Cell Phone Threats

1
Cell Phone Threats Safeguards

• Wayne Jansen NIST FISC

2
Background

• Cell phones have become an indispensable tool for
  the mobile workforce
• Each generation of cell phone brings with it new
  innovations and technologies, and this trend is
  expected to continue
• Smart phones appear to be gaining greater market
  share
• The capabilities of todays average phone greatly
  exceeds those of a few years ago
• As these devices evolve, their security
  implications have become a growing concern for
  many organizations

Commercial products and trade names are
identified in this presentation to illustrate
technical concepts it does not imply
recommendation or endorsement by NIST
3
Cell Phone Content

• Phonebook
• Calendar
• To do list
• Last dialed numbers
• Phone number log
• Text and multimedia messages
• Electronic mail
• Instant messages
• Web information

• Subscriber identifiers
• Equipment identifiers
• Service Provider
• Electronic documents
• Photos
• Audio and video files
• Organizational network clients
• Sensitive data applications (e.g., electronic
  payment, password management)

Caution Deleting data does not necessarily
remove it from memory
4
Current Threat Profile

• The lack of a sizeable monoculture complicates
  things for attackers and for security solution
  providers
• No single operating system dominates mobile
  phones, as in the case of desktop computers
• Compatibility between versions of an operating
  system is not ensured, nor is compatibility
  across different hardware
• SDKs are not available for all platforms
• Cellular carriers also take measures to protect
  their networks and devices, which helps to reduce
  incidents
• Full-fledged Web browsers are generally not the
  norm, nor are the richness of applications for
  exploitation
• Attacks and malware production for mobile
  handheld devices remain more in the hobbyist
  stage than in the profit-oriented criminal stage

5
Emerging Threat Profile

• The most worrisome trends in mobile device
  security are the rising amount of mobile malware
  reported each year and the continued
  incorporation of advanced Web capabilities
• The former indicates a growing malware
  development community, while the latter an
  increasing breadth of potential attack surfaces,
  particularly as desktop components are reused
• Movement towards open development platforms, such
  as Googles Android system, and away from
  walled-garden protection may spur innovation,
  but also malware production
• Other initiatives are also upping the ante
• Social networking applications for cell phones
• Electronic wallet payments via cell phones
• Cell phones as a second factor in authentication
• Organizational applications extended onto cell
  phones

6
Functionality-Security Relationship
Higher Functionality
Increasing Functionally Potentially Introduces
More Vulnerabilities
3rd Party Applications
BrowserExtensions
Bluetooth
Lower Functionality
Higher Security
Lower Security
7
Threat Countdown Device loss or theft

• Handheld devices have a propensity to become lost
  or misplaced, and are also an easy target for
  theft
• Over a million cell phones and PDAs are lost each
  year, and an estimated 1/3 are not recovered
• For example, in one study, an estimated 107,079
  cell phones and PDAs were left behind in a
  Chicago taxi firm's vehicles during a six-month
  period, compared with only 4,425 laptops
• Loss of physical control of a device potentially
  exposes any sensitive data on the device or
  accessible from it
• Loss or theft can also deny the user access to
  important data unavailable elsewhere
• Charges for toll and international calls may be
  incurred and the device could be reset, resold,
  and reused
• If unprepared to take action quickly, possible
  remedies to lessen the impact fade away

8
Threat Countdown Device disposal

• Correct disposal of older model phones is a
  related concern
• Manually resetting a device to clear out data and
  restore the original settings may only mark
  entries as unused
• A study by Trust Digital of McLean, Va. of 10
  different email capable phones bought on eBay
  revealed information from nearly every phone
• The recovered information included the following
• The racy exchanges between guarded lovers
• A company's plans to win a multimillion-dollar
  federal transportation contract
• Emails about another firm's 50,000 payment for a
  software license
• Bank accounts and passwords
• Details of prescriptions and receipts for one
  worker's utility payments
• The recovered information was equal to 27,000
  pages

9
Threat Countdown Poorly protected devices

• Anecdotal information indicates that most cell
  phone users seldom employ security mechanisms
  built into a device, and if employing them, often
  apply settings that can be easily determined or
  bypassed
• Even if security controls, such as passwords and
  PINS, are used correctly to protect contents,
  errors in their design or implementation can
  allow unauthorized access
• For example, the passcode lock on versions 2.0.1
  and 2.0.2 of the iPhone could be bypassed via an
  Emergency Call option
• Forensic tools and procedures also exist that can
  be used to bypass built-in security mechanisms
  and recover the contents of many devices

10
Threat Countdown Malware

• Malware can be spread in a variety of ways,
  including the following common ones
• Internet Downloads A user may download an
  infected file disguised as a game, security
  patch, or useful application
• Messaging Services Malware attachments can be
  appended to email and MMS messages delivered to a
  device Instant Messaging (IM) services are
  another means of malware delivery
• Bluetooth Communications Malware can be
  delivered by engaging the available Bluetooth
  connectivity services supported
• With all of these delivery methods, the user
  usually has to give consent for the malware to
  install and execute
• Malware writers use social engineering techniques
  to get users to carry out the necessary actions
• Mobile malware is typically targeted more toward
  devices for which an SDK is available

11
Threat Countdown Malware

• Spoofing
• Eavesdropping
• Data Theft
• Backdoor

• Service Abuse
• Availability
• Network Access
• Wormable

• An interesting prediction by Patrick Traynor,
  Assistant Professor at School of Computer Science
  at Georgia Tech
• Malware will be injected onto cell phones to
  turn them into bots. Large cellular botnets
  could then be used to perpetrate a DoS attack
  against the core of the cellular network.
• Well start to see the botnet problem infiltrate
  the mobile world in 2009.

12
Threat Countdown Spam

• Unwanted SMS text messages, email, and voice
  messages from advertisers have begun to appear on
  mobile phones
• Besides the inconvenience of removing them,
  charges may apply for inbound activity, such as a
  per-message charge on SMS messages received or
  charges for those messages above the service plan
  limit
• Instant messaging and multimedia messages are
  other possible avenues for malware delivery
  through spamming
• Spam can also be used for phishing attempts that
  entice users into revealing passwords, financial
  details, or other private data via Web pages,
  email, or text messages, or to download malware
  attached to the message or via a Web page
• Social networking services, such as Twitter, are
  also being used for phishing

13
Threat Countdown Location tracking

• Cellular carriers have had for some time the
  ability to track device location with varying
  degrees of accuracy for internal use
• Other companies now offer location tracking
  services for registered cell phones to allow the
  whereabouts of the user to be known by friends
  and family
• The services are also used as a means to track
  employees whereabouts
• Some tracking services periodically send the
  phone a notification that monitoring is taking
  place, while others do not, once registration is
  complete
• Registration can be done quickly, making
  temporary misplaced or unattended devices a
  possible target

14
Addressing Risks

• Organizations need to extend existing security
  management practices and controls over mobile
  devices
• Establish a mobile device security policy
• Prepare deployment and operational plans
• Perform risk assessment and management
• Augment devices with additional security controls
• Perform configuration control and management over
  the lifecycle
• Instill security awareness in employees
• Employees also have an active role
• Maintain physical control of the device
• Reduce sensitive data content and back up data
  regularly
• Employ security features and capabilities
  correctly
• Enable wireless interfaces only when needed
• Avoid taking actions that are questionable and
  follow policy

15
Available Safeguards

• Device registration and compliance status
  reporting
• Installation of client software, policy rules,
  and control settings
• Remote password reset and remote update of client
  software, policy rules, and control settings
• Controls over password length and composition
• Controls to restrict restriction application
  access and use
• Controls over infrared, Bluetooth, WiFi, and
  other means of communication
• Controls over camera, microphone, and removable
  media use
• Controls over device content and removable media
  encryption
• VPN, firewall, anti-malware, intrusion detection,
  and anti-spam application settings
• Remote erasing or locking of the device
• Remote diagnostics and auditing
• Centralized security management and device
  oversight

16
Further Information

• Project Website
• Mobile Security and Forensicshttp//csrc.nist.gov
  /groups/SNS/mobile_security/index.html
• Related Publications
• Guidelines on Cell Phone and PDA
  Securityhttp//csrc.nist.gov/publications/nistpub
  s/800-124/SP800-124.pdf
• Guidelines on Cell Phone Forensics
  http//csrc.nist.gov/publications/nistpubs/800-101
  /SP800-101.pdf