Hole in your pocket - Memo for mobile security

Have you ever gotten your phone out of your pocket, because it seemed to you that it was buzzing and found that it wasn’t actually ringing? Scientifically, this is called "phantom vzhzhzh." Phantom vzhzhzh is a side effect of the ancient human instincts. Is there a tiger rustling in the bushes or did it seem to me? The genes of those who decided that there is no tiger, or did not notice anything at all, very quickly cease to be inherited, so people have learned well how to isolate information even among the noise. A missed call will probably upset you, so the brain adapts to your needs and increases the likelihood of successful recognition of vibration in your pocket due to a small number of false positives.

What am I leading to? This reaction can be illustrated by the saying "it is better to perebdet, than to come short." How often do you spend time away from a mobile phone? What a sin to confess, most likely, you even sleep with him. In the 24/7 mode, next to you is a device with microphones, cameras, GPS, all sorts of other sensors and Internet access, and you trust him with your money, daily routine, inner thoughts ... Just a personal servant! How reliable is it?
')
Unfortunately, information security is always in last place on the agenda, so the same story repeats in every technology industry. The first users of the technology appear, it becomes popular, the number of users grows dramatically, enterprising people begin to use the technology for dishonest earnings, and only after a few major scandals do some movements in information security begin. So it was with cellular communication. The first mobile phones in general could be tapped using a radio.

Then came the digital communication standards, but it was not much better. For GSM, secret encryption protocols were created, but, apparently, compassionate intelligence agencies had a hand in the development, and the protocols turned out so-so . As if this was not enough, two versions of the protocol were created: one for “friends” and the other for “potential enemy”. GSM protection was rather designed to divert attention and stop free calls, because only the phone should be presented to the network, and the network should not confirm its authenticity. As soon as this fact became known to hackers, fake cellular stations appeared, with which you can eavesdrop on conversations and make account transactions, this method is still popular . But it seems that in the near future, homemade equipment will press femtocells , which can be bought directly from operators at an affordable price.

By the way, one of the active researchers of mobile technology security, Karsten Nol, who discovered the A5 / 1 cipher used in GSM in 2009, recently told about the found vulnerability in old sim cards using DES. This news about "750 million hacked phones" was even shown on TV. When was the last time you intentionally changed a sim card? That's the same thing! On Habré already described in detail the essence of the problem and how to deal with it, read.

The situation with sms is not better. If you forget about spammers and scammers with short numbers, then there is still SMS-spoofing. Spoofing is when a message comes to you from one number, and in fact it was sent from another. For example, you receive a message with a link allegedly from your friend, open it, and there may be anything: a subscription to a paid service, a virus, just an advertisement. Or it may come smsku from your passion with the proposal to meet, you come, there is no one there, you wait, and you clean the apartment.

More advanced spoofing can use message processing errors in the operating system of the recipient device, then the sender of the message will display one number, but the response message will be sent to another. The possibilities for fraud are endless. If you think that SMS-spoofing is a difficult business, I hurry to dissuade you, there are a lot of sites on the Internet that offer it as a service. Just register and you can begin to decide the fate of people.

Bluetooth and Wi-Fi

Most of the aforementioned problems are associated with poor legacy and poor security issues in due time. However, since then, the phones have other interfaces that can give you problems. Bluetooth and Wi-Fi are very similar and very reliable, all serious vulnerabilities involve the use of outdated versions of protocols and equipment. But even the most protected technology will not cope if you help the attackers. One of the popular attacks via Bluetooth: change the device name to “Enter 1234”, come to a crowded place and start sending connection invitations to everyone around. The person who received the invitation will see something like “Enter 1234 wants to connect to your phone” on the screen. Someone in the bustle of the day does not immediately figure out what's what, someone will be curious, but access is gained. To deal with such things in some phones, device detection is turned off by default, and to connect it you need to specifically turn it on, but it is better to make sure that there are no problems in the future. Better yet, turn off Bluetooth altogether when it is not needed, it saves nerves and battery.

The problem of connecting to incomprehensible networks is peculiar to Wi-Fi. In free networks without encryption in cafes and shopping centers, data is transmitted in the clear, no need to make any efforts to intercept them. Generally speaking, the access point can also be fake. Most sites do not use https during authorization, including Habrahabr, which means that the username and password can be peeped. Even if a stolen account is not of great value to you, it can be used for fraud or spam.

The case is aggravated by the fact that many applications are very fond of surfing the Internet without asking, while again, without using encryption. You may not even notice how any task list will merge your data.

Applications and personal data

Speaking of applications and data. In modern mobile phones, applications are used to work with a variety of different information, and cloud storage can potentially contain an unlimited amount of data. Moreover, many applications use information from other applications, supplying them with metadata, such as modification time and location. A real find for a spy.

