ALTOM: Take the time to set up smartphone security

September 26, 2009

If you want a good chill down the back, hang out with security experts. I mean the top-notch guys, the ones who, were they to go “black-hat,” could imperil entire networks or even whole industries.

One of their collective roosts each year is CanSecWest, a major Canadian security conference. Every year, the organization holds its “Pwn2Own contest,” which is hacker-speak for “gotcha!” Experts attempt to crack into various devices, including phones and browsers. Manufacturers are there, too, to see what they have to work on in their next versions. There are even money prizes.

There’s bad news if you’re running Safari on a Mac; it went down literally in a few seconds. It wasn’t just Safari that was taken over, either, but the entire Mac computer. Microsoft’s Internet Explorer and Mozilla’s Firefox lasted a good deal longer, but by the end of the day they, too, were wide open.

Interestingly, Google’s under-marketed browser, Chrome, was untouched by the end of the conference. Nobody could defeat it. This is real progress, because the original version of Chrome was widely known to be insecure. I still wouldn’t recommend going with Chrome for various reasons, but its fortitude while under attack is encouraging.

Even more interesting were the results from the cell-phone cracking competition. Any guesses as to which smartphone yielded itself up by the end of the competition and became, as gamers say, “pwned”? (Pronounced any way you like—it’s usually just written out.)

Trick question. Not one did. This is notable, because security flaws have been found before in these phones, and many security gurus still point them out from time to time. A popular theory for why the phones were still uncracked at day’s end is that even experts need time to get familiar with the systems they’re attacking. Give ’em time, they said. The FBI reportedly has already used a technique for activating a cell phone microphone remotely and listening in on conversations.

But the fact remains that, for the foreseeable future, it’s unlikely your smartphone will be taken over by any kind of malware. The major security leaks in smartphones, as in every other kind of technology, aren’t in the device, but in the human brain.

It’s remarkable how many people don’t bother setting security features on their expensive smartphones. Because they keep the phone somewhere close to them most of the time, they believe it’s secure, but that’s not true. To start with, there’s a constant danger of dropping the darned thing or forgetting it somewhere. A goofy teen-ager might just use it to text his girlfriend, but a seasoned crook could extract all sorts of dangerous information out of it. He could even draw out all its secrets, then call you up to innocently return the phone to you.

To start with, set the password function, so if the phone is stolen the thief won’t get access to all your data. I know it can be a hassle to enter a password when you want to use the phone, but a thief should have to, also.

Security professionals also advise turning off your Bluetooth connectivity when it’s not in use, as well as switching it to “non-discoverable” mode, which tells the device to alert you if another device wants to talk to your device. Unnecessary Bluetooth uses up additional battery power for one thing, but it can also be a security hole, with older phones being particularly vulnerable.

Bluetooth has built-in security, so it’s not easy to get in through the Bluetooth channel, but it can be done, through a process inelegantly known as “bluesnarfing.” “Snarfing” is slang for “making unauthorized copies of data.” There is even a name for sending unsolicited messages to a Bluetooth-enabled phone: “bluejacking.” A persistent attacker can be at work at the next table, draining your battery and perhaps stealing contacts, schedules and anything else you have stored on the phone.

Authorities also recommend encrypting your data, if the phone permits it, and not allowing your browser to retain IDs or passwords. Lots of us use our phones to check online accounts at banks, investment companies and other sensitive places, and it wouldn’t take a thief long to discover the keys to your kingdom when he launches the browser.

They also recommend clearing out data, such as unencrypted e-mails, certificates (used for Web application security), user names, passwords and cookies. On most newer phones, you can set this to happen automatically. There is even an outside chance your phone could pick up a virus from the Web when you use your browser. The traditional antivirus companies such as Norton (www.symantec.com) and McAfee (www.mcafee.com) offer protective packages that, in effect, make the smartphone even smarter.•


Altom is an independent local technology consultant. His column appears every other week. He can be reached at taltom@ibj.com.

