Latest threat vector: Our mobile devices
As the "security guy" for my entire adult life, I've gotten a wide variety of security questions from friends, family, colleagues, travel companions and more. I tend to use these questions in the aggregate to spot trends in the wild. Far and away the most frequent questions are now focused on our mobile devices -- specifically how they are being used to spy on their owners and reveal our most intimate of secrets.
In the run-up to the last Olympics I had lots of questions from law enforcement and intelligence communities around the world about the risks to corporate executives preparing to travel to the games. At that time, there were several known attack vectors being used to exploit travelers' smart phones, regardless of brand. These were well-organized and highly focused attacks against high-value targets -- people expected to have significant confidential data stored in their e-mail, contact lists, text messages, photo cache, document store and the deleted files. The information gained through these types of attacks could be used for corporate, political, or personal leverage.
Now, however, I'm getting similar questions from a very different and much wider group of folks. Rather than just the government calling, now corporate executives and regular folks who are going through some sort of breakup -- personal or professional -- are getting hit with very similar attacks, and it's hurting them much more deeply than a simple blue screen of death. Their innermost secrets are being revealed, and used against them in the most personal of ways.
There are three basic types of common attack vectors on smart phones: direct entry, via a download, or through Bluetooth.
A direct entry attack means that someone has physical control of your phone for a few minutes and they load spyware on it (yes, there is a lot of spyware on the market specifically for mobile devices). Think about how often you leave your phone sitting on your desk, your night stand, or a table at the coffee shop. If you start treating that phone more like your Visa card, you're a lot less likely to be attacked in this direct way. If you're going through a breakup of some sort, it takes a conscious effort to keep your 'trusted' partner from gaining access while you're at lunch, asleep, or at play. Once installed, mobile spyware can listen in on your calls, copy and transmit your e-mails and texts, and even steal your photos. Most people find out only when others seem to know information they really shouldn't. This is the most common form (other than from well-funded intelligence-gathering agencies) of mobile attack, and is easily spotted (more on how to spot mobile spyware in an upcoming post) and removed with several good commercially available programs -- once you know to look for it.
The next most common form of this attack is through a program download. Blackberry users who are addicted to Brick Breaker should watch out for add-ons (a new Blackberry patch is coming shortly). Similarly, everyone who downloads games should realize they might also carry a spyware payload along with the game. Whenever you download a program to your smart phone from a previously unknown website, email, or text link (and no, a Google hit does not a trusted relationship make), you run the risk of adding spyware to your mobile device. These programs perform basically the same spying functions as found with a direct entry attack, but they are generally not targeted at you specifically, as it's really up to you to find and download the program in the first place. This is a growing form of information harvesting, with corporate data and identity theft being the big targets.
Finally, it is now possible to attack many smart phones simply by standing within a few feet of them for a minute or two. That's how long it takes for programs to guess their way into your 4-digit Bluetooth key (even faster if you left it set to 0000 like most of the human population). Once in, the most common attack is to load a new 'blank' record into your contact list along with some code that can remotely activate your microphone. With that in place, you can be eavesdropped on whenever and wherever -- even when you don't think you're using the phone. This attack is the hardest to accomplish, and still the least common, but it has now spread beyond the foreign intelligence and organized crime world into regular, old-fashioned corporate and personal espionage. If you use a Bluetooth earpiece, you're susceptible to this attack.
We now rely on our smart phones for all aspects of our lives. They contain most of our secrets, yet we still don't take them seriously when it comes to security. Everything that happens on our desktops is quickly moving to our smartphones, and that includes the bad with the good. Judging from the calls I've been getting, it's time to protect our smart phones as well as or better than the rest of our computers.
Next up: Exposing the direct links between cyber-crime and terrorism.
Tom Patterson is the Chief Security Officer for MagTek, a leading secure transaction technology provider to the global financial community.



