How Safe is Your Mobile?

PCQ Bureau

You're under attack: call and SMS spoofing, spam, mobile viruses, even SIM cloning. What's more, these threats don't require rocket science to learn, making most mobile phones out there extremely vulnerable. We give you a detailed report on these threats, along with advice on how to protect yourself against them. Plus, we take you through some of the hottest mobility trends.

While they started as the wireless version of the good old landline, mobile phones today are not restricted to making calls. They are our music player, camera, video player and Web browser, all rolled into one. More seriously, they provide access to bank statements and credit cards, act as your password valet, and are overall a sign of your social identity.

Mobile phones contain GSM and CDMA modems for mobile Net access, act as handheld devices for SFA (sales force automation), and so on. Enterprises extensively use mobile communications for business benefit. Just look around to see the many different uses of mobile communication.

Enterprises use mobile devices for doing quick polls and surveys, not to mention the traditional and push mails that have changed the way mobile executives communicate. Today you have unified clients that provide access to IMs, VoIP servers, Skype, etc. from a single interface. In short, mobile communication has become the epicenter of our communication today.

And now the flip side





It's good to see so many good things happening in the world of mobility. But do you know how much of your confidential data is exposed to unscrupulous elements along with all this functionality? Many people carry their ATM/credit card PINs on their mobiles, unencrypted or encrypted. Many people also link their phones with their bank, demat and insurance accounts. They store crucial contact details, SMSes, chat logs, etc. So just imagine what happens if your phone becomes vulnerable and somebody manages to access this data. You wouldn't even want to imagine the impact!

Believe it or not, with the growing popularity and number of mobile phones, the number of threats that they're prone to has also increased. What's even more worrying is that these threats are not very difficult to carry out. We did a thorough study of these threats, and in this story we take you through the most common ones that mobile networks are prone to. But don't worry. We won't leave you dangling with nightmarish thoughts in your mind. Besides telling you about the threats, we've talked about ways to combat them towards the end of this article.

SMS Spoofing



All of you would be receiving plenty of promotional SMSes that either don't show the phone number or come with only a name, but no phone number. These are called anonymous or masked SMSes. By the same technique one can even send SMSes with someone else's number, and that technique is known as SMS spoofing.

Unfortunately, you don't need to be a tech expert to spoof SMSes. Even a novice can do it. There are websites on the Internet (both free and paid) that let you send spoofed SMSes. Besides websites, there is even software that can do the same. We'll not get into the details of which software and how to do SMS spoofing, because that's not our intent. We just want to highlight the gravity of the threat. For instance, just count the number of times your phone number is used for authentication over the mobile network.

For example, for a balance enquiry or for recharging a DTH account, most of the time you would have registered with your phone number and now access the service through an SMS.

If someone spoofs your phone number for sending SMSes, then that person can easily pretend to be you and make all account-related enquiries with the spoofed number.

Call spoofing



VoIP is becoming increasingly popular amongst most organizations. The good news is that today you can easily download an Open Source IP PBX from the Internet, configure it as a VoIP gateway on your network and start enjoying the benefits of VoIP. Add an FXO card to that and you can even make local calls with it over IP. While it feels good to have so much power, remember that the same power can also be misused, and one of the methods is called call spoofing. For instance, you could get a call from somebody posing as a representative of your bank and asking you for some confidential information. If you're not careful, you might reveal this information to the caller and become a victim of call spoofing.

[Image caption: There are sites on the Internet which can be used by anybody to do SMS spoofing.]

Call spoofing is similar to SMS spoofing but more difficult to perform. Essentially, a VoIP gateway with an FXO card is used to initiate a call, and the VoIP server can be configured to change the caller ID to a desired value.

This attack is much like forged mail, but the scary part here is that you don't have a spam filter that would let you distinguish a forged call from others. Plus, the level of awareness about mail scams is higher than that of call spoofing. That's why people don't take it seriously, and hence the possibility of a successful scam is higher.

The way to protect yourself against call spoofs is to remember that no bank or financial institution is going to ask you for confidential information over the phone. Even if they do, you should not give it to them.

Spamming voice and text



This is another common threat. All of us receive unwanted calls and SMSes selling credit cards, free ringtones, etc. Every day, about 60% of the SMSes I receive are spam. For calls, this percentage is lower but still hovers around 20 to 30%. These are more of a nuisance than a security threat, just like the spam you get in your mail. But you never know when things will change for the worse. Today, a lot of spam mail also contains viruses and spyware. You might just start getting such malware over SMS in the future. The worst part about this vulnerability is the lack of a good spam filter for mobiles. There are a couple of anti-spam solutions available, but they mostly have to be configured manually. This means you have to manually create the lists of blacklisted and whitelisted phone numbers. However, this is not 100% effective.
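The manual blacklist/whitelist filtering described above, as an added example (not code from this article or from any product it mentions); the list entries, the sample inbox and the default country code 91 are constructed assumptions. It shows why such a filter is not fully effective: senders on neither list get no verdict, and a message whose sender field claims a whitelisted number is allowed, because the filter only ever sees the claimed sender.

```python
import re

def normalize(sender: str, country_code: str = "91") -> str:
    """Canonical form of a claimed sender: full digits, or an upper-cased name."""
    s = sender.strip()
    if re.search(r"[A-Za-z]", s):            # masked sender such as "TM-OFFERS"
        return s.upper()
    digits = re.sub(r"\D", "", s)            # drop "+", spaces, dashes
    if digits.startswith("00"):              # 0091... international prefix
        digits = digits[2:]
    elif digits.startswith("0"):             # 098... trunk prefix
        digits = country_code + digits[1:]
    elif len(digits) == 10:                  # bare national number
        digits = country_code + digits
    return digits

class ListFilter:
    """Manually maintained lists, matched on the sender field only."""
    def __init__(self, whitelist, blacklist):
        self.white = {normalize(n) for n in whitelist}
        self.black = {normalize(n) for n in blacklist}

    def verdict(self, claimed_sender: str) -> str:
        key = normalize(claimed_sender)
        if key in self.black:
            return "block"
        if key in self.white:
            return "allow"
        return "unknown"                     # gap 1: the lists never cover new senders

def triage(filt, messages):
    """Return (sender, verdict) for each (sender, text) message."""
    return [(sender, filt.verdict(sender)) for sender, _text in messages]

# Constructed sample data (not real numbers or sender names).
FILTER = ListFilter(whitelist=["+91 98100 00001"],
                    blacklist=["TM-OFFERS", "09810000002"])
INBOX = [
    ("TM-OFFERS", "Free ringtones!"),
    ("tm-offers", "Free ringtones again"),
    ("+919810000002", "Credit card offer"),  # same number, different formatting
    ("LM-DEALS", "New promotion"),           # on neither list
    ("9810000001", "Please send the PIN"),   # gap 2: claims a whitelisted number
]

if __name__ == "__main__":
    for sender, verdict in triage(FILTER, INBOX):
        print(f"{sender:>15}  {verdict}")
```

The last message is allowed even though nothing proves who sent it, which is why a sender list alone cannot be relied on against spoofed SMSes.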

[Image caption: Websites like this are accessible to everyone, meaning it's dangerous to leave Bluetooth enabled on your phone in public.]

Spyware



This is the biggest risk being faced by mobile networks today. The mobile spyware industry has evolved tremendously in the last year, and both security agencies and hackers are trying to use it for spying!

Recently we interviewed the CEO of Appin Knowledge Solutions, who talked about possible spyware threats in mobile communication. When asked why mobiles are so susceptible to spyware attacks, he said:

“Spyware is usually based on J2ME, and can be transmitted to a phone in the following ways:

Downloading unauthorized software like games and videos, which might have spyware attached, using GPRS.

Clicking on links received via messages.

Through an MMS attachment.

Through SMS.”

“When a computer is hacked the only way to access it is through Internet; but a phone can be reached by various modes like SMS, call, internet, etc.”
Rajat Khare - CEO, Appin Knowledge Solutions

He further added that “A phone that is infected with spyware can be completely controlled and made to perform various functions. These include:

As soon as a call is made from the controller phone to the target phone, one can hear all conversations happening at the place where the mobile is located.

Several functions of the phone can be controlled via just an SMS, such as switching the phone off or on, retrieving data from the phone, ordering the phone to upload data on a web interface via GPRS, etc.

All the call logs can be checked through a web interface.

The SMS content can also be monitored using a web interface.

All the data stored in the phone can be viewed through a web interface.

If the mobile has a GPS, the location of the phone can also be tracked with this spyware.

Even audio/video recording can be done, just by sending the command through an SMS.”

[Image caption: SIM cracking software such as this is easily available on the Internet, and can be used to break the encryption in SIM cards to create copies of them.]

[Image caption: While a mobile operator would use software such as this to replace your SIM with a fresh one, somebody else could use it to clone your SIM for malicious intent.]

As they say, there's a good and a bad side to everything. Appin has developed one such spyware and plans to provide it to government intelligence and security agencies so that they can use it to track and spy on suspected terrorists and criminals.

The bad side, of course, is that there would be many such spyware programs available on the Net which can perform similar functions. The irony is that there are websites selling such software openly and claiming to help society by providing the means to track flirtatious spouses, spoilt kids, etc.

Mobile Security Solutions for Tata Users

F-Secure Corporation has partnered with Tata Communications recently. With this partnership, Tata Communications will be the first in India to offer its customers an all-in-one mobile security package. The Mobile Security solution enabled by F-Secure includes real-time virus protection, malware protection and an integrated firewall, and enables smartphone users to enjoy the full potential of their devices without the fear of mobile threats. This solution supports all the main mobile platforms running an open operating system: Windows Mobile, Symbian S60 and UIQ. A firewall provides additional security for all mobile devices that access public WiFi networks.

SIM cloning



It might sound very Hollywood-like, but yes, it is possible. If you have seen the movies Bourne Supremacy and National Treasure Part 2, then you would be aware of SIM cloning. But there are a few differences in reality. In the movie, the protagonist creates a copy of the phone in less than five minutes and, once done, is able to listen to all calls that are dialed and received through the original phone.

In reality, however, you can't clone all SIM cards. Second, even when a card can be cloned, it still takes a huge amount of time. No one can clone a SIM card in five minutes. It takes a couple of hours on a standard dual core machine to clone a SIM card.

Moreover, after cloning the SIM card it is impossible to hear the conversation of the original phone from the cloned phone. However, what can easily be done is to make calls and send SMSes using the number of the original phone, and these would be billed to the original SIM. Second, if a call or SMS is made to the original number, it could be received either by the cloned or the original phone, depending on which one responds to the operator's signal first.

So, if the original phone is off or out of reach, all calls will go to the cloned phone. Even if both phones are on, the one that responds first to the tower signal will receive the call.

SIM cloning is also not too difficult to do. Anybody even remotely familiar with a little bit of programming can easily do it. Of course, we're not about to get into a tutorial on SIM cloning here. But we'd just like to add that SIM cloning means copying the SIM's identification number to another SIM card so that the operator treats both as one. Every SIM has an encryption key that needs to be cracked. Thankfully, the newer SIMs have strong encryption keys, making them more difficult to crack. It's the older 16k and some 32k SIMs that have weaker encryption, which can easily be cracked. So if your mobile phone has a SIM card that is older than June 2005, then chances are it can be cloned very easily.

Our advice is to get it replaced immediately. Most service providers do it free of cost.

Other hot trends



Besides threats to mobile security, there are some very good trends taking shape in mobility and mobile communication as well. The number of mobile phones has exceeded 250 million this year. The cost of mobile phones has dropped significantly, from the 3-4K range to the 1.5-2K range.

Protection against Mobile Fraud

We talked about so many threats that mobile phones face today. Now let's talk about protection. Following is a list of some Dos and Don'ts:

Dos:

1. If you are using a SIM card which is more than one and a half years old, then get it replaced immediately. This service is generally free of cost and all you have to do is contact your service provider.

2. If your mobile phone was left unattended for some time (at least 4 hours or more) at a location where someone else could have accessed it, then keep an eye on your mobile bill. If you observe a discrepancy, then get the SIM blocked and have a new one issued by your operator.

3. Install a good antivirus on your mobile phone.

4. SMS is not a clean medium to communicate confidential data. But if you still want to, then use encryption software such as SMSProtector, Fortress SMS, etc.

5. Keep a close eye on your bill. If you see some discrepancy, immediately get your mobile phone and SIM card checked by an expert. Your phone could have spyware.

6. If you feel your phone's response time is very high, again take it to an expert. Your phone might have spyware.

Don'ts:

1. If your phone doesn't have an encrypted password valet, then don't save PINs and passwords on it.

2. Don't leave your phone unattended for long.

3. Don't connect your phone or its memory card to a PC which doesn't have an updated antivirus installed.

4. Don't click on MMS or SMS links if you don't know or trust the sender. Even if you trust the sender, it's always good to call him back and check whether he has actually sent the link.

5. Don't accept any SMS with an attachment unless it is from your service provider and you have requested it.

6. Never pass on sensitive information, such as bank account or credit card details, over the phone if you get a call from a bank or credit card agency. They're not supposed to ask you for this information over the phone.

Note: We're not legal experts, so the points above should not be treated as legal advice. You would need to contact a legal practitioner if you need legal advice on protection against mobile fraud.

Another hot emerging trend is that of SMSes. They're being used for some really fancy applications.

Besides being used for generating business in TV shows, one application is multi-lingual SMSes, and there are companies like Geneva Software offering the same. Geneva allows you to send SMSes to anybody in multiple Indian languages. What's more, these SMSes can be sent even to ordinary cellphones because the application converts them into a graphics image. This simple solution can have a powerful impact, as it can be sent to people who're not English literate. The govt., for instance, can use this functionality to convey a message to the common public, most of which is non-English speaking and carries ordinary cellphones.

It could also be used to make public announcements, such as an early warning system about a disaster. So for instance, if (God forbid) a tsunami is about to hit the Indian shores, then multi-lingual SMSes can be sent to the people who're likely to be affected by it. It would be the fastest means of reaching out to the masses.

Likewise, GPS is another hot trend in mobile communication. Today it comes in-built with many high-end mobile phones. A lot of companies have started offering GPS maps. Nokia, for instance, offers maps of over 100 countries, and of eight Indian cities. These maps contain details of 75k+ km of road, 10k+ restaurants and hotels, 10k+ bank ATMs, 5k+ schools and colleges, 3k+ petrol pumps, 3k+ places of worship, 2k+ hospitals and medical shops, etc.

Plus, even ordinary phones with a GPRS connection can today have location information thanks to Google Maps, which uses GSM towers to identify your location on a map.
