Share This
Related Posts
Tags
Smartphone Safety
By Anca Gagiuc on Mar 21, 2014 in Technology
For most of us, the smartphone has become the latest version of “don’t leave home without it” – remember that old American Express slogan from back in 1985? Most of us can’t make it more than a few minutes without access to our personal communication devices, which double as mini-computers and someday very soon will probably supplant our credit cards as a financial transaction point of contact.
Most of us have adapted to the positive implications of the mobile technology we are carrying in our pockets. But we are less aware of the capable sensor suite, and associated risk, that is probably within your visible – or at least audible – range at this very second.
Scientists and researchers have examined phones from all the angles, trying to help us prepare for any threats to the security of our personal information and data contained therein.
One facet of the study on mobile phones involves the accelerometer’s power to detect vibrations. According to a research conducted by the computer scientists at Georgia Tech, placing a phone on a desk can detect the vibrations from keys pressed on a nearby keyboard and even pick out words with an accuracy of up to 80 percent.
Although this type of attack might be more difficult than other methods of keylogging it can be a highly effective espionage story. “The best-case scenario, if you are an attacker, is if you are going after a very specific person”, says assistant professor at Georgia Tech, Patrick Traynor. “I think it is realistic in that case.”
Accelerometers track movement in three dimensions: side-to-side, forward-and-backward and up-and-down. Analyzing the data they collect can give a good idea of the number code or pattern used to protect a smartphone.
Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith from the University of Pennsylvania have conducted a study entitled Smudge Attacks on Smartphone Touch Screens. They show that the smudge attacks can be a threat for three reasons: smudges are persistent in time, it is surprisingly difficult to incidentally obscure or delete smudges through wiping or pocketing the device, and collecting and analyzing oily residue smudges can be done with just a camera and a computer. Their results confirm this idea: “in one experiment the pattern was partially identifiable in 92% and fully in 68% of the tested lighting and camera setups.”
Even in their worst performing experiment, under less than ideal pattern entry conditions, “the pattern could be partially extracted in 37% of the setups and fully on 14% of them.” Perhaps Apple should hurry up with the fingerprint lock?
Another study supported by the National Science Foundation and conducted by Liviu Iftode and Vinod Ganapathy from Rutgers University goes deeper on the path of criminal thinking. They asked their grad students to develop malicious applications for a common smartphone platform, if possible unnoticeable to the user.
The team injected rootkits into the phone’s operating system; for a computer these software components are devious threats as they attack the operating system itself and the traditional antivirus software cannot detect them because they don’t appear to be standalone applications or viruses. And if a computer is protected by rootkits by the virtual machine monitor, the smartphone doesn’t deploy these monitors because of their limited size and energy resources, so it is very difficult to know that a rootkit attack took place.
Once the rootkits were in place, just by sending a text message the researchers were able to hijack the smartphone. Once in, they could easily and in perfect silence turn on the device’s microphone, listening to everything that was taking place in the room where the phone had been placed. Another attack turned on the GPS, reporting the phone’s exact location without the user knowing it. Ultimately, by turning on different high-energy functions, the hack team was able to rapidly drain the phone’s battery, thus making it useless.
“What makes a smartphone different from just being a mobile computer is all these extra [sensor] interfaces that are provided on the phone for different purposes,” Ganapathy wrote. “Once you have access to this larger body of features, the implications of an attack can be much larger and can be more complicated to address.”
The trend toward the “consumerization of IT” means companies have less control over the security of the devices coming into the network. Does the installation of security measures and limiting the applications that are downloaded go far enough as to prevent malware infections? What measures do you take to protect your network and allow your employees to use their smartphones on the workplace?