NEWS

Smartphone apps need securing at software development stages

MARCH/APRIL 2010

Smartphones could very easily become spy phones, with hackers able to eavesdrop on your conversations, researchers at Rutgers University in the US have warned. The handsets could be hijacked using malware, as they have now become as advanced as computers, say experts.

Researchers at Rutgers University have developed a proof-of-concept rootkit that can be ported to multiple smartphone operating systems such as the Apple iPhone plus Google Android, and allows hackers to remotely turn on the GPS function, as well as remote-enable the phone’s microphone.

Rootkits – which have been around on PCs since the mid-1990s – are notable for masking their own existence on the computer, and can be installed via emails that trick users into opening attachments.

“Smartphones are essentially becoming regular computers”, said Vinod Ganapathy at Rutgers University in New Jersey. “They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack.”

“What we’re doing today is raising a warning flag”, said fellow researcher Liviu Iftode. “We’re showing that people with general computer proficiency can create rootkit malware for smartphones. The next step is to work on defences”, he added.

Fortunately for the many hundreds of millions of smartphone users around the world, the researchers concede it is much harder to slip rootkits into smartphones – which tend to have strict rules on non-approved code being installed.

According to Richard Kirk, European director with application vulnerability specialist Fortify Software, with the rootkit the researchers have developed a full-blown hacker code methodology that allows all the features of a smartphone to be turned over to a hacker’s control.

“Just like a compromised desktop PC, all the operations of the hacked smartphone can be used for all manner of hacking purposes, including data theft, botnet swarming, distributed denial of service attacks and even remote automated mass hacking of critical national IT systems infrastructures”, he said.

Kirk added that desktop software secure code development strategies have evolved to ensure that desktop systems software cannot normally be compromised by this type of hackery. But, he noted, smartphone code developers – owing to the relative youth of their industry – have had no similar pressures imposed on them, as smartphones have always been viewed as a less powerful computing option.

All that changes, he explained, with the evolution of rootkits for smartphones, as it means that hackers can assume control over a handset that is every bit as powerful as a computer of just a decade ago.

“As the Rutgers University scientists say, as the population of mobile devices increases, there will be an increasing interest in attacking these devices. This means there is a rising security risk from operating system-driven smartphones”, said Kirk. “With hundreds of millions of these devices in active use, and the majority of them wirelessly connected, you can see the potential scale of the problem. Code developers must wake up to this pressing security issue and adopt secure code development practices, such as regular security testing, at the earliest available opportunity”, he added.

Serious Fraud Office warns on social networking data harvesting

The Serious Fraud Office (SFO) has warned that Facebook and Twitter – two of the most popular social networking sites – are actively being used by criminals to harvest users’ personal financial details. The SFO says it has written to around 10 000 users of the sites, warning that their details are on a ‘master list’ being circulated by fraudsters.

Reports suggest that the master list includes a range of personal information including their name, address, birthday, phone number, place of business, income and relationship status.

Infosecurity notes that, whilst Facebook no longer lists all information from users on its site, criminals can still look on various other sites, such as LinkedIn and Twitter, and collate data on individuals. Newswire reports suggest that this appears to be what criminal gangs are doing, even going to the extent of setting up boiler rooms dedicated to calling users on the master list and selling them non-existent goods or services at heavily discounted prices.

The sole purpose of the calls appears to be generating extra information, such as bank or credit payment card details, as well as confirming other data such as home addresses. The criminals then sell the resulting data on to identity fraudsters.

Recently published research from CIFAS, the fraud prevention service, found that levels of identity theft rose by 32% during 2009, compared to figures published a year earlier.

Commenting on the surge in identity thefts, Peter Hurst, chief executive of CIFAS, said that anything that helps bring an understanding to all parties of the impact of fraud on our economy has to be beneficial. “It also represents a first step. By attempting to quantify fraud losses, it provides a foundation for further work towards reducing them”, he said.

The key to beating this kind of fraud – the kind that involves criminals sharing personal information amongst themselves – is to share fraud information between members of CIFAS. Members of CIFAS report nearly £1bn in savings each year from sharing fraud information, Hurst explained.

“Following the Serious Crime Act of 2007, there are no legal impediments preventing public sector organisations from participating in these data sharing arrangements and CIFAS would welcome them into membership”, he said.

“Discussions are already taking place with a number of public sector organisations and, by next year, we are hopeful that they too will be able to prevent more fraud by taking advantage of the benefits that data sharing can offer”, he added.