The Invisible Threat From Mobile Devices
By now I’m sure we are all aware of the potential risks of wireless networks, and the threat to both corporate and home users from hackers, crackers, worms, viruses, spammers and the like. Whether it be corporate espionage, simple mischief or malicious script kiddies, the damage is quickly done and the consequences can be far reaching and long lasting. Articles are being written not just in the technical press, but also in the national dailies, warning of vulnerable WiFi networks being deployed at an alarming rate, and companies exposing their entire corporate networks through careless installation of access points in their offices.
However, how many have considered that the mobile phone or PDA in their pocket could also be a problem? With the increasing convergence of phone and network aware devices, come new and often unnoticed threats. Features such as built-in cameras, wireless networking, Bluetooth, calendars, phone books, all present their own particular problems, and associated risks. If we think of each feature by category, it becomes clear that they each have their own expected security perimeter, and it is this that is quietly being expanded and, potentially, exposed.
For example, let’s look at phone books and calendars. Your personal phone book will normally live in several places – on a card index, in a personal computer, and, nowadays, on your mobile phone. The perimeters, therefore, are the walls of your office, the LAN that your PC is connected to, and the pocket that your phone is carried in. If none of these are breached then your data is, in theory, safe. Or is it? The fact that these devices are becoming network aware means that they may be unwittingly creating a path that extends these perimeters way beyond that which you originally planned for or expected. Other service categories’ boundaries may start to overlap in unexpected ways, and a change to the way, say, voice signals are handled, may compromise the security of your image, calendar or phone-book data, even though they are nominally unrelated.
Recently, a simple change to the UK law restricting driving whilst using a mobile phone has led to a massive increase in the number of headsets being deployed… Bluetooth is an obvious and convenient technology to use for headset connectivity -no messy wires to get tangled up in whilst driving or to create an unsightly bulge in your pocket – just switch on, stick your phone back in your pocket, and you’re away. But with Bluetooth connectivity comes a number of extra features – you can copy your calendar, phone book, photographs etc. directly to your PC with a touch of a button. Although you only wanted a headset, you’ve opened a number of other gateways simply by switching Bluetooth on. The phone in your pocket is now capable of transmitting all of your data across the room, through walls, even into neighbouring buildings or to the car following you on the motorway, potentially without your knowledge or consent. By the simple act of adding a headset to your personal armoury of gadgets, you have extended your security perimeter beyond your wildest dreams, and it has been proven in field trials that Bluetooth devices can be attacked from over a mile away using specialist (but not hard to find) antennae and a standard laptop.
Possibly even more worrying than the loss of personal or corporate data is the idea that the device could create a ‘tunnel’ through your perimeter and effectively invite an attacker into the room with you. Mobile phones have very good noise cancelling microphones built into them, and are designed to pick up sounds close by, but ignore background noise. Many of them are intended to be used as ‘speaker-phones’ when laid on a table or desk, or even carried in a shirt pocket. This makes them an ideal covert listening device. Imagine, then, if an attacker could switch on your phone’s microphone and use it as a bug during a private meeting. Unfortunately, they can do exactly that… By having the phone initiate a GSM call and then transmit everything it hears, an eavesdropper can sit anywhere in the world and listen to every detail of the private conversation you thought was safe within the physical perimeters of your office. Once again, the attack vector is Bluetooth. The attacker that takes over the phone and initiates the call must be within a mile, but the GSM network will carry that call to anywhere in the world. Want to bug a man in London from an office in Tokyo? No problem.
Now this may all sound far fetched and the stuff of Hollywood spy movies, and, indeed, it has been called just that by some observers and members of the telecoms industry. However, independent tests and field trials have shown over and over again that significant numbers of devices are out there, in the wild, and totally vulnerable. My own tests have shown that it is more or less impossible to be out of range of a Bluetooth enabled device when in any densely populated area of the UK, and similar data exists for other parts of Europe. Of these devices, many of the older (but most popular) mobile phones are vulnerable, and these number in the hundreds of thousands if not millions. Again, my tests showed that during the evening rush hour on the London Underground, I was seeing a new potentially vulnerable device once every 10 seconds.
Having said all that, it’s not all doom and gloom. The industry as a whole, and the Bluetooth SIG in particular, seem to be cleaning up their act and addressing the problems. The SIG have initiated a program of security testing at their regular “Unplug Fests” -the forum in which manufacturers get together to perform interoperability tests -and have raised the profile of security within their own roadmap and specification program to ensure that these issues are at the forefront of manufacturer’s and developer’s minds in the future.
It seems that the handheld, and, in particular, the mobile phone industry, is going through the same painful process the software industry went through at the outset of the Internet. Suddenly, what was a very closed industry has opened it’s doors to the masses, who are free to poke around in their technology, and do not need to abide by the rules. In the early days of the Internet, the standard response to a security problem was to deny everything and hope it went away. Now they tend to work with the (hopefully ethical) hacker that first found and reported the problem, and release fixes as soon as possible. Let’s hope the embedded device guys learn from this quickly, and get the infrastructure in place to do the same, and, indeed, the response of the SIG is certainly a step in the right direction.