Mobile Devices: The Dark Side's New Playground
The laptop in your bag is probably as secure as it can get, but the smartphone in your pocket is about as secure as your voicemail. The scariest thing? No one really seems to care.
Last October, a story made the rounds that raised more than a few eyebrows: If you had an iPhone running the latest version of the OS, you could tap Emergency Call, dial ###, then hit the lock button. Boom: Your iPhone would zip straight to the home screen.
Though it took about a month, Apple eventually fixed the flaw, but the hack itself wasnt all that alarming. Why? Because this wasnt the first time the iPhone had been found to have a security flaw that let anyone who knew the secret bypass its sad security. Only a few months earlier the password lock had been broken Just as it had been broken in January of the same year.
Thats three password hacks in 2010 none requiring special software or any special knowledge not available through the most cursory of Google searches. Tens of millions of users were potentially impacted by the problem, and most of them probably never even knew it.
Im an iPhone user and Im fully aware that the only real value my four-digit password has is keeping my kids from playing Plants vs. Zombies when theyre supposed to be doing their homework. It just isnt a serious security system, and it isnt intended to be one.
But, well, why isnt it? More and more of our computing lives is moving from the desktop to the smartphone, in keeping with their very promise. The whole idea of the smartphone is that it would replace our computers, giving us access to email, the web, and documents at the office, all without having to lug a heavy laptop around. Today most of us can comfortably leave on a three-day journey with nothing but a new phone in our pocket and never feel out of touch or really away from the office at all.
Now take a look at your laptop. If you work for a company of any size, its probably decked out with security features. Of course your password is at least 8 or 10 characters long, including numbers, uppercase letters, and an asterisk or two. You have a fingerprint reader, smartcard slot, or a SecurID token. And your IT department has probably installed a LoJack system so they can track down the computer if it falls into the wrong hands.
Put it another way: The laptop in your bag is probably as secure as it can get. The phone in your pocket is about as secure as your voicemail.
Stats are hard to come by (because the numbers are so large), but the number of cell phones lost or stolen every year in the U.S. is about 30 million. Compared to the number of laptops that go missing annually probably less than a million that number is gargantuan. It implies that 10 percent of us will lose a phone this year. Who will end up with them?
Its unclear to what extent lost and stolen cell phones have contributed to the issues of identity theft and credit card fraud, but its certainly a problem thats getting bigger. Have you ever accessed your bank account via your cell phone? Did you select the option to store the password in the phones memory? Everything from your Facebook and Twitter accounts to your email to your Amazon.com shopping records are likely here and at the ready, all precariously secured by a four-digit PIN.
Of course, none of this even touches on the issue of cell phone malware. The good news is that, contrary to expectations, virus-like attacks on cell phones have still failed to materialize in any meaningful way. The bad news is that hackers have found a far simpler and more lucrative way in: Through the creation of rogue apps installed on these devices. Why bother trying to trick mobile users into clicking on an infected website or email when you can convince them to willingly download and install your app, which will then happily go about its business of collecting personal and financial information or will make a bunch of international phone calls for you in the middle of the night?
This is far from a theoretical problem. Last year, Apple found dozens of applications zooming to the top of the iTunes App Store sales charts, fueled by phishing and raking in cash via phony sales. Androids close ties with your Google account make that problem potentially far worse: Crack a Google password and you can not only run wild in the Android Market, you have access to many users entire online lives.
The scariest thing of all is that no one really seems to care about any of this. Cell phone security isnt being taken seriously by any manufacturer or third-party software vendor. (Norton Mobile Security, for the Android platform, is one of the few exceptions, though it was launched in June 2010 and still remains in beta.) If youre serious about cell phone security, there arent a whole lot of options for you.
So what now? Sadly, cell phone security is still largely up to you, either as an individual or as an IT department. If a four-digit PIN is the best your phone can muster, well, its better than nothing, and if you should also turn on any lock-and-wipe features that scrub the phone clean if a wrong password is input too many times.
Encryption? Absolutely turn it on if its an option (as it will be in Android 3.0), and look into GPS tracking or LoJack-like apps if your phone is used for even remotely sensitive purposes. Until more advanced security fingerprint readers, perhaps? come to cell phones, this is likely as good as its going to get.
Ultimately the best advice is, as with computers, simply to be mindful of your phone at all times. Phones may be cheap, but that doesnt mean theyre disposable. Think about it this way: Your phone should receive the same level of foresight as your wallet, which is a little funny. The way things are going, youll be rid of that hunk of leather pretty soon, anyway.
Christopher Null writes about technology extensively for Wired, PC World, and Maximum PC. He was the founder and Editor-in-Chief of Mobile PC magazine and spent four years blogging about tech daily for Yahoo! You can find his running commentary at chrisnull.com.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.