George Orwell’s 1949 classic 1984 painted a dark picture of a dystopian society in which a malevolent government monitors everything its citizens say and do through a ubiquitous network of “telescreens.” What was science fiction in Orwell’s day is reality now, thanks to technology that billions of people carry around in their pockets.
Smartphones are capable of all the scary surveillance scenarios Orwell envisioned, and many more. With their built-in GPS receivers, cameras, microphones and connectivity to a world of cloud services, they are the best snooping devices ever invented. Knowing the scope of the threat they can pose can help you protect yourself.
Mobile devices haven’t been considered a major threat vector until recently because criminals could make more money breaching credit card and health care databases. But with the street price of those records plummeting, criminals are now turning more of their attention to attacking individuals. The explosion of ransomware attacks in 2016 is evidence of that.
While there have been few reported incidents of cyber attacks on individual smartphones so far, the threat is real. The issue gained prominence recently with the news that President Donald Trump was using an old, consumer-grade Android phone during his first week in the White House. Wired noted that a single click on a malicious link could have caused the phone to be “infected with malware that spies on the network the device is connected to, logs keystrokes, takes over the camera and microphone for surreptitious recording, and more.”
Andrew Hoog, CEO of NowSecure, a mobile security company, has been demonstrating for the past three years simple ways to compromise a phone and download contacts, intercept and respond to text messages, activate the camera and microphone and track the device’s whereabouts to within a few feet – all without the owner’s knowledge.
“We always tell customers to assume that your mobile platform is exploitable,” Hoog noted in this webinar. He said iOS and Android are equally vulnerable.
Hacking phones still isn’t all that difficult. The BBC last year challenged two cyber security experts to rig up code that let them activate the microphone on a compromised Android phone and automatically transcribe overheard conversations. They met the challenge in less than two days.
Google and Apple have acted quickly to catch many of the most obvious vulnerabilities, but they can’t stop risky user behavior or third-party applications. NowSecure’s 2016 Mobile Security Report found that nearly one quarter of mobile apps it audited include at least one high-risk security flaw and 35% of communications sent by mobile devices are unencrypted, meaning that they can be intercepted by an intruder.
Phones present a variety of unique vulnerabilities that aren’t common to laptop or desktop computers, and new features create new tripwires. Last year a team of researchers figured out a way to embed garbled voice commands in YouTube videos that could command the phone to perform certain risky actions, such as downloading malware. With voice-enabled virtual assistants now ubiquitous, this is another scary new vulnerability point.
This video shows in frightening detail how simple it is for an attacker with root access to an Android device to use Metasploit, a popular penetration testing framework, to gain full control over the phone’s functions, including sending text messages, capturing photos and initiating chat sessions. All in less than two minutes.
So is it time to ditch the phone, go off the grid and move to a cabin in Montana? Don’t panic yet. The cyber underworld hasn’t seemed very interested in exploiting these opportunities, at least not yet. But that could be changing. Ransomware attacks targeting Android phones grew 50% in 2016, according to ESET, LLC. There are some basic steps you can take to foil all but the most determined attackers.
Enable password security. This seems like a basic practice, but a recent survey of 1,000 mobile device users by Keeper Security found that 32% don’t enable password protection at all. Failing to take this basic step with a device that is easily pilfered from a pocket or purse is as bad as going on vacation and leaving your front door standing open. An even better practice is to enable two forms of security, such as a password accompanied by a PIN or fingerprint.
Don’t install applications from untrusted sources. This is particularly important for Android users, since the protection against installing apps from unknown sources can be turned off with a single setting. Limit downloads to known app stores or branded organizations that you know and trust.
Check permissions before installing an app. Some ask for a ludicrously high level of access compared to the functionality they provide. Should a flashlight app really have access to your phone? Think before you permit.
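One way to turn “think before you permit” into a repeatable check is to read the permissions an app requests before it ever reaches the phone. The following is an added example, not code from the article or from NowSecure: it parses a decoded AndroidManifest.xml (the kind of file produced by apktool, or the entries listed by aapt dump permissions), compares the requested permissions with what the app’s category plausibly needs, and reports the ones that are out of proportion. The sensitive-permission table, the “flashlight needs at most CAMERA” rule and the manifest for the hypothetical com.example.brightlight app are all constructed for illustration.

```python
"""Audit the permissions an Android app requests before installing it.
Added example, not from the article. Parses a decoded AndroidManifest.xml
and flags sensitive permissions the app's category does not justify.
The manifest below is constructed for a hypothetical flashlight app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed: a curated subset of Android's "dangerous" protection-level
# permissions, each with a plain-language description of what it grants.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.SEND_SMS": "send text messages (premium-rate fraud)",
    "android.permission.RECORD_AUDIO": "use the microphone",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_PHONE_STATE": "read phone number / device IDs",
}

# Assumed: what an app category plausibly needs. A flashlight app needs at
# most CAMERA (older devices drive the LED flash through the camera API).
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA"},
}

# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit(manifest_xml: str, category: str) -> dict:
    """Flag sensitive permissions that the app's category does not justify.

    Returns the package name, the unexpected sensitive permissions with a
    reason for each, and a simple install/do-not-install verdict."""
    root = ET.fromstring(manifest_xml)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    unexpected = {
        perm: SENSITIVE[perm]
        for perm in requested_permissions(manifest_xml)
        if perm in SENSITIVE and perm not in expected
    }
    verdict = "do not install" if unexpected else "permissions look proportionate"
    return {"package": root.get("package"), "unexpected": unexpected, "verdict": verdict}


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    print(report["package"], "->", report["verdict"])
    for perm, why in report["unexpected"].items():
        print(f"  {perm}: lets the app {why}")
```

Run against the sample, the script reports that a flashlight has no business reading contacts, tracking location or sending texts; INTERNET is not flagged because it is a normal-level permission, though it is what lets the other three turn into exfiltration, so an ad-free flashlight asking for it is still worth a second look.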
Don’t click links in texts unless you know the sender. Smartphones are uniquely vulnerable to phishing attacks because a sender can transmit a link by sending a text to the victim’s phone number, thus evading spam filters. Attackers may pretend to be trusted sources, such as your bank or pharmacy. If you aren’t certain of the source, don’t click the link.
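The tells that make an SMS link suspicious can be checked mechanically before anyone taps it. The following is an added example, not code from the article: it pulls URLs out of a text message and flags the patterns common in SMS phishing, namely a bare IP address instead of a domain, a punycode hostname, a URL shortener that hides the destination, and a trusted brand name buried inside a domain the brand does not own. The trusted-brand allow-list, the shortener list and the four sample messages are constructed for illustration, and the eTLD+1 helper assumes simple two-label domains.

```python
"""Triage links in text messages for signs of SMS phishing.
Added example, not from the article. Brand list, shortener list and the
sample messages are constructed; no real phishing infrastructure is used."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed: brand names the user trusts and the only domains each owns.
TRUSTED_BRANDS = {
    "examplebank": {"examplebank.com"},
    "citypharmacy": {"citypharmacy.example"},
}
# Constructed: redirector services whose links hide the final destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption: no multi-part public
    suffixes such as co.uk appear in the input."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def flags_for_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a phishing link (empty list = none)."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if IPV4_RE.match(host):
        reasons.append("raw IP address instead of a domain name")
    if "xn--" in host:
        reasons.append("punycode hostname (possible lookalike characters)")
    if registered_domain(host) in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    for brand, owned in TRUSTED_BRANDS.items():
        # "examplebank.com.secure-verify.net" mentions the brand but the
        # registrable domain is secure-verify.net, which the brand does not own.
        if brand in host and registered_domain(host) not in owned:
            reasons.append(f"mentions '{brand}' but is not a {brand} domain")
    return reasons


def triage_sms(message: str) -> dict[str, list[str]]:
    """Map every URL found in the message to its warning reasons."""
    return {url: flags_for_url(url) for url in URL_RE.findall(message)}


# Constructed samples: one genuine notification and three phishing attempts.
SAMPLE_SMS = [
    "Your ExampleBank statement is ready: https://www.examplebank.com/statements",
    "ExampleBank ALERT: account locked. Verify now https://examplebank.com.secure-verify.net/login",
    "Pharmacy refill ready, confirm here http://203.0.113.7/citypharmacy",
    "You have a package waiting: https://bit.ly/3xyzAbc",
]

if __name__ == "__main__":
    for text in SAMPLE_SMS:
        for url, reasons in triage_sms(text).items():
            print(("SUSPICIOUS" if reasons else "ok").ljust(10), url)
            for reason in reasons:
                print("           -", reason)
```

The brand check is the one that catches the most convincing messages: the attacker can put the bank’s exact name in the hostname, but the registrable domain, the part the registrar actually sold them, is what the phone connects to, and that is the only part worth trusting.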
Use encrypted messaging services for private conversations. There are several free applications available for both iOS and Android that permit you and those close to you to send and receive text messages protected by powerful encryption. If your conversations may involve sensitive personal information, download and install one of these apps and ask your friends to do the same.
Don’t conduct sensitive transactions over an open Wi-Fi network. You have no way of guaranteeing that banking or credit card information is encrypted. Use public Wi-Fi only for browsing.
Don’t use public charging stations. Once you plug your phone into a USB port, an attacker can download files, install malware and monitor your keystrokes. A recently discovered threat called “video jacking” even enables them to get a peek at your phone’s display and to record everything you tap, type or view. You can avoid this risk by investing $30 in your own portable charging device.
Don’t make your Bluetooth connection discoverable. This opens you up to the risk of “bluesnarfing,” which enables the attacker to gain access to any information or service on the device without your permission.
Orwell envisioned 24x7 surveillance as something to be imposed from the top down. He probably never envisioned that we would make ourselves vulnerable to intrusion so willingly. That would have been too strange even for science fiction.