Mobile devices are no longer the future – they are the reigning kings of the present. October 2016 marked the tipping point, at which mobile devices accounted for a bigger share of Internet usage than desktop computers. Close to 2 billion people use mobile devices to access the Internet. Google has already reported mobile searches surpassing desktop ones by some 10 percentage points – and that its search algorithm will start favoring mobile sites. Not to mention that marketing and ad spending has already shifted towards mobile. But what does this brave new world mean for mobile security?
From a privacy perspective, smartphones and tablets are much different than desktop computers. Users have no incentive to ever turn off their smartphones – they are always on and always connected to a network. They also have built-in cameras, microphones and GPS tracking. When you come to think of it, today’s smartphone is not that different from the two-way telescreens in George Orwell’s 1984. Unfortunately, there are also a handful of ways this potential for surveillance could be abused. Here are some of the weaknesses in mobile security:
1. Baseband hacking
The common user may think their phone has just one operating system. And they are wrong. Besides your Android or equivalent, there are separate operating systems running on every smartphone’s SIM card and baseband processor. The latter is basically what sets a smartphone apart from a laptop – it is what turns a computer into a telephone and manages sending and receiving radio signals to cell towers. The baseband processor usually runs a real-time operating system (RTOS) designed by the manufacturer. These RTOSes are proprietary closed-source software featuring a lot of legacy code and protocols, and they follow any order they receive from the carrier’s base station subsystem (BSS). However, setting up a makeshift BSS is not hard. This opens the door for hackers to gain elevated access to all communications conducted with a certain device.
2. Metadata
This is the king of threats. Former NSA and CIA director Michael Hayden even once said US agencies “kill people based on metadata.” While you can encrypt the content of your communications, so it’d be of no use to anyone without a particular decryption key, you can’t do the same with metadata. The latter is often referred to as “data about data” – information such as who your chat or email message was sent to, at what time, from where, etc. It is not exactly private. Think of it as the writing on an envelope of a physical letter. Although the letter itself is sealed, your name and address and those of the recipient are visible to the postman handling it.
The postman in the case of mobile communications is your mobile service provider. They handle, see, and store metadata in order to offer their services. And that information is enough to make someone a suspect – if they communicate with people law enforcement is after. Or pin them to a crime – if they were detected near a certain cell tower at the time of a crime. What’s worrying is that service providers such as AT&T have designed systems to store and search through metadata and are monetizing this by selling their clients’ data to law enforcement.
3. Silent SMS
The Short Messaging Service (SMS), or texting, provides another hole in security. When a message is sent, the recipient is supposed to be alerted about the text so they can read it, and the sender is sent back a receipt that the message was successfully sent. However, only the latter part is mandatory: a user can receive an SMS and not be notified, while the sender always gets a receipt. Mobile carriers use such Silent SMS messages to trigger and interact with hidden applications on users’ devices, while law enforcement may use this method to approximate the location of a phone (and suspect) by seeing what cell tower delivered the “message.” And so could anyone – apps that send silent SMSs are available for Android in the Google Play store.
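On the detection side, a message of this kind can be recognized in raw modem logs by its header. The following Python is an added example, not part of the original article: it parses SMS-DELIVER PDUs and flags silent ones, assuming the silent SMS is sent as a "Short Message Type 0" (TP-PID 0x40 in 3GPP TS 23.040). The function names and the sample PDUs are constructed for illustration.

```python
# Added example: flag "Type 0" (silent) messages among SMS-DELIVER PDUs.
# Field layout follows 3GPP TS 23.040; the sample PDUs below are constructed.
SILENT_PID = 0x40   # TP-PID "Short Message Type 0": acknowledge, then discard
TP_SRI = 0x20       # first-octet bit: the sender asked for a status report

NORMAL = "07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37"
SILENT = "07917283010010F5240BC87238880900F140009930925161958000"

def _digits(octets: bytes, count: int) -> str:
    """Decode a swapped-nibble (semi-octet) numeric address."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets)[:count]

def parse_deliver(pdu_hex: str) -> dict:
    """Parse the header of an SMS-DELIVER PDU that starts with the SMSC block."""
    raw = bytes.fromhex(pdu_hex)
    try:
        pos = 1 + raw[0]                      # skip SMSC length + SMSC address
        first = raw[pos]
        if first & 0x03:                      # TP-MTI must be 00 for SMS-DELIVER
            raise ValueError("not an SMS-DELIVER PDU")
        oa_len = raw[pos + 1]                 # sender length, counted in digits
        oa_end = pos + 3 + (oa_len + 1) // 2  # +3: first octet, length, type-of-address
        sender = _digits(raw[pos + 3:oa_end], oa_len)
        pid, dcs = raw[oa_end], raw[oa_end + 1]
        udl = raw[oa_end + 9]                 # after PID, DCS and 7-octet timestamp
    except IndexError:
        raise ValueError("truncated PDU") from None
    return {"sender": sender, "pid": pid, "dcs": dcs, "udl": udl,
            "report_to_sender": bool(first & TP_SRI),
            "silent": pid == SILENT_PID}

def scan(pdus):
    """Return (sender, note) for each silent or unparseable PDU."""
    findings = []
    for pdu in pdus:
        try:
            msg = parse_deliver(pdu)
        except ValueError as exc:
            findings.append(("?", f"unparseable: {exc}"))
            continue
        if msg["silent"]:
            extra = ", delivery report requested" if msg["report_to_sender"] else ""
            findings.append((msg["sender"], "Type 0 SMS" + extra))
    return findings

if __name__ == "__main__":
    for sender, note in scan([NORMAL, SILENT, "0791"]):
        print(sender, "-", note)
```

The sender decoding handles numeric addresses only; an alphanumeric sender would need GSM 7-bit unpacking.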
4. Mobile service providers
Providers are not exactly a security threat – it is just scary how much information they have about you and how secretive they are about how they handle it. A cellular network company can access pretty much anything on a user’s phone. This information is stored on the Subscriber Identification Module, often referred to as SIM card, which also has the user’s unique International Mobile Subscriber Identification (IMSI) number. The latter is the target of the so-called IMSI-catcher, or stingray devices – and is a key to monitoring a smartphone user’s whereabouts, and eavesdropping on their messages.
5. Man-in-the-middle attacks
The protocol used by all mobile phones requires every device to identify to a cell tower using its IMSI number, but the tower itself doesn’t have to authenticate. At the same time, the phone always automatically connects to the tower providing the strongest signal, which is usually the nearest one. This creates another loophole exploited by IMSI-catcher devices – anyone who can set up a fake cell tower and place it close enough to lure your device can do pretty much the same thing your service provider can. This is just one example of a Man-in-the-middle (MiTM) attack. Similar things can be done over Wi-Fi as well.
6. App permissions
The apps installed on a mobile device can access, and use, everything from contacts to GPS location tracking – as long as the user gives them certain permissions. The thing is that when you install apps, they just present you with a list of permissions that they need to work and you can either agree and install, or forget about the app. (Post-factum management of app permissions is available in Android 6 and up, but an app might not work if denied certain permissions.) And there is a significant number of schemes to lure users to unlicensed app stores and trick them into downloading malicious apps designed to broadcast that sensitive information.
7. Malware
What was once called viruses is now mainly referred to as malware – short for malicious software. But the concept is the same. Once you get infected, your device becomes a breeding ground for all kinds of malicious activity. Your legit apps get infected through updates, other apps are downloaded and installed without the user’s consent, gaining access to the list of permissions and data without oversight. Attackers are increasingly inventive in ways to sneak malware onto people’s phones: phishing schemes, hiding the installers in ads, infecting devices before they are even sold – it is almost impossible not to get infected.
8. Mobile security is compromised from the start: the device
Smartphones are sold pretty much ready to use out of the box – with a preinstalled OS, apps, everything. With Apple, everything is centralized and you know who put this software there. But with Android phones – due to the OS being open source – this could be anyone. For example, a brand of smartphones sold in the USA was recently revealed to come preloaded with some very Orwellian firmware. It sent copies of the users’ SMS messages, contact lists, call logs, and other data, to a server somewhere in China every 72 hours. It turned out the phones were never meant to be sold outside of China – and that in China this is just what users are subject to.
Seems like a lot of things to worry about, doesn’t it? Some of these threats are avoidable through exercising caution. You can stay away from shady app stores, manage app permissions, and dodge MiTM attacks by using only secure connections. But for the vulnerabilities brought by firmware, the phone’s OS, or the way the baseband processor works, you have little option but to buy a specialized device that has these things fixed. Read the white paper below to see what measures we at Secure Group took against all of the above threats when we designed Secure Phone.