Often, these data are already in the public domain thanks to developers who are trying to make publishing on social networks as easy as possible. Analyzing this information, you can learn the habits of a person, his daily routine, place of residence and work. At first glance, this is not so much, but enough to use this information in any criminal scheme.

There is a rather old trick with telephone polls. They call you supposedly for an opinion poll, they want to know your favorite radio station. When do you listen to her? Do you listen to her in the car or at home? And other family members? How do you feel about playing radio tickets? Positively? Where do you usually relax? With such simple questions you can find out the welfare of the family, at what time there are no owners in the apartment, and when it can be cleaned. Now for this there are social networks.

It's not even that something is stolen from you. The Internet is large, and there will always be inadequate people who like to insult and pester people, and you would not want them to use this information. Such cases are not uncommon, especially if the victim has become famous due to some news. You can fight off unnecessary metadata by disabling options in application settings or using special programs that send false data to applications, such as this . The latter method can also help in cases where trusted applications play pranks and collect unnecessary information.

But enough about that, we better talk about viruses and coochackers. The line between computers and mobile phones is gradually erased, and at the same time their problems become common. Even the methods are the same: as in the good old days, viruses spread through warez sites and dubious mailings. But, as always, history does not teach anyone anything, and defending again in the position of catching up. Some progress is still there, for example, mandatory certification of all applications and their centralized distribution. True, this scheme does not work if you have allowed the launch of unsigned applications. And got root on your phone. And put the test firmware from some forum. Oops

Fortunately, the viruses are not yet very scary, the evil rootkits have not yet arrived on mobile phones. For now virus writers are limited to sending SMS to paid numbers or masking malware for popular games and require money to open access to new levels. Given the current "progressive" methods of monetization, the user may not notice the catch.

However, even if you do not like to experiment with the firmware and settings, the OS vulnerabilities remain. When was the last time you installed a security update on your phone? If you are the owner of a phone on Android, then most likely never. On Habré laid out statistics on the release of updates for different phones. Since then, the picture has changed little. Perhaps in the future, if manufacturers agree with each other, then everyone will receive updates on time.

Trends

If we dream further, then interesting prospects are outlined. Mobile phones are constantly increasing their sensory abilities, they already have a gyroscope, accelerometer, magnetometer, light sensor, proximity sensor, one camera on each side, a pair of microphones, GPS, Bluetooth, Wi-Fi, NFC. Skillful use of these features allows you to create amazing things. Two years ago, security researchers used an accelerometer lying next to the keyboard of the phone for covert recognition of typed words, and now the phone developers arrived in time, and in some new models, the microphone will always be turned on and ready to recognize voice commands.

Botnets from phones appear, infected computers and mobile devices begin to work together. The practice of Bring Your Own Device is gaining popularity, and the target may not be your data, but your employer's network. In addition, there are new mobile devices: trackers, smart watches and glasses. The first vulnerabilities have already been discovered in the well-known glasses - the camera software automatically processed QR codes that fell into the frame, which allowed the attacker to download malware onto the device.

Memo

How to keep track of all this commotion of technologies, standards, hackers and defenders? You can subscribe to the newsletter of information security, build anti-virus, firewalls and live in a cryptocontainer. If you don’t have much time, just remember a few simple tips:

• Describe the important information that is accessible from your phone. Make a list of what you would not want to lose or give to strangers. You can simply list in your mind: a list of contacts, photos, videos, notes, schedule, correspondence, settings, cloud storage, password bank. It is easier to keep track of your property when it is ordered.
• Periodically do the cleaning . Check installed programs, delete unused, install updates for applications and firmware. Some applications make a "basket" for deleted data, look in there too. If you don’t use root or developer mode, then maybe you don’t need them anymore?
• Keep track of money on the phone . Money account love. At a minimum, you will always be aware that the operator has re-connected you with an unnecessary service.
• Do not forget to make backups . And do not forget to check them. If possible, make a complete image of the phone, so it will be easier to restore it.
• Make a plan in case of phone loss . Remember the numbers of the people or organizations you want to warn. Understand the procedure for restoring access, if you use anywhere two-factor authentication. Store documents to the phone, in which IMEI is recorded, write it down from the system settings or from the phone case in case you have to go to the police. Consider installing an anti-virus program.
• Warn loved ones about possible dangers . Communicate with them frequently, so that they will not be embarrassed by the text message “Urgently throw me money on this phone! +71234567890.
• Finally, be on your guard . Keep your health safe. Get rid of bad habits and do not climb on hot places.
• Buy a prepaid grandmother's phone on fake documents, keep it off and turn it on only for short calls.