What’s the biggest risk for smartphone users?
‐ According to Vodafone NZ 41% of people use mobile internet on the toilet
‐ Cell phone technicians anecdotally report that 60% of handsets they’re asked to repair
have suffered water damage
‐ Do you want to buy a second hand handset now?
IN EMERGENCY: HOW TO DRY OUT A MOBILE PHONE:
1. Remove from water
2. Remove the battery
3. Remove the SIM card and pat dry
4. Remove all covers and dry the phone without shaking it
5. Wipe inside with alcohol to displace water ‐ do not use a hairdryer.
6. Leave in a bag with a packing desiccant or in a bowl of uncooked rice overnight to
7. Leave for a few days before installing the battery again
An important disclaimer at the outset – I am not an Apple fan‐boy but the iPhone has
revolutionised the smartphone market
Buy your own PLAYMOBIL Apple Store Playset at
Moore’s law and the exponential improvement of digital electronics
That said this Apple comparison graphic shows how the last decade has seen some
impressive technological developments.
And the pace of change is increasing – just researching this Spotlight topic has made it a
challenge to keep up with new threats and new products
A brief history of mobile phones:
The first handheld mobile phone was demonstrated by Dr Martin Cooper of Motorola in
1973. 10 YEARS LATER in 1983, the DynaTAC 8000x was the first to be commercially
available and sold for $4000.
My first mobile phone – how times have changed...
In the 20 years from 1990 to 2010, worldwide mobile phone subscriptions grew from 12
million to over 4 billion.
25% of handsets are now considered to be smartphones.
The evolution of mobile phones in Russian doll style is by UK artist and designer Kyle
Why should I care?
Cyber criminals have the ability to rapidly change tactics and can take advantage of
flaws in app and platform code, antiquated or non‐existent laws, understaffed police
forces and consumers ‘hell‐bent on convenience’ and unaware of the risks
Phones carry a lot of personal data ripe for identity theft, they can be sold on for cash,
and with the move to mobile commerce (your phone doubles as your wallet, allowing
payments and identity checks) they will be a prime financial target for cyber criminals
To date 88% of smartphone attacks have targeted Symbian devices – Nokia’s market
share is declining and the company has plans to use Microsoft’s new Windows Phone
platform. A review of OS market share follows – it’s predicted the low cost Android
platform will soon be number 1 in many markets and criminals are moving focus.
There are 3 times as many smartphones being activated every minute around the
world than there are babies being born
Hans Vestberg, CEO of Ericsson, speaking at the CTIA wireless conference
on 23rd March 2011 ‐
As technology changes it’s important for NetSafe and the New Zealand population to
keep ahead of cyber criminals as they change their tactics
Google has found that when a person gets a smartphone, the number of searches they
make increases fiftyfold ‐ http://www.stuff.co.nz/technology/gadgets/4684068/Under‐
‐ The global smartphone base grew by 44% YOY in 2010
‐ 5.2bn apps were downloaded, generating $2bn – a 10th of Fonterra’s annual dairy sales
‐ US ownership increased 60% over 2010 and the growth is escalating due to low cost
‐ In Q4 2010 in Australia 4.25m phones were sold with 62% of these being
‘smartphones’. IDC expects Android to be the number 1 smartphone OS within months
(Telstra sells an Android smartphone for just $99AU)
In the UK Android took the number one spot in April: Android: 28% / Apple: 26% / RIM: 14%
**The Apps debate – how to count free and multi‐lingual apps and wallpaper apps that are of no real use?
In the US the figure is 20%; in Hong Kong it’s 48% ‐ in NZ it’s estimated to be 7–10% of
4.7m, i.e. 330K–470K
BUT 26% of people surveyed by Nielsen in September 2010 said they were considering
purchasing a smartphone and 20% a tablet
That’s a number of people NetSafe thinks it’s well worth educating
Mobile vs desktop internet: Mobile overtakes in 2014.
This shows the importance of recognising device convergence and internet portability
‐ Carrier billing vs. NFC payments
‐ NFC is already common in Japan
This move towards mobile commerce will shift crime to mobile devices as payments
by NFC and wallet systems concentrate criminals on where the money is
‐ Mobile payments will double to $3.6bn by 2015
‐ Forrester research states 12% of Americans and 6% of Brits have already made a
transaction from their phone
‐ goMoney videos are available on YouTube. The NZ FAQs are at
‐ The National Bank also has iPhone banking ‐ http://itunes.apple.com/nz/app/national‐
‐ NetSafe would welcome more discussion with the NZ banks about mobile banking
penetration and technologies and moves to educate consumers
‐ Location Based Services are the next big push for marketers keen to direct messages to
the consumer’s handset
‐ Google is working with MasterCard on integrating GPS location status with vouchers
and ads on mobile surfing and NFC payments at POS
‐ Retailers can target shoppers close by – raising privacy concerns about both personal
location and Google accessing your spending behaviour
Business vs. Consumer – there is a lot of crossover advice and information based on dual
use of many devices
‐ 30% of our survey respondents said the device was provided by their employer with
over half of those stating they’d had no guidance on usage and security
‐ In the UK CESG ‐ the UK's National Technical Authority for Information Assurance at
GCHQ – has published official guidance on smartphone use in the public sector
(classified) but only gives its rubber stamp of approval to the BlackBerry platform
f_smartphones_in_Government.html). In NZ the BlackBerry remains the sole accredited
device for government restricted use.
‐ For corporates the downside to BYOD approach, convergence with the cloud and
mobile workforce means having data and devices outside the secure physical walls of
the office and the risk of malicious users gaining access inside the network. Small
portable devices are prone to physical loss and many staff (as our survey data backs up)
see employer owned smartphones as something they can use for personal tasks too.
Crippling cameras, USB and app store functionality may be the key to corporate security
‐ A mobile security strategy needs to address: Securing devices and data; securing
communications to and from devices and networks; compatibility with enterprise
What are the risks?
Compared to PCs the number of threats remains low but the growth in devices and
lack of consumer knowledge will combine to offer criminals a great opportunity – the
number of smartphones out there now makes mobile devices an attractive target
The steady rise in threats and recent move towards building apps that can control
mobile devices as a botnet show the interest criminals are taking
Physical loss remains a big threat and very common
STATS ON LOST PHONES from published research by Kaspersky and others:
53% of Indians
36% of Americans
27% of our NZ survey respondents
Do you want to avoid a Facebook shoutout? And let your friends publish their private
Install software/apps that will allow you to locate and/or lock/wipe a lost device.
STATS ON PHONE LOCKING from published surveys by Kaspersky and others:
40% of Indians
46% of Americans
47% of Brits
69% of NZ respondents in our survey
MALWARE AND OTHER TECH THREATS
The first mobile virus was discovered in 2004 and the talk of a growing threat has been
doing the rounds for several years
In 2010 F‐Secure was detecting 30 mobile viruses per month – a tiny amount compared
Hyppönen thinks the situation is such because the first malware on every new platform
is always created by hobbyists ‐ as a challenge and a method to show off their skills.
When money‐making opportunities begin to rise, the "real" criminals enter the arena.
That day is coming soon because mobile banking is on the rise.
HACKING HISTORY – A sample of smartphone attacks since 2008
The recent Android.Bgserv Trojan (early March) was published as a fake Google security
patch after the Droid Dream outbreak. The code was clever but not perfect and could
change device APNs and block incoming calls from known phone numbers (your
network’s technical support number) – however it had to be downloaded from unofficial
marketplaces and the process was visible when checking what’s running in the
background on Android.
The iPhone suffers from a weak password and file storage system which has been
hacked by both Swiss and US researchers
ZitMo and ING Poland two factor SMS intercept ‐
The current low level of threat awareness, coupled with the high value of
information stored on smartphones and the growing number of malicious
programs targeting mobile platforms, not to mention the possible loss or theft of
a device, are key factors testifying to the need to educate users
As many as 52 per cent of smartphone users from all the countries surveyed are
oblivious to the existence of antivirus software for mobile phones, and only 12
per cent are already using it.
HOW MANY IN OUR SURVEY HAVE AV INSTALLED? Only 12% of our survey
respondents had security software on their phone
Kaspersky Lab Smartphone User Survey (UK, France, Italy and Spain)
“I understand that it is in Google's interest to have as many Android developers as
possible, but a $25 entry fee to publish your application can encourage malware writers
and spammers to create new developer accounts every day.”
Vanja Svajcer, Principal Virus Researcher, SophosLabs
In theory sandboxing on phones improves security on the device and should prevent
malicious use of phone data by applications
BUT projects like this one from Lookout show how free apps can interact with your
• Android apps less likely than iPhone to have access to personal information
• 29% of 'free' Android apps can access personal location
• 33% of 'free' iPhone apps can access personal location
• 14% of iPhone apps can access personal contact data
• 8% of Android apps can access personal contact data
• 47% of 'free' Android apps have third‐party code with ability to interact with
personal data – TRACKING THE USER AND DATA ON THE DEVICE
• 23% of 'free' iPhone apps have the same ability
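The permission check behind figures like these, as an added example that is not part of the original notes or of Lookout's project: a short Python script reads an app's AndroidManifest.xml, reports which of the personal‐data categories above the app can reach, and notes whether it also holds the INTERNET permission needed to send that data off the device. The manifest is a constructed sample for a hypothetical free game.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions mapped to the personal-data categories in the Lookout figures
# (location, contacts) plus SMS and phone identity, which carry cost/tracking risk.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_PHONE_STATE": "phone identity",
}

# Constructed manifest for a hypothetical free game; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Free Game"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))


def review_permissions(manifest_xml):
    """Summarise what personal data the app can touch and whether it can leak it."""
    perms = requested_permissions(manifest_xml)
    categories = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    findings = []
    # Personal data plus network access is what lets bundled third-party code "phone home".
    if categories and "android.permission.INTERNET" in perms:
        findings.append("can send %s off the device" % ", ".join(categories))
    if "android.permission.SEND_SMS" in perms:
        findings.append("can send SMS without the user typing them (premium-rate risk)")
    return {"permissions": perms, "sensitive": categories, "findings": findings}


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST)
    print("Requested:", ", ".join(report["permissions"]))
    print("Personal data reachable:", ", ".join(report["sensitive"]) or "none")
    for finding in report["findings"]:
        print(" -", finding)
```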
PHYSICAL LOSS ‐> can allow access to your device and data ‐> BACK UP YOUR PHONE AND DATA and use LOST/FIND SERVICE
• Lost content and contacts
• Cost of SMS and data usage
• Financial loss through banking/stock apps/stored passwords and scams perpetrated on your friends/contacts
• Reputational risk around email/corporate information/social profiles
MALWARE ‐> KEEP YOUR FIRMWARE / OS UP TO DATE and AVOID PUBLIC WI‐FI ESP. FOR BANKING
The number of pieces of new mobile malware in 2010 increased by 46 percent ‐ McAfee Q4 Threat Report
OTHER THREATS SHOWN IN THE GRAPHIC INCLUDE:
Malware apps ‐ can be easily built by developers copying and adapting code from current games: “stealing a popular app, packing it with booby‐trapped code and offering it for
free can reap rewards”
Dialerware – Android malware has proven the old dial‐up internet trick is possible and it can take time for a user to spot costly calls/txts being racked up on their credit or
account. How do telcos respond to these charges?
Sideloading – Android users can install some ported apps by installing Android Package files (APKs)
Phishing / Smishing ‐ Will telcos introduce SMS filtering?
Phishing has been given a smartphone makeover for 2011 ‐ and is now known as Smishing, or SMS phishing ‐
"Smishing is a growing problem for all banking segments including credit unions, regional banks and large nationwide banks," said the RSA reports.
"Large nationwide banks have been the hardest hit by smishing as cybercriminals can distribute their SMS spam to a wider base of mobile users who are more than likely to have
some form of financial account at one of these institutions. Smishing has now become more successful than its well‐established desktop computer cousin, partially because while
there are spam‐filtering systems in place with internet service providers, and again on individual machines, no well‐developed mechanism exists for weeding out suspect text
"Success rates are higher with a smishing attack compared to a standard phishing attack as consumers are not conditioned to receiving spam on their mobile phone, so are more
likely to believe the communication is legitimate."
SMS – subject to hoaxes, spam, spoofed messages and malicious download links. Symbian worms have sent texts to users in the contacts list often costing the phone owner
MMS – this multimedia protocol can be used to send spam and executable malware files where worms and trojans masquerade as updates to applications
Wi‐Fi – information can be harvested from unencrypted public Wi‐Fi networks and it’s suggested that smartphone users avoid banking and shopping transactions on public
hotspots such as airport and cafe networks
PAN – a Bluetooth network can be exploited to transmit malware and ‘bluejacking’ can allow the sending of unsolicited messages and files
Bluetooth worms – limited due to connectivity range but leaving your Bluetooth turned on and your device discoverable can result in requests to accept transmissions from
• Set the Bluetooth‐enabled device to non‐discoverable when not in active use
• Do not accept Bluetooth‐transmitted files from unknown users
Privacy / Location – New Jersey federal prosecutors are investigating whether smartphone apps illegally collect information about handset users without proper disclosure, including
location and phone identifiers
QR CODES DEMO
65% of Facebook malware links used shortened URLs – Symantec
QR codes could provide a similar blind attack route on smartphone users
‐ 120 responses: data is analysed by overall trends and then split by platform
‐ We can’t claim the survey is scientific as many of the respondents were recruited via
Facebook, Twitter and comments left on related Herald stories – self selecting and/or
friends of friends
‐ We didn’t include Windows Phone 7 as an option
‐ 70% of those responding lived in NZ – we also garnered responses from Australia, the
UK, Canada and the US
‐ Mean age of respondents was 40
50% of respondents to our survey were Apple iPhone owners – this may just be because
they’re happier to stop and talk (going on the behaviour of business people in the CBD)
Examining responses from just NZ residents, Android penetration moves up and RIM
25% of those questioned had no idea what software their phone ran on – can we
immediately suggest that at least 1 in 4 smartphone owners would not see their phone
as something to be kept up to date?
Anecdotally there seems to be confusion around if/how you can upgrade your
Android phone – on forums and talking to owners and phone shop workers there’s
confusion about this and concern amongst developers over Android fragmentation
driven by the freedom given to carriers and manufacturers to customise Android
iPhone owners were more up to date suggesting the simplicity and repeated prompting
of iTunes is effective in keeping iOS patched. Only 10% of iPhone owners surveyed
identified their phone as being jailbroken
More than half of those few with a security app installed didn’t know if they could lock
or wipe their device remotely
1 in 3 smartphone owners do not backup their data and devices
The core messages behind the 2008 NetBasics computer security programme remain
key to smartphone security too – http://www.netbasics.org.nz
WHAT CAN SMARTPHONE OWNERS DO?
‐ Secure your device and the data on it with a password or swipe pattern
Physical loss is one of the most common ways to put your information at risk. 1 in 4 people responding to our survey stated they’d lost a phone and
never recovered it. 1 in 3 didn't lock their phone.
Invest in a security app like Lookout or register with a service like MobileMe (for iPhone owners) or Motoblur (for Motorola handsets) so you can track
your missing phone and remotely lock or wipe the contents.
‐ Back up your data
Most phones hold enormous amounts of data including personal and business contacts, emails and other hard to replace information. Sync your
phone with a computer to backup contacts and files or simply copy the SIM card regularly.
‐ Only download apps from the major stores
Avoid unofficial marketplaces and always read reviews to see if previous downloaders have experienced problems. Stick with major developers who
have lots of positive reviews.
There are spyware apps being developed that harvest your phone’s information and report back to a central control server. Be aware of what you're
really downloading and check the app permissions for what functions it wants access to on your phone.
Unusual SMS or data activity or a rapidly draining battery can be signs that your phone is infected.
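The "unusual SMS activity" sign above, and the costly texts racked up by the dialerware described earlier, as an added example that is not part of the original notes: a Python script reviews an outgoing‐SMS log and flags texts sent to short codes (assumed here to be 3–5 digit numbers, the usual premium‐rate destinations) and bursts of several texts within a minute, which a person typing on a handset does not produce. The log is constructed, not captured from a real device.

```python
from datetime import datetime, timedelta

# Constructed outgoing-SMS log (not from a real handset): "timestamp,destination".
# The 03:05 run of texts to a short code is the kind of activity dialerware produces.
SAMPLE_LOG = """\
2011-04-02 08:15:10,+6421000001
2011-04-02 12:40:02,+6421000002
2011-04-02 03:05:00,3351
2011-04-02 03:05:04,3351
2011-04-02 03:05:09,3351
2011-04-02 03:05:14,3351
2011-04-02 03:05:20,3351
2011-04-02 19:30:45,+6421000003
"""


def parse_log(text):
    """Parse 'timestamp,number' lines into a time-sorted list of (datetime, number)."""
    rows = []
    for line in filter(None, text.splitlines()):
        stamp, number = line.split(",", 1)
        rows.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), number.strip()))
    return sorted(rows)


def is_short_code(number):
    """Assumption: 3-5 digit destinations are short codes, i.e. premium-rate candidates."""
    return number.isdigit() and 3 <= len(number) <= 5


def find_bursts(rows, window=timedelta(minutes=1), threshold=4):
    """Return (start, count) for each non-overlapping window with >= threshold sends."""
    bursts = []
    i = 0
    while i < len(rows):
        start = rows[i][0]
        j = i
        while j < len(rows) and rows[j][0] - start <= window:
            j += 1
        if j - i >= threshold:
            bursts.append((start, j - i))
            i = j  # skip the messages already counted in this burst
        else:
            i += 1
    return bursts


def review_sms_log(text):
    """Flag short-code destinations and bursts of outgoing texts in an SMS log."""
    rows = parse_log(text)
    to_short = [n for _, n in rows if is_short_code(n)]
    return {"sent": len(rows), "short_codes": sorted(set(to_short)),
            "to_short_codes": len(to_short), "bursts": find_bursts(rows)}


if __name__ == "__main__":
    r = review_sms_log(SAMPLE_LOG)
    print(r["sent"], "sent,", r["to_short_codes"], "to short codes", r["short_codes"])
    for start, count in r["bursts"]:
        print("burst of", count, "texts within a minute from", start)
```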
Android, BlackBerry and Windows Phone 7 owners should install anti‐virus and anti‐malware security suites to help protect their phone and scan file
‐ Keep your operating system up to date
When the iPhone 4 was hacked at the Pwn2Own 2011 event in Vancouver last month, the developer able to retrieve contacts from the device
acknowledged that Apple closed off the exploit with the release of iOS 4.3.1. Don't ignore those iTunes messages to update your software.
‐ Jailbreak at your peril
Apple iPhone owners can unlock their phone to install non‐Apple approved software. Whilst the process has become relatively simple, make sure you
know what you're doing before going down this route. In the past the only iPhones troubled by malware have been of the jailbroken variety.
The most common phone incidents are bogus phone/SMS charges and rogue applications (over 500 identified) – all normally require the user to take
action to cause the problem such as clicking a link to accept or install a program so don’t trust texts or emails from unknown parties in the same way
you don’t open attachments or click links in PC spam.
iPhone owners should consider cleaning their search and keyboard caches regularly and should use specialist software to fully wipe their phones
before selling on according to US security researchers.