Close to a billion smartphones could be a threat to the security of the confidential business and personal information of their user – Technology | #android | #mobilesecurity



Australia:

Close to a billion smartphones could be a threat to the security of the confidential business and personal information of their user


To print this article, all you need is to be registered or login on Mondaq.com.

Smartphone manufacturers are always pushing the envelope to
create new and innovative features for customers. As such,
third-parties are often involved to manufacture the hardware and
software to facilitate these features. A common example of this is
the ‘Digital Signal Processor’ or DSP. Found in
smartphones, TVs and other consumer devices, the silicon chip is
responsible for transmitting signals through the device to make it
possible to render features such as charging, watching and
capturing videos/ audio and making and receiving phone calls.

Qualcomm Technologies is a leading manufacturer of the chip
found in about 40% of smartphones. These Qualcomm chips are not
manufactured for iPhones but are found in Android phones such as
Samsung and Google. Over 400 vulnerabilities have been identified
with the Qualcomm DSP chips, turning otherwise secure devices into
remote spying devices capable of:

  • Eavesdropping on calls and acting as a remote listening
    device,

  • Exfiltrating photos, videos, contact details, GPS and location
    data


  • Making the phone unresponsive and unavailable to the user

The DSP vulnerabilities are not the only threat and aren’t
just limited to Android devices. This was proven by the phone virus
injected into the iPhone X of Amazon’s CEO Jeff Bezos. It is
speculated that by embedding a virus into an encrypted video sent
to the iPhone via WhatsApp, the virus gave actors remote access to
Bezos’ phone without his knowledge. This was done by slowly and
discretely transmitting data to a remote server over the subsequent
months after receiving the video. This ultimately caused the
irreversible transfer of a significant amount of Bezos’ private
personal data, transferring up to 4.6GB on one single day.

Forensic smartphone experts analysed Bezos’ phone using
analysis software. After an in-depth review involving running
malware scanners and reviewing historic network traffic, there was
still no concrete evidence that the device had been compromised.
However, it is known that some malware can implement techniques to
avoid detection by analysis software, which was assumed to be the
case here.

Despite the inability to identify any malicious software, the
increased outbound data transfer occurring on the device indicated
to the forensic experts that it was more than likely that the
iPhone was compromised by the video attachment received via
WhatsApp. It is clear the threats to your laptop are just as
prevalent as those to your phone, whether you use an Android or
iPhone. Businesses and users need to be vigilant to threats to
minimise the occurrence of a data breach.

For businesses, it is always recommended to implement Mobile
Device Management (MDM) software on smartphones when they have
access to or modify business data. The benefits of an MDM are
mainly that applications can be monitored and access restricted,
preventing unauthorised leakage of data. Although this can place
unwanted limitations on the devices, such as a 30-second screen
timeout and limiting applications that can be installed, it is well
worth the cost for the increased security.

For everyday users, activating where possible,
two-factor-authentication (2FA) significantly reduces the
likelihood of unauthorised access to any device or account.
Additionally, it can act as an alert whenever there is an attempt
to access any of your accounts. If you are not accessing your
account and you receive a 2FA code, your best course of action may
be to change your password as soon as possible.

A simple yet effective method to increase your phone security is
to increase the complexity of your phone access PIN. Some phones
can be ‘brute-forced’; a process where all possible
combinations of a PIN are attempted until the phone is unlocked.
The time required to brute-force a 6-digit PIN code compared to a
4-digit PIN code can be a difference of years, even more so when
using an alphanumeric code (a combination of letters and numbers).
In the case of Androids, it is recommended to steer clear of
‘Pattern’ or ‘face unlock’ methods, these Android
unlock methods are found to be insecure and easily bypassed.
Apple’s Face ID is more secure based on the facial recognition
technology utilised. An additional layer of protection offered on
iPhones is to select the option to wipe all data after 10 failed
unlock attempts – but be sure to have a regular backup in
place!

In some instances, despite best efforts, there may be a
suspected data leak. In these situations, devices can be
forensically analysed to search for malware and viruses, and
network traffic can be examined to look for large transfers of data
or any unusual or suspicious activity. By forensically analysing
devices, evidentiary information can be obtained about the series
of events during a given time, allowing the data leakage to be
controlled and then resolved.

Considering mobile phones play such an important role in
people’s lives, from personal and business communication to
entertainment and banking, phone security should be front of mind
for everyone. We should not rely on smartphone manufacturers to
take the necessary steps to ensure the security of our private
personal or confidential business data.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Technology from Australia

Smart(er) contracts in 2020

McCullough Robertson

Current opportunities and challenges facing the adoption of blockchain technology, and in particular smart contracts.



Click here to go to the original author and source to this story.

_________________________________________________________________________________________________

Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.

.  .  .  .  .  .  . .  .  .  .  .  .  .  .  .  .   .   .   .    .    .   .   .   .   .   .  .   .   .   .  .  .   .  .

Leave a Reply