
Mobile Security

World's Biggest Data Breaches


Selected losses greater than 30,000 records
(updated 5th Jan 2017)
Agenda
Mobile Crime
Quick Overview of Mobile Devices
Mobile Threats and Attacks
Mobile Security
Live Demos
Mobile Crime
Smartphone Definition
A cellular telephone with built-in applications and Internet access.

Smartphones provide digital voice service as well as text messaging, e-mail, Web browsing, still and video cameras, MP3 player, video viewing and often video calling. In addition to their built-in functions, smartphones can run myriad applications, turning the once single-minded cellphone into a mobile computer.
Some Statistics
6.77 billion people
1.48 billion Internet enabled PCs
4.10 billion mobile phones
Mobile phone replacement rate
- 12-18 month average
- 1.1 billion mobile phones are purchased per year
- 13.5% of mobile phone sales are smartphones
The number of smartphones will soon compare with
the number of Internet enabled PCs
What is the Need of Mobile Security
As cell phones become more like pocket-sized computers, they become vulnerable to different forms of cyber attacks

People want your data! This is a fact of life, and it applies whether the smartphone is an Android, BlackBerry, or iPhone
What do they want?
“Only carry one”

Anywhere access

Any device or OS supported

Transparent Security
Business
What does management want?

Lower Cost

Low support overhead

Increased Productivity
Mobile Threats and Attacks
Sensitive Organizational info too

Built-in billing system: SMS/MMS (mobile operator), in-app purchases (credit card), etc.

Many new devices have near field communications (NFC), used for contactless payments, file transfer, etc.
Mobile devices make Attractive Targets
People store much personal info on them.
Can fit in pockets, easily lost / stolen
Mobile device becomes a wallet
Hide Location Privacy ?
Smartphone Risks
Easily lost or stolen device, content, identity

Increased mobility → increased exposure

Susceptible to threats and attacks: app-based and web-based
Susceptible to threats and attacks: app store
App Based Risk
Mobile devices may contain malware. Consumers may download applications that contain malware.

Consumers download malware unknowingly because it can be disguised as a game, security patch, utility, or other useful application.

It is difficult for users to tell the difference between a legitimate application and one containing malware.
SMS / Text Message Based
Attacks Based on Communication
- Attacks based on SMS and MMS: some mobile phone models have problems managing binary SMS messages.
- Sending an ill-formed block can cause the phone to restart,
- leading to denial of service attacks
- Distributed Denial of Service (DDoS) attacks

- Another potential attack could begin with a phone that sends an MMS to other phones, with an attachment.

- A user installs the software received via the MMS message. The virus then begins to send messages to recipients taken from the address book
Attacks based on GSM networks: try to break the encryption of the mobile network

Encryption algorithms belong to the family of algorithms called A5.

Due to the policy of security through obscurity, it has not been possible to openly test the robustness of these algorithms
Since the encryption algorithm was made public, it has been possible to break the encryption in about 6 hours
Both algorithms are at the end of their life and will be
replaced by stronger public algorithms: the A5/3 and
A5/4
GSMA (GSM Association) mandated that GSM Mobile
Phones will not support the A5/2 Cipher any longer, due
to its weakness
3GPP has approved a change request to prohibit the
implementation of A5/2 in any new mobile phones
Tracing of mobile terminals is difficult

A new temporary identity (TMSI) is allocated to the mobile terminal

Once the encryption algorithm of GSM is broken, the attacker can intercept all unencrypted data
Attacks Based on Wi-Fi
Eavesdrop on Wi-Fi

Initially wireless networks were secured by WEP keys

Now, most wireless networks are protected by the WPA security protocol
Temporal Key Integrity Protocol
Designed to allow migration from WEP to WPA
Improvements in security are the dynamic encryption keys
For small networks, WPA uses a "pre-shared key", which is based on a shared key
Encryption can be vulnerable if the length of the shared key is short
As with GSM, if the attacker succeeds in breaking the identification key, it will be possible to attack not only the phone but also the entire network it is connected to
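Why a short shared key weakens WPA pre-shared-key mode, as an added example that is not part of the original slides: the WPA/WPA2 master key is derived only from the passphrase and the network name (PBKDF2-HMAC-SHA1, 4096 rounds), so the passphrase's search space is the whole protection. The guess rate, the 80-bit threshold, the sample passphrases and the SSID `ExampleNet` are assumptions made for illustration.

```python
import hashlib
import math
import string

# Assumed offline guess rate (guesses per second); a constructed figure, not a measurement.
ASSUMED_GUESSES_PER_SEC = 1_000_000
MIN_BITS = 80  # hypothetical policy threshold chosen for this example


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def alphabet_size(passphrase: str) -> int:
    """Size of the character pool implied by the classes the passphrase uses."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation + " "]
    return sum(len(p) for p in pools if any(c in p for c in passphrase)) or 1


def audit_psk(passphrase: str) -> dict:
    """Upper bound on the search space, assuming every character was chosen at random."""
    bits = len(passphrase) * math.log2(alphabet_size(passphrase))
    years = (2 ** bits) / ASSUMED_GUESSES_PER_SEC / (365 * 24 * 3600)
    return {"length": len(passphrase), "bits": round(bits, 1),
            "years_to_exhaust": years, "ok": bits >= MIN_BITS}


if __name__ == "__main__":
    # Constructed sample passphrases, from shortest allowed to long and mixed.
    for pw in ("12345678", "office2017", "t7#Qm!zR4p@Wc9Lx&Vb2"):
        report = audit_psk(pw)
        pmk = derive_pmk(pw, "ExampleNet")
        print(f"{pw!r}: {report['bits']} bits, "
              f"{report['years_to_exhaust']:.3g} years, ok={report['ok']}, "
              f"PMK is {len(pmk)} bytes")
```

The bit count is an upper bound: a passphrase built from dictionary words or dates has far less entropy than its length suggests.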
Lasco is a worm that initially infects a remote device using the SIS file format

A SIS file can be executed by the system without user interaction

The device believes the file to come from a trusted source and downloads it, infecting the machine.
PRINCIPLE OF BLUETOOTH-BASED ATTACKS

Unregistered services do not require authentication
Vulnerable applications have a virtual serial port used to control the phone
The attacker sends a file via Bluetooth. If the recipient accepts, a virus is transmitted
Worms that spread via Bluetooth connection
Attacks Based on Vulnerabilities in Software Applications

Web browser: the mobile web browser is an emerging attack vector for mobile devices

Vulnerable Library

Phishing and Malicious Websites

OPERATING SYSTEM
Manipulation of firmware and malicious signature certificates
Smartphones have an advantage over hard drives since the OS files are in ROM
When an application is installed, the signing of this application is verified by a series of certificates
THE THREE PHASES OF MALWARE ATTACKS

The infection of a host,
The accomplishment of its goal, and
The spread of the malware to other systems
Often uses resources offered by the infected smartphones
Bluetooth or infrared
ACCOMPLISHMENT OF ITS GOAL
Monetary damage,

Damage data and/or device

Concealed damage

Spread to other systems


EXAMPLES OF MALWARE
CABIR: Computer worm developed in 2004
It is believed to be the first computer worm
COMMWARRIOR: infects many machines from MMS
Attempts to connect to nearby devices by Bluetooth or infrared under a random name
PHAGE: First Palm OS virus that was discovered
Embeds its own code to function without the user and the system detecting it.
REDBROWSER: Trojan based on Java
Allows the user to visit WAP sites without a WAP connection
If the user accepts, RedBrowser can send SMS to paid call centers
WinCE.PmCryptic: malicious software on Windows Mobile which aims to earn money for its authors

CardTrap: virus which aims to deactivate the system and third party applications
COUNTERMEASURES
SECURITY IN OPERATING SYSTEMS: first layer of security

Establish the protocols for introducing external applications and data without introducing risk

Concept of Sandbox
FILE PERMISSIONS
A process cannot edit any files it wants

Method of locking memory permissions: it is not possible to change the permissions of files installed on the SD card from the phone
SECURITY SOFTWARE
Layer of security software

Various vulnerabilities: prevent malware, intrusions, the identification of a user as a human, and user authentication.
ANTIVIRUS AND FIREWALL
To verify that it is not infected by a known threat: signature detection software that detects malicious executable files

VISUAL NOTIFICATIONS: if a call is triggered by a malicious application, the user can see it and take appropriate action
RESOURCE MONITORING IN THE SMARTPHONE
- Battery: some malware is aimed at exhausting the energy resources of the phone

- Memory usage: because of inherent applications

- Network traffic: many applications are bound to connect via the network, using a lot of bandwidth

- Services: one can monitor the activity of various services of a smartphone
USER AWARENESS
Being skeptical: it is advisable to check the reputation of the application

Permissions given to applications: it is necessary to clarify these permission mechanisms to users, as they differ from one system to another and are not always easy to understand
Be careful: simple gestures and precautions, such as locking the smartphone when it is not in use

Ensure data: the user must be careful about what data it carries and whether it should be protected
Business Implications/Questions
Is the organization willing to securely support a mix of
personal/business data and smartphones/tablets?

Remote access - to whom? how much?

Authority over data?

Is the value worth the cost?


No Easy Answers
What are your organization’s security compliance requirements?

Which rewards does management want to balance against risk and cost? Compliance

Strategic mobility

Employee productivity/ creativity/ retention

Is confidential data allowed on mobile devices?
Are personally-owned mobile devices allowed access?
Who has authority/responsibility for… Who gets
company-issued smartphones
Who gets access from smartphones, and to what?
Purchasing smartphones
Provisioning smartphones
Securing/monitoring smart phones?
Support of Organization-owned (O)? Personally-owned
(P)?
What are Org mobile devices allowed access to? Is it
different for Personal?
Will you list specific devices & OS versions supported?
Who is going to test all the new devices & OS versions?
How often? What about application maintenance?
Do you wipe a Personal phone at employee
termination?
Best Security Practices

Password protect
Passcode protect
Pass swipe protect?
Simple tips will help keep your phone protected
- Install Security Software
- Anti-virus and anti-malware available for mobile devices
- Keep your apps up-to-date
- Install a phone finder app
- Enroll in a backup program
- Set device to wipe contents after specified number of failed login attempts
- Get apps from a trusted source
- Wi-Fi Network & Bluetooth devices
- Backup your data
When installing apps, take time to read the small print. What information does the app require access to?

Where are you downloading the app from?

Is it the app store location set by default on the phone?
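Reading the "small print" can be partly automated. The following added example (not part of the original slides) lists the permissions an Android app requests and flags those that enable the consequences this deck describes but that the app's claimed category does not need. It assumes a manifest already decoded to text XML; the category baseline, the package name and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission -> the consequence named in this deck that it enables.
RISKY = {
    "android.permission.SEND_SMS": "send SMS (paid numbers, spam)",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.RECORD_AUDIO": "record conversations",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
}

# Hypothetical baseline of what each app category needs (an assumption).
EXPECTED = {
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.READ_CONTACTS"},
}

# Constructed sample: decoded manifest of an app that presents itself as a game.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> in a text manifest."""
    # For manifests taken from untrusted APKs, parse with defusedxml instead.
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def audit(manifest_xml: str, category: str) -> list:
    """Risky permissions requested beyond the baseline for the claimed category."""
    unexpected = requested_permissions(manifest_xml) - EXPECTED.get(category, set())
    return sorted((p, RISKY[p]) for p in unexpected if p in RISKY)


if __name__ == "__main__":
    for permission, consequence in audit(SAMPLE_MANIFEST, "game"):
        print(f"unexpected for a game: {permission} -> can {consequence}")
```

The same manifest audited as a messaging app produces no findings, which is the point: a permission is suspicious relative to what the app claims to be.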
Be mindful of how you use your device
Follow same guidelines as you do for your computer
Double check URLs for accuracy
Don’t open suspicious links
Make sure the Website is secure before giving any
personal data
Limit your activities when using public WiFi
Your cellular network connection is more secure than
WiFi
Check URLs before making a purchase: https:// is secure; http:// is not
Use Security for Mobile device
Mobile Device Security
WWW is a major source of infection

Mobile Device Security helps in protection against known threats (80% - 90% threats).
Many web threats are device-agnostic, making them dangerous and extensible to all types of devices. To protect against web threats, the MDS service ensures that all mobile device traffic, including from native and mobile web applications, is routed through a secure, encrypted VPN tunnel to the MDS service. The service uses WebFilter technology to scan all transmissions, including encrypted traffic.

By identifying and blocking malnets, the infrastructures used to launch new malware attacks, web security proactively stops attacks by blocking malware at the source.
How it Protects:
Encrypt all communication between end-points
Block traffic from mobile device to malicious websites, infected websites
Block traffic from WWW to mobile device if:
File is found infected with malware
File risk rating is high
File type is not allowed as per Policy
What is Mobile Security
Protection from the networks they connect to

Threats and vulnerabilities connected with wireless computing

There are a variety of security threats that can affect mobile devices
Challenges of Mobile Security
Threats Data

Integrity

Availability

A smartphone user is exposed to various threats when they use their phone
Consequences of an Attacker
When a smartphone is infected by an attacker, the attacker can attempt several things: Zombie machine (used to send unsolicited messages (spam) via SMS or email)
Use the smartphone to make phone calls
Record conversations between the user and others
Steal a user's identity
The attacker can remove the personal (photos, music, videos, etc.) or professional data (contacts, calendars, notes) of the user.
Reduce the utility of the smartphone by discharging the battery

Stop the operation and/or starting of the smartphone by making it unusable
