If you stop and take a look at all the objects that sit within an arms length of where you are sitting the chances are that a mobile phone, in all its guises, is one of the first that you see. The reality is that the cell phone is the first piece of IT that we take with us wherever and whenever we go. If we forget our cell phones we feel naked, isolated and more than a little bit worried. Whilst few would take a fully-fledged PC to bed, the cell phone has pride of place next to the bedside lamp.
From an information security perspective this poses an interesting challenge.
Quite simply, if you can compromise a cell phone then you are more or less assured that you can collect the most relevant, current and possibly damaging data possible. The breadth and depth of current cell phone technology is staggering, with new models, features and innovations delivered weekly. Whilst few would doubt the huge appeal of interactive applications, the challenge these devices give information security professionals is overwhelming. After all, we now have presidents and prime ministers touting these devices as part of their need to be in touch. No doubt this appeals to a deep-seated and basic human need to be part of something at all times.
This series of articles will explore the reality of hacking attacks against cell phones and what we need to do to prevent them.
Aside from the risk of losing emails and SMS messages, few have considered that voice data is similarly at risk from being compromised. This risk is now a reality and we need to be considering how we deal with it sooner rather than later.
Consider these scenarios:
- Bob is attending a major trade show where the brightest and the best in his industry are negotiating deals worth millions. Bob has a meeting planned with a potential client to discuss pricing options. Eve works for a competitor. She pays a third party to install spyware on Bob's cell phone, turning it into a listening device. Eve listens into the negotiations and meets the potential client later that day with a bid that mysteriously undercuts Bobs by 1%. Eve wins the business.
- A CEO staying in a hotel room needs to take part in a conference call discussing end of year financial data, prior to a big announcement to the stock market. Fraudsters set up a fake cell phone base station and intercept the conversation, getting advanced notice on likely stock movements.
- A foreign government is keen to acquire as much hi-tech intellectual property as it can. It has targeted one company in particular that sells advanced missile systems and has information that a senior engineer from that company will be staying in a downtown hotel one weekend. Following a covert operation, it was established that the engineer used a specific handset and Bluetooth headset. This data was fed back to intercept technicians who were able to remotely monitor the engineer's conversations, having hacked the Bluetooth headset.
For many people these targeted attacks would seem extreme and not something they should be bothered about. The reality is that those after your data will target the weakest link, and the prevalence of cell phones is making them a top target.
If you lose a laptop, USB stick or CD it can be fairly obvious that the data has gone missing. Voice data is very different, as a successful interception can leave no physical trace so there is little chance of realising your data has actually been intercepted until it is too late. For many, this realisation may be when they have been undercut by a competitor or see their products copied in another country. This makes the promotion of voice security more of a challenge, as a direct link to an incident is often difficult to make.
Of course this lack of detection and traceability is a real bonus for the eavesdropper. When a victim realises the loss of data the attacker is long gone, hiding their trail as they go.
The study reveals that 67% of those 75 organisations surveyed were not confident that the information passed during a cell phone conversation was adequately secured and only 14% use technologies to secure cell phone calls when travelling to sensitive areas. The cost to the organisation each time a corporate secret is revealed to competitors or their agents has been averaged at $1.3 million.
The next article in this series will explore cell phone technology in more detail and identify the weaknesses that are being exploited.