Mobile in Security

Date post: 06-Apr-2018
Upload: akash-agrawal

  • 8/2/2019 Mobile in Security

    MOBILE Viruses

    Akshay Sanklecha (3N-36)

    Smart Phone Growth

    The day when everyone has a PC in their pocket has arrived. Annual growth rate is 150%.

    Three things driving growth:
    - Increasing amount of time we spend online, whether business or pleasure
    - Instant gratification: hard to wait to check messages or update status
    - Lifestyle patterns, social networking

    National Science Foundation 5/21/2009

    Aren't Smart Phones Secure?

    1. Proliferation of mobile devices with powerful computing resources
    2. No massive malware outbreak to date = no panic about security
       - iPhone SMS attack in July 2009 changed that perception to some degree
    3. We trust smart phones & think they are safe
       - We have the mistaken sense they are immune to security threats
    4. Smart phones typically lack security features, like antivirus, found on other computers

    What Keeps Malware off Mobiles

    1. Code signing programs
       a. Mobile network operators, OS vendors and handset manufacturers all have code signing programs to control what code is run on the phone
       b. Changing with Android & jailbreaking
    2. Fragmented market
       a. Nothing like the market share Microsoft Windows has on computers
       b. Malware authors choose minority platform

    Developers' Responsibility

    Mobile application developers must learn how best to manage mobile application security risks
    - Limited memory and CPU
    - Multiple security models
    - Always on network

    Knowing the risks and how to respond to them is the only hope for creating secure software

    Smart Phones Difficult to Protect

    Easily stolen: theft is single largest problem
    - You put it down for a minute & walk away
    - Falls out of your pocket somewhere
    - Mobility = higher risk

    Protection options not well known
    - Encryption options are all different
    - Eavesdropping options are available

    More types of smart phones = complications
    - No standardization at this time, which is both good and bad

    Smart Phones R Pocket Computers

    Most commonly used phones, as defined by operating system (OS):
    - Android (Android OS)
    - BlackBerry (RIM OS)
    - iPhones / iPod touch (iPhone OS)
    - PalmPre (WebOS)
    - Windows Mobile (WinMobile OS)

    Viruses and Smart Phones

    How smart phone viruses spread
    - Internet downloads (file-sharing, ringtones, games, phony security updates, etc.)
    - Bluetooth virus (short range)
    - Multimedia Messaging System (MMS) virus spreads using the device address book

    Viral epidemics: a highly fragmented smart phone market share has inhibited outbreaks

    Only smart phones susceptible to viruses
    - Phones that can only make and receive calls are not at risk

    Internet, Bluetooth, and MMS

    In all of these transfer methods, the user has to agree at least once (and usually twice) to run the infected file.

    But smart phone virus writers get you to open and install their product the same way computer virus writers do: the virus is typically disguised as a game, security patch or other desirable application.

    Bluetooth Threat Vectors

    Bluejacking - sending unsolicited messages over Bluetooth (BT) to BT-enabled devices
    - Limited range, usually around 33 ft on mobile phones

    Bluesnarfing - unauthorized access of information from a wireless device through a BT connection
    - Allows access to a calendar, contact list, emails and text messages, and on some phones users can copy pictures and private videos
    - Possible on any BT-enabled device

    Either can do serious harm - Bluesnarfing copies info from victim's device and is more dangerous

    Lock Down Bluetooth!

    Bluetooth is default-on
    - Wastes your battery
    - Leaves you open to Bluetooth-based attacks, most common at this time

    Social Engineering Threats

    The best security in the world will not help you if:
    - You click on a phishing email and give your personal information
    - You click on an SMS/text message that appears to come from your carrier
    - You respond to a vishing phone call*

    Never give information via email or by phone or on the web, unless you initiate the exchange

    http://ourmidland.com/articles/2010/02/08/police_and_courts/2412111.txt

    Smart Phone Spyware is Real

    - Configure default application permissions to be more restrictive
    - Don't just download any and all games, applications, security software you come across, or messages from your carrier
    - Avoid granting applications "trusted application" status, which grants untrusted applications additional privileges
    - Beware ÜberTwitter, which demands full access to your BlackBerry

    http://www.sfgate.com February 8, 2010

    Eavesdropping

    - Last year Karsten Nohl, a UVa PhD graduate, cracked the secret code used on 80% of the world's phones
    - Mobile interception, as a result, is now within the reach of any reasonably well-funded criminal organization
    - You and I cannot fix this problem, but it's not likely to affect us individually

    http://www.nytimes.com/2009/12/29/technology/29hack.html

    Jealous Husband Scenario

    - 5 minute physical access to an iPhone, an Apple $99 developer license, a USB cable
    - Install SpyPhone, and send the report
    - Delete the report from sent emails
    - Delete SpyPhone

    On the Internet, Nobody Knows You're a Dog

    Any message, whether on a smart phone, computer, USB, or Facebook, on your windshield, or in your physical mailbox, can be spoofed. Verify independently.

    Threats to Smart Phones 2012

    Attackers will exploit our social conditioning entering Personally Identifiable Information (PI/PII), while interacting with phone voice response to commit vishing and identity theft. [1]

    We demand more and better availability from phone service than we would from an ISP, so the threat of a DoS attack might compel carriers to pay out on a blackmail scam. [1]

    At this point, mobile device capability is far ahead of security. We'll start to see the botnet problem infiltrate the mobile world in 2010. [2]

    [1] Tom Cross - X-Force Researcher, IBM Internet Security Systems
    [2] Patrick Traynor - Assistant Professor, School of Computer Science at Georgia Tech
    Georgia Tech Information Security Center

    Defense-in-Depth

    - Get latest firmware and software your mobile device manufacturer provides
    - Maintain situational awareness when carrying any electronic device
      - Watch your mobile device as you go through airport security
      - Known bad location for device theft
    - Do not use insecure wireless hotspots
      - Save important transmissions until you can connect to a secure environment

    Questions?
