Co-authored by Dr. Stephen Bryen, Founder & Chairman, Ziklag Systems
He plays bass guitar, and rather well some say. He discovered Christianity for himself and reads biblical texts. He has been a hacker since the age of 8. He is known amongst other hackers as "nerve gas," his pseudonym. His ability and competence are unquestioned; law enforcement and top government agencies call on him for help. He is an expert, one of the best outside of the company itself, on Apple's iOS operating system. That's the operating system on iPhones.
His name is Jonathan Zdziarski. He has uncovered shocking information about iPhone vulnerability. Basically it is this: if you rely on the iPhone's encryption when you back up your iPhone, you may think you are protected, but you are not. Zdziarski has found undocumented services on the iPhone that would let an intruder recover everything on your phone. According to Zdziarski, these undocumented services should not be on the phone, but they were put there. Who knows why?
Meanwhile three researchers working at the University of California, Riverside's Bourns College of Engineering have found that it is possible to get sensitive personal information off the phone by taking advantage of what they call "shared memory" statistics. Basically, every smartphone shares memory among applications, meaning the memory is both accessible and vulnerable. If what looks like an APP you like to run has been tampered with and includes malware, it can be running alongside the regular software you typically use. Looking into this further, the research team of Zhiyun Qian, a computer scientist and engineer, Z. Morley Mao, an Associate Professor at the University of Michigan, and PhD student Qi Alfred Chen was able to demonstrate how Gmail, H&R Block, NewEgg, WebMD, Chase Bank, Hotels.com and Amazon could be hacked and personal information stolen. They did this fairly consistently, succeeding over 80 percent of the time for all of them except Amazon, where they were able to hack it 48 percent of the time. According to the team, while they carried out their demonstration hacks on the Android platform, the same thing should be true for iPhones and Windows-based smartphones. Their proposal: memory side channels need to be eliminated, but this is very unlikely because the side channels facilitate running multiple programs at the same time.
Smartphones are outselling all computers (desktop and laptop) because we have moved into the world of highly mobile computing. Smartphones, phablets and tablets offer convenience and power; because of their multiple sensors, cameras, microphones and fast processors, smartphones make everything easier. You can, for example, take a snapshot of a check you received, send it electronically to your bank and deposit it. In fact, our California research team has a neat video showing how a check sent to Chase can be perfectly hacked, meaning an intruder gets the check image and, from that, the bank account number, the name and address on the check, and the depositor's signature.
The smartphone problem is a growing one. As smartphones are increasingly used for financial transactions, for sharing sensitive personal and proprietary information, and for operating other devices (such as home security systems), the field for intruders grows and becomes increasingly attractive. Smartphones are intentionally built as open platforms so programmers and developers can quickly build APPS to take advantage of the phone's potential. Under some public pressure from privacy organizations, smartphone makers have been grafting on encryption to try to protect phones; but putting encryption on a phone does not mean that it is used, and even when it is, as "Nerve Gas" proves, it is easy to get around.
But, you say, I am careful and I only use my smartphone to call the family or check the news, sometimes for a text message or email. Even if someone picks it off, it does not really matter much.
Think again. Your smartphone can be listening even when you think you have turned it off. There is a type of malware called a "spy phone." The spy phone can actually activate your phone at your office or home and listen in to your conversations, even take photos without you knowing it. If you write on your calendar APP that you will attend an important product meeting or board meeting, the spy phone can attend too. It will hear what you hear, and send it back to the intruder.
Government spying on smartphones is now well known. But spying by corporations and private eyes gets less attention than it deserves. Private companies spy on each other and get away with it, because they are rarely caught. In Britain a major scandal broke out more than a year ago involving 140 top firms in the UK, including law firms, who were all spying on competitors or adversaries. The scandal was picked up by a Parliamentary committee, which started to ask questions. The police claimed the committee's inquiries would interfere with ongoing investigations and asked it to stop. The scandal was covered up, mostly because some of the firms were spying on their overseas competitors (mostly in the US, one would guess), and thus the spying was helping the British economy.
If you work in a competitive company, in a law firm, in an advocacy organization, in the health care service industry, or in banking and finance (just to name a few highly targeted organizations), then you and your smartphone are on someone's hit list. Beware.
So what can you do? To start, minimize putting personal information of any kind on your smartphone. If you put it there, it is exposed to hackers. Next, try to avoid using social APPS on your smartphone. They are easy pickings for even amateur hackers. Don't use web-based email, even if it is supposedly free. The best email system is one that is run by your company and works over a dedicated client on your smartphone. Almost all public web-based email systems scan your email and sell the information from the scans to advertisers or others willing to pay for it. In fact, free email providers don't necessarily know who they sell to because they work through data brokers. At last count data brokers were holding some 700 billion data "elements" and adding 3 billion new "elements" (pieces of saleable information) per month. Sad to say, there are no rules about who gets all this information or what they do with it.
And, of course, don't put APPS on your phone that you don't really need and which ask for a bunch of permissions you may not want to give. For example, if a photo APP says it wants to know your location, don't download it.
Above all, think before you use an APP, type out a password, grant a permission, use social media, snap a photo or take your phone into a sensitive meeting.