The mobile office has become a reality for many business people, and the proliferation of mobile devices (such as smartphones and tablet PCs) has provided new avenues of attack for cyber-criminals determined to access your company’s important data. While we have become security-conscious as far as our business laptops are concerned, smartphones are not normally protected with the same level of care, despite the sensitive nature of the information that can be on these devices.
Edwin Thompson, General Manager of Infrastructure and Technology at MTN Business, spent some time with ITNewsAfrica.com discussing the dangers of an insecure smartphone, and some of the measures businesses can put into place in order to protect their mobile offices.
According to Thompson, there are a lot of examples of “legitimate” spyware applications which are readily available to consumers. “What these apps do is they sit on a phone (an iPhone, a BlackBerry, an Android phone, anything), they are written to effectively create a layer between the user interface (the keyboard) and the rest of the phone’s insides,” he said.
“They are created for various supposed reasons; vendors claim they are designed for the security of children, they can monitor the child’s behaviour in terms of joining adult sites and what kinds of people are communicating with your child,” Thompson said. “But at the same time it will come up with a banner ad down the side which will say ‘catch your cheating spouse’, which is obviously the intent of the software; to create a mechanism whereby you can see what people are doing on the device.”
We can compare these applications to what is happening in the PC world as well.
“Nothing is actually different in the PC segment,” Thompson said. Similar programs are available for the PC. Most are intended to be used by a legitimate user (like a business administrator, or a concerned parent), but the potential exists for these programs to be used to spy on a company, or to steal confidential information.
“These programs sit on a phone, or a tablet PC, and publish information about whatever you are doing to a website,” Thompson explains. “The perpetrator, or person monitoring your activities, can go into the website and withdraw everything you have done on that device. Every keystroke, every e-mail, every URL you have visited, every picture you have taken or received.”
Thompson further explains that some spy software can intercept phone calls. “You can place a call to the phone, it will not ring or anything, but the program will switch the microphone on. There is no indication that the call has happened; however, it opens the mic and that can be used to eavesdrop,” he said.
A lot of these programs are configured by SMS. The spyware intercepts every single SMS and filters it before it is given to the user. If it is a configuration SMS, the program obeys it and then discards or hides it without the user knowing about it. If you have some kind of spyware on your phone, it may be receiving instructions via SMS and you would be none the wiser.
“If you allow people to breach the physical security of a device then you are looking for trouble,” Thompson said. “As we bring more and more functionality into the device, it’s like the PC, if you allow your office PC to be open, anyone can come in and load spyware onto the PC.”
“Viruses etc. do it more covertly,” he said. “The mobile phone has not yet come to the point where these things are disseminated in viruses like on a PC, we will start seeing that but it’s not there yet. Ensure you have physical security. Lock your smartphone with a password.”
“We’ve been carrying laptops around for a long time, do you hand your laptop to someone the same way you hand your phone to someone? No!”
“It’s quite easy for someone to give their phone to someone in the office, when you get your phone back are you 100% sure that it has the same programs on it? These things hide in the background and there is no easy access to the user interface. You may have to dial some obscure code before the setup menu can be accessed, and then it hides itself again.”
Smartphone developers are building in admin tools which allow you to remotely lock or format the device, but the onus of responsibility still falls to the device’s daily users. BlackBerry, for example, has an administration program which allows the business owner of a device to remotely format all information from a lost or stolen smartphone. Apple devices are slightly more secure, Thompson explained, because these kinds of spy programs can only be installed on a “jail-broken” device, a modification which is removed every time the device is updated. This automatically removes any spyware at the same time.
“The smartphone is becoming a business tool and therefore it should be managed like a business tool, there should be policies and procedures in the back end to protect the device. With that sort of intelligence in the mobile environment you have to deal with the dangers.”
For further information, please read the .pdf of a presentation which Edwin Thompson gave at the ITNewsAfrica Innovation Dinner on 19 April 2011, available here.
By Angela Meadon