Mobile Devices

These days nearly everyone has a mobile device, right?  You pretty much can’t get along in society without a smart phone to help you check scores, message your friends, solve debates in bars and oh yeah… make phone calls.

What you may not know about your smart phone is that it, along with all of its smart phone brethren, represent one of the fastest growing “attack surfaces” for cybercriminals. It makes sense doesn’t it?  You take these devices with you wherever you go. They are exposed daily to more networks and other devices than any piece of equipment you own. Not to mention the fact that taking them wherever you go makes them more likely to be lost or stolen than most other devices. 

Mobile phones contain a great deal of personal information about you. Many apps on your phone provide access to your bank accounts or other accounts that contain sensitive information. These apps may also store credit card information that can allow criminals to buy whatever they want and ship it wherever they want. What’s more, your phone probably contains direct access to your e-mail, text messages and social media accounts that can be used to steal your identity and to trick your friends into providing their sensitive information as well.

Things like this can happen when an attacker physically gets ahold of your mobile device, sure. But did you know that there are a growing number of exploits that take advantage of your phone’s Bluetooth, Wi-Fi and cellular connections to gain virtual access to your phone? It’s true! Phones can be infected with malware just like a computer can!

So what should you do to make sure your mobile phone is secure?  The following is a list of tips we recommend.

Use a strong pin or password on your phone

This is a must. You should set a strong password on your phone to make it difficult for would-be attackers to gain access to the sensitive information and services on your phone if they get their hands on it. Many phones do not require any password by default and even if you enable password or pin protection the default length may be too short. We recommend you look into your phone’s settings, enable pin or password protection and make sure it is as long and complex as you can manage. If you ever lose it you’ll be glad you did!  Check out this page for tips on setting strong passwords.

Consider enabling fingerprint logins to your device

You add substantial security to your device by logging in to your mobile device with your finger or thumbprint. Your fingerprints are far more complex than any password that you can remember and are difficult to spoof. It will also be much more convenient for you since you can log in to your device with literally the touch of a button. Be aware that most devices will still require a backup password in case something happens to the scanner or… your finger. The good news is that you won’t have to use it often, so you can make it very long and complex and you can save it someplace safe in case you need it. Ideally, we recommend you store it in a secure password manager.

You should also be aware that there are some legal differences between passwords and fingerprints should law enforcement try to force you to give them access to your phone. In short, you cannot be compelled to give up your password, but law enforcement can require you provide your fingerprints. Your 5th Amendment rights protect what you know (your password) but they do not protect what you are (your fingerprint).  

Disable Wi-Fi and/or Bluetooth when you don’t need them

Did you know that when you are not using your Wi-Fi connection or your Bluetooth connection your phone is still broadcasting information and even attempting to make connections with other devices over those interfaces?  Criminals can use this information to track where you are or to gain access to your device. That’s right, while you’re walking around the mall, an attacker can use these connections to steal information about you, implant malware on your device, run up a bill using your services or even let burglars know you are out of the house. Fortunately, most mobile devices make it easy to disable these wireless services and stop the unnecessary broadcasting. So when you don’t need them, we recommend turning them off. The same can be true of your cellular connection. You phone is most secure when it is in airplane mode. So if you don’t need to be reachable for a stretch of time, like when you’re in a movie, maybe just “go all-in” with airplane mode.

Be careful what apps you download and what services you allow them to access

Apps are almost exclusively developed by third parties. This means that you can’t necessarily trust that an App is legitimate just because it comes from the Apple store or Google Play store. Those companies try to do as much screening as possible, but there are still apps out there that include malware; if you download the wrong app you are essentially inviting an attacker onto your device. So do some research and make sure that the apps you download are trustworthy. We recommend that you avoid downloading apps that do not come from your device’s official store unless you know what you’re getting. It’s also very important that you delete apps you no longer need and disable any app services that you do not need for the apps you do have installed.

A service is an application that provides data storage/manipulation, communication, etc.

Examples include:

  • Email services
  • Bluetooth (as a communication service)
  • File sharing services
  • Printing
  • Instant messaging
  • Voice over internet protocol (VOIP)
  • Wi-Fi
  • Location-based services (GPS, GLONASS, etc.)

Having unused services running introduces risks:

  • A service can have known vulnerabilities that can be exploited to run malicious code on your device.
  • An unused service can be collecting information from you without the your knowledge or permission.
  • Unused services can sap resources from a device. Have you ever had your device perform slower than usual? One cause of this could be from extra unused services that are using up your system’s resources.

One good example of an unused (and unwanted) service involves Windows 10. Windows 10 has a feature that collects data based on your browsing and use habits. Using these data points, Microsoft can deliver targeted advertising in hopes of leveraging this data to get you to buy something. You may not want to be tracked this way, even if the information is supposedly de-identified. This particular service also uses a bit of system resources (such as battery, memory, and processing power) that may slow down a system. To turn off this particular service, go to Settings > Privacy. 

Be vigilant in stopping unused services from running on your device. Generally, it is a good idea to turn off Wi-Fi and Bluetooth if you aren’t using them. Opening up and monitoring services on the Task Manager (Windows) or Activity Monitor (Mac) can give you an idea of the services currently running on your devices.

