by Marc Goodman
As should be obvious by now, there are numerous risks from the exponentially growing sea of data in which we find ourselves. Not only do we face an onslaught of data mining from Internet companies, marketers, and third-party data brokers, but criminals, terrorists, and rogue governments too have us under constant assault and surveillance, forever aggregating and amassing. Those trails of data detritus, however, are growing exponentially longer thanks to the computers we’re now carrying with us at every turn—our mobile phones.
CHAPTER 7
I.T. Phones Home
Mobile phones are one of the most insecure devices that were ever available, so they’re very easy to trace and they’re very easy to tap.
EVGENY MOROZOV
On March 21, 2002, Milly Dowler, a thirteen-year-old from Surrey, England, phoned her father to say she’d be home soon. Hours later, the teen still hadn’t arrived, and calls to her cell phone went unanswered. By the following evening, a massive search of the area was under way, and Milly’s disappearance had made national news.
As part of their investigation, the Surrey police accessed the mobile phone voice mail of the missing girl in their search for clues. Ongoing checks with her mobile phone carrier revealed that five days after her disappearance, the voice-mail system had been accessed, and a new message that had arrived that day was played by parties unknown. The discovery gave the Dowlers hope that their daughter was still alive. As the weeks dragged on, additional messages left on Milly’s voice mail continued to be retrieved and deleted, leading investigators to question whether the missing girl was in fact a runaway.
Sadly for the Dowlers, Milly was no runaway but was abducted, her body discovered twenty-five miles away from where she was last seen alive six months prior. In an instant, Milly’s case was declared no longer that of a missing person but a full-blown murder investigation. But one fact continued to confound police: Who had been repeatedly accessing the young girl’s mobile phone long after she was missing and now presumed to have been dead? Was it the killer? A jealous boyfriend? Her parents? For nearly a decade, the haunting question went unanswered until June 2011 when the mystery was finally solved. The culprit was one nobody would ever have guessed.
In a lengthy article published by the Guardian newspaper, it was revealed that Milly’s phone was among those targeted by Rupert Murdoch’s News of the World in a scandal dubbed Hackgate by the British press. Milly’s phone was hacked not by the killer, her parents, or a boyfriend but by those looking for a scoop for their tabloid pages. Poor Milly and the Dowlers were not the only victims of Hackgate; so were numerous celebrities, politicians, and even members of the British royal family, which might make sense given their high public profiles. But ultimately, it was discovered that reporters and private investigators hired by the News of the World had extended their mobile data theft operations well beyond that of high-profile public figures. Shamefully, they had also hacked into the mobiles of the relatives of British soldiers killed in Iraq and Afghanistan, as well as victims of the tragic 7/7 London terrorist bombings. The appalling details of the case led to a global public outcry and the closure of Murdoch’s News of the World after 168 years of continuous publication. Dozens of employees and contractors of the paper were arrested, including the private investigator it had hired to gain details of the young girl’s disappearance.
Of course for two grieving parents, the sanctions and arrests of those involved were of little comfort. For the Dowlers, the news that it was a newspaper that had broken the security of Milly’s phone was unfathomable. Had this unlawful mobile phone hacking of a missing thirteen-year-old girl somehow impeded the investigation of their missing daughter’s whereabouts? What police resources were wasted trying to get to the bottom of what appeared to be a prominent clue possibly left behind by Milly’s suspected murderer—precious time wasted that might have prevented her tragic and untimely death. We will never know, nor will the Dowlers, who have to live with the tragedy and the burning question every day for the rest of their lives.
While the actions are indeed deplorable, sadly they are all too easy to perpetrate. Our mobile phone security—that of the device that most modern citizens hold most dear—is a farce, easily exploited by organized crime, stalkers, terrorists, and even journalists lacking a moral compass or a shred of decency.
Mobile Phone Operating System Insecurity
Mobile phones are becoming our computers of choice. These “snitches in our pockets” serve as constant beacons of our activities and our locations. Just as mobile phones provide a treasure trove of data to advertisers, so too do they for criminals. Even worse, mobile phones may be the most insecure of all devices. The software is notoriously easy to subvert, the risks are poorly understood, and the systems for device protection are immature and wholly underdeveloped. As a result, smart phones are among the easiest devices to hack. While law enforcement and security services have been able to target and tap mobile phones for years, now the very same techniques are readily available to criminal enterprises and everyday hackers as well.
Today, there are viruses and Trojans specifically designed to give attackers access to your cell’s microphone, recording any sounds nearby, even when you are not on a call. Anything you do or any data you store on your mobile phone—your entire text-messaging history, your address book, photographs, call logs, social networking passwords, and account information—can all be intercepted, hacked, and forwarded to criminal organizations for future exploitation.
Mobile phone malware can be used to track your persistent location and allow criminals to see your position in real time, conveniently plotted on a Google map. Even your smart phone’s video camera can be turned on (without any warning light) to record you. There are so many YouTube videos, instructional Web sites, and prefabricated criminal software programs for sale that even novices can hack a mobile phone. In fact, it’s often as easy as sending an infected SMS message to your target.
One might legitimately ask, how can mobile phones be so readily compromised? The answer is that it’s all about the operating system. Mobile phone operating systems are newer than their long-standing desktop counterparts and even more insecure. Criminals fully recognize that the world of big data is going mobile, and that is where they are concentrating their efforts to ensure the largest return on their malware investments. Mobile is the platform of choice. It is intimate and always with us, and criminals are adapting and innovating with alacrity.
By 2014, McAfee had already identified nearly four million distinct pieces of mobile phone malware, a 614 percent increase over the previous year. Moreover, according to a study by Cisco (and widely touted by Apple’s senior vice president of worldwide marketing, Phil Schiller), 99 percent of all mobile malware is targeted against Google’s Android mobile operating system. The findings are deeply troubling, especially given that 85 percent of smart-phone handsets shipped worldwide as of mid-2014 were Android and that one billion additional Android mobile devices are expected to be shipped by 2017. To be sure, the open-source nature of Android’s operating system is one of the platform’s biggest selling points, but with such openness and the ability to customize the free software as one sees fit comes a huge liability—security. The majority of device manufacturers and phone carriers simply implement the software poorly.
So what is it that makes it so easy to pilfer data from Android devices? Simply stated, it is a lack of updates and bug fixes to the mobile phone’s operating system. New versions of Android dribble out to users from carriers as a means of forcing upgrades. In addition, carriers and handset manufacturers need to tweak each installation of Android and customize it to work with individual mobile phone models, an expensive and time-consuming process resulting in far fewer updates per device in the Android world. Worse, according to several studies, it is this customization process and the insecure software added by mobile phone companies and handset manufacturers that lead to 60 percent of the security threats in the Android ecosystem. All those annoying apps and skins that come with your phone are known as bloatware, because they take up space on your device, are of dubious value, and serve as little more than marketing gimmicks for your handset manufacturer or wireless carrier. Not only are they bothersome, but their poorly thought-out implementation leads to the majority of security threats on Android devices.
By comparison, Apple controls its entire hardware and software ecosystem. As such, it can ensure that its mobile iPhone operating system (iOS) software works more seamlessly, and carriers are prohibited from fundamentally altering the underlying operating system with their bloatware. A comparison between Android and iOS clearly tells the story: five months after its release in 2013, 82 percent of Apple’s 800 million mobile devices were running iOS 7, the most up-to-date version of its mobile operating system. Only about 4 percent of Android users were running the latest version of Google’s Android, also released the same year. What is deeply frustrating about these figures is that if all Android users were simply upgraded to the latest version of the mobile phone operating system, a full 77 percent of security threats could be largely eliminated. It is the failure of Google and its partners to make security updates widely available to its user base that allows criminals the time they need to find hole after hole in the Android OS and target it for exploitation.
Mind the App
App makers such as Rovio, Zynga, and Snapchat aren’t the only ones creating apps as a means of acquiring and selling your data; organized crime groups have also adopted the practice. Though one might logically presume that any app submitted by a developer to Google’s Android or Apple’s App Store would have undergone a vigorous security review of its computer code and its developer, all is not as it seems. With more than a million apps in both the Android and the iOS ecosystems, strikingly little if any human verification occurs—a fact known by criminals, who have subverted the mobile app stores on numerous occasions. Instead, computer-automated algorithms do all the heavy lifting in the review process, and the app store creators just hope it all works out.
As a result, mistakes are common, and apps that contain malware are increasingly hosted in what you would presume to be a reputable app site. By 2013, more than forty-two thousand apps in Google’s store had been found to contain spyware and information-stealing Trojan programs. The malware in these apps specifically targets the data on your phone, particularly financial information. Just days after the original Android Market app store had launched, criminals had uploaded fake banking apps for major financial institutions around the world. The apps were deeply realistic and used the correct bank logos, fonts, and color schemes to add to their credibility. Tens of thousands of people were tricked into downloading the apps, and when they failed to work, angry customers called their banks, only to find out “we don’t have an Android app yet.”
Cyber criminals have retooled their operations to create many more fake banking apps. Though only sixty-seven banking Trojans had been identified in 2012, the number had grown to more than thirteen hundred by the end of 2013, according to Kaspersky Lab. To date, mobile malware packages have been uncovered targeting customers of the world’s largest banks, including Citibank, ING, Deutsche Bank, HSBC, Barclays, and sixty-six other financial institutions around the world.
And malware is even more rampant in third-party app stores. While there is at least some limited algorithmic security screening in the official Android marketplace, there is often none whatsoever in third-party sites. As a result, more than five hundred such third-party app vendors have been found to be offering Android apps containing malware. Because there are no security reviews in these app stores, apps containing viruses and Trojans can have near-infinite shelf lives, providing lifetime annuities to the criminals who create and upload them.
While much less common, malicious apps have also been found in Apple’s App Store. Although the Apple iOS ecosystem is tightly regulated and controlled, many users find the environment too stifling. When they initially purchase their products, iPhone users cannot customize their keyboards, change their default browsers, manage files locally, or add widgets to their home screens—all features standard in Android. To get around these limitations, many users “jailbreak” their iOS devices, using specialized software to hack their own mobiles in order to obtain root administrative access to phones and control over features locked down by Apple. Jailbreaking an iOS device allows users to gain access to thousands of software programs not officially approved by Apple. Nearly ten million iOS devices have been jailbroken, and their users have turned to third-party app stores like Cydia to download their apps. While jailbreaking these devices provides much greater control to users, it also opens iOS mobile devices to the same security threats common in the Android ecosystem, including a variety of financial frauds.
Why Does My Flashlight App Need Access to My Contacts?
Hundreds of millions of smart phone users around the world have downloaded that ever-popular and convenient flashlight app. It’s so useful when looking for keys in a purse or trying to open the door late at night, and most of us paid absolutely nothing for the privilege. But why does your flashlight app need access to your contacts? Why does it ask for my location? My location should be obvious: I’m in the dark; that’s why I need a flashlight app! As it turns out, the majority of these apps, especially in Android, are just convenient mechanisms to steal your data, download all your contacts, ascertain your persistent location, install keystroke loggers, and capture your financial information. As a result, we are seeing the “app-fication” of crime, criminal acts reduced to the simplicity of a mobile phone application.
The permissions granted to these apps, especially in the Android ecosystem, where there is no way to deny a specific permission to a given app prior to installing it, mean you and your data are at risk. App permissions on mobile devices are akin to terms of service: we all click yes but never really stop to think about the implications of our decision. The reality is that permission means a rogue or criminal app developer now has the authority needed to commit fraud or steal from your bank account via your mobile device.
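As an added illustration (not part of the book), the over-permissioned flashlight app described above can be spotted from its manifest before it is ever installed: the script below parses a constructed AndroidManifest.xml for a hypothetical torch app and flags every requested permission that a flashlight has no business asking for. The sample manifest, the package name and the expected-permission set are assumptions; the permission names are Android's real ones.

```python
# Added example (not the book's): audit an Android app's declared permissions
# against what its stated purpose plausibly needs.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical flashlight app that over-asks.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Assumed allowlist: a torch app needs the camera (to drive the LED flash)
# or the legacy FLASHLIGHT permission, and nothing else.
FLASHLIGHT_EXPECTED = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}

# Permissions that, granted to a rogue app, enable exactly the data theft,
# tracking and premium-SMS fraud the chapter describes.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "can copy your address book",
    "android.permission.ACCESS_FINE_LOCATION": "can track your position",
    "android.permission.ACCESS_COARSE_LOCATION": "can track your approximate position",
    "android.permission.SEND_SMS": "can send premium-rate SMS at your expense",
    "android.permission.READ_SMS": "can read your text messages",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
    "android.permission.READ_CALL_LOG": "can read your call history",
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the permission names an AndroidManifest.xml requests, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # namespaced android:name attribute
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit_permissions(manifest_xml: str, expected: set[str]) -> dict[str, str]:
    """Map each requested permission outside `expected` to a short risk note.

    Permissions that are unexpected but not in HIGH_RISK are still reported,
    with a generic note, because "not needed" is itself the finding.
    """
    findings = {}
    for perm in declared_permissions(manifest_xml):
        if perm in expected:
            continue
        findings[perm] = HIGH_RISK.get(perm, "not needed for this app's stated purpose")
    return findings


if __name__ == "__main__":
    for perm, why in audit_permissions(SAMPLE_MANIFEST, FLASHLIGHT_EXPECTED).items():
        print(f"UNEXPECTED {perm}: {why}")
```

The allowlist is the important design choice: rather than maintaining a blocklist of "bad" permissions, the check starts from what the app's purpose requires and treats everything else as a finding, which is how a reviewer (or an install-time policy) would catch a flashlight that wants your contacts and your location.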
Criminals are also creating fake apps specifically to commit telecommunications fraud. Three-quarters of all cell-phone malware exploits loopholes in mobile payment systems by sending fraudulent premium-rate SMS messages, each one generating $10 in immediate profit. Multiplied by hundreds of thousands of fake SMS premium messages, the money generated is huge. In one incident, scammers were able to post fake versions of wildly popular games such as Angry Birds and Assassin’s Creed into an app store. Once the app was downloaded, every time the user opened it, it would send three premium SMS messages without the user’s knowledge at $7.50 per message. In just a few hours, thieves generated tens of thousands of dollars of fraudulent charges.
Hijacked mobile phones are increasingly being used to send spam e-mail messages as they join so-called botnet networks. Botnets are a collection of enslaved, malware-infected computers that work in unison, under the control of hackers or criminals, to pump out massive amounts of spam or take part in DDoS attacks, unbeknownst to the device’s legitimate owner. While botnets were previously limited to desktops or laptops, now millions of mobile phones have also been commandeered, and these drone devices are under the full control of criminals and hackers who have joined them to their exponentially growing “zombie networks.” These massive networks of hacked devices lie in wait, ready to be unleashed against any target at a moment’s notice. Given that mobile device shipments are outpacing desktops and laptops by a factor of ten to one, it is clear that the future of computing is mobile. As such, criminals have figured out that the future of data theft, DDoS, and malware is mobile too.
Even legitimate apps can put you and your data at risk if the software is poorly written or contains undetected security vulnerabilities. Such was the case with the highly popular “social photo booth” app known as Snapchat. Snapchat is a service that allows users to send “selfie” photographs (often involving nudity) that purportedly disappear in just a few seconds after arriving on the recipient’s phone. More than one billion photographs have been sent via the service, and in late 2013 Facebook unsuccessfully tried to buy the company for $3 billion. In early 2014, it was revealed that Snapchat contained a security flaw that exposed millions of iPhone users to denial-of-service attacks.
The vulnerability meant that hackers could target your phone specifically by sending a thousand Snapchat messages in just five seconds, thereby crashing your phone and making it unavailable for your use until you performed a hard reboot of the device. Moreover, hackers were also able to compromise nearly five million Snapchat user accounts and published a database of user names and phone numbers on a hacker Web site. Worse, it was revealed that Snapchat’s foremost feature—the ability to send naked photographs that would self-destruct in ten seconds or less—was also flawed. The images did not self-destruct as promised and could still be retrieved both on the recipient device and on Snapchat’s own computer servers. As a result, tens of thousands of Snapchat photographs thought to have been deleted have shown up across the Internet, reposted on Instagram and on numerous revenge-porn sites. The photographs have subsequently been used for the purposes of extortion and other criminal offenses.
Mobile Device and Network Threats
The emerging threats to the data we carry on our mobile devices are not only affecting consumers but also having a major impact on business. In today’s modern enterprise, BYOD, or bring your own device, has become the standard and allows employees privileged access to sensitive corporate data and applications from their own personal mobile devices. Today 89 percent of employees are accessing work-related information on their mobile phones, and 41 percent are doing so without permission of their companies.