If computers themselves are relatively new in the grand scheme of things, then mobile devices are incredibly new. And likewise, just as we’ve spent the better part of the last two or three decades figuring out how to secure the traditional computer, there is probably a long road ahead for mobile security as well.
Smartphones and tablets have everything and more than the personal computer, which represents a security challenge in and of itself. More problematically though, these devices live in our pockets and purses and go nearly everywhere we go. Unlike the desktop computer that lives on a desk and is tethered to the wall by a power cord, mobile devices are very easily lost and left behind.
The threats we face on the PC are quite similar to those we face on mobile devices but there are key differences: PCs (and laptops to a lesser extent) are immobile. Smartphones and tablets go where we go. They are equipped with cameras and GPS systems. Their locations are constantly tracked by our mobile service providers. We email, make calls, and send SMS-based text messages through them, sometimes from unsecured wireless connections. We store vast amounts of payment and other sensitive data on them, and we often log into digital marketplaces and, on a whim, we download applications developed by people we know almost nothing about.
Like the traditional PC, all of this can be monitored or even stolen by existing or soon-to-be existing malware, and the attack surface on a smartphone (i.e. the number of ways an attacker can get in) is even larger than that of a traditional PC, which is saying a lot, because I am not even sure of all the ways you can compromise a traditional computer or laptop.
Shared threats aside, we face dangers on our mobile devices that just don’t exist on a computer.
Charging for example: most smartphones have some sort of USB connectable charging port. We charge and synchronize data through the same cord. In theory, it’s very possible to steal phone-data with a charger. I’m sure this sounds far-fetched until you think about that time you were desperate for a quick charge at the bar so you asked the bartender is you could juice up on her charger. Or how about that time your phone was dying at the airport? I get it. How is your wife supposed to pick you up if you have no way of telling her you landed? No one wants to get marooned at the airport. You had to plug into and, perhaps shamefully, pay that charging kiosk, but you have no idea who it belongs to and you could easily being paying some guy to steal all sorts of valuable data from your phone.
Device loss and theft are also relatively unique to the mobile environment. You could obviously lose a laptop, but it’s bigger and probably harder to forget about. A thief could definitely run off with your PC, but he’d probably have to do at least a little breaking and entering first.
The attack surface on a smartphone (i.e. the number of ways an attacker can get in) is even larger than that of a traditional PC.
Last year, I read an article in the DailyMail reporting on a malicious application proof-of-concept developed by the United States Military. The app is apparently capable of turning on the camera on your mobile phone and taking and sending images and videos back the app’s developers. The software that drives the app is also reportedly capable of using the images to map rooms. These capabilities could give an attacker the ability to spy, gather intelligence, or even case the joint (your house or office) before performing a robbery. Of course, most laptops have built in cameras as well, but, again, we don’t carry laptops around in our pockets.
Similarly, I’ve seen researchers remotely turn on smartphone microphones, creating an ever-present surveillance machine. They can also potentially monitor all of your movements by tapping a device’s GPS and location services as well.
It’s is very possible to install malware on a phone that has the capacity to record all device communications. An attacker could listen in on phone calls, read your emails and text messages, steal the passwords to all of your social media accounts, and, worst of all, get at those online banking credentials and cause all sorts of damage. For example: If I got my hands on your banking login credentials, depending on your bank, I could potentially change your password, transfer all the funds, send myself an eCheck, or even change the email or real address associated with the account and send a copy of your credit card to my house for a serious shopping spree. I wouldn’t do that, because I am nice and I like you, but there are a lot of people out there who would do that.
I coach a little youth swimming on the side, and when I look around I see a lot of kids carrying smartphones. Now, I’m no criminal, but I can’t help wondering if mommy and daddy’s credit card information is stored on these things. In other words, a lot of us are giving devices loaded with sensitive information to CHILDREN. Kids literally lose everything, and some of them, particularly the young ones, will believe anything an adult says. You don’t have to be smart to phish a kid.
There is no shortage of ways for the bad guys to get on your phone either. You might download a malicious application or open a phishing email or someone might fiddle with your phone while you aren’t looking. The list goes on and on to include any number of things I haven’t even thought of, but which criminals almost certainly have thought of.
The good news is that we are making better mobile security products than ever before. With every operating system, the big tech firms are introducing better security controls and safeguards like Apple’s find my iPhone and Activation Lock features. Nearly every device has a feature that lets users perform a remote data wipe in an emergency. Better yet, we are getting smarter too. A few years ago the average person knew nothing of security. Thanks to Stuxnet and other high-profile, media-grabbing security stories, consumers are thinking about security more than ever. It’s also comforting to know that all you can do is run a security product on your smartphone or tablet, keep it password protected, implement all security features its operating system offers, and, as always, stay informed about the threats that exist.
The threats represented by charging are easily remedied. Carry a spare charger that plugs into an electrical socket whenever possible. I keep one in my car and another in my backpack. When I charge my phone, I don’t leave it unattended in public places. Sometimes it’s inconvenient, but a dead battery, however useless, is better than infected, stolen, or otherwise compromised phone.
These new features like remote device wipe and find my iPhone and Activation Lock go a long way in protecting lost devices. Implement them if they aren’t default features and learn how to use them: losing a phone stinks, but giving a stranger complete access to all the information and every account on it is far worse. At the very least you need to turn on a password or passcode lock. These can be broken by skilled attackers, but even a four-character passcode will prevent most people from accessing your device, especially if you set it up so that repeated failed login attempts will wipe all device data.
If you’re extra-cautions or overly concerned about the data on your device, then use full memory-encryption (for Android) or encrypt your iCloud or local back-ups on iDevices.
I don’t have kids and can’t tell you what you should do with yours. Just try to stay on top of and regulate the information stored on their phones and tablets so that it’s not too big of a deal when they inevitably lose them.