Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

McAfee shows security flaws of smartphones (especially Android devices)

Rob Enderle | Oct. 29, 2012
Smartphone security, or the lack of it, is downright scary. At this week's McAfee Focus event, CIO.com columnist Rob Enderle discovered just how easy it is to hack into someone else's device. Even if you secure corporate phones, employees' personal phones pose a significant risk.

Analysis: Enterprise Version of Windows 8 Focuses on Security

McAfee also argued that attacks such as this are often associated with root kits. That makes it hard for security software that doesn't have a fixed hardware component to address this successfully. While this was clearly a pitch for Deep Defender, which McAFee co-developed with parent company Intel and which is only made available to Windows machines at large business, it is interesting to note that the attack would not have worked on Windows 8. That showcased (intentionally or otherwise) one of the more endearing aspects of the new operating system: secure boot partition.

Smartphone Security Leaves a Lot to Be Desired

However, there is no Deep Defender for smartphones, though McAfee has released mobile security software for Android devices. All you need is to install a vulnerability in a compelling free app. Get a target to install the app, then attack the vulnerability to access whatever's on the device (passwords, IDs, addresses, bank account numbers and so on) and/or activate camera and microphone functionality to essentially turn the device into a spy.

This is when I had my "A-ha!" moment. While you can protect, to some extent, a business phone, how many employees have personal phones on the corporate network that you don't know about? Let's say I wanted to bug a politician, executive, security officer, teacher, competitor, ex-spouse, rival&you get the point. I just need to get them to use a compromised phone; if they carry two, I can go after their personal phone. I could make the compromised app look like some sort of promotion and, once it's installed, turn that phone into a bug that's constantly taking pictures or recording every meeting and conversation, even if the phone isn't used for that particular call. I could try for a drive-by download, too.

Commentary: Why Android Phones Are a Major Security RiskNews: Intel Hopes Mcafee Security Features Will Differentiate Mobile Chips

While curated app stores like the Apple and Microsoft stores actively look for malware, they don't aggressively check for bugs and wouldn't know where to look for a creative exploit. If I build an app that is never widely sold or used, the chance of the exploit being found is low. If I root the phone, too, I can likely destroy the forensic data that would let an investigator figure out how this happened.

This makes me wonder how many people on the Mitt Romney and Barack Obama campaign teams have phones that are broadcasting confidential information. How many police departments have been compromised? How many IT departments, bankers and private citizens don't know they are broadcasting?

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.