Smartphone security fears stalk MWC

The ghost at the feast at the Mobile World Congress 2015, which took place in Barcelona last week, was smartphone security.

While phone makers such as LG, Microsoft and Huawei unveiled their new handset ranges, delegates would have been left pondering the growing threat that cyber crime and espionage now represent for smartphone users.

The more savvy among them would also have been wondering whether their own smartphones were being hacked into whilst they were in Spain and by whom.

Cyber security fears, now widespread throughout the industry, are reflected in some of the product ranges launched in Barcelona last week. Phone maker Blackphone, for example, teamed up with encryption specialist Silent Circle to produce what it believes is the most secure smartphone on the market, the Android-powered Blackphone 2, together with the equally secure Blackphone+ tablet.

Products such as the Blackphone 2 reflect how criminals and corporate spies now target not only senior executives, but are also becoming increasingly adept at using mid and lower-level employees as an entry point through which they can hack into corporate networks.

Owing to their portability and multi-functionality, smartphones are rapidly being identified by hackers as the weak link in the corporate communications chain.

According to research company Gartner, this year alone around 1.36 billion smartphones will be shipped globally, dwarfing PC sales of about 316 million. The research also forecasts that Google's Android operating system will power over half the 2.4 billion computers (desktops, laptops, tablets and phones) sold worldwide.

16 million mobiles already carry malware

Cyber criminals and state spy agencies are aware of this shift away from desk and laptop computers to handheld computing and have now begun to concentrate their efforts on hacking corporate smartphones.

According to Alcatel-Lucent’s Motive Security Labs, around 16 million mobile devices are already infected by malicious software designed to spy on users and steal confidential data. This form of malware is capable of tracking the phone and its owner's location, monitoring ingoing and outgoing calls, text messages and emails, as well as tracking web browsers.

Cyber-criminals are now targeting Android devices with infection rates for Android and Windows devices estimated to be split 50/50.

Many multinational firms, however, still employ an unmonitored bring-your-own-device (BYOD) policy. This frequently means key staff are connecting to the corporate communications network via unsecured smartphones. It has also led to a situation where staff access social networking sites and audio/visual entertainment of all kinds, exposing them to a growing number of malware attacks.

IBM, for example, reports that people who use mobile dating apps on phones they also use for work are increasingly putting their corporate database at risk. The company tested 41 dating apps on an Android handset and found that 26 of them were vulnerable to hacking.

Once hacked, IBM found that the smartphones could be used to spy on their owners, monitoring their every movement. Cyber criminals and corporate spies can hack into the phone's global positioning system (GPS) via the dating apps. Hackers can also control the smartphone's microphone and camera, enabling them to spy on the owners around the clock.

IBM polled companies to discover how many of their staff used dating apps. The results - roughly half of all staff use vulnerable dating apps - highlight the danger of unmonitored BYOD policies. IBM also warns that, as well as spying on corporate executives, the hack can be used to garner information about their dating habits in order to blackmail them.

Socially engineered hacks on the increase

Even innocent-seeming websites offer a treasure trove of privileged information to determined hackers. Social media posts on sites such as Facebook, LinkedIn and Twitter often contain very specific personal information about key personnel. Socially engineered hacks, frequently comprising the personal details of, for example, the IT manager, are now becoming the norm among organised gangs of cyber-criminals.

There is now a growing number of largely unreported cases of organisations losing significant sums, sometimes running into six figures, as a result of a new kind of socially engineered hack which relies on gaining the confidence of mid-level staff using personal information regarding their superiors and co-workers which has been gleaned from social networking sites.

There is also growing evidence that some smartphones are carrying pre-installed security flaws designed to spy on even the most careful business user. Security systems at Gemalto, which supplies mobile phone SIM cards to leading carriers such as Vodafone, Verizon and China Mobile, are reported to have been hacked by the security services.

While any honest business traveller should have less to fear from American and British intelligence agencies than from organised cyber-criminals, the hack reveals disturbing vulnerabilities in the smartphone industry's underlying technology.

While there is little that end-users can do to guard against pre-installed malware, all delegates who attended MWC 2015 should take some basic precautions to safeguard against corporate espionage and organised cyber crime.

Business travellers should not send sensitive information via unencrypted emails and should regard all public wifi hotspots with suspicion. Robust and extremely cheap encryption software is now widely available online.

Other precautions might include leaving communications devices safely locked in the hotel during the evening to avoid a physical hack or straightforward theft of the device.

A preferred alternative for some security-aware executives is to leave their smartphone either at home or safely locked in their case for their entire trip whilst purchasing an inexpensive mobile phone and SIM card locally and keeping unsecured communications to a minimum.

That way, they are sure they are not inadvertently compromising their firm's data system each time they log on to a public wifi service or leave their phone unattended for a few minutes.

Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe.