Via The New York Times
-----
Chuck Bokath would be terrifying if he were not such a nice guy. A jovial senior engineer at the Georgia Tech Research Institute
in Atlanta, Mr. Bokath can hack into your cellphone just by dialing the
number. He can remotely listen to your calls, read your text messages,
snap pictures with your phone’s camera and track your movements around
town — not to mention access the password to your online bank account.
And while Mr. Bokath’s job is to expose security flaws in wireless
devices, he said it was “trivial” to hack into a cellphone. Indeed, the
instructions on how to do it are available online (the link most
certainly will not be provided here). “It’s actually quite frightening,”
said Mr. Bokath. “Most people have no idea how vulnerable they are when
they use their cellphones.”
Technology experts expect breached, infiltrated or otherwise compromised
cellphones to be the scourge of 2012. The smartphone security company Lookout Inc.
estimates that more than a million phones worldwide have already been
affected. But there are ways to reduce the likelihood of getting hacked —
whether by a jealous ex or Russian crime syndicate — or at least
minimize the damage should you fall prey.
As cellphones have gotten smarter, they have become less like phones and
more like computers, and thus susceptible to hacking. But unlike
desktop or even most laptop computers, cellphones are almost always on
hand, and are often loaded with even more personal information. So an
undefended or carelessly operated phone can result in a breathtaking
invasion of individual privacy as well as the potential for data
corruption and outright theft.
“Individuals can have a significant impact in protecting themselves from
the kind of fraud and cybercrimes we’re starting to see in the mobile
space,” said Paul N. Smocer, the president of Bits,
the technology policy division of the Financial Services Roundtable, an
industry association of more than 100 financial institutions.
Cellphones can be hacked in several ways. A so-called man-in-the-middle
attack, Mr. Bokath’s specialty, is when someone hacks into a phone’s
operating system and reroutes data to make a pit stop at a snooping
third party before sending it on to its destination.
That means the hacker can listen to your calls, read your text messages,
follow your Internet browsing activity and keystrokes and pinpoint your
geographical location. A sophisticated perpetrator of a
man-in-the-middle attack can even instruct your phone to transmit audio
and video when your phone is turned off so intimate encounters and
sensitive business negotiations essentially become broadcast news.
How do you protect yourself? Yanking out your phone’s battery is about
the only way to interrupt the flow of information if you suspect you are
already under surveillance. As for prevention, a common ruse for making
a man-in-the middle attack is to send the target a text message that
claims to be from his or her cell service provider asking for permission
to “reprovision” or otherwise reconfigure the phone’s settings due to a
network outage or other problem. Don’t click “O.K.” Call your carrier
to see if the message is bogus.
For added security, Mr. Bokath uses a prepaid subscriber identity
module, or SIM, card, which he throws away after using up the line of
credit. A SIM card digitally identifies the cellphone’s user, not only
to the cellphone provider but also to hackers. It can take several
months for the cellphone registry to associate you with a new SIM. So
regularly changing the SIM card, even if you have a contract, will make
you harder to target. They are not expensive (about $25 for 50 of them
on eBay). This tactic works only if your phone is from AT&T or
T-Mobile, which support SIM cards. Verizon and Sprint do not. Another
way hackers can take over your phone is by embedding malware, or
malicious software, in an app. When you download the app, the malware
gets to work corrupting your system and stealing your data. Or the app
might just be poorly designed, allowing hackers to exploit a security
deficiency and insert malware on your phone when you visit a dodgy Web
site or perhaps click on nefarious attachments or links in e-mails.
Again, treat your cellphone as you would a computer. If it’s unlikely
Aunt Beatrice texted or e-mailed you a link to “Great deals on Viagra!”, don’t click on it.
Since apps are a likely vector for malware transmission on smartphones,
Roman Schlegel, a computer scientist at City University of Hong Kong who
specializes in mobile security threats, advised, “Only buy apps from a
well-known vendor like Google or Apple, not some lonely developer.”
It’s also a good idea to read the “permissions” that apps required
before downloading them. “Be sure the permissions requested make sense,”
Mr. Schlegel said. “Does it make sense for an alarm clock app to want
permission to record audio? Probably not.” Be especially wary of apps
that want permission to make phone calls, connect to the Internet or
reveal your identity and location.
The Google Android
Market, Microsoft Windows Phone Marketplace, Research in Motion
BlackBerry App World and Appstore for Android on Amazon.com all disclose
the permissions of apps they sell. The Apple iTunes App Store does not,
because Apple says it vets all the apps in its store.
Also avoid free unofficial versions of popular apps, say, Angry Birds or Fruit Ninja. They often have malware hidden in the code. Do, however, download an antivirus app like Lookout, Norton and AVG.
Some are free. Just know that security apps screen only for viruses,
worms, Trojans and other malware that are already in circulation. They
are always playing catch-up to hackers who are continually developing
new kinds of malware. That’s why it’s important to promptly download
security updates, not only from app developers but also from your
cellphone provider.
Clues that you might have already been infected include delayed receipt
of e-mails and texts, sluggish performance while surfing the Internet
and shorter battery life. Also look for unexplained charges on your
cellphone bill.
As a general rule it is safer to use a 3G network than public Wi-Fi.
Using Wi-Fi in a Starbucks or airport, for example, leaves you open to
hackers shooting the equivalent of “gossamer threads into your phone,
which they use to reel in your data,” said Martin H. Singer, chief
executive of Pctel, a company in Bloomingdale, Ill., that provides wireless security services to government and industry.
If that creepy image tips you into the realm of paranoia, there are supersecure smartphones like the Sectéra Edge
by General Dynamics, which was commissioned by the Defense Department
for use by soldiers and spies. Today, the phone is available for $3,000
only to those working for government-sponsored entities, but it’s
rumored that the company is working to provide something similar to the
public in the near future. General Dynamics did not wish to comment.
Georgia Tech Research Institute is taking a different tack by developing
software add-on solutions to make commercially available phones as
locked-down as those used by government agents.
Michael Pearce, a mobile security consultant with Neohapsis
in Chicago, said you probably did not need to go as far as buying a spy
phone, but you should take precautions. “It’s like any arms race,” he
said. “No one wins, but you have to go ahead and fight anyway.”