Using Your Smartphone Safely
This article was written by Elinor Mills of CNET News.com.
Smartphones aren't just smart, they're personal computers. Unlike a desktop or even a laptop PC, those devices and other mobile phones can easily slip out of a pocket or purse, be left in a taxi, or get snatched off a table. They let you store photos, access e-mails, receive text messages, and put you one browser click away from potentially malicious Web sites.
In effect, gadgets like the Apple iPhone and those running Google's Android software can be as risky to use as PCs, except that the wide variety of mobile platforms has deprived malicious hackers of one dominant software element to target, such as they have with Microsoft's Windows operating system on desktops and laptops.
Here is a look at the different types of threats that affect smartphone users and what people can do to protect themselves.
What's the biggest security threat to my mobile phone?
Losing it. "You are way more likely to leave it in the back of a taxi than to have someone break into it," Charlie Miller, a principal analyst at consultancy Independent Security Evaluators, said in a recent interview. The best way to protect data in the event of losing a device is to not store sensitive information on it, he said.
If you must store sensitive information on it, use a password on the phone and encrypt the data. Devices can be configured so that they ask for a password every time e-mail or a VPN is accessed. Use a strong enough password that a stranger can't guess it. And back up your data frequently.
CNET Smartphones aren't just smart, they're personal computers. Unlike a desktop or even a laptop PC, those devices and other mobile phones can easily slip out of a pocket or purse, be left in a taxi, or get snatched off a table. They let you store photos, access e-mails, receive text messages, and put you one browser click away from potentially malicious Web sites.
In effect, gadgets like the Apple iPhone and those running Google's Android software can be as risky to use as PCs, except that the wide variety of mobile platforms has deprived malicious hackers of one dominant software element to target, such as they have with Microsoft's Windows operating system on desktops and laptops.
Here is a look at the different types of threats that affect smartphone users and what people can do to protect themselves.
What's the biggest security threat to my mobile phone?
Losing it. "You are way more likely to leave it in the back of a taxi than to have someone break into it," Charlie Miller, a principal analyst at consultancy Independent Security Evaluators, said in a recent interview. The best way to protect data in the event of losing a device is to not store sensitive information on it, he said.
If you must store sensitive information on it, use a password on the phone and encrypt the data. Devices can be configured so that they ask for a password every time e-mail or a VPN is accessed. Use a strong enough password that a stranger can't guess it. And back up your data frequently.
Lookout offers data security, backup, and management over the Web and a way to locate and protect missing or stolen devices. iPhones that have been "jailbroken" are potentially vulnerable to a worm that replaces the device's default wallpaper with, yes, a photo of pop singer Rick Astley. Another iPhone worm similar to the "Rickrolling" malware has been found targeting users in the Netherlands. A hacker asks victims to pay $7 to get instructions for fixing a security hole in their jailbroken iPhones. Two security researchers prove to a reporter during Black Hat that they can indeed "Pwn" her iPhone by just sending a text message. Phones that support MMS on GSM networks are vulnerable to new SMS spoofing attacks, researchers say at Black Hat. Trust Digital explains how an attacker could take over a phone or steal data off it by sending SMS messages. Mobile phone users are subject to the same types of phishing lures that they get through their e-mail, Sprint warns as 'SMiShing' attack makes the rounds. If a new hands-free driving law has forced you to buy a Bluetooth mobile phone headset, this advice from the U.S. government can help protect against getting "bluesnarfed." Users should not use their browser until a patch for a security hole is made available, a security researcher says. Here's what the major wireless carriers say you should do when you get that pesky text spam.
There are also ways to lock the phone remotely or wipe the data if it is stolen. AT&T spokesman Mark Siegel said users who lose their phone should call the company immediately and "with just a keystroke, we can prevent anyone else from using the phone--and from running up charges."
A number of companies offer software and services to protect mobile phones. One of them is a start-up called Lookout that offers a
that backs up the data, remotely wipes the data if stolen, can help locate the device, and includes antivirus and firewall protection.Web-based Lookout protects mobile devices, data
Mobile device users should also be careful about leaving the phone unattended, or loaning it to people. Spyware can be installed without you knowing it. For instance, the PhoneSnoop program can be used with BlackBerry devices to remotely turn the microphone on to eavesdrop on nearby conversations.
Can mobile phones get viruses?
Yes. Mobile viruses, worms and Trojans have been around for years. They typically arrive via e-mail but can also spread via SMS and other means. Mobile phone users should be diligent in installing security software and other updates for their devices. All the major desktop security vendors have mobile antivirus and related offerings.
