to the mobile phone for around 3 minutes to install the spy application but after that he has access to all the mobile phone data from anywhere in the world.
How to protect oneself against such attacks
Bluetooth attacks can be mitigated by disabling Bluetooth if you do not really use it. If you use it for devices such as a hands free set then make sure you monitor and update your mobile firmware whenever a security update is released. Most of these attacks are generally patched when they go public but unfortunately not a lot of people update their mobile phone firmware because doing so generally wipes the mobile phone which can be a hassle for the customer.
Always keep your mobile phone with you. Leaving your mobile phone unattended can give a malicious person the time that he needs to compromise it. Don’t forget it only takes 3 minutes for a malicious person to compromise your phone and give him the ability to spy on you whenever he wants.
If your mobile phone stores information online at the telecom company site, keep in mind that your data is potentially at risk on two fronts, one of which you have no control over.