Introduction
Hello and welcome to Hacker Public Radio, I’m Edward Miro and for this episode I decided to address mobile device security. As with most of the research and articles I’ve written in the past, these are geared toward standard users in a business setting and are meant to be a jumping-off point for further research and to be a foundation for cyber security 101 level training classes. If you like what I do, and want to have me come speak to your team, feel free to email me.
As an information security researcher, I have noticed a trend in what potential clients lately have been interested in: cell phones. Almost everyone I have consulted for in the area of private investigations makes this area their main priority. This makes sense as users have started to transition to using mobile devices more and more. Not only do cell phones represent the main conduit to the internet for a huge chunk of people, but many use them for work also. Many companies have smartly presented policies against this, but there are still many organizations that allow bring-your-own-device style implementations. In the following podcast I will try to define the threats, defenses and considerations in very broad strokes.
Cell phones differ from a standard hacking target in a few ways. For the most part, many of the same vectors are still valid. Remote code execution, however, is rarer, but not out of the question. I’m going to attempt to present these different vectors in an ascending list of what is most likely to be used as an attack, in my humble (and possibly ignorant) opinion.
1. Passive Surveillance
This vector is one many in the hacking world will already be familiar with and it is a major concern for mobile devices as well. Attackers can monitor an access point where the mobile device is connected and collect packets in all the usual ways. Open public WiFi is a treasure trove and tons of data that’s being sent in the clear can be collected, analyzed and leveraged by attackers.
Defense here is a bit more complicated for the general user, but shouldn’t be too intrusive for most:
Use a VPN on your mobile devices.
Switch to a DNS provider that supports DNSSEC.
Implement proper encryption on access points.
2. Spyware
Many commercial spyware applications are readily available on both of the main app stores. The challenges for attackers lie in either gaining physical access to the unlocked device to install the spyware, or tricking the user into installing it themselves. Most often the target’s spouse or a close contact does this. Some of these apps can be disguised to look like innocuous applications as a feature, but on devices that are rooted/jailbroken, they can be completely hidden from the user. I found a few surveys that state the average smartphone user has about 30 apps installed. I don’t think it’s unreasonable to suspect the average person wouldn’t notice a second calculator or calendar app. These apps feature the full gamut of what you’d expect from a spyware app.
Defense against spyware is pretty simple:
Don’t allow unsupervised access to your device.
Use a strong passcode or biometric lock.
Remove unused applications and be aware of new apps that may pop up.
Don’t root or jailbreak your device.
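One practical way to "be aware of new apps that may pop up" on Android is to keep a baseline of the third-party package list and diff it periodically. The following is an added example, not code from the episode; it assumes the output format of `adb shell pm list packages -3 -i` (one `package:<name>  installer=<installer>` line per third-party app, with `null` when no installer is recorded) and uses constructed sample listings rather than a live device.

```python
import re
from dataclasses import dataclass

# Assumed format of `adb shell pm list packages -3 -i` (third-party apps with installer):
#   package:<package name>  installer=<installer package or null>
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Installers we consider trusted; extend with your MDM or vendor store package name.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play


@dataclass(frozen=True)
class App:
    package: str
    installer: str


def parse_pm_list(text: str) -> dict[str, App]:
    """Parse pm output into {package_name: App}; unrecognised lines are ignored."""
    apps: dict[str, App] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            apps[m.group(1)] = App(m.group(1), m.group(2))
    return apps


def audit(baseline: dict[str, App], current: dict[str, App]) -> dict[str, list[str]]:
    """Report packages absent from the baseline and packages not installed by a trusted store."""
    new = sorted(set(current) - set(baseline))
    sideloaded = sorted(p for p, a in current.items() if a.installer not in TRUSTED_INSTALLERS)
    return {"new": new, "sideloaded": sideloaded}


# Constructed sample listings: a snapshot taken at enrolment and one taken later.
BASELINE_TEXT = """package:com.example.bank  installer=com.android.vending
package:com.example.chat  installer=com.android.vending"""

CURRENT_TEXT = """package:com.example.bank  installer=com.android.vending
package:com.example.chat  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.example.calc2  installer=null"""


def run_sample() -> dict[str, list[str]]:
    return audit(parse_pm_list(BASELINE_TEXT), parse_pm_list(CURRENT_TEXT))


if __name__ == "__main__":
    for category, packages in run_sample().items():
        print(f"{category}: {', '.join(packages) or '(none)'}")
```

A package that is both new and not from a trusted store (the sideloaded "second calculator" here) is the one to investigate first.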
3. Social Engineering
The tried and true vector that has always worked and will continue to work is social engineering. It doesn’t matter what kind of device a target is using if you can get them to click a malicious link, open a malicious attachment, or disclose their password to the attackers. With a user’s password you can conduct a vast amount of surveillance through their Google or Apple account. Not to mention lev