by John Kulas, Software Security Analyst
It’s all but futile to resist mobile devices. They’re everywhere, and because of their convenience and portability they’ve become an integral part of how we live and work, becoming smaller and smaller as we approach the singularity where we ditch handheld computers for subcutaneous implants and access our UI with the blink of an eye. Sadly, until that day comes, the very convenience and portability that make our mobile devices so, well… convenient, also create the greatest security risks.
The first rather obvious security issue is that these devices are in our hands, purses, and pockets when we’re out and about—which makes them droppable, snatchable, and even forgettable. You may have heard of smart phones being lifted from the purses and shopping bags of European tourists. In the USA, people are more likely to set the device on a counter or table for a moment, where it can be grabbed or forgotten. Or, someone might pickpocket the device in a crowded place, such as on a bus, train or the entrance to a theatre.
Let’s look at a few other possible security issues (some obvious, some you may not have thought of) with mobile devices, and a few of the clever security precautions now offered on the latest technology.
The first answer to someone else obtaining your handheld device is to have the screen lock activated and also install a “remote wipe” capability.
A screen lock on a mobile device is very similar to your desktop or laptop’s screen lock. In order to access the information within, the person must enter a code. A screen lock should also lock the screen after a few moments of no activity. On some devices, after a person tries and fails a few times to unlock it, the screen lock silently uses the device’s camera to email a picture of that person to the owner. A screen lock is a standard feature on most devices.
“Remote Wipe” is the capability to erase all the information on a device as soon as the device connects to the Internet. Some desktops and laptops also have this capability installed. When the device has gone missing, the owner can log on to a website to activate the erasure. There are free and fee-based “remote wipe” products available.
If your handheld was lost, and you performed a remote wipe, could you recover all of your data from backups? People sometimes do not realize how much information they are storing on their phones or tablets until they lose them. Most devices have some backup/synchronization process to a website for Name+Address contact lists, but not all to-do lists, notes or photographs are automatically backed up.
A slightly more subtle theft tactic is the use of “free” wireless. As you walk around, your handheld may alert you to available “free” unsecured wireless service, or it might automatically connect, depending on your device’s configuration. Hackers have been known to operate unsecured wireless access points, particularly in airports, coffee houses and other places where lots of people are passing through, just so they can capture the network activity and steal information. Your device should be configured to connect only when you explicitly want to, and you should be careful about what you connect to.
Another subtle tactic involves taking advantage of your device’s Bluetooth capability. If your device’s Bluetooth is always on, always searching for compatible devices in range, and automatically connecting to them, then a hacker could easily overhear your telephone conversations and also gain access to your phone’s information. Even if you have not used Bluetooth on your handheld device, you should check the settings so you are not inadvertently exposed to this kind of hacking.
With the ubiquitous freedom to compute whenever and wherever you want comes the responsibility to protect your data and device. Luckily, the engineers who design these devices and their apps are pretty smart too. Stay on the lookout for new ways and applications to protect your smart phone or tablet, which are emerging and evolving almost as quickly as the devices themselves.
If there are other security topics or compliance standards that you are interested in having me write about, please let me know by leaving a comment here.