July 5, 2008



You’re under attack. With call and SMS spoofing and spam, mobile
viruses…even SIM cloning. What’s more, these threats don’t require rocket
science to learn, making most mobile phones out there extremely vulnerable. We
give you a detailed report on these threats, along with advice on how to protect
yourself against them. Plus we take you through some of the hottest mobility
trends.

While they started as the wireless version of the good old landline, mobile
phones today are no longer restricted to making calls. They are our music
player, camera, video player and Web browser, all rolled into one. More seriously,
they provide access to bank statements and credit cards, act as your password
valet, and are overall a sign of your social identity.

Mobile phones contain GSM and CDMA modems for mobile Net access, act as
handheld devices for SFA (Sales Force Automation), and so on. Enterprises
extensively use mobile communications for business benefit. Just look around to
see the many different uses of mobile communication.

Enterprises use mobile devices for quick polls and surveys, not to mention
the traditional and push mails that have changed the way mobile
executives communicate. Today you have access to unified clients that provide
access to IMs, VoIP servers, Skype, etc. from a single interface. In short,
mobile communication has become the epicenter of our communication today.

And now the flip side

It’s good to see so many good things happening in the world of mobility. But did
you know that, along with all this functionality, a great deal of your
confidential data is exposed to unscrupulous elements? Many people carry their
ATM/credit card PINs on their mobiles, unencrypted or encrypted. Many
people also link their phones with their bank, demat and insurance accounts.
They store crucial contact details, SMSes, chat logs, etc. So, just imagine what
happens if your phone becomes vulnerable and somebody manages to access this
data. You wouldn’t even want to imagine the impact!

Believe it or not, with the growing popularity and increase in the number
of mobile phones, the number of threats that they’re prone to has also
increased. What’s even more worrying is that these attacks are not very
difficult to carry out. We did a thorough study of these threats and in this
story, we will take you through the most common ones that mobile networks are
prone to. But don’t worry. We won’t leave you dangling with nightmarish thoughts
in your mind. Besides telling you about the threats, we’ve talked about ways to
combat them towards the end of this article.

SMS Spoofing
All of you would be receiving plenty of promotional SMSes that either don’t show
the phone number or come with only a name, but no phone number. These are
essentially called anonymous or masked SMSes. By the same technique one can even
send SMSes with someone else’s number, and the technique is known as SMS
spoofing.

Unfortunately, you don’t need to be a tech expert to spoof SMSes. Even a novice
can do it. There are websites on the Internet (both free and paid) that let you
send spoofed SMSes. Besides websites, there is even software that can do the same.
We’ll not get into the details of which software and how to do SMS spoofing,
because that’s not our intent. We just want to highlight the gravity of the
threat. For instance, just count the number of times your phone number is used
for authentication over the mobile network.

For example, for balance enquiry or for recharging a DTH account, most of the
time you would have registered with your phone number and now access the
service through an SMS.

If someone spoofs your phone number for sending SMSes, then that person can
easily pretend to be you and do all account related enquiries with the spoofed
number.
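
The weakness described above, a service that treats the sender number of an SMS as proof of identity, is shown here beside a hardened handler that sends a one-time code back to the registered number before acting. This is an added example, not part of the original article; the service, the ADDPACK and CONFIRM commands, the phone number and the code lifetime are all hypothetical.

```python
import hmac
import secrets
import time

CODE_TTL = 300  # seconds a confirmation code stays valid (assumed value)

class SmsService:
    """Hypothetical SMS command service for a DTH-style account."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts  # registered number -> {"packs": [...]}
        self.pending = {}         # number -> (code, command, expiry)
        self.outbox = []          # (destination, text) replies handed to the operator
        self.clock = clock

    def handle_weak(self, sender_id, text):
        # Weak: the claimed sender ID is the only proof of identity.
        acct = self.accounts.get(sender_id)
        return self._apply(acct, text) if acct else "rejected"

    def handle_hardened(self, sender_id, text):
        acct = self.accounts.get(sender_id)
        if acct is None:
            return "rejected"
        words = text.split()
        if len(words) == 2 and words[0] == "CONFIRM":
            # pop() makes every code single-use, so it cannot be guessed repeatedly.
            code, command, expiry = self.pending.pop(sender_id, ("", "", 0))
            fresh = bool(code) and self.clock() <= expiry
            if fresh and hmac.compare_digest(code.encode(), words[1].encode()):
                return self._apply(acct, command)
            return "rejected"
        # Sent to the registered number: the operator delivers it to the real handset.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[sender_id] = (code, text, self.clock() + CODE_TTL)
        self.outbox.append((sender_id, f"Reply CONFIRM {code} to approve: {text}"))
        return "confirmation sent"

    def _apply(self, acct, text):
        words = text.split()
        if len(words) == 2 and words[0] == "ADDPACK":  # hypothetical paid command
            acct["packs"].append(words[1])
            return "applied"
        return "unknown command"

if __name__ == "__main__":
    svc = SmsService({"+910000000001": {"packs": []}})  # constructed number
    print(svc.handle_weak("+910000000001", "ADDPACK SPORTS"))
    print(svc.handle_hardened("+910000000001", "ADDPACK MOVIES"))
```

The confirmation step only helps against a forged sender ID; it does not help when the code itself can be read, for example on a cloned SIM or a phone carrying spyware.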

Call spoofing
VoIP is becoming increasingly popular amongst most organizations. The good news
is that today you can easily download an Open Source IPPBX from the Internet and
configure it as a VoIP gateway on your network and start enjoying the benefits
of VoIP. Add an FXO card to that and you can even make local calls with it over
IP. While it feels good to have so much power, remember that the same power can
also be misused, and one of the methods is called call spoofing. For instance,
you could get a call from somebody posing as a representative of your bank and
asking you for some confidential information. If you’re not careful, then you
might reveal this information to the caller and become a victim of call spoofing.

There are sites on the Internet which can be used by
anybody to do SMS Spoofing.

Call spoofing is similar to SMS spoofing but more difficult to perform.
Essentially, a VoIP gateway with an FXO card is used to initiate a call and the
VoIP server can be configured to change the caller ID to a desired value.

This attack is pretty much similar to forged mails, but the scary part here
is that you don’t have a spam filter that would let you distinguish a forged
call from others. Plus, the level of awareness about mail scams is higher than
that of call spoofing. That’s why people don’t take it seriously and hence the
possibility of a successful scam attack is higher.

The way to protect yourself against call spoofs is to remember that no bank
or financial institution is going to ask you for confidential information over the
phone. Even if they do, you should not give it to them.

Spamming voice and text
This is another common threat. All of us receive unwanted calls and SMSes selling
credit cards or free ringtones, etc. Every day I receive about 60% spam SMSes.
For calls, this percentage is lower but still hovers around 20 to 30%. These are
more of a nuisance than a security threat, just like the spam you get in your
mail. But you never know when things will change for the worse. Today, a lot of
spam mail that comes also contains viruses and spyware. You might just start
getting such malware over SMS in the future. The worst part about this
vulnerability is the lack of a good spam filter for mobiles. There are a couple
of anti-spam solutions available, but they mostly have to be configured
manually. This means you have to manually create the lists of blacklisted and
whitelisted phone numbers. However, this is not 100% efficient.

Websites like this are accessible to everyone,
meaning it’s dangerous to leave Bluetooth enabled on your phone in public.




Spyware
This is the biggest risk being faced by mobile networks today. The mobile
spyware industry has evolved tremendously in the last year, and both security
agencies and hackers are trying to use it for spying!

Recently we interviewed the CEO of Appin Knowledge Solutions, who talked
about possible Spyware threats in mobile communication. When asked why mobiles
are so susceptible to spyware attacks he said:

“Spywares are usually based on J2ME, and can be transmitted to a phone
through the following ways:

Downloading unauthorized software like games and videos which might have a
spyware attached, using GPRS.
Clicking on links received via messages.
Through an MMS attachment.
Through SMS.”

“When a computer is hacked the only way to access it is through Internet; but a
phone can be reached by various modes like SMS, call, internet, etc.”

Rajat Khare – CEO, Appin Knowledge Solutions

He further added that “A phone that is infected with a Spyware can be
completely controlled and made to perform various functions. These include:

As soon as a call is made from the controller phone to the target phone one can
hear all conversations happening at the place where the mobile is located.

Several functions of the phone can be controlled via just an SMS, such as
switching the phone off or on, retrieving data from the phone, ordering the
phone to upload data on a web interface, via GPRS, etc.

All the call logs can be checked through a web interface.

The SMS content can also be monitored using a web interface.

All the data stored in the phone can be viewed through a web interface.

If the mobile has a GPS, the location of the phone can also be tracked with this
spyware.

Even audio/video recording can be done, just by sending the command through an
SMS.”

SIM cracking software such as this is easily available on the Internet, and can
be used to break the encryption in SIM cards to create copies of them.

While a mobile operator would use software such as this to replace your SIM with
a fresh one, somebody else could use it to clone your SIM for malicious intent.

As they say, there’s a good and a bad side to everything. So Appin has
developed one such spyware and plans to provide it to government intelligence
and security agencies so that they can use it to track and spy on suspected
terrorists and criminals.

Mobile Security Solutions for Tata Users

F-Secure Corporation has partnered with Tata Communications
recently. With this partnership Tata Communications will be the first in
India to offer its customers an all-in-one mobile security package. The
Mobile Security solution enabled by F-Secure includes realtime virus
protection, malware protection and an integrated firewall, and enables
smartphone users to enjoy the full potential of their devices without the
fear of mobile threats. This solution supports all the main mobile platforms
running an open operating system, Windows Mobile, Symbian S60 and UIQ. A
firewall provides additional security for all mobile devices that access
public WiFi networks.

The bad side is of course that there would be many such spyware programs
available on the Net, which can perform similar functions. The irony is that
there are websites selling such software openly and claiming to help society
by providing means to track flirtatious spouses, spoilt kids, etc.

SIM cloning
It might sound very Hollywood-like, but yes, it is possible. If you have seen the
movies Bourne Supremacy and National Treasure Part 2, then you would be aware of
SIM cloning. But there are a few differences in reality. In the movie, the
protagonist creates a copy of the phone in less than five minutes and, once
done, is able to listen to all calls that are dialed and received through the
original phone.

In reality, however, you can’t clone all SIM cards. Second, even if a card can
be cloned, it still takes a huge amount of time. No one can clone a SIM card
in five minutes. It takes a couple of hours on a standard dual core machine to
clone a SIM card.

Moreover, after cloning the SIM card it is impossible to hear the
conversation of the original phone from the cloned phone. However, what can
easily be done is to make calls and send SMSes using the number of the original
phone, and these would be billed to the original SIM. Second, if a call
or SMS is made to the original number, it could be received either by the cloned
or the original phone, depending on which one responds to the operator’s signal
first.

So, let’s say, the original phone is off or it is out of reach, all calls
will go to the cloned phone. Even if both phones are on, the one that responds
first to the tower signal will receive the call.

SIM cloning is also not too difficult to do. Anybody even remotely familiar
with a little bit of programming can easily do it. Of course, we’re not about to
get into a tutorial of SIM cloning here. But we’d just like to add that SIM
cloning means copying the SIM’s identification number to another SIM card so
that the operator treats both as one. Every SIM has an encryption key that needs
to be cracked. Thankfully, the newer SIMs have strong encryption keys, making
them more difficult to crack. It’s the older 16k and some 32k SIMs that have
weaker encryption which can easily be cracked. So if your mobile phone has a
SIM card that is older than June 2005, then chances are it can be cloned very
easily.

Our advice is to get it replaced immediately. Most service providers do it
free of cost.
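
Because usage from a cloned SIM is billed to the original number, as described above, an itemised bill can be reconciled against the handset's own log to find calls and SMSes the phone never made. This is an added example, not part of the original article; the record format, the sample numbers and the two-minute matching tolerance are assumptions, and the check only works if the handset log has not been cleared.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data: "timestamp,type,number" as on an itemised bill.
BILL = """\
2008-06-01 09:15,CALL,+910000000010
2008-06-01 13:40,SMS,+910000000011
2008-06-02 02:05,CALL,+910000000099
2008-06-02 02:31,SMS,+910000000099
"""
# Constructed export of the handset's own dialled-call and sent-SMS log.
HANDSET = """\
2008-06-01 09:14,CALL,+910000000010
2008-06-01 13:40,SMS,+910000000011
"""

def parse(text):
    """Turn 'timestamp,type,number' lines into (datetime, type, number) tuples."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        ts, kind, number = (field.strip() for field in row)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, number))
    return events

def unexplained_usage(bill, handset, tolerance=timedelta(minutes=2)):
    """Return billed events that no handset log entry accounts for."""
    unused = list(handset)
    suspicious = []
    for ts, kind, number in sorted(bill):
        match = next((e for e in unused if e[1] == kind and e[2] == number
                      and abs(e[0] - ts) <= tolerance), None)
        if match is not None:
            unused.remove(match)  # one handset entry explains one billed event
        else:
            suspicious.append((ts, kind, number))
    return suspicious

if __name__ == "__main__":
    for ts, kind, number in unexplained_usage(parse(BILL), parse(HANDSET)):
        print(f"not made from this handset: {ts:%Y-%m-%d %H:%M} {kind} to {number}")
```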

Other hot trends
Besides threats to mobile security, there are some very good trends taking shape
in mobility and mobile communication as well. The number of mobile phones
has exceeded 250 million this year. The cost of mobile phones has
dropped significantly, from the 3-4K range to the 1.5-2K range.

Protection against Mobile Fraud
We talked about so many threats that mobile phones face
today. Now let’s talk about protection. Following is a list of some Dos and
Don’ts:

Dos:

1. If you are using a SIM card which is more than one and a half years old,
then get it replaced immediately. This service is generally free of cost and
all you have to do is to contact your service provider.

2. If your mobile phone was left unattended for some time (at least 4 hours or
more) at a location where someone else could have accessed it, then keep an
eye on your mobile bill. If you observe a discrepancy, then get the SIM
blocked and have a new one issued from your operator.

3. Install a good antivirus on your mobile phone.

4. SMS is not a clean medium to communicate confidential data. But if you still
want to, then use encryption software such as SMSProtector, Fortress SMS, etc.

5. Keep a close eye on your bill. If you see some discrepancy, immediately get
your mobile phone and SIM card checked by an expert. Your phone could have a
spyware.

6. If you feel that your phone’s response time is very high, again take it to
an expert. Your phone might have a spyware.

Don’ts:

1. If your phone doesn’t have an encrypted password valet, then don’t save PIN
numbers and passwords on it.

2. Don’t leave your phone unattended for long.

3. Don’t connect your phone or its memory card to a PC which doesn’t have an
updated antivirus installed.

4. Don’t click on MMS or SMS links if you don’t know or trust the sender. Even
if you trust the sender, it’s always good to call him back and check if he has
actually sent the link or not.

5. Don’t accept any SMS with an attachment unless it is from your service
provider and you have requested for the same.

6. Never pass on sensitive information, such as bank account or credit card
details over the phone, if you get a call from a bank or credit card agency.
They’re not supposed to ask you for this information over the phone.

Note: We’re not legal experts, so the points above should not be treated as
legal advice. You would need to contact a legal practitioner if you need legal
advice on protection against mobile fraud.

Another hot emerging trend is that of SMSes. They’re being used for some
really fancy applications.

Besides being used for generating business in TV shows, one application is
multi-lingual SMSes, and there are companies like Geneva Software offering the
same. Geneva allows you to send SMSes to anybody in multiple Indian
languages. What’s more, these SMSes can be sent to even ordinary cellphones
because the application converts them into a graphics image. This simple
solution can have a powerful impact, as it can be sent to people who’re not
English literate. The govt. for instance can use this functionality to convey a
message to the common public, most of which is non-English speaking and carries
ordinary cellphones.

It could also be used to make public announcements, such as an early warning
system about a disaster. So for instance, if (God forbid) a tsunami is about to
hit the Indian shores, then multi-lingual SMSes can be sent to the people who’re
likely to be affected by it. It would be the fastest means of reaching out to
the masses.

Likewise, GPS is another hot trend in mobile communication. Today it comes
in-built with many high-end mobile phones. A lot of companies have started
offering GPS maps. Nokia for instance, offers maps of over 100 countries, and
for eight Indian cities. These maps contain details of 75k+ Kms of road, 10k+
restaurants and hotels, 10k+ bank ATMs, 5k+ schools and colleges, 3k+ petrol
pumps, 3k+ places of worship, 2k+ hospitals and medical shops, etc.
Plus, even ordinary phones today with a GPRS connection can have location
information thanks to Google Maps, which uses GSM towers to identify your
location on a map.
