I was recently asked by Computerworld to contribute some statements on the security of, and our dependency on, mobile phones. The first response I got was an email from a former student on a Sunday afternoon, telling me that my name had appeared in an article on nrk.no. It turned out that they cited a Computerworld article that had not yet been published at the time. Here is the part of the Computerworld article where I am mentioned:
Not all my statements made it into the article. That is fair; journalists need more material than they can fit into a good article. On my blog I do not have such space limitations, so here is what I had said (the parts labelled in boldface show the published content):
- The mobile phone becomes a purse and a credit card, gives access to online banking, controls home alarms, email, social media, etc. Are we putting all our eggs in one basket?
Yes, you may say that; we put more and more eggs in the basket. More people go back home when they find out they have forgotten their mobile phone than go back to pick up their purse. It has become common to use a smartphone or a tablet as the only device for surfing the internet. The security that stemmed from having multiple devices – a personal computer plus a mobile phone – gets lost. Mobile devices also promote storing more data in the cloud with fewer service providers.
- Do individuals and society as a whole become more vulnerable when "everything" is on the mobile phone?
Vulnerabilities occur for several reasons: the user is responsible for keeping his mobile phone updated, smartphones are exposed to malware (especially Android), and there is a widespread attitude that it is acceptable to "jailbreak" phones, which weakens the mechanisms that protect against malware. This attitude is less common with respect to traditional personal computers. Individuals become more vulnerable when a device is lost: because of the large amount of data available via the phone, one is exposed to identity theft. Individuals also become more vulnerable with respect to the availability of data and services – if you lose your mobile phone, you lose access to email, online banking, social media and so on. Storage in the cloud with a few, foreign service providers can represent a problem for society. NSA's Prism project is a reminder of what centralised access to data in the cloud means for a society that does not want large-scale surveillance.
- When will we see the first large attacks against multiple mobile phones at the same time (as we have seen on personal computers)?
There are numbers from antivirus vendors, among them McAfee, that show that the number of mobile phones under attack increases steadily. This is currently happening especially in Asia. At NISlab we carried out an assessment of the security of mobile phones last year (http://brage.bibsys.no/hig/handle/URN:NBN:no-bibsys_brage_33692). The result was that all operating systems had good security models that separated apps from each other and prevented malware from modifying the operating system. So here we do not have a problem in theory, but a challenge in practice: to deliver good code quality and to prevent users from "jailbreaking" their devices and making them less secure. All offer locking and user authentication. At NISlab we do a lot of research on new methods of authentication so that you can get rid of PIN codes in the future. Examples are authentication with fingerprints or based on gait.
- What measures do you recommend to secure mobile phones? Is the four-digit PIN code sufficient?
I recommend not "jailbreaking" a mobile phone. One should also choose a supplier with a good record with respect to quality of implementation, i.e. few vulnerabilities detected in the field. Blackberry and Windows Phone have so far shown good-quality implementations. I myself do not use the phone functionality of a smartphone, so I am not affected by malware that calls expensive toll numbers. I use an old phone for calls and text messages; nothing to brag about in 2013, but very secure. Norsis (http://www.norsis.no) has more advice. The four-digit PIN code is good enough in most cases. If you wish a longer PIN code, there are instructions on the internet, e.g. "Configuring strong & memorable PIN codes on your iPhone".