Cell phone security best practices – keeping your personal information personal.

In presentations I give on security, I have become accustomed to a pattern of presenting the information.  Step one, pose questions or situations that allow your audience to immediately identify with you or the subject.  Step two, provide case studies or scenarios that provide examples to support the subject.  Step three, give the audience some actionable items.

This article is all about supporting step three.  If I’ve done a good job of getting a person to identify with the subject and provided a reasonable explanation of the information, the reader/listener usually focuses in on the action items.

In this case, I wanted to provide supporting information to the Does My Cell Phone Have a Virus article. Also this seems very timely with the recent loss of the next generation iPhone at The Gourmet Haus Staudt in Redwood City, California. While I’m certain Apple has many more policies for device management, never mind the policies around having a prerelease device, if Gray Powell had simply followed the first recommendation below, things would be much different…

But I digress… Most of the offline questions I have received from my last article have had a common theme:

  • I did this, did I get a virus?
  • My insert_model_phone_name_here is acting funny what do I do?
  • I installed this app, is it legit?

Trying to address issues at that level and point is the “whack-a-mole” approach you want to avoid.  You want to put preventative measures in place so that these concerns are minimized.

You will find a number of lists like this on the Internet, but this is my take on steps to take to safeguard your information on your mobile device:

  1. Loss is your biggest risk; don’t lose your phone.  Your cell phone can hold the equivalent of your birth certificate, bank statements, and diary all in one location.  Maintaining physical control of the device is the best thing you can do to avoid losing your information.
  2. Make sure you use a password (or PIN if that’s what your phone supports) to lock the device.  This is the step users complain about most because of the inconvenience.  If anyone were to pick up your device, do not leave it wide open for them to read.  Protect it.
  3. If your device offers encryption of the device and any removable media, use it.  If you lose a device, the average person who picks it up will not likely have the ability to pull memory chips and decrypt your information.  Make it difficult for someone to get the data.
  4. Just because you can download hundreds of applications does not mean you should.  Be aware that many free applications are made to get personal information from you (again see my other post on this).  Others may actually be malicious.
  5. When downloading applications, be especially careful of banking applications. Only download them from trusted sources.  If you can download directly from the bank, that is your best option.  If you download from an app store, read the reviews and make sure you are not one of the first 10 people to download something.
  6. Only use Bluetooth if you absolutely require it. If you use Bluetooth, enable a PIN for pairing devices and do not leave your device discoverable.
  7. If your device supports WiFi, only connect to secure and trusted networks.  A network called “FreeWiFi” usually is not the best option.
  8. Limit the amount of data you store on your phone.  If you are working on things like tax documents or have personal information on the device, only leave it on the phone while you need it.  Limiting the amount of data on the device limits your risk if the device is lost or stolen.
  9. From a financial liability standpoint, inquire about cell phone insurance from your provider.  In a day where cell phones can initially cost $300 and cost $500 to $600 to replace, it may be worth the couple of dollars a month insurance to be able to replace it.
  10. If your provider offers the ability to remotely manage or wipe a mobile device, know how this works and be prepared to use it in case your device is lost.  If you remove all the data, you can limit your loss to just the device itself.
  11. Inquire with your provider and check with the device manufacturer for device patches and upgrades.  Much like your PC, smartphone software is updated on an ongoing basis to fix functionality and increase security.
  12. If your device supports third party security applications (usually Windows Mobile, Symbian, or Palm devices) look to manufacturers like Symantec and McAfee for firewall, anti-virus and spam prevention software.

Some of these are configurations you can do on your phone while the others are things you need to know to modify your behavior while using your phone.  If you follow these steps, chances are you should be okay.  In the rare case you lose your phone (ahem… next generation iPhone in a bar) and it happens to get picked up by an extremely technical user who can tear it down (Gizmodo), know that all bets may be off.  But for the average person, you’re going to be okay.

Skype now available on Verizon with 3G (AT&T) coming soon. But is it worth the risk?

Benefits of Skype Mobile on Verizon – PCWorld Business Center

There is a lot of excitement about having a mobile Skype application that can now take advantage of the cellular network you are on.  Until recently it had only been available for use over a broadband or other fixed wireless connection.

Given the excitement about this upcoming release, there are bound to be quite a few new users to the Skype community.  

Will users gain the benefit of being able to make reduced price phone calls?  Very likely.

Will they risk giving up some additional privacy in doing so?  Also very likely.

Will most people care?  Probably not.

I will disclose that I am not wearing my tin foil hat as I type this, but, as I see it, the limited benefits of Skype just don’t warrant the risk of its use.

My Skype issues short list:

  1. Skype communicates more like your computer than your traditional phone
  2. A basic Peer to Peer connection is made between you and whomever you call (the Peer).  However some peers are “SuperNodes” and they are bad, bad, bad, bad, bad.

Let me break down my concerns with each of these:

1. Skype communicates more like your computer than your traditional phone

This happens to be part of my biggest concern with Skype from its inception.  The Skype API is specifically written to “trick” firewalls to make it easier to use the application in environments with typical security controls in place.

For example, most businesses will have rules that only allow certain applications to access the Internet.  In most cases, an end-user PC will not have direct access to the Internet and will go through a proxy device.  The trick used by VoIP software consists of persuading the firewall that a connection has been established, to which it should allocate subsequent incoming data packets. The fact that audio data for VoIP is sent using the connectionless UDP protocol acts to Skype’s advantage. In contrast to TCP, which includes additional connection information in each packet, with UDP, a firewall sees only the addresses and ports of the source and destination systems. If, for an incoming UDP packet, these match a NAT table entry, it will pass the packet on to an internal computer with a clear conscience.  (full explanation by Jurgen Schmidt)

In my world, this is called a trojan or worm.  However since the software is installed by the end user and (presumably) the terms are agreed to upon installation, then this is an infection that people are consciously welcoming to their PCs.
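The firewall decision described above, modeled as an added example (not code from the original post or from Skype): a toy stateful NAT that tracks UDP flows by address and port only, shown once with direct outbound UDP permitted and once with a proxy-only egress policy. The class name, addresses, and ports are constructed for illustration.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed documentation address

@dataclass
class UdpNat:
    """Toy stateful NAT: UDP flows are tracked by address and port only."""
    allow_direct_udp: bool = True   # False models proxy-only egress
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # public port -> (inside, remote)

    def outbound(self, inside, remote):
        """An inside host sends a datagram; return the public mapping or None."""
        if not self.allow_direct_udp:
            return None  # dropped at egress, so no table entry is ever created
        for port, entry in self.table.items():
            if entry == (inside, remote):
                return (PUBLIC_IP, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (inside, remote)
        return (PUBLIC_IP, port)

    def inbound(self, remote, public_port):
        """A datagram arrives from outside; return the inside host or None."""
        entry = self.table.get(public_port)
        if entry is not None and entry[1] == remote:
            return entry[0]  # addresses and ports match: forwarded inside
        return None          # no matching entry: dropped

def demo():
    pc = ("10.0.0.5", 5060)           # constructed inside host
    peer = ("198.51.100.7", 33000)    # constructed remote endpoint
    other = ("192.0.2.99", 33000)     # constructed unrelated sender
    out = {}
    nat = UdpNat()
    out["unsolicited"] = nat.inbound(peer, 40000)
    mapping = nat.outbound(pc, peer)
    out["reply_after_outbound"] = nat.inbound(peer, mapping[1])
    out["different_sender"] = nat.inbound(other, mapping[1])
    strict = UdpNat(allow_direct_udp=False)
    out["strict_outbound"] = strict.outbound(pc, peer)
    out["strict_inbound"] = strict.inbound(peer, 40000)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With direct UDP blocked at egress, the table stays empty and no inbound datagram can match, which is what a proxy-only rule buys you.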

2. A basic Peer to Peer connection is made between you and whomever you call (the Peer).  However some peers are “SuperNodes” and they are bad, bad, bad, bad, bad.

In simplest terms, a Peer to Peer connection is not as direct as most would initially believe.  There are many devices in the path of your connection that intercept at least parts of your transmission.  Two things make this particularly alarming:

  1. Some Skype “peers” are actually “super-nodes.” When Skype is run on a computer that has a public IP address and is not otherwise behind a firewall, it can become a “super-node.” These computers are used as rendezvous points so that computers behind firewalls can receive connections from other Skype users. Although Skype refuses to explain the details of their protocol, it is likely that computers behind firewalls scan the Internet looking for super-nodes, then form and maintain long-term connections with these other computers. The super-nodes then proxy connections to the encumbered connections behind the firewalls.
  2. There are (supposedly) countries who are actively working with Skype (or parent company eBay) regarding the interception of their encrypted communications.  For example:
  • 2008 NYT Article – Canadian privacy group uncovers snooping of Skype and other forms of Internet communication in China.  Not really surprised are we?
  • SlashDot reveals German Govt Docs – Last year a lot was made of comments from Germany’s Ministry of Justice.  Documents were found that detailed costs regarding interception boxes, key forwarding trojans and anonymous proxies to hide police communications.
  • In 2005 the New York Times ran articles on how post 9-11 security measures had also given the US Government powers to intercept IP communications.

While Skype clearly states that all communications are encrypted end to end, they seem to be playing a game of semantics there.  Yes it is encrypted, but it is also decrypted in the middle and very likely made available to parties with enough governing power, influence, or money to influence its use.

But wait, there’s more…

Even if you don’t have the money or power of a large government to request/buy the proprietary encryption algorithms from Skype, there is new opportunity.  Recent university papers sponsored by the National Science Foundation have found that the patterns of spoken words make breaking the encrypted traffic easier than traditional data encryption techniques.  See the paper by Wright, Ballard, Coull, Monrose, and Masson of Johns Hopkins, ‘Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations’.

So, will most people care?  I still say probably not.  However I expect that most corporations and government agencies will, especially their security departments.  I would not want an executive of a company speaking to an overseas bank about work they are doing for a large acquisition over this technology.  There are too many parties that could have competing interests that would want to overhear parts of those conversations.

My recommendations:

  • If you really want to use Skype on your cell phone, do so with the understanding that your conversation “could” easily be monitored anywhere in the world.
  • Do not use your Skype connection to conduct any business transactions.
  • Do not discuss any work related items over your Skype connection.
  • If you are an IT or Security professional, educate your users on the issues with utilizing the technology.

Of course I expect someone to email me about cell phone encryption and mobile tower surveillance that occurs quite often in the US.  That will have to be another post when I’ve sufficiently stocked up on tin foil.