Surveillance rootkits on smartphones

Liviu Iftode and Vinod Ganapathy, two researchers at Rutgers University, have revealed some experiments they have been conducting, showing how rootkits could be used to take control of smartphones.

The scientists have shown that a malicious attacker could cause a smartphone to “eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless”.

Watch the following YouTube video to learn more:

It’s a cute little video, but how realistic is this threat in reality?

I don’t think the kind of attack described by Iftode and Ganapathy is a big deal right now.

Yes, it is possible to change or put software onto a smartphone (by, for instance, installing a rootkit) so that the mobile device then performs malicious functions. For instance, code that enables covert remote surveillance, battery drainage or silently steals data.

Of course, this relies upon the smartphone allowing you to make changes to its low-level software. Popular smartphones like the Apple iPhone lock down that kind of meddling to a great extent.

So, the key thing to remember is that the bad guys have to somehow get the malicious rootkit onto your phone in the first place.

How are they going to do that?

They would either need to have physical access to your smartphone, exploit an unpatched security vulnerability or use a social engineering attack to trick you into installing malicious code. Even if they went down the “trick” route they would be relying upon the phone’s OS to allow you to install unapproved apps (iPhones, for instance, are strictly controlled by their Cupertino-based overlords, allowing users to only install code that has been approved and checked by the AppStore).

So it doesn’t sound like what Iftode and Ganapathy are describing is actually any different from the rootkits that infect traditional desktop computers. The main difference is that there are probably less opportunities (and thus much harder) to infect a mobile phone than, say, a computer running Windows.

Furthermore, I would argue that the typical mobile phone user is still typically less used to installing applications than their Windows counterparts, and so the chances of success via fooling the user into installing a dangerous application can be assumed to be even lower.

Iftode and Ganapathy have not demonstrated any revolutionary new way of getting round the biggest hurdle for those wanting to spy on smartphones: how are they going to get the malware onto the phone?

If I really wanted to snoop on someone’s phone I think it would probably be easier to swap my victim’s mobile phone for an identical (but bugged) device rather than go to all this effort with no promise of success.

Smartphone snooping

Sure, the mobile phone malware threat is growing – but it’s a tiny raindrop in a thunderstorm compared to regular attacks that strike Windows computers. Slowly but slowly it’s becoming more serious (the recent discovery of financially-motivated malware that targets jailbroken iPhones is proof of that), and undoubtedly we will begin to see more users running anti-virus security on their phones in the years to come.

However, if I was responsible for securing my company’s mobile phones I would be much more worried about the real security threat of staff losing their phones in taxis or on the train, rather than the theoretical risk of surveillance rootkits.

It’s a nice video and presentation that Iftode and Ganapathy made, but I won’t be losing any sleep over it just yet.

More information on the topic of smartphone rootkits can be found in the paper Iftode and Ganapathy have produced: “Rootkits on Smart Phones: Attacks, implications and opportunities” [PDF]

Source: Surveillance rootkits on smartphones


Posted in Naked Security, English-Italian Translations and tagged , , , , by with no comments yet.

PleaseRobMe site exposes danger of sharing too much information online

Users of sites like Twitter and Foursquare will be all-too-familiar with seeing messages from friends broadcasting their current location and – through implication – that they’re not at home.

A new website called Please Rob Me mashes together content from Foursquare and Twitter, providing an easy way for potential burglars and stalkers to find out where you are supping your cappuccino, and when you may have left your home empty.

Please Rob Me website

Although playfully presented as an aid for house robbers, the Please Rob Me website claims to be designed with one simple purpose in mind: to raise awareness of the dangers of sharing too much information online:

The goal of this website is to raise some awareness on this issue and have people think about how they use services like Foursquare, Brightkite, Google Buzz etc. Because all this site is, is a dressed up Twitter search page. Everybody can get this information.

And they’re right – there’s nothing on Please Rob Me that you can’t find directly from these websites. It will be interesting to see if Foursquare and Twitter attempt to prevent Please Rob Me from automatically scooping up data from their sites following the publicity this “service” has received, but the most important thing we can all learn from this website is the importance of being more careful with the information we share with everybody on the internet.

Source: PleaseRobMe site exposes danger of sharing too much information online


Posted in Naked Security, English-Italian Translations and tagged , , by with no comments yet.

Online Credit/Debit Card Security Failure

Ross Anderson reports:

Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it.In a paper I’m presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace?

Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem.


Posted in Bruce Schneier, English-Italian Translations by with no comments yet.