Mobile security fear

Gernet Hertz, a researcher at the University of California, proposed this method of ensuring mobile security: a safe with a slot for a mobile phone at the top. The safe allows you to set the time during which the phone will be locked inside. It can not be obtained, and there is no way to reduce the specified time. While the phone is in the locked box and you do not use it - your data is safe. With her installation, Hertz shows that the main vulnerability lies in the user. Is it so, we reason under the cut.

User listening and reaction

There are already more telephones than people, and a reliable method of protecting information for them has not yet been created. The demand for mobile devices has overtaken the pace of development of protective equipment. Although every self-respecting anti-virus company has released mobile versions of its products, these solutions have a weak response from users.


This Blackphone is a regular Chinese smartphone on Android, which was positioned by Silent Circle as a device for encrypted communications. Data encryption provides a modified version of Android - PrivatOS. Inside there is a set of specific applications: SIP phone VoIP client, Silent World cross-platform voice traffic encryption program (used to communicate with subscribers who do not have Silent Phone), Silent Contacts address book, Silent Text messenger and browser. All traffic goes through VPN as part of a proprietary paid service.
')
Google has given the company the opportunity to seriously modify Android. Even terrorist organizations recommended these phones to their supporters, but many questions remained. How much does Silent Circle know about us? According to the company itself, it can block a client smartphone, “if it’s really about life and death.” That is, we are not talking about absolute protection. Add to this information from Azimuth Security about vulnerabilities found in the first version of Blackphone.

Users took this device cool. Blackphone fell through, and Silent Circle was in debt. The reality has shown that people are not very concerned about the protection of their data. The smartphone was convenient, but it was not interesting to anyone.


Blackberry has similar problems. The head of the global sales department, Karl Wiese, acknowledged that the production of smartphones is no longer profitable. At the same time, despite the skepticism of analysts, software development seems to be the most promising direction for the company. Blackberry continues to create software in the field of data encryption, but only a narrow segment of politicians and businessmen will be able to use their services.

Perhaps the reason for the indifference of users is that a smartphone that looks simple is perceived as a priori vulnerable. Blackphone did not provide any hardware protection, while many ways to ensure security are not very convenient for mass products. For example, two encryption devices that connect to existing phones - the signal to the phone is already transmitted in an encrypted form, and even if it is intercepted, the attacker will not receive valuable information. In this case, the encryption algorithm keys are distributed among subscribers using a special device connected to the computer. Not the best solution if you value convenience and simplicity.

SMS hacking

SMS hacking has been around for about the same age as the communication standard itself: a message comes to you from one number, and in fact it was sent from another number. In this way, you can scroll through various types of fraudulent schemes: find out credit card information, appear to be a bank, send links to viruses, in the end - just lure the subscriber from the apartment.

SMS is often used to activate vulnerabilities in mobile OS. For example, a line composed of certain Unicode characters sent as an SMS to any Apple device causes the operating system to crash .

It is surprising that news of new hacks via SMS come back year after year. At the beginning of the "zero" was known: the phones do not check the source of service messages, which allows you to send them to anyone from anyone.

In 2010, anti-virus companies reported on the first infections of mobile devices by malicious applications that send SMS to short-term paid numbers.

Imagine that there is a small application on the SIM card that receives a message from the service provider and displays it on the screen of your Android device. Using the SIM Toolkit on Android 5.1, you could emulate and intercept SIM commands.

There is a lot of news of this kind, and the conclusion can be made unequivocal: if someone wants to read your SMS, he has many ways to do it.

Hacking the networks themselves

GRX (GPRS exchange roaming) is used to route commercial roaming traffic between visited and home operators. In general, 2.5G and 3G networks used GRX for data roaming.

IP exchange (IPX) is a model of telecommunication interaction for the exchange of IP traffic between clients of individual mobile and fixed operators via IP based on the gateway.

The process of establishing voice calls in mobile networks is based on SS7 technology, the development of which began back in the 70s of the last century. SS7 (Signaling System No. 7) is a digital network and a set of technical protocols that control data exchange. Now SS7 is often used for roaming, and thanks to this technology you can receive / make calls and send SMS where your mobile operator is not working.

Forty years ago nobody thought about software protection. As a result, the whole heap of security problems safely reached our days. The vulnerability of networks based on SS7 technology allows us to reveal the subscriber’s location, disrupt its availability, intercept SMS messages, forge USSD requests and transfer funds using them, redirect voice calls, and eavesdrop on conversations. When making an attack, no special equipment or special knowledge is required. Fully prepared instructions on the attack on SS7 a few years ago could simply be downloaded from the Internet - even a schoolboy could be engaged in this type of hacking. You can read more about attacks in this study .

In short, the essence of the problem is this: all SMS authorization applications are vulnerable. Vulnerabilities affect not only the SS7 network, but also the air interface encryption algorithms. There is only one protection from users in this situation: the use of two-factor authentication (one password will need to be remembered and not recorded anywhere). Protection from mobile operators: constant testing of their networks for possible, impossible and incredible vulnerabilities.

Do not forget about modern achievements. InfoWatch Company
She said that she was going to intercept (legitimately) telephone conversations, integrating with the core network of the operator and creating a trusted base station. Then this base station will intercept voice traffic from mobile phones that are in range.

How to protect yourself

The good news is that most of the listed risks can be minimized if the user is not lazy and takes a number of steps to ensure their own mobile security.

First you need to come to terms with the idea that the phone knows everything about the user. Moreover, he even knows what the user has already forgotten. Old contacts, notes taken a few years ago, ancient photos, videos, SMS (which you have long been planning to delete), access to cloud storages, a password bank or simply passwords to your bank recorded in notes.

A phone that is more than a year old often lives its own life: one day you will be surprised to find that you see programs in it that you have not installed. As mentioned above, to access various services, use two-factor authentication whenever possible. Make backups where you cannot access from your phone. It is much easier to turn on the cloud on the device itself, but the chance of losing all the data with the phone increases many times over.

Now almost every stall has its own mobile application. If you order a taxi through it - nothing terrible will happen. More difficult if using a mobile bank. An infected smartphone that has access to the account directly is a huge problem. And the confirmation of the operation, coming in the form of SMS on this smartphone, only aggravates the situation. The solution for users who are seriously concerned about their security, in this case, only one thing: the second phone, intended only for receiving authorization SMS.

Unfortunately, many people forget about even simpler methods of protection. Use different passwords on your smartphone and in applications, do not forget to make them more complicated. And wherever possible, use data encryption.