Vulnerabilities and Threats of Mobile Computing

Vulnerabilities and Threats of Mobile Computing

By: Amy Wees CSEC620 Section 9082University of Maryland University College

 

Introduction

Tech target defines mobile computing or nomadic computing as “the use of portable computing devices (such as laptop and handheld computers) in conjunction with mobile communications technologies to enable users to access the Internet and data on their home or work computers from anywhere in the world (TechTarget.com, 2012).”

Mobile computing is a part of everyday life for many people.  Devices that offer the ability to connect to the Internet on-the-go are vast.  Some common examples are smartphones, laptops, tablets, Global Positioning System (GPS) devices, music players, handheld video games, wireless home appliances and e-readers (O’Dell, 2010).  A study conducted by Morgan Stanley in 2010 “predicts that the mobile web will be bigger than the desktop web by 2015 (O’Dell, 2010).”  This is mostly due to the development of smaller, more affordable devices with better data coverage and connection speeds.  Mobile e-commerce is also increasing along with the use of social networks over e-mail use (O’Dell, 2010).

Mobile computing is prevalent for businesses and consumers because of its many advantages.  Businesses can communicate with employees and customers in and out of the office, employees can update their work and human resource requirements in online portals.  People can search for, communicate with, and navigate to businesses on-the-go.  Productivity and leisure time are also increased as people can send and receive e-mails, update their social status, conduct research, or watch a movie all while waiting at the airport or standing in line at the coffee shop (Shukla, 2011).  “We are entering the era when the mobile employee has become the typical employee rather than the exception. One recent survey found that 81% of global executives use a mobile device, and analyst firm IDC estimates that there will be 1 billion mobile workers by 2011, including nearly 75% of the US workforce.”

Although mobile devices offer ways to be productive without an Internet connection such as by tracking appointments and reminders, creating documents and taking notes, capturing photos or videos, and listening to music; an Internet connection offers the ability to access and share information at anytime from almost anywhere.  Many software applications used for productivity and leisure are also limited or unusable without an Internet connection.  Some examples are Microsoft Office’s templates, e-mail applications which require Internet access to download new mail or send mail, music and video streaming software such as Apple’s iTunes which requires online access to download new content and anti-virus programs such as Norton that download important updates from online repositories.

Mobile computing devices connect to the Internet in a variety of ways such as wirelessly using a Wi-Fi card and a wireless internet connection or hotspot, through a mobile broadband connection such as third generation (3G) or fourth generation (4G) wireless connections provided by a cellular network, or by tethering using a cellphone as a modem (Pinola, 2012).

Vulnerabilities and Associated Threats of Mobile Computing

The benefits of mobile computing also come with various cybersecurity threats and vulnerabilities.  The vulnerabilities of mobile computing can be associated with the devices hardware, the Bluetooth or wireless internet connections, or mobile applications, data, and information transfer.  Threats associated with vulnerabilities are rated on a scale of low, medium, and high based on the likelihood of the threat versus the impact to the user (Bosworth, Kabay, & Whyne, 2009).  Threats will be listed from highest to lowest threat rating and strategies to decrease the probability of or mitigate the threat will also be noted.

1. 1.      High Threats (Likelihood and Impact to User are High)   

Theft or Loss

The chance of loss or theft of a device is high.  Some devices are small and easy to lose and because of their portability even larger laptops can be left behind.  Theft of devices is also a concern as there is a large market willing to buy and “most devices are stolen for their cash value and not their information value (Barcelo, 2011).”  The vulnerability with theft or loss is the loss of proprietary or personal data.  A study done by the Ponemon Institute found that “55 percent of consumers are aware that they may be putting their employers’ confidential business information at risk when using their smartphone for both business and personal use.  The survey also found that 52 percent of those who are aware of the risk say that it has happened (NZ Business, 2011).”

Employers need to consider this risk when drafting security policies to ensure the rules on the use or prohibition of personal devices for company purposes are spelled out.  Hardware and software of the device should be known to the employer and employees should be required to follow minimal secure practices on their devices before accessing company websites or e-mail (NZ Business, 2011).  The Information Systems Control Journal notes “The biggest decision a corporation needs to make with respect to mobile device deployment is the cost of support based on graduated levels of security. If the total cost of the device and the risk it generates does not surpass the business benefit, corporate management should “just say no (Milligan & Hutcheson, 2008).”

