Security
From TTC: Mobile Advocacy Toolkit Working Meeting wiki
Introduction
The small size, relatively low cost and constant mobility of mobile phones make them invaluable for advocacy work but also make them more likely to be stolen, temporarily misplaced, lost or confiscated.
The use of mobile devices creates new security risks which NGOs and advocates must recognise in order to protect themselves, their organisations and the people they work with. This section of the toolkit will show you how to minimise these risks.
Mobile phones, unlike some other technological devices, can be used to locate you and your companions in a particular place because your mobile is a tracking device when it is switched on. This information is kept by the provider and can be accessed in real time or after the fact. If your work is unpopular with the authorities this can make you very vulnerable - but one benefit of this is that your phone may provide an alibi to show that you were not elsewhere.
Mobile phones carry a vast amount of data; not just your contacts but also logs of calls made and received and SMS messages sent and received - see below for more information on the records carried on your phone.
As an organisation providing services you should also be aware of your responsibilities to users of these services. If you are storing people's contact information you should find out what obligations you have under your country's data protection laws to store these details safely and to delete information when requested. You should also be aware that your mobile phone service provider or your bulk SMS service provider may turn over data to the authorities if requested. Activists in New York running a text alert service on a demonstration were recently the subject of legal action to force them to hand over records revealing the content of messages exchanged and identifying people who sent and received messages. Service providers may also refuse to transmit messages in support of controversial campaigns, as in the case of the operator Verizon, which refused to carry pro-choice messages on behalf of a group in America.
General security advice
- When using your phone, remain aware of your surroundings and do not use it in crowded areas or where you feel unsafe.
- The 15-digit serial or IMEI number helps to identify your phone. You can find out a phone's IMEI number by keying *#06# into most phones or by looking behind the phone's battery. Make a note of your phone's IMEI number and keep it separate from your phone, as this number could help the police to trace ownership quickly if it is stolen.
- If you get your mobile phone back after it has been lost, stolen or confiscated be careful to ensure that monitoring software has not been installed on the phone since you last had it in your possession.
- Always use your phone's security lock codes or PIN numbers and do not reveal the numbers to anyone.
- If you are concerned about being monitored or your work is very sensitive, buy an anonymous SIM card such as a pay-as-you-go card, using cash, if possible. Consider changing your number regularly.
- If you are concerned about security, make it routine to delete the information on your phone. Check the settings on the phone to see if it can be set so that it does not store call logs and outgoing SMS.
- If you do not want your movements to be traceable consider turning the phone off at certain times. From time to time, leave the phone in one place while establishing your presence elsewhere, so that activity on the phone cannot necessarily be linked to you.
- If you're not concerned about the sensitivity of your communications and activities, you could consider registering your phone with the operator: if you then report your phone stolen, the operator should be able to stop further use of your phone.
- Disable Wi-Fi and Bluetooth when you're outdoors. These functions are easy to exploit for sending malicious code or viruses. It's also possible that sensitive information could be intercepted by a sniffer when these functions are enabled. The safest place to use these functions is at home or in trusted locations.
- Watch for unauthorized GPRS connections. If you find your phone is auto-connected to GPRS (General Packet Radio Service), then your mobile might be infected with a virus that is sending your data to other parties. If you discover this problem, disconnect the device immediately and install anti-virus software to remove the malware.
- It's a good practice to make frequent backups of data stored on mobile devices including your address book.
- You can use three different methods to back up your data to your computer:
  - Infrared connection
  - Bluetooth connection
  - Cable provided with your phone
- Once the connection with your computer is established you can back up the data using either software provided with your phone or a free/open source backup application downloaded from the internet. You can also use a SIM card reader, which copies the information from your SIM card to a separate device.
- If you're not working on sensitive activities and you don't mind being traced by your phone if you lose or misplace it, you could consider security-marking the battery (and phone) with your postcode and street number or the first two letters of your house name.
Records on the phone
There are a number of records that are kept on a mobile phone by default:
- Call logs – calls made and received: number called, date, time and duration of the call.
- SMS - text messages sent and received
- Photos – album of pictures you have taken
- Calendars, to-do lists and other notes
- Contact information and other stored data
'Remote wiping' software is available which will allow you to remove all the data from your phone if it is lost - this is currently only available in the corporate environment but may spread to the not-for-profit sector.
Call Logs: Depending on the model of phone, it is possible to turn off the automatic logging of calls. Don’t forget that Caller ID means that when you call someone from a mobile phone, the person you are calling can see your phone number, and that this information is stored on their phone even if the call is not answered.
SMS: text messages sent and received are stored in the phone by default. Deleting messages manually is a simple security measure, but if the authorities are taking investigations very seriously these records may be obtained from the mobile operator.
Photos: Using your camera phone at an event? It is a good idea to upload photos straight to a remote server from the phone and then delete them. Be aware that photos taken on mobile phones contain data recording the time and location in which the photo was taken. This data can be removed.
Contacts and other stored data: All contact information stored on a mobile phone is available should the phone be confiscated, lost, temporarily mislaid or stolen. Consider what data you need to store on your phone, especially when you work in dangerous or oppressive situations.
Location-Based Surveillance
A phone that is switched on can be located. The knowledge that you (or at least your phone) were in a particular place can be either positive or negative depending on the circumstances.
For a mobile phone to be able to communicate with the network, the server keeps track of which transmission mast your phone is connected to. A phone cell is made up of several masts and the information they transmit is used by operators to determine the approximate location (within an area of a few city blocks) of the actual phone. This is occurring all the time your phone is turned on whether it is used to make calls or not.
Monitoring/surveillance of communications
To undertake surveillance of phone conversations and SMS text messages, governments have to work with the mobile operators and service providers, which is not the case for the internet where your data can more easily be accessed and intercepted.
As an example of the political environment in one part of the world, a European agreement in December 2005 requires that commercial traffic logs of all phone calls, text messages, emails and instances of internet use be stored by telecoms companies for a minimum of six months and up to two years. Even details of calls that are connected but go unanswered will be archived. Software used includes so-called SMS Content Surveillance. Content filter software installed at the message routing point in the network (SMS-C), for example, can filter for specific words and alert the authorities.
Other surveillance agreements might be in operation between your government and the telecoms operators in your country, so if you are working in a sensitive area be sure you understand as much as possible about surveillance agreements in that area.
Mobile phone conversations are not encrypted and it is currently expensive to encrypt calls - however these tools are expected to become cheaper over the next few years. Conversations between Skype and mobile phones are also not encrypted.
Phone as Radio Microphone
Software can be installed remotely without your knowledge and then the phone used as a microphone/bugging device. A commercial version that can listen to conversations in the region of the phone is also available for purchase although it does not include remote installation. Anyone who had access to your phone could install such software.
Without installing any software a phone can also be set to work as a microphone by setting automatic call pickup and disabling a ring tone - by this means someone can call a remote phone and listen in to whatever is going on in its vicinity.
Pre-Paid Or Account
If the account you have with a phone company is a monthly account, a record of all calls made and received with the operator is kept and can be accessed long afterwards. Records held include billing, which services were used, where you were when making or receiving calls, numbers called and the numbers from which you received calls.
It is possible in some countries to obtain a pre-paid SIM card without providing any personal information but this is becoming increasingly difficult. For added security, it may be advisable to pay with cash and choose an outlet not covered by CCTV.
Using a credit card to pay for your mobile phone will also create a data trail to you, which you may want to avoid.
SMS security
SMS communications are inappropriate for confidential transactions because they can be accessed by anybody who gets hold of the phone. If you are worried about security you may want to consider using software such as CryptoSMS or SMS007, commercial SMS encryption tools that can be installed on your phone. Unfortunately CryptoSMS seems to work only on new 3G phones and is challenging to use, so you should not install it unless you have very serious security concerns.
Connections between phone and your computer
There are particular security risks associated with connecting your phone to your computer in order to transfer information.
Infrared security
Infrared provides a secure and simple way to transfer and synchronise data between your phone and your computer. In order for infrared communication to work properly, infrared devices must operate on a line-of-sight basis. They must be placed at a 30-degree angle from each other and no farther than 1 metre (approximately 40 inches) apart. Because infrared operates over such a short distance and at a narrow angle, it is relatively difficult for an attacker to intercept data that is sent over infrared.
However, infrared does not provide data encryption, so take the following precautions to ensure that data sent over infrared is not intercepted:
- Do not enable infrared image transfer.
- Infrared image transfer is disabled by default (that is, the option to use Wireless Link to transfer images from your device to your computer is disabled). If you enable this option, all of the incoming files that are sent over infrared image transfer are automatically accepted. Because incoming files might contain harmful programs, ensure that the files originate from a trustworthy source. Do not open files if you cannot verify the source, do not recognise the file format or are unsure of the content. Instead, delete the files immediately.
- Align infrared devices so that they are between 0.1 metre (approximately 4 inches) and 0.5 metre (approximately 20 inches) apart when you establish an infrared link between two devices. Although the transfer can take place at a distance of up to 1 metre, placing the devices closer together minimises the risk of interference from an outside infrared device.
- Ensure that all infrared devices and data sources are trustworthy.
- Finally, if you are transferring data via infrared to another person, conduct the transfer in a private location whenever possible.
Bluetooth security
Bluetooth provides a way to connect and exchange information between devices such as mobile phones, PCs, printers, digital cameras and video game consoles.
Bluetooth lets these devices communicate with each other whenever they are in range. The devices use a radio communications system, so they do not have to be in line of sight of each other and can even be in separate rooms, as long as the transmission is powerful enough.
A common task that involves Bluetooth security for most users is the "pairing" of devices. By default, Bluetooth communication does not require the two devices to exchange security information or 'authenticate' and thus almost any device can freely connect to another. However, to access a particular service such as a dial-up account, a voice gateway, or to do a file transfer, some sort of authentication is usually required.
The process of authentication is usually done during the pairing process by entering identical PIN codes (passkeys) on both devices. Once users have entered their correct PIN codes, both devices will generate a link key, which can be stored in the device's memory and will allow it to skip the authentication and authorisation process when it attempts to communicate with the other paired device in the future.
Unfortunately for Bluetooth users, the process of authentication and authorisation to access services is not always correctly implemented by manufacturers. Such weaknesses have already affected several Sony Ericsson and Nokia mobile phones, allowing malicious hackers to steal phone books, photos and calendar information, or to make phone calls or send SMS using other people's mobile phones. This is because authorisation is not required for two important services on these phones.
'Smartphone' security
Smartphones are mobile phones with more capabilities than a typical mobile phone, often functioning like a PC.
Smartphone users can download a number of productivity programmes, connectivity programmes, games and utilities, including freeware and shareware programmes from untrusted sources. The programmes can be easily installed without network administrators being notified. These programmes may contain Trojan horses or other malware that can affect the user's hand-held device.
There are few security tools available for many of these devices. In some cases users are unable to track security attacks on these phones.
There are several new operating systems and applications running on these devices that have not been thoroughly tested by the market to expose any potential vulnerabilities.
Hand-held devices have a number of communication ports from which they can send and receive data, but they have limited capabilities for authenticating the devices with which they exchange data.
Windows Mobile and Win32 (PC based) software is developed in similar ways, so it's easy for authors of Win32 malware to convert their malware for use against mobile devices.
Malware is malicious software, developed for the purpose of harming computers; examples include computer viruses, worms, trojans, and spyware.
How to Prevent Mobile Malware Attacks
The best way to protect your mobile device is to keep malware off your phone in the first place. Use the same precautions for your smart phone as you would for your Windows laptop or desktop computer.
Look at the Tactical Tech Security NGO in a box site for more information on this issue and some suggested tools for your laptop or desktop computer.
Install mobile anti-virus software
The majority of large security software vendors now have a mobile version of their anti-virus solutions. If you have a smart phone you should give it the same protection you give your desktop system.
Additional Resources on Security Issues
- Security for Activists: A Practical Security Handbook for Activists and Campaigns.
- A Guide to Mobile Phones: A short guide to using mobile phones safely and securely for activists.
- A Brief Introduction to Secure SMS Messaging in MIDP: Nokia developer guide
- ChameleonSMS: Encrypted SMS (commercial with free trial)
- MultiTasker: Encrypted SMS (commercial with free trial)
- SecureAge: Encrypted SMS (commercial with free trial)
- SMS 007: Encrypted SMS (commercial with free trial)
Additional material on Bluetooth vulnerabilities
http://www.thebunker.net/resources/bluetooth
Information about EXIF data
Some information on the hidden data embedded in camera phone pictures: http://www.exif.org/
Mobile Phone Spying
Phones used as spying devices - http://www.mysecured.com/?p=127
Mobile forensics information
SIM Card Forensic Analysis is worth thinking about in terms of how much data is hidden on your phone; from http://www.mobile-phone-analysis.com/. This can give us:
- The phone number (MSISDN), this is dependent on the set up of the handset, and can be altered by the user.
- The network provider
- The last cell site connected to (LOCI).
- Any stored phonebook entries (Abbreviated Dialling Numbers (ADN)), if the SIM is set to store this information.
- Last Dialled Numbers, if the SIM stores this information.
- Text messages (including deleted messages), if the SIM is set to be used as a store.
- IMSI (International Mobile Subscriber Identity): A unique number that is allocated to each SIM
Mobile Phone Handset Forensic Analysis
This can give us:
- The software version of the phone (similar to the operating system).
- The IMEI (International Mobile Equipment Identity) - This is set during manufacture and is a unique string of 15 digits. This can be found on the back of the phone within the battery compartment, and also by typing *#06#. These should match; if they don't then someone has been tampering with the phone.
- Phonebook
- Speed dial numbers
- Phone settings and profiles
- Pictures
- Audio recordings
- Videos
- Call logs
- Java applications
- Calendar/Organiser
- WAP settings
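The advice to note your IMEI separately, and the forensic check above that the number printed in the battery compartment should match the one shown by *#06#, can be made less error-prone by first validating each reading. As an added example (not part of the original toolkit), this Python code uses the fact that the 15th IMEI digit is a Luhn check digit to tell a mistyped reading apart from a genuine mismatch; the function names and sample numbers are constructed for illustration.

```python
import re


def normalise(reading: str) -> str:
    """Drop the spaces, dashes and slashes that labels and screens add."""
    digits = re.sub(r"[\s/.-]", "", reading)
    if not re.fullmatch(r"\d{15}", digits):
        raise ValueError(f"expected 15 digits, got {reading!r}")
    return digits


def luhn_ok(imei: str) -> bool:
    """True if the final digit is the correct Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def compare_readings(label: str, dialled: str) -> str:
    """Compare the battery-compartment label with the *#06# display.

    Returns "re-read" when either reading is not a well-formed IMEI (most
    likely a copying error), "match" when both agree, and "mismatch" when
    two valid but different IMEIs are reported, which is the case the
    text treats as a sign of tampering.
    """
    try:
        a, b = normalise(label), normalise(dialled)
    except ValueError:
        return "re-read"
    if not (luhn_ok(a) and luhn_ok(b)):
        return "re-read"
    return "match" if a == b else "mismatch"


if __name__ == "__main__":
    # Constructed sample readings, not taken from any real handset.
    print(compare_readings("49-015420-323751-8", "490154203237518"))  # same IMEI
    print(compare_readings("490154203237518", "490154203237519"))     # typo
    print(compare_readings("490154203237518", "490154203237617"))     # differs
```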
Undelete SMS
Software that is available online for retrieving text messages from a SIM card. http://vidstrom.net/stools/undeletesms/
Cellphone investigation toolkit
Creating a Cell Phone Investigation Toolkit: Basic Hardware and Software Specifications (PDF, 358 KB): http://www.search.org/files/pdf/CellphoneInvestToolkit-0807.pdf
With thanks to Mike Grenville from 160characters.org for permission to reuse excerpts from his 'Security Guide for Mobile Activists'.
