Friday, December 11, 2009

Security Review: Cellphones (in general)

I think it's safe to say that cellphones have become a rather common part of our daily life, and that nowadays, getting a cellphone is sort of like a rite of passage; it is not uncommon to see the average fifth grader walking around with a small, compact, and handy cellphone today (whereas when I was in fifth grade, a cellphone was still that bulky thing with a long antenna that your parents carried with them). I hardly ever walk out the door without my phone with me, and if I happen to forget it, I feel a little out of the loop and disconnected from everyone else, as it has become a primary mode of communication for me. Granted, I only really use it for text messaging and making phone calls, but these little actions have become very routine in my life, as I'm sure they have for most people as well.

Another feature of cellphones is that they become highly personalized, and not just another item to the user: we choose our wallpapers, customize ringtones for our friends, use nicknames for our contacts. Though these little customizations make our user experience more enjoyable and more convenient, they also present some inherent security flaws. For example, if you happened to lose your phone, or worse, if it was stolen, what's to say that someone would not try to exploit this vulnerability? A lot of cellphones nowadays (from as basic as my Samsung phone to as powerful as a Blackberry or iPhone) have some security features in an attempt to keep access restricted to only the user, such as PIN numbers or passwords. However, I know that there are also several people who don't use these password features, probably mostly for convenience. So what risks are there to these users?

With regards to security goals, I think that cellphone users intend to be the only ones using their cellphones. As I pointed out, cellphones generally do include certain security features such as PIN numbers and passwords that can be changed and customized as the user wants. Users would use this security feature in order to maintain a level of confidentiality: users want to keep their voicemails private, and may not want others to be looking through their text message inboxes without their consent. The media, and even our own circles of friends, give us instances where some unfriendly spats result from a friend looking through another friend's cellphone messages, whether it was done out of curiosity or malice. Users may also want cellphone security features in order to keep the integrity of information that they receive through it, too. If someone accessed your cellphone without your knowledge, they could pose as you and contact your friends and family for certain information, or they could change certain features within your cellphone, making it less usable (changing names of contacts, etc.). With regards to accessibility, users use cellphone security features in order to make sure that the right people (the user, and those to whom the user gives permission) are able to use the cellphone and access the information inside of it.

If I were an attacker trying to exploit this technology, there are several goals that I could have. With regards to disclosure, I could easily look through a cellphone's messages, and then spread around any personal information that I may find from that search, or use it to my advantage. I could go through the cellphone and change the names/phone numbers of contacts, or maybe delete certain text messages or voicemails that the user may find to be important, which would be a goal involving alteration. I could also just change the password of the phone and just make it unusable for the user, which in turn would just present additional frustrations to the victim.

I think that if users don't use the cellphone security features (i.e. PIN numbers and passwords), they do put themselves at great risk of being exploited by attackers. Having your cellphone stolen is another vulnerability that users face with cellphones; since they are rather small and compact, there is not really a great deal of effort involved in picking up a phone that may be left unattended on a desk or table. However, there is also another aspect of cellphones that I think goes unnoticed as a vulnerability. As I mentioned before, we tend to customize our cellphones in order to make them more convenient for us to use. For example, instead of wanting to write out proper names of our contacts (First name, Last name, etc.), we may want to use nicknames, like "Mom", "Dad", and the like. That takes a lot less writing, and we know exactly who we are referring to by using those nicknames. Unfortunately, attackers may also try to take advantage of this convenience. My roommate recently got an email from her dad that described a woman's phone being stolen, and then the attacker text messaged her husband asking for some sensitive information (like Social Security Numbers). The woman's husband responded quickly with the information, which thus resulted in the theft of the woman's identity. How did the attacker know which contact number belonged to the woman's husband? Well, he was listed under "Hubby", short for "Husband". In this scenario, not only was the cellphone not protected with any password, but she also listed her contacts based on her relationship with the individuals, which made it easier for the attacker to steal her information.

I think that as cellphone users, we generally take for granted that we think it's not very likely that our phones will be lost/stolen, or that people that we are around won't try to sift through our message inboxes looking for information. Therefore, we don't feel a great need to protect ourselves as well as we should. Not until something bad happens, anyways.

Just because there are inherent risks, however, this does not mean that users will stop using this technology, as it does provide a great deal of usefulness and convenience to our daily lives. I think that there are a variety of approaches that a user can take with regards to using cellphones and dealing with the risks. First, as I did just mention, though there are risks to having a cellphone, I highly doubt that people will forgo using them altogether, because the benefits of a cellphone (in my opinion) tend to outweigh the disadvantages. As a result, a user inevitably has to accept certain risks that come with owning a cellphone. For example, because cellphones are so compact, they are rather easy to steal at any time, whether the theft is as easy as just swiping the cell off of a desktop, or pickpocketing off of an unsuspecting individual. However, users can also try to mitigate the amount of damage that could arise from an attacker trying to use the cellphone without permission. A user can make their cellphone password protected, and while this is not completely fool-proof, it may be somewhat effective in dissuading an attacker from trying to "break in". A user could also make sure to not list their phone contacts according to the nature of their relationships. For instance, list people by their full names, as opposed to nicknames such as Mom, Dad, Hubby, etc. Names that suggest personal relationships could present opportunities for someone trying to steal information about you. Also, I would recommend not texting or leaving voicemails containing sensitive information such as Social Security numbers, passwords, or credit card numbers. It is a simple task to listen to a few messages, or look through a text message inbox, though the results of having such information in the hands of the wrong people are very damaging.

2 comments:

  1. Cellphone usage is not inherently difficult to steal information from. I recently read about the Barackberry, the Blackberry that has pretty much been supercharged to protect the president's communications. One security cellphone company reported that from their understanding of the security, it would still be possible to hack. If the President's phone is not secure, what hope do we have?

  2. This is a very interesting post. I definitely agree about the dangers that are arising due to people's vulnerabilities towards their cell phones. Everything from their friends' and family's addresses, phone numbers, work numbers, email addresses and even photos is compiled into the new world of data phones. The information now being compiled in cell phones has made the threat of losing your phone reach all new highs.
