I was reading this white paper from one of our partners, Kaspersky, and I have to say that it hits right on the mark when it states the issue is being underestimated. This feels so much like 2001, when viruses where few and far between, and the issue wasn’t under anybody’s radar. Many companies didn’t even have antivirus softwares in place!
There is really no difference between the issues on a workstation, a laptop and a smartphone. The only real issue is the “phone” part within the word, which makes us think of it as a phone when in reality, the phone functionality is but a small % of what these devices do. We need to start thinking of them for what they really are – tiny computers with storage and computing power much, much higher than workstations used to have just a few years ago! They are computers; they store information; they communicate. Hackers are after all 3 options: 1) they can use them as sources for other attacks; 2) they can grab that information and exploit it to achieve their own agendas; 3) they can use them to communicate and you get the charges.
For point 2 – hackers are after the bank account information you stored on that device for online banking; convenient but dangerous. Or they are after that VPN password you use to get to your office, so they can retrieve it and steal your company’s database.
For point 3 – they can make phone calls or send SMSs without you even realizing it; and if you do not have unlimited plans, suddenly your bill skyrockets; or if they are calling a 1-900 number, you pick up the tab. And of course, they own those 1-900 numbers your phone is calling when you are not paying attention!
One thing needs to be said though; phones are not as easy to hack as computers, and as many AV companies are trying to portray. When your computer is on a network, it has a direct IP address; automated scanners can easily find it, scan for open ports and attack it, and you will likely not even know what is happening. The way to “scan” your phone number would be by calling it; which would sort of put you in a state of alert, I like to think. So the situation here is different.
If they wanted to attack it without the phone number, they might need to get their hands on your IMEI number, which is not impossible but neither is it all that simple.
The easiest way to attack your phone is by inducing you in downloading something that looks legit but is, in reality, a Trojan. That is why I’m personally not a fan of Androids; I like open source, the Network Box is based on open source; but the Android apps are not sufficiently controlled and there have been far too many issues with fake games which turned out to be Trojans.
Apple may have had their share of issues too, but these were found and removed, and they weren’t so many. Hackers tend to go where their job is easy, not where their road to success is hard.
One issue that is grossly underestimated with smart phone security is that many of the apps we use, collect information and store it on the web; we keep thinking in terms of “phone” security, but then, we play an app and this app collates data about the game, and in so doing, it also stores my phone number, maybe my IMEI number and who knows what else. This information is then kept on a database accessible via the HTTP backend of that same game; and who is to say my information on that website is safe? And that’s where hackers could put their hands on a lot of information about me and my cell phone without having to even touch my cell phone. So when you use an app, if you can, check the reputation of the provider and try to find out what information they are collecting – it might be a great step towards improving your cellphone security.