Keeping Safer on Mobiles

Author: Riley Reid, ARC Solutions


Mobile networks and mobile phones are an important and ubiquitous part of New Zealanders’ personal and working lives. In Aotearoa[i], around 95% of mobile phones sold are now smartphones. More people access the internet on a smartphone than any other device. The largest two carriers’ networks reach around 98% of the population, and at least 5.8 million mobile connections exist across the country.

However, despite our Kiwi love affair with the mobile phone, mobiles can be exploited through the fundamental design of:

  • mobile networks’ use of an underlying core communications system;[ii] and
  • mobile phones’ inbuilt cellular network connection module (mobiles’ baseband processors).[iii]

Those exploits target, for example, network and device users’ data and behaviours for monitoring and interception or manipulation.[iv]

Using Bluetooth and WIFI to connect mobile phones to functions and services also exposes them to exploitation and attack, and the risk is further heightened by newly discovered vulnerabilities such as BlueBorne[v] (Bluetooth) and KRACK[vi] (WIFI).

Though mobile devices are pervasive and risky, like cars they are a practical and valuable tool in our working and personal lives. So, let’s briefly explore some actions you can take to keep safer on your mobile phones.

Top 5 must do actions:

  1. Encrypt phone hardware: Set your phone to encrypt the data stored on itself. Use a passphrase instead of a password.[vii]
  2. Lock your phone: Set your phone access lock and make it lock automatically after the phone is inactive for a short time.
  3. Update phone software: Keep your phone’s operating system up to date always. Keep your applications on your phone up to date.
  4. Control WIFI exposure to other users: Always use a trustworthy VPN service whenever using public shared WIFI.
  5. Personal privacy responsibility: Read thoroughly the terms and conditions of the software and services you use on your mobile phone, so you know what you are agreeing to.

Some other actions you could take:

  1. Control being seen in public: Switch off WIFI and Bluetooth out in public when you’re not using them because your device can be seen when these features are on. Switch off NFC when not in use too.
  2. Control being seen and heard in private: For privacy, cover your front facing camera and consider your conversations. Cameras and microphones can be activated remotely without notification.
  3. Know when your mobile is attacked: For your privacy, protect your mobile baseband processor, because without that protection baseband processor attacks go undetected.[viii]


[i] 2016 Annual Telecommunications Monitoring Report – May 2017, Commerce Commission New Zealand, http://www.comcom.govt.nz/dmsdocument/15435

 

[ii] SS7: Locate. Track. Manipulate. You have a tracking device in your pocket, December 2014, Tobias Engel, presented at the Chaos Communication Congress 2014, https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271715_-_ss7_locate_track_manipulate_-_tobias_engel

 

[iii] Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks, September 2012, Ralf-Philipp Weinmann, University of Luxembourg, https://wwwen.uni.lu/snt/news_events/woot_best_paper_award and https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf

 

[iv] Study on Mobile Device Security, April 2017, US Department of Homeland Security, https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf

 

News Release: DHS Delivers Study on Government Mobile Device Security to Congress, May 2017, US Department of Homeland Security, https://www.dhs.gov/science-and-technology/news/2017/05/04/news-release-dhs-delivers-study-government-mobile-device

 

[v] Blueborne. A new attack vector exposes almost every connected device, April 2017, Armis, https://www.armis.com/blueborne/

 

[vi] Key Reinstallation Attacks. Breaking WPA2 by forcing nonce reuse, May 2017, Mathy Vanhoef, Imec-Distrinet Research Group KU Leuven, https://www.krackattacks.com/ and https://nieuws.kuleuven.be/en/content/2017/severe-flaw-in-wpa2-protocol-leaves-all-wi-fi-traffic-open-to-eavesdropping

 

[vii] Passphrases that you can memorize – but that even the NSA can’t guess, March 2015, Micah Lee, The Intercept, https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

 

[viii] The only mobile phone range the writer is aware of that has baseband processor protection is the GSMK Cryptophone/ESD Cryptophone.