However, it is equally important to understand which services are necessary for the normal operation of the device. Therefore, if you are unsure of what services are necessary for the normal operation of the device, please consult your local IT technician or the BuckeyeBar.

Disable location services when you don't need them

Location-based services, such as GPS, are present in most cellphones. Other devices, such as tablets, laptops and even desktop computers, may also have location-based services. They provide a way for applications to calculate where a device is. Some location services use GPS, others use different means such as Wi-Fi access point mapping.

Have you ever entered into a retail store and received notifications on your phone that contain coupons or links to the current deals? Retailers constantly use location data to create targeted advertising campaigns. This may be with or without your express consent.  There are a few other reasons to turn off location-based services if you aren’t using them:

  1. The unused service will drain the battery and may use cellular data.
  2. The unused service may introduce a security risk due to a vulnerability, leading to unexpected exposure of your information.
  3. Other apps on the device may be using location-based services to spy on you. This data will be sold and used for all sorts of purposes, including targeted marketing and advertising campaigns. You have no control over who has access to this data.

If retailers can get access to your data, think about who else can access itAn example of what retailers collect and what they do with data; from the Interactive Advertising Bureau,

For example, instead of only using internet browsing behavior to identify and prospect against “auto intenders,” advertisers can now opt to identify these people based on how frequently they’re visiting show-rooms or auto-shows. Another concept along this same theme is “lapsed visits.” For instance, if a regular consumer hasn’t visited a store for a certain amount of time, this would send a signal to the advertiser that it is time to re-engage with that consumer.

Interactive Advertising Bureau

This is literally from the playbook of advertising companies. Think about who else can be using this playbook, and whether they have your best interest in mind. Do you really want people to access where you are at all times?

Unless you are actively using GPS or you desire targeted advertising, turn off GPS and other location-based services. Remember to also check permissions to ensure apps are not accessing your location information without your knowledge or consent. 

Be careful about where you plug in your phone

The plug you use to charge your mobile device could provide more than just power. It could also be a high speed data link, which means that anything can be transmitted over that line. This includes personal data that could be removed from your device or malware that could be installed on your device. This data can be exchanged in an instant without your knowledge or permission.

You should only plug your devices in to physical connections you trust. We recommend that you steer clear of plugging directly into any USB socket you find in a public place like an airport or rental car. There is no way to tell if tampering has occurred within those outlets. If you need to charge your mobile device in public, plug it into the USB port of your trusted laptop device or use the adaptor that came with your cable and plug directly into an electrical outlet. In most cases, those adapters will not allow data to be transmitted to your device, only power.

Employ remote wiping software

Most mobile devices have a built in service that you can enable that will allow you to erase all of the data on your phone from a remote location. Why, would I want to do that, you ask?  Well, it’s a last ditch effort to protect your personal data and accounts if you have lost your phone and think you will never get it back.

When you activate a wiping service, all the data, apps, call records, texts, etc. on the phone will be completely erased the second the phone connects to a cellular tower or internet connection. Ideally this will happen before the thief who stole your phone cracks your password (this is also why you should make sure your password is a good one)!  

Backup your phone often

This is a very important security step, especially if you may use a remote wiping service. Backups will allow you to easily recover your data if it is lost or if your mobile device is stricken with ransomware, which is all the rage in the cybercriminal world right now.

Fortunately, most mobile devices will constantly backup your data to a local computer, or “the cloud” (if you enable cloud services and also pay for a sufficient amount of storage space). These are both really convenient and effective options that usually don’t cost much. Check with the manufacturer to look up how to do that for each of your devices if you’re interested.

Consider employing a Mobile Device Management (MDM) solution

MDM solutions can offer encryption for your whole mobile device or for some subset of your apps or data. By using this kind of encryption, you are making it much more difficult for an attacker to extract meaningful information from your devices. MDM solutions are usually third party solutions so you’ll have to do some research to figure out which one is right for you.

Consider using Windows 10 - Fall Creators Update Or Later

Windows 10 has placed a strong emphasis on security improvements. Some of these features such as Windows Defender and Exploit Guard are on by default. A few of the included security features are:

Windows Defender – Antivirus that leverages traditional signature based AV, machine learning detection engine and Cloud based lookups to find malicious programs.

Windows Defender Exploit Guard – This functions similar to a Microsoft tool called EMET that is used to protect select applications from attacks / exploits.

Controlled Folder Access – This limits the ability for unknown applications to make changes to data in user folders like My Documents. This can help prevent a ransomware infection from encrypting sensitive documents or pictures.

For Enterprise users of Windows additional features are also available:

Windows Defender Application Control – This feature provides application whitelisting (only run application on an approved list) controls such similar to Software Restriction Policies / AppLocker.

Windows Defender Application Guard – This enables a new tab in the Edge Browser that isolates Edge from the rest of the system providing a safer web browsing experience.

Windows Defender Credential Guard – This features provides protections for domain credentials being pulled out of memory.

Bitlocker -  This allows the hard drive to be encrypted so that a malicious user could not access the data on a rebooted machine.

Some Additional Information can be found here:

https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10

https://support.microsoft.com/en-us/help/17187/windows-10-protect-your-pc

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard