Cell Phone Threats - PowerPoint PPT Presentation

1 / 16
About This Presentation
Title:

Cell Phone Threats

Description:

Cell phones have become an indispensable tool for the mobile workforce ... No single operating system dominates mobile phones, as in the case of desktop computers ... – PowerPoint PPT presentation

Number of Views:2096
Avg rating:3.0/5.0
Slides: 17
Provided by: jan50
Category:
Tags: cell | mobile | phone | phones | threats

less

Transcript and Presenter's Notes

Title: Cell Phone Threats


1
Cell Phone Threats Safeguards
  • Wayne Jansen NIST FISC

2
Background
  • Cell phones have become an indispensable tool for
    the mobile workforce
  • Each generation of cell phone brings with it new
    innovations and technologies, and this trend is
    expected to continue
  • Smart phones appear to be gaining greater market
    share
  • The capabilities of todays average phone greatly
    exceeds those of a few years ago
  • As these devices evolve, their security
    implications have become a growing concern for
    many organizations

Commercial products and trade names are
identified in this presentation to illustrate
technical concepts it does not imply
recommendation or endorsement by NIST
3
Cell Phone Content

  • Phonebook
  • Calendar
  • To do list
  • Last dialed numbers
  • Phone number log
  • Text and multimedia messages
  • Electronic mail
  • Instant messages
  • Web information
  • Subscriber identifiers
  • Equipment identifiers
  • Service Provider
  • Electronic documents
  • Photos
  • Audio and video files
  • Organizational network clients
  • Sensitive data applications (e.g., electronic
    payment, password management)

Caution Deleting data does not necessarily
remove it from memory
4
Current Threat Profile
  • The lack of a sizeable monoculture complicates
    things for attackers and for security solution
    providers
  • No single operating system dominates mobile
    phones, as in the case of desktop computers
  • Compatibility between versions of an operating
    system is not ensured, nor is compatibility
    across different hardware
  • SDKs are not available for all platforms
  • Cellular carriers also take measures to protect
    their networks and devices, which helps to reduce
    incidents
  • Full-fledged Web browsers are generally not the
    norm, nor are the richness of applications for
    exploitation
  • Attacks and malware production for mobile
    handheld devices remain more in the hobbyist
    stage than in the profit-oriented criminal stage

5
Emerging Threat Profile
  • The most worrisome trends in mobile device
    security are the rising amount of mobile malware
    reported each year and the continued
    incorporation of advanced Web capabilities
  • The former indicates a growing malware
    development community, while the latter an
    increasing breadth of potential attack surfaces,
    particularly as desktop components are reused
  • Movement towards open development platforms, such
    as Googles Android system, and away from
    walled-garden protection may spur innovation,
    but also malware production
  • Other initiatives are also upping the ante
  • Social networking applications for cell phones
  • Electronic wallet payments via cell phones
  • Cell phones as a second factor in authentication
  • Organizational applications extended onto cell
    phones

6
Functionality-Security Relationship
Higher Functionality
Increasing Functionally Potentially Introduces
More Vulnerabilities
3rd Party Applications
BrowserExtensions
Bluetooth
Lower Functionality
Higher Security
Lower Security
7
Threat Countdown Device loss or theft
  • Handheld devices have a propensity to become lost
    or misplaced, and are also an easy target for
    theft
  • Over a million cell phones and PDAs are lost each
    year, and an estimated 1/3 are not recovered
  • For example, in one study, an estimated 107,079
    cell phones and PDAs were left behind in a
    Chicago taxi firm's vehicles during a six-month
    period, compared with only 4,425 laptops
  • Loss of physical control of a device potentially
    exposes any sensitive data on the device or
    accessible from it
  • Loss or theft can also deny the user access to
    important data unavailable elsewhere
  • Charges for toll and international calls may be
    incurred and the device could be reset, resold,
    and reused
  • If unprepared to take action quickly, possible
    remedies to lessen the impact fade away

8
Threat Countdown Device disposal
  • Correct disposal of older model phones is a
    related concern
  • Manually resetting a device to clear out data and
    restore the original settings may only mark
    entries as unused
  • A study by Trust Digital of McLean, Va. of 10
    different email capable phones bought on eBay
    revealed information from nearly every phone
  • The recovered information included the following
  • The racy exchanges between guarded lovers
  • A company's plans to win a multimillion-dollar
    federal transportation contract
  • Emails about another firm's 50,000 payment for a
    software license
  • Bank accounts and passwords
  • Details of prescriptions and receipts for one
    worker's utility payments
  • The recovered information was equal to 27,000
    pages

9
Threat Countdown Poorly protected devices
  • Anecdotal information indicates that most cell
    phone users seldom employ security mechanisms
    built into a device, and if employing them, often
    apply settings that can be easily determined or
    bypassed
  • Even if security controls, such as passwords and
    PINS, are used correctly to protect contents,
    errors in their design or implementation can
    allow unauthorized access
  • For example, the passcode lock on versions 2.0.1
    and 2.0.2 of the iPhone could be bypassed via an
    Emergency Call option
  • Forensic tools and procedures also exist that can
    be used to bypass built-in security mechanisms
    and recover the contents of many devices

10
Threat Countdown Malware
  • Malware can be spread in a variety of ways,
    including the following common ones
  • Internet Downloads A user may download an
    infected file disguised as a game, security
    patch, or useful application
  • Messaging Services Malware attachments can be
    appended to email and MMS messages delivered to a
    device Instant Messaging (IM) services are
    another means of malware delivery
  • Bluetooth Communications Malware can be
    delivered by engaging the available Bluetooth
    connectivity services supported
  • With all of these delivery methods, the user
    usually has to give consent for the malware to
    install and execute
  • Malware writers use social engineering techniques
    to get users to carry out the necessary actions
  • Mobile malware is typically targeted more toward
    devices for which an SDK is available

11
Threat Countdown Malware
  • Spoofing
  • Eavesdropping
  • Data Theft
  • Backdoor
  • Service Abuse
  • Availability
  • Network Access
  • Wormable
  • An interesting prediction by Patrick Traynor,
    Assistant Professor at School of Computer Science
    at Georgia Tech
  • Malware will be injected onto cell phones to
    turn them into bots. Large cellular botnets
    could then be used to perpetrate a DoS attack
    against the core of the cellular network.
  • Well start to see the botnet problem infiltrate
    the mobile world in 2009.

12
Threat Countdown Spam
  • Unwanted SMS text messages, email, and voice
    messages from advertisers have begun to appear on
    mobile phones
  • Besides the inconvenience of removing them,
    charges may apply for inbound activity, such as a
    per-message charge on SMS messages received or
    charges for those messages above the service plan
    limit
  • Instant messaging and multimedia messages are
    other possible avenues for malware delivery
    through spamming
  • Spam can also be used for phishing attempts that
    entice users into revealing passwords, financial
    details, or other private data via Web pages,
    email, or text messages, or to download malware
    attached to the message or via a Web page
  • Social networking services, such as Twitter, are
    also being used for phishing

13
Threat Countdown Location tracking
  • Cellular carriers have had for some time the
    ability to track device location with varying
    degrees of accuracy for internal use
  • Other companies now offer location tracking
    services for registered cell phones to allow the
    whereabouts of the user to be known by friends
    and family
  • The services are also used as a means to track
    employees whereabouts
  • Some tracking services periodically send the
    phone a notification that monitoring is taking
    place, while others do not, once registration is
    complete
  • Registration can be done quickly, making
    temporary misplaced or unattended devices a
    possible target

14
Addressing Risks
  • Organizations need to extend existing security
    management practices and controls over mobile
    devices
  • Establish a mobile device security policy
  • Prepare deployment and operational plans
  • Perform risk assessment and management
  • Augment devices with additional security controls
  • Perform configuration control and management over
    the lifecycle
  • Instill security awareness in employees
  • Employees also have an active role
  • Maintain physical control of the device
  • Reduce sensitive data content and back up data
    regularly
  • Employ security features and capabilities
    correctly
  • Enable wireless interfaces only when needed
  • Avoid taking actions that are questionable and
    follow policy

15
Available Safeguards
  • Device registration and compliance status
    reporting
  • Installation of client software, policy rules,
    and control settings
  • Remote password reset and remote update of client
    software, policy rules, and control settings
  • Controls over password length and composition
  • Controls to restrict restriction application
    access and use
  • Controls over infrared, Bluetooth, WiFi, and
    other means of communication
  • Controls over camera, microphone, and removable
    media use
  • Controls over device content and removable media
    encryption
  • VPN, firewall, anti-malware, intrusion detection,
    and anti-spam application settings
  • Remote erasing or locking of the device
  • Remote diagnostics and auditing
  • Centralized security management and device
    oversight

16
Further Information
  • Project Website
  • Mobile Security and Forensicshttp//csrc.nist.gov
    /groups/SNS/mobile_security/index.html
  • Related Publications
  • Guidelines on Cell Phone and PDA
    Securityhttp//csrc.nist.gov/publications/nistpub
    s/800-124/SP800-124.pdf
  • Guidelines on Cell Phone Forensics
    http//csrc.nist.gov/publications/nistpubs/800-101
    /SP800-101.pdf
Write a Comment
User Comments (0)
About PowerShow.com