90% of smartphones are at risk of password theft, stolen data & hackers taking full control of devices

Security researchers revealed two separate threats last week they say could put up to 90 percent of the world’s 2 billion plus smartphones at risk of password theft, stolen data and, in some cases, let hackers take full control of devices.
One vulnerability involves flaws in the way scores of manufacturers of Apple, Google Android and BlackBerry devices, among others, have implemented an obscure industry standard that controls how everything from network connections to user identities is managed.
The threat could enable attackers to remotely wipe devices, install malicious software, access data and run applications on smartphones, Mathew Solnik, a mobile researcher with Denver-based cyber security firm Accuvant, said in a phone interview.
A separate threat specifically affecting up to three-quarters of devices running older Android software has been unearthed by researchers at Bluebox Security of San Francisco.
Dubbed “Fake ID”, the vulnerability allows malicious applications to trick trusted software from Adobe, Google and others on Android devices without any user notification, the company said on Wednesday.
“Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability,” Bluebox said in a statement referring to devices built before Google updated its core software late last year.
Solnik stressed that the threat to smartphone management software identified by Accuvant remained remote to average users and said that only a few dozen mobile communications experts in the world would currently be able to replicate the technique. But by publicizing the risks, his company hopes to avert this becoming a danger on a global scale.
Christina Richmond, a security services analyst with research firm IDC, said detecting these vulnerabilities is positive in that the phone industry has a chance to act on these findings before they can be exploited by bad actors.
“These security threats have become everyday issues for billions of smartphone users worldwide,” she said. “Mr. and Mrs. End User needs to understand the risk of not updating their phone’s software.”
http://www.reuters.com/article/2014/07/31/us-mobilephone-cybersecurity-idUSKBN0G01RI20140731

Why you should secure your smartphone:
A new nationwide survey by Consumer Reports found that 34% of all smartphone owners do absolutely nothing to secure their phones, not even setting a simple code to lock the screen.
"This is one of the reasons why so many people's accounts get hacked when their mobile phone is lost or stolen," said security expert Robert Siciliano with BestIDTheftCompanys.com. "When the device is not password protected, anyone who finds or steals it has direct access to all of your accounts that automatically log in as soon as an application is launched."
Consumer Reports found that only 36 percent of smartphone users have set a 4-digit PIN to lock their phone.
"Four digits are better than nothing, but the strongest passcodes have at least eight digits in them and have a mix of letters, numbers and symbols," said Mike Gikas, a senior electronics editor at the magazine.
Even fewer people take more aggressive measures to protect the data on their phone, such as:
Install software that can find the phone if it's lost: 22 percent
Install an antivirus app: 14 percent
Use a PIN longer than 4 digits, a password or unlock pattern: 11 percent
Install software that can erase the data on the phone: 8 percent
Use security features other than screen lock, such as encryption: 7 percent
"I'm not surprised by these low numbers," said Timo Hirvonen, a senior researcher at the global security firm F-Secure. "Most people don't see the need for security on their mobile devices. This is very short-sighted considering the kinds of information people have on them and access with them."
"That smartphone is a computer, like any other, and there's just as much risk of being a victim if you don't take the proper security precautions," said Alphonse Pascual, a senior analyst for security, risk and fraud at Javelin Strategy & Research. "Criminals are targeting those devices and people need to understand that."
Malware is a very real threat, especially for Android devices. The same types of viruses and other malicious software that can infect your desktop or laptop, and spy on everything you do, are now being launched at mobile devices.
"They can record your user names and passwords, the websites you visit, the text messages or emails you send and receive—it's pretty scary," Siciliano said. "You need to protect your mobile devices with antivirus, anti-spyware and other security software."

Security tips for smartphone users:
Set the phone to lock after one minute or less.
Does your phone have a setting that will erase all the data if there are too many—typically more than 10—unsuccessful attempts to enter the password? If so, enable it.
Update the operating systems, apps and programs as soon as you are notified. These updates often contain security enhancements and patches for vulnerabilities.
Use a "find my phone" app that lets you locate the phone if it's lost or stolen and erase all the data remotely.
Stick with trusted app stores. This won't guarantee "clean" software, but it will greatly reduce the risk.
Don't click links in an email, text or social network on your mobile device. It could lead you down a rat hole.

8 more tips to protect your smartphone:
Avoid public Wi-Fi such as at airports, hotels and coffee houses unless you are using a VPN from Hotspot Shield.
Disable your GPS to keep your location hidden.
Stay clear of unofficial versions of popular applications. These are often found on third-party sites when you root or jailbreak your phone.
Don’t save your passwords in your browser; use a password manager instead.
Go through all of your apps and make sure they don’t have access to personal information that you don’t want them to have.
Never save a password in a very private application like your bank’s, and always log out completely from your e-mail every time you’re done using it.
Install anti-theft software and enable the remote wipe function. This kind of app will help you locate a lost or stolen smartphone, so don’t delay in setting it up.
Keep a backup of all of your device’s data.