Smart Phone Security
On April 17, 2016, the CBS show 60 Minutes presented a segment by Sharyn Alfonsi on how hackable smart phones are. It’s a pretty alarming report and I’d highly recommend that you watch it first before you continue to read this post.
The purpose of this post is my attempt to put this report into perspective. The segment brought up significant issues, though the report itself was alarmist. Being alarmist will hopefully grab the attention of the purposely clueless, but it does put the normal user into a quandary: Should I take a sledgehammer to my phone and only use a landline, or how can I ensure that my phone is reasonably secure?
In the report, they reported on basically two types of hacks:
- The ability to listen to phone calls and access call metadata via a bug in the SS7 protocol when using cellular.
- The ability to access a given phone’s data via social engineering techniques.
The social engineering hacks are easier for the user to defend against by following the same good hygiene that one should be following on regular computers, like not opening unknown attachments and staying away from sketchy websites.
The SS7 hack is the most troubling since there is no way to defend against it or even know it’s happening.
Let’s start with the SS7 hack. First some background.
SS7 is a very old protocol that was developed in the ’80s to allow telecom companies (telcos or carriers) to exchange landline billing data between the companies. When you start a phone call (either cell or landline), the caller’s telco enters a record into a database with metadata including start date/time, caller’s location, etc. When the call is connected, there is another record created with the callee’s metadata. When any changes occur during the call, records are created. Finally, when the call terminates, records are created.
This data is passed between telcos and will be used to update billing data for their customers. In original landline calls, there usually are two records for a given customer, logging the start and end times with the number and where they called. You see the results of this on your phone bills. With cellular, there are several records created as the calls are handed off between cell towers, including location and roaming information.
Since this protocol should only be used by telcos, it should not be easy or possible for hackers to get into it, especially in real time. Now, I’m not surprised that the protocol might have issues given its age; the real issue in my opinion is that the network connections that pass this data around are so vulnerable. Also, the fact that hackers can get the SS7-passed metadata and listen in on phone calls exposes another vulnerability, since the SS7 data doesn’t actually capture what is discussed.
So given this, how alarmed should one be? At this point, not so much alarmed as concerned that this issue has existed for a long time (and has been reported on for a couple of years) and no one seems to be in a hurry to plug the leak. I suspect that is because traditionally it has been very difficult for even skilled hackers to access this vulnerability. Even in the CBS report, they noted that the white-hat hacker group they profiled was given access to the SS7 data by a local telco. That’s great for identifying the problem, but it doesn’t indicate how likely it is that this vulnerability can be exploited in the wild.
A couple more notes on this hack:
- Tablets are not as vulnerable since the phone number of the device was used to identify the device to access. Though tablets are assigned and use phone numbers to communicate with their cellular service provider, one would need to obtain the number which is not public.
- I don’t know how or if landline phones are vulnerable to listening into calls. After all, SS7 is also used to pass around landline metadata. One could reasonably assume that they could be vulnerable.
- There is some belief that US carriers are more secure than some foreign carriers. In the story they noted that the hacked phone was on a US carrier. It might be harder to hack into US carriers, but once in, it doesn’t matter where the target phone is.
Social Engineering hacks
The other hack they profiled was the ability to access and control a user’s cell phone via social engineering hacks. The term “social engineering” is used to group together vulnerabilities that are exploited by enticing the user to take some action that will enable the exploit, usually by permitting malware to be installed on the device.
One method they used in the CBS report was a ghost public wifi connection. The hackers provided a public wifi that contained the name of the hotel, which looked real, but was really a ghost. By connecting onto this wifi, the hackers were able to access the data and control the phone.
Though it can be difficult to defend against this type of hack, there are actions one can take to minimize the risk:
- First and foremost, minimize the use of public wifi. However, for most of us, there are occasions we must use public wifi connections.
- Don’t use just anyone’s wifi. I know of folks who actively search for wifi signals that they can connect to without a password, some public and some private without security enabled. This is a bad idea.
- Ensure that your wifi router is properly protected with WPA2 security and a robust password. If your router supports guest passwords, enable that with a different (but equally robust) password. Only give that account to guests, which will limit who has access to your primary local network credentials. BTW: Guest wifi accounts have the added security that your guests cannot snoop on your local network.
- Most public guest wifi networks require some form of authentication to use them (and don’t use one that doesn’t). In hotels, it will usually be some combination of your room number and last name. In other locations, there should be a method to get the proper credentials. In all cases, they will let you know the SSID (service set identifier or name of the network). Be sure to only connect to that network and be sure that you must use the provided credentials.
- If you connect to a wifi without the proper credentials, get off that network as quickly as possible.
- Laptops have firewalls included in the OS. Always ensure that they are enabled if you are on any public network.
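The "only connect to the network the venue named" check from the list above, written out as an added example (not part of the original post): it compares a list of visible networks against the SSID and security type that staff gave you and flags names that merely resemble it. The hotel name, BSSIDs, scan list and the 0.8 similarity threshold are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

def normalize(ssid):
    """Fold case, Unicode compatibility forms, spacing and punctuation."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def classify(ssid, security, expected_ssid, expected_security):
    """Compare one scanned network against what the venue told you."""
    if ssid == expected_ssid:
        # Right name, but does it ask for credentials the way staff said?
        return "expected" if security == expected_security else "security-mismatch"
    seen, want = normalize(ssid), normalize(expected_ssid)
    if want and want in seen:
        return "lookalike"      # venue name with extra words or spacing
    if SequenceMatcher(None, seen, want).ratio() >= 0.8:
        return "lookalike"      # near-identical spelling, e.g. 0 for o
    return "unrelated"

def review_scan(scan, expected_ssid, expected_security):
    """Return (ssid, bssid, verdict) for every network in a scan list."""
    return [(s, b, classify(s, sec, expected_ssid, expected_security))
            for s, b, sec in scan]

# Constructed sample data: hypothetical hotel, made-up BSSIDs.
EXPECTED_SSID, EXPECTED_SECURITY = "GrandHarbor-Guest", "WPA2"
SAMPLE_SCAN = [
    ("GrandHarbor-Guest",      "02:00:00:00:00:01", "WPA2"),
    ("GrandHarbor-Guest",      "02:00:00:00:00:02", "open"),
    ("Grand Harbor Guest",     "02:00:00:00:00:03", "open"),
    ("GrandHarbor-Guest-Free", "02:00:00:00:00:04", "open"),
    ("GrandHarb0r-Guest",      "02:00:00:00:00:05", "WPA2"),
    ("CoffeeShop",             "02:00:00:00:00:06", "WPA2"),
]

if __name__ == "__main__":
    for ssid, bssid, verdict in review_scan(SAMPLE_SCAN, EXPECTED_SSID, EXPECTED_SECURITY):
        print(f"{verdict:18} {ssid!r} ({bssid})")
```

A network that copies both the exact name and the security type still comes back as "expected", so a matching name on its own does not prove the network belongs to the venue.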
The other social engineering hack in the story was the attachment in the email trick. They provided an attachment, which downloaded malware when opened. Alternatively, there are websites that will attempt to download malware on your device.
Again, being alert is crucial:
- Don’t click on attachments in emails that either are not from a source you trust or ones that seem odd. For example, a friend or business associate says “click on this to see something funny.”
- Don’t browse to sketchy websites.
- If your device asks you if you want to install something, be sure that’s what you’re trying to do. Basically think before you click “Yes”.
- Only download apps from the appropriate on-line store, like the App Store for Apple devices.
Finally, the CBS report also profiled a company named Lookout (lookout.com). They provide an app for iPhones and Android phones that monitors your phone for malicious apps, locates the phone, and backs up photos and contacts. There is a premium service that adds theft alerts. You can get it from your app store.
I downloaded and signed up for the free service. I decided not to use the location service or the backup service since I use Apple for those services. However, it did inform me that my device was up-to-date (and not jailbroken) and that my apps were safe.
I hope this helps. CBS performed a service by increasing our awareness of yet one more vulnerability in our technological lives. I just wish it had provided a little more context.