It is difficult to prevent theft or loss of devices, but the loss of data can be minimized by encrypting data on the device, requiring a password, biometrics, or an access key to use and configuring the device to erase data after a number of failed logon attempts.  The cost of these mitigations is minimal since most operating systems offer password protection and biometric systems are also relatively inexpensive (Milligan & Hutcheson, 2008).  Another option is to install software that allows remote wipe of the data such as Lojack for laptops and Sophos for smartphones (Barcelo, 2011).  Users may not want to take the extra steps in logging on to their devices but the pay off is rewarding if the device is lost or stolen.

Malware and Phishing Attacks

The threat of malware includes viruses, Trojans, worms, spyware and other types of malicious software that can severely degrade or destroy a computer system’s operations.  Most malware is targeted at laptops but threats against mobile phones have also recently been discovered.  The danger of mobile devices infected with malware is that they can infect other computers when connecting to a network at work or home.  The “mobile blind spot” is a large threat for businesses that allow their employees to use corporate devices and travel for weeks exposed to malware without updating anti-virus software and then returning and connecting to the business’ network (Friedman & Hoffman, 2008).

Phishing attacks are an additional concern for users’ on-the-go. The risk of malware can be reduced by using updated anti-virus and anti-spyware software but phishing tricks users into giving up personal information, log-on information or downloading a file that could be a virus simply by sending an e-mail or displaying a website that appears to be from a reputable company but is really a cybercriminal looking for an easy target.  Phishing attacks have gotten so sophisticated they are often hard for even the experienced computer user to distinguish.  “In May 2011, Trend Micro discovered a vulnerability in Hotmail that could compromise a user’s account just by previewing an e-mail. The malicious messages, specially crafted for individual targets, triggered a script that could steal e-mail messages and contact information and forward new messages to another account (Newman, 2011).  Although some phishing attacks may be hard to recognize, the best prevention strategies are to read e-mail carefully to ensure it is from a reputable source, look for grammatical errors and avoid opening attachments unless their receipt is expected (Newman, 2011).

1. 2.      Medium Threats (Likelihood and Impact to User are Medium)

Wireless Internet Connections –

Unlike wired devices within the work center which are often behind firewalls and physical security defenses, mobile devices connect to corporate networks and the Internet directly without the protection of firewalls.  Wireless networks controlled by business are much more protected and controlled than the wireless hotspots mobile workers are connecting to which may have little or no security, leaving devices vulnerable to interception or spoofing (Friedman & Hoffman, 2008).

Unsecured WiFi connections such as those at the local Starbucks coffee shop are an open invitation for snoopers and can even allow an attacker to take over a users’ browsing session.  A hotspot attack called sidejacking uses automated tools to take over unsecured websites.  One such tool developed by Mozilla as a Firefox browser plug-in is called “Firesheep.”  “Firesheep automates session hijacking attacks over unsecured Wi-Fi networks by analyzing traffic between a Wi-Fi router and a person’s laptop or smartphone using a packet sniffer (Westervelt, Top 5 mobile phone security threats in 2012, 2011).”

Users can reduce risks of hotspots and wireless networks by deactivating the automated search and connect to wireless feature on their device and connecting to secure wireless connections whenever possible.  “Developers such as Google offer encryption support for browsers using open connections and IBM has created a Secure Open Wireless Standard that uses a digital certificate to secure the hotspot and ensure the Service Set Identifier (SSID) is legitimate (Westervelt, Top 5 mobile phone security threats in 2012, 2011).”

Bluesnarfing

            Bluetooth technology allows laptops, phones and other devices to wirelessly transfer data between devices, connect to technologies such as keyboards and other peripherals, and stream audio and video.  Mobile devices with Bluetooth activated and set to discoverable are vulnerable to bluesnarfing attacks.  Bluesnarfing uses a Bluetooth connection to steal data such as contacts, calendars, e-mails and text messages, often without the user’s knowledge.  “Bluesnarfing requires software such as “SpyBuddy” which is easy to install software can monitor a device’s text messages, phone calls, and GPS and is totally undetectable (Bluejacking Tools, 2012).”

With the amount of uses for Bluetooth technology today, it is important for mobile users realize the security threats to Bluetooth, to pair with known devices only, and turn Bluetooth off when not in use.

1. 3.      Low Threats (Likelihood and Impact to User are Low)

Mobile Phone Applications

            Although applications submitted to Apple and Android markets are evaluated prior to being added to the marketplace, recent events leave reason to believe the security of applications is not the number one priority (Westervelt, 2011).  In June of 2010, Apple banned a Vietnamese developer from the iTunes store after his electronic books application reportedly charged 400 users for books they did not purchase.  Experts believe the developer launched the attack to boost his ratings in the iTunes store; as he was able to move from position 50 to 21 in a matter of weeks.  In response, Apple implemented a new policy that requires users to enter credit card data more often (Computer Weekly, 2010).  One month later a reported 4.6 million Android users downloaded a wallpaper application that was collecting data such as the users’ phone number and transmitting information to China (Warwick, 2010).   Security firm Lookout studied the application and reported that although the application was suspicious there was no proof that the activity and data transmission was malicious.  Lookout’s Chief Technology Officer Kevin MaHaffrey spoke on mobile application security at a BlackHat conference: “Apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones (Warwick, 2010).”

