Last July, Charlie Miller, a professional hacker, announced from the stage of an IT security conference that he could hack any iPhone in the world by text message. “That was a demonstration, it never really happened in the wild,” notes Jamie De Guerre, CTO of Cloudmark, which provides messaging security for mobile and fixed-line companies.
No actual iPhone users were harmed in making Charlie Miller’s point, and Apple patched the vulnerability shortly after he announced it. But other cell phone users have been less lucky. The Sexy View worm, so dubbed because it sends a text inviting users to look at sexy pictures, targets some Nokia phones. If a hapless user tries to look at the pictures, it will take over the phone much the way a botnet takes over a computer, and then send itself to the entire contact list.
So far, De Guerre says, Sexy View has been more of an issue in Asia than in the United States. But it seems only a matter of time until security issues begin affecting American cell phone users as well. “The thing to understand is that smart phones today have all the power of a full computer,” De Guerre says. “They can have a 1 gigahertz processor and hundreds of megabytes of RAM. So all the same types of attacks that could happen to a computer can happen to a smart phone.”
These attacks include intrusions (such as Charlie Miller’s hack); viruses and other malware; phishing for passwords and other information; theft of data stored on or sent to or from the phone; and spam. And the phones’ new capabilities bring their biggest vulnerabilities. “Social media is expanding to mobile devices,” notes Martha Vazquez, senior research analyst in the Network Security practice at consulting firm Frost & Sullivan. “While this is a great way to market your business, many threats are attacking these sites and it’s common to find a malicious URL link. SMS messages are another very common way to receive malware.”
What should a small business do? It’s obviously impractical to ask employees to give up their cell phones, or return to the quaint old days of using them only for phone calls or the occasional photo. But there are smart policies and practices that can help you keep cell phones out of harm’s way. Here are some steps to consider.
1. Insist on password protection. “The simple act of enabling a password or PIN number on a phone can save you a tremendous amount of hassle,” notes Randy Gross, CIO at CompTIA, a trade association for the IT industry. “You may be able to set security on the phone so that if someone tries the wrong password a certain number of times, the phone is automatically wiped. That can protect your data.”
2. Use encryption. While password protection is a good step encryption is even better, and a good way to secure data stored on cell phones. “A 16-gigabyte phone can contain a lot of information,” Gross notes. “With the right security software, you may be able to remotely wipe the phone if it is lost or stolen.”
3. Stay up to date on operating system patches. “Whenever the phone maker releases new patches or new versions of its operating system, make sure you have the latest version on your device,” Gross advises.
4. Use antivirus software. “Small businesses must treat mobile devices as they would their PCs by installing security software and keeping it up to date,” says Khoi Nguyen, group product manager, Mobile Security Group at Symantec. “This will protect the device from new variants of viruses and other malware.”
5. Warn users about malicious sites and phone numbers. Cell phone users can be their own worst enemies so make sure they know what not to do. First, if they receive an unsolicited SMS text, even if it appears to come from someone they know, they should avoid clicking on links contained in the message. These could lead them to malicious websites where the phone might be infected with malware. Second, and less obvious, users should never call a phone number that arrives in an unsolicited text message, even if the message appears to come from the user’s bank, employer, or cell phone company. Instead, users should find the bank or employer’s number independently to make the call, otherwise, they — or you — might wind up paying for a premium call.
6. Educate users about phishing. Some of the most successful phishing attacks in recent times have affected Twitter, often when users accessed the site with their smart phones. Make sure users know not to input their passwords or other personal information to any site or service unless they navigated there themselves, as opposed to following a link in an email or text. The same goes for any phone call where the user did not find the number independently, for instance by visiting a company’s website or looking it up using directory assistance.
7. Shut out unknown Bluetooth devices. Have you ever been in a public place and found that your phone’s Bluetooth was trying to connect to an unknown device nearby? Although many people think of Bluetooth as a neater alternative to a physical wire, in fact it creates a personal area network, and like any network, it will recognize appropriate devices within its range. This can let in malware, though, for example, a virus called CommWarrior that infects some phones via Bluetooth, as well as other ways. “A phone’s Bluetooth setting is on by default, so it needs to be turned off, or configured for a specific device or headset,” Nguyen says. “If not, it will look for other Bluetooth-enabled phones, which could result in malware being loaded on the device.”
8. Be wary of open Wi-Fi networks. It’s easy to forget, but many smart phones also work on regular WiFi networks. Users should be aware that when they join an open WiFi network, nearby eavesdroppers may be able to see the data they send and receive, such as email. “Make sure before you join that it’s a network you know and trust,” De Guerre advises.
