Tuesday, 15 September 2020
By Nick Pockl-Deen

Close to a billion smartphones could be a threat to the security of their users' confidential business and personal information.

Smartphone manufacturers are always pushing the envelope to create new and innovative features for customers. As such, third parties are often involved in manufacturing the hardware and software that facilitate these features. A common example of this is the 'Digital Signal Processor' or DSP. Found in smartphones, TVs and other consumer devices, the silicon chip is responsible for transmitting signals through the device to make it possible to render features such as charging, watching and capturing videos/audio and making and receiving phone calls.

Qualcomm Technologies is a leading manufacturer of the chip found in about 40% of smartphones. These Qualcomm chips are not manufactured for iPhones but are found in Android phones such as those from Samsung and Google. Over 400 vulnerabilities have been identified in the Qualcomm DSP chips, turning otherwise secure devices into remote spying devices capable of:

  • Eavesdropping on calls and acting as a remote listening device
  • Exfiltrating photos, videos, contact details, GPS and location data
  • Making the phone unresponsive and unavailable to the user

The DSP vulnerabilities are not the only threat, and threats aren't limited to Android devices. This was proven by the phone virus injected into the iPhone X of Amazon's CEO Jeff Bezos. It is speculated that by embedding a virus into an encrypted video sent to the iPhone via WhatsApp, the virus gave actors remote access to Bezos' phone without his knowledge. This was done by slowly and discreetly transmitting data to a remote server over the months after the video was received. This ultimately caused the irreversible transfer of a significant amount of Bezos' private personal data, transferring up to 4.6GB on one single day.

Forensic smartphone experts analysed Bezos' phone using analysis software. After an in-depth review involving running malware scanners and reviewing historic network traffic, there was still no concrete evidence that the device had been compromised. However, it is known that some malware can implement techniques to avoid detection by analysis software, which was assumed to be the case here.

Despite the inability to identify any malicious software, the increased outbound data transfer occurring on the device indicated to the forensic experts that it was more than likely that the iPhone was compromised by the video attachment received via WhatsApp. It is clear the threats to your laptop are just as prevalent as those to your phone, whether you use an Android or iPhone. Businesses and users need to be vigilant to threats to minimise the occurrence of a data breach.

For businesses, it is always recommended to implement Mobile Device Management (MDM) software on smartphones when they have access to or modify business data. The benefits of an MDM are mainly that applications can be monitored and access restricted, preventing unauthorised leakage of data. Although this can place unwanted limitations on the devices, such as a 30-second screen timeout and limiting applications that can be installed, it is well worth the cost for the increased security.

For everyday users, activating two-factor authentication (2FA) where possible significantly reduces the likelihood of unauthorised access to any device or account. Additionally, it can act as an alert whenever there is an attempt to access any of your accounts. If you are not accessing your account and you receive a 2FA code, your best course of action may be to change your password as soon as possible.

A simple yet effective method to increase your phone security is to increase the complexity of your phone access PIN. Some phones can be 'brute-forced', a process where all possible combinations of a PIN are attempted until the phone is unlocked. The time required to brute-force a 6-digit PIN code compared to a 4-digit PIN code can be a difference of years, even more so when using an alphanumeric code (a combination of letters and numbers). In the case of Androids, it is recommended to steer clear of the 'Pattern' or 'face unlock' methods, as these Android unlock methods are found to be insecure and easily bypassed. Apple's Face ID is more secure based on the facial recognition technology utilised. An additional layer of protection offered on iPhones is to select the option to wipe all data after 10 failed unlock attempts, but be sure to have a regular backup in place!

In some instances, despite best efforts, there may be a suspected data leak. In these situations, devices can be forensically analysed to search for malware and viruses, and network traffic can be examined to look for large transfers of data or any unusual or suspicious activity. By forensically analysing devices, evidentiary information can be obtained about the series of events during a given time, allowing the data leakage to be controlled and then resolved.
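The network-traffic check described above, looking for unusually large outbound transfers, can be sketched as follows. This is an added example, not part of the original article; the log format, host names and byte counts are constructed for illustration.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample: per-connection egress records for one handset.
# Every value is invented for illustration; one row is deliberately malformed.
SAMPLE_LOG = """date,remote,bytes_out
2020-03-01,cdn.example.net,400000
2020-03-01,mail.example.net,100000
2020-03-02,cdn.example.net,450000
2020-03-03,mail.example.net,520000
2020-03-04,cdn.example.net,480000
2020-03-05,unknown.example.org,300000000
2020-03-05,cdn.example.net,500000
2020-03-06,mail.example.net,510000
2020-03-06,cdn.example.net,n/a
2020-03-07,cdn.example.net,470000
"""

def daily_egress(log_text):
    """Sum bytes sent per calendar day, skipping malformed rows."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            totals[row["date"]] += int(row["bytes_out"])
        except (KeyError, TypeError, ValueError):
            continue
    return dict(totals)

def flag_spikes(totals, threshold=6.0):
    """Flag days far above the device's own baseline, using median and MAD
    so that one huge day cannot inflate the baseline and hide itself."""
    values = list(totals.values())
    if len(values) < 3:
        return []
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    # On perfectly flat traffic MAD is 0; fall back to multiples of the median.
    scale = 1.4826 * mad or max(median, 1)
    flagged = []
    for day, total in sorted(totals.items()):
        score = (total - median) / scale
        if score > threshold:
            flagged.append((day, total, round(score, 1)))
    return flagged

if __name__ == "__main__":
    print(flag_spikes(daily_egress(SAMPLE_LOG)))
```

A flagged day is a lead for further examination, not proof of compromise: a backup or a large upload by the user produces the same spike.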

Considering mobile phones play such an important role in people's lives, from personal and business communication to entertainment and banking, phone security should be front of mind for everyone. We should not rely on smartphone manufacturers to take the necessary steps to ensure the security of our private personal or confidential business data.