A study by Veracode Inc. found a hard-coded cryptographic key in 40 percent of Android mobile applications.  Veracode discovered these keys assign the same password to multiple users allowing for anyone, namely an attacker, to easily discover and publish keys in public forums (Westervelt, 2011).  Chris Wysopal, Chief Technology Officer of Vericode stated “If someone loses their phone and an attacker gets access to that application, the attacker could basically get access to all the data that everyone in the organization can access (Westervelt, 2011).”

Mitigation of application vulnerabilities is easier said than done as the resources and infrastructures for creating applications are still very immature.  Some suggestions for improvement in software are code signing which allows users to verify the applications’ source; sandboxing, which separates an application from other processes; and permission notifications to warn users of an application attempting to access their data (Westervelt, 2011).  It will be up to the application police such as Google for Android and Apple for iTunes to raise the standard for security requirements in mobile applications and to users to review the application before downloading.

Conclusion

            People and businesses today have found ways to use mobile technology to their advantage by working and communicating from anywhere at anytime.  Although the advantages of mobile computing come with cybersecurity risks; the right training, information, and policies can reduce these risks and allow for continued productivity in the mobile world.  As devices and technologies improve, cybercrime will also evolve.  Technology professionals and businesses must keep security at the forefront of development and implementation in order to keep customers and proprietary information safe.

References

Barcelo, Y. (2011, September). Mobile Insecurity. CA Magazine, pp. 36-38.

Bluejacking Tools. (2012). Mobile Phone Spy. Retrieved from Bluejacking Tools: http://www.bluejackingtools.com/bluesnarf-mobile-spy/mobile-phone-spy/

Bosworth, S., Kabay, M., & Whyne, E. (2009). Physical Threats to the Information Infrastructure. In F. Platt, Computer Security Handbook. New York: John Wiley & Sons Inc.

Computer Weekly. (2010, July 12). iTunes hack could effect thousands, say experts. Retrieved from Computer Weekly: http://www.computerweekly.com/news/1280093237/iTunes-hack-could-affect-thousands-say-experts

Friedman, J., & Hoffman, D. (2008). Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defenses. Information Knowledge Systems Management, 159-180.

Milligan, P. M., & Hutcheson, D. (2008). Business Risks and Security Assessment for Mobile Devices. Information Systems Control Journal, 1-5.

Newman, J. (2011, June 3). 4 Security Tips Spurred by Recent Phishing Attacks. Retrieved from PC World: http://www.pcworld.com/article/229361/4_security_tips_spurred_by_recent_phishing_attacks_on_gmail_hotmail_and_yahoo.html

NZ Business. (2011, September). Are mobile devices compromising your business security? NZ Business, p. 60.

O’Dell, J. (2010, April 13). New Study Shows the Mobile Web Will Rule by 2015. Retrieved from Mashable: http://mashable.com/2010/04/13/mobile-web-stats

Pinola, M. (2012). Mobile Internet Access Comparison. Retrieved from About.com Mobile Office Technology: Pros and cons of different Internet-on-the-Go options: http://mobileoffice.about.com/od/wifimobileconnectivity/a/wireless-internet-comparison.htm

Shukla, I. (2011, September 21). Advantages of Mobile Computing. Retrieved from Buzzle.com: http://www.buzzle.com/articles/advantages-of-mobile-computing.html

TechTarget.com. (2012). Search Mobile Computing. Retrieved from Techtarget.com: http://searchmobilecomputing.techtarget.com

Warwick, A. (2010, July 30). Millions downloaded suspicious Android wallpaper. Retrieved from Computer Weekly: http://www.computerweekly.com/news/1280093401/Millions-download-suspicious-Android-wallpaper

Westervelt, R. (2011, December 8). Android app security: Study finds mobile developers creating flawed Android apps. Retrieved from SearchSecurity: http://searchsecurity.techtarget.com/news/2240112235/Android-app-security-Study-finds-mobile-developers-creating-flawed-Android-apps

Westervelt, R. (2011, December 9). Top 5 mobile phone security threats in 2012. Retrieved from Search Security: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012