In today’s corporate environment, very few people are without some kind of cell phone. And many phones have more functions and options than the average user needs. For better or worse, they are a ubiquitous part of life, and for many, they are simply indispensable.
As a result these are becoming the back door into corporate networks.
Backdoors, in this context, describe non-obvious devices and technologies that can interface with a network and pry open an attack vector that most security mechanisms don’t account for. For example, unauthorized wireless access points can be considered back doors. Software backdoors — and the paranoia surrounding them — is a topic for another site…
This whole article came about when a friend asked about what items he should put on his new smartphone to protect his small business. It occurred to me that, in his scenario may not be all that unique. And, on a larger scale, corporations may be overlooking a glaring back door in their network security.
So what are the risks?
Many of the ones that we see for wireless and Bluetooth as well as existing desktop OS risks are the same ones that can affect phones. Many phones today are being bundled with Windows Mobile, Microsoft’s PDA/cell phone OS. This OS allows for greater interoperability with standard Windows applications and allows users to feel comfortable since they are already used to Windows on their desktop.
So, unsurprisingly, there exists malware and viruses for these tiny computers. Take a look at yours. Where’s the firewall to protect against intruders? No? What about encryption to protect those passwords you use to access email or your voice-mail? No? What about anti-virus and spyware detection? No?
It is becoming evident that as part of the cell phone package, providers may need to include these items, particularly for their corporate customers. There are a few ways infection can occur. The first is the standard and most obvious one: get the user to download something, preferably something they want. Say, for instance, a free Texas Hold ‘em Poker or Sudoku game for the phone.
Or perhaps something that “promises” ways to get more messages to and from friends. Whatever the program, it’s enticing; it’s important; it’s “needed”. Once the program is downloaded and run, the malware is launched.
This, in case you haven’t already noticed, is very similar to what happens in the desktop world.
An additional factor is ever-present, never-dying spam.
It is easier to fill a cell phone mailbox with spam than it is a modern computer. And yet, we have no filters for this. I personally experienced a mini-flood done by my personal cell phone provider when their email server began sending out things in triplicate.
It can be frustrating since there is no header info, no filter options for MMS and no mouse to easily select a bunch and just delete. While reports of this are sporadic, it will undoubtedly, climb since it’s not hard to generate phone lists.
The other two methods include MMS messages with attachments and the Bluetooth option.
The MMS option works very similar to that of email: double-click on the attachment and the virus/malware launches. The one that is most interesting is the use of Bluetooth as a vector of attack. Similar to wireless, Bluetooth is often used in cell phones and PCs, and used to allow communication between phones and PCs. If the phone is in discoverable mode (that is, it’s attempting to find a Bluetooth device nearby), then an attacker can connect and inject.
The challenge is finding devices in discoverable mode. An application like Blooover II makes finding discoverable phone easier. Blooover is one of a few tools out there; others include Super Bluetooth Hack, BlueTest, BTCrack, T-Bear, Bluesnarfer and many others.
A simple search for “Bluetooth hack” will generate enough results to keep someone busy for a little while (most of these will require installation on a phone with Java ME to work). The biggest impact made by these tools, like their predecessors in the wired world like ettercap, is that they make it easier to get into systems with little to no knowledge.
In essence, these tools allow for an attacker to sniff a Bluetooth stream for info or to inject nastiness.
In addition, they can also find Bluetooth devices that are discoverable and, if encryption is used, crack it. Of course, for any of these attacks to prove successful, proximity is critical (10m/30ft but some devices have a range of roughly 100m/300ft). But when the financial institutions of the world are close to each other and everyone goes for lunch to the same deli or sushi place, it shouldn’t be too hard to do.
With all these threats are there steps that can be taken at the enterprise level to address this? You could invest in existing technologies that address cell phone issues such as McAfee’s Total Protection or Sophos Endpoint Security and Control. But in addition to this, education remains the primary method of addressing cell phone security. Users should be reminded of the following:
Work cell phones are corporate property. No unauthorized applications should be installed
Personal cell phones should be disabled at work and/or the Bluetooth discoverable feature disabled.
Bluetooth discoverable should only be used with encryption and only for specific devices (that is, set the discovery for manual pick up rather than automatic).
Set a boot password and a main phone password. This helps secure the phone even when lost.
Remind users that work phones are NOT to be unlocked (this avoids someone bypassing security measures that may be tied to a SIM).
Even though Cabir, the first mobile phone virus, is a toddler of sorts now that it’s 4 years old, it’s not the last virus or malware attack we’ll see for the mobile. The rest are just over the horizon.
Are you ready?
Article courtesy of Enterprise IT Planet