Hanging on the Telephone

It’s almost as if we have all gone, Marty McFly style, back to the 1990s. The UK has a Conservative government with a small majority and looks locked in a battle over Europe. The next US presidential election will almost certainly be fought between Bush and Clinton. TGI Friday and The Crystal Maze are to be resurrected on UK TV. Oh and mobile phones are bad for you.

That’s right. As old chestnuts go, the ‘microwaves are cooking your mind’ theory is a hard-shelled fruit of a real vintage. And like a lot of messages of this ilk, it seems that proximity to the Arctic Circle is directly proportional to mobile mania. According to a report delivered recently by the Canadian House of Commons Standing Committee on Health (HESA), microwave radiation from wireless devices is now a “serious public health issue.” Furthermore, the report recommends that Canadian doctors be taught to recognize the symptoms associated with using common wireless devices, and advises that parents be taught the risks of wireless radiation to ensure their families are safe at home and at school.

It’s kind of hazy how the recommendations of the report about the dangers of mobiles from the land of the BlackBerry will be implemented in the commercial world. But what is crystal clear is the growth of mobile-based security threats. Accompanying the Canadian survey was a new report from industry specialist Pindrop Security revealing that phone-based fraud increased by 30% over the past year among financial and retail firms, exposing the average call center to $9m in fraud. To compile its annual State of Phone Fraud report, the vendor collected phone scam complaint data from online sites and ran its own large-scale ‘telephony honeypot’, using fingerprinting technology to analyze the audio content of calls.

And probably worse, news emerged that many Samsung phones – and there are quite a few of those knocking around in corporations, many as a result of BYOD programs – may be hackable due to a security hole in the pre-installed keyboard app. According to Paul Ducklin, a senior security advisor at Sophos, at the center of this issue is the diversity of the Android ecosystem, which, said the exec, means that security patches often take ages to work their way into the real world, or even end up never arriving.

“Until Google fixes that problem, you have to look out for yourself,” Ducklin warned. “So we suggest you ask your provider, ‘What’s the story for my device?’ But please don’t rant. Ask nicely: the more people who ask their phone provider pointedly but politely what has been done, the more likely we will collectively get the answers we need.”

And to round off a good week, Reuters reported that security researchers in Germany had uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers. The team of researchers found 56 million items of unprotected data in the applications it studied in detail, which included games, social networks, messaging, medical and bank transfer apps.

So, incoming from every direction in the mobile sphere; but what is to be done? Despite the wishes of some in Canada, businesses just can’t make a big switch off. Life just isn’t like that. However, some wise words emerged from Winston Bond, European Technical Manager at Arxan Technologies, who said: “The findings of this research are of no real surprise and whilst I haven’t personally come across this vulnerability, the underlying problem in the development lifecycle that is leaving this kind of data open is something we see frequently in the industry… In today’s highly distributed mobile application environment, it’s virtually impossible to secure all the networks and devices that are leveraged, so establishing application protections, particularly at runtime, is essential.”

And that’s it. No system, fixed or mobile, is fully risk-free. But there is more that companies and developers in general can do to reduce risk, such as, to quote Bond, digging deeper down the stacks to add protection, or, as Sophos’s Ducklin says, asking your dealer what more they can do. Whatever the level of threat or risk, the answer is in your hands.