In November, several worms hit the iPhone, but only devices that had been jailbroken so they can run apps other than those approved by Apple.
changes the wallpaper on affected devices to a photo of 80s pop singer Rick Astley of "Rickrolling" fame. The second,
Rickrolling iPhone worm is never gonna give you up
attempts to remotely control affected iPhones and steal data such as bank login IDs. Jailbroken iPhones have also been directly hacked via SMS, including by one Dutch hacker who
New "Malicious" variant of the Rickrolling worm now available
from victims for information on how to secure their iPhones.Hacker breaks into jailbroken iPhones, asks for $7
Miller says: "Don't jailbreak your phone. It breaks all the security, basically." If you simply must jailbreak it, you should change the default root password and not install SSH (Secure Shell network protocol).
What are other types of attacks?
Just like with computer users, smartphone users are vulnerable to e-mail and Web-based attacks like phishing and other social-engineering efforts. All attackers have to do is create a malicious Web page and lure someone to visit the site where malware can then be downloaded onto the mobile device. People should avoid clicking on links in e-mails and text messages on their mobile device.
SMS offers another avenue for attack. Last year, researchers demonstrated several ways of attacking phone using SMS messages.
, they exploited a vulnerability in the way the iPhone handles SMS messages. Researchers
Researchers attack my iPhone via SMS
how an attacker could spoof an SMS to make it look like it comes from the carrier to get the target to either download malware or visit a site hosting it. In another
Researchers can attack mobile phones via spoofed SMS messages
, a text message was used to launch a Web browser on a mobile device and direct it to a site that could host malware. When the attack is used to phish for personal information it is referred to as "
SMS messages could be used to hijack a phone
." 'SMiShing' fishes for personal data over cell phone
Is it safe to use Wi-Fi and Bluetooth?
Yes and no. If you are doing something sensitive on your phone, like checking a bank account or making a payment, don't use the free Wi-Fi at a coffee shop or other access point. Use your password-protected Wi-Fi at home or the cellular network to avoid what is called as a man-in-the-middle attack in which traffic is intercepted. Pairing a mobile phone with another Bluetooth-enabled device,
, means any device that can "discover" another Bluetooth device can send unsolicited messages or do things that could lead to extra fees, data being compromised or corrupted, data stolen in an attack called "bluesnarfing," or the device being infected with a virus. In general, disable Wi-Fi and Bluetooth unless you absolutely need to use them.Pairing your cell with Bluetooth? Buyer beware
Which is safer: the iPhone or Android?
Apple vets all the apps that are used on the iPhone, and that tight regulation of the Apps store has kept users safe from malicious apps so far. Nothing is foolproof, however. Once apps are approved they can do any number of things. For instance, Apple removed free games in November developed by Storm8 that were found to be collecting users' phone numbers.
From an architecture standpoint, Android offers more granular access control. But the open-source nature of the Android platform means apps aren't as controlled as they are on the iPhone and holes can be introduced by any number of parties. For instance, Miller
mobile platform last year that could have allowed an attacker to remotely take control of the browser, access credentials, and install a keystroke logger if the user visited a malicious Web page. The hole was not in code written by Google, but was contributed by a third party to the open-source Android Project. However, any risk was mitigated by an application sandboxing technique Google uses that is designed to protect the device from unauthorized or malicious software that gets onto the phone, Google said. Miller recommends that Android users only download software from trustworthy vendors and reputable sites. Android phones await security patch
Are standard mobile phones safe?
Obviously regular mobile phones don't pose the Web-based threats that smartphones do. But they are still used to store sensitive information that can be accessed by gaining access to the device. For instance, the inbox and outbox for text messages can contain information that can be used for identity fraud, said Mark Beccue, a senior analyst for consumer mobility at ABI Research. "Regardless of what type of cell phone, the most dangerous current threat is through a cellphone's in/out message boxes," he said. "Clear (them) out regularly. Do not transmit full account numbers, PIN or passwords within a text message unless you immediately delete the out box message."
Standard phones that support Java can be susceptible to certain threats that smartphones are. For instance, scammers in Russia and Indonesia are hiding a Trojan in pirated software that surreptitiously sends SMS messages to premium rate numbers - costing as much as $5 each, thus racking up huge bills, said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.
And what about spam?
That's a growing problem on mobile devices. For information on what to do when you get mobile spam read "
." FAQ: How to vanquish mobile spam
By Elinor Mills
Popular in SciTech
- One woman's journey to save the white lions
- Calif. teen wins Intel Science Research competition Play Video
- Computer visionary says he knows who invented Bitcoin
- New Flickr comes with 1 terabyte free storage
- Canada trying to lure Silicon Valley tech workers
- Apple's next iPhone may be coming in June
- Preview: Killzone Mercenary
- Thousands online proclaim: Jahar Tsarnaev is innocent
