On October 29, 2015, Robert J. Shields, Special Agent in Charge of the Milwaukee Division of the Federal Bureau of Investigation (FBI) hosted a special presentation during National Cyber Security Awareness Month. Special agents from the Milwaukee Division gave a presentation that focused on mobile phone cyber threats. The presenters discussed the rising security threat to mobile devices and offered suggestions (included below) on how to safeguard smartphones connected to the Internet in an effort to prevent cyber attacks.
Media was allowed to view a display of the equipment used by agents and analysts during cyber crime investigations.
Although mobile phones are taking on more capabilities formerly available only on PCs, technical security solutions for mobile phones are not as sophisticated or widespread as those for PCs. This means that the bulk of mobile phone security relies on the user making intelligent, cautious choices. Even the most careful users can still fall victim to attacks on their mobile phones. However, following best practices regarding mobile phone security can reduce the likelihood or consequences of an attack.
- When choosing a mobile phone, consider its security features. Ask the service provider if the device offers file encryption, the ability for the provider to find and wipe the device remotely, the ability to delete known malicious apps remotely, and authentication features such as device access passwords.
- Configure the device to be more secure. Many smartphones have a password feature that locks the device until the correct PIN or password is entered. Enable this feature, and choose a reasonably complex password. Enable encryption, remote wipe capabilities, and antivirus software if available.
- Configure web accounts to use secure connections. Accounts for certain websites can be configured to use secure, encrypted connections (look for “HTTPS” or “SSL” in account options pages). Enabling this feature deters attackers from eavesdropping on web sessions. Many popular mail and social networking sites include this option.
- Do not follow links sent in suspicious e-mail or text messages. Such links may lead to malicious websites.
- Limit exposure of your mobile phone number. Think carefully before posting your mobile phone number to a public website. Attackers can use software to collect mobile phone numbers from the web and then use those numbers to target attacks.
- Carefully consider what information you want stored on the device. Remember that with enough time, sophistication, and access to the device, any attacker could obtain your stored information.
- Be choosy when selecting and installing apps. Do a little research on apps before installing them. Check what permissions the app requires. If the permissions seem beyond what the app should require, do not install the app; it could be a Trojan horse, carrying malicious code in an attractive package.
- Be sure to download apps through the official app store, stay clear of discontinued apps and make sure to read the user reviews.
- Maintain physical control of the device, especially in public or semi-public places. The portability of mobile phones makes them easy to lose or steal.
- Disable interfaces that are not currently in use, such as Bluetooth, infrared, or Wi-Fi. Attackers can exploit vulnerabilities in software that use these interfaces.
- Set Bluetooth—enabled devices to non-discoverable. When in discoverable mode, your Bluetooth-enabled devices are visible to other nearby devices, which may alert an attacker or infected device to target you. When in non-discoverable mode, your Bluetooth—enabled devices are invisible to other unauthenticated devices
- Avoid joining unknown Wi-Fi networks and using public Wi-Fi hotspots. Attackers can create phony Wi-Fi hotspots designed to attack mobile phones and may patrol public Wi-Fi networks for unsecured devices. Also, enable encryption on your home Wi-Fi network.
- Delete all information stored in a device prior to discarding it. Check the website of the device’s manufacturer for information about securely deleting data. Your mobile phone provider may also have useful information on securely wiping your device
- Be careful when using social networking applications. These apps may reveal more personal information than intended, and to unintended parties. Be especially careful when using services that track your location.
- Do not “root” or “jailbreak” the device. Third-party device firmware, which is sometimes used to get access to device features that are locked by default, can contain malicious code or unintentional security vulnerabilities. Altering the firmware could also prevent the device from receiving future operating system updates, which often contain valuable security updates and other feature upgrades.
- Report the loss to your organization and/or mobile service provider. If your phone or PDA was issued by an organization or is used to access private data, notify your organization of the loss immediately. If your personal phone or PDA was lost, contact your mobile phone service provider as soon as possible to deter malicious use of your device and minimize fraudulent charges.
- Report the loss or theft to local authorities. Depending on the situation, it may be appropriate to notify relevant staff and/or local police.
- Change account credentials. If you used your phone or PDA to access any remote resources, such as corporate networks or social networking sites revoke all credentials that were stored on the lost device. This may involve contacting your IT department to revoke issued certificates or logging into websites to change your password.
- Change your passwords on your social media accounts. If you set your cell phone of PDA to auto log in, your password is then stored in the device. If you feel the device has been compromised, do not use the device to change your password. Log in from a secure, trusted computer system, such as your personal computer, to change your password. Do not change your password from an un-trusted computer system, such as a public computer used by unknown persons.
- If necessary, wipe the phone. Some mobile service providers offer remote wiping, which allows you or your provider to remotely delete all data on the phone
- If you have reason to believe your device is infected but AV apps are not finding anything, your last course of action is a factory wipe of all your data.
- You may back up your personal media files, such as pictures or videos to a trusted computer system. This will remove any and everything local that might be executable.
- You may back up all your pictures (and music and videos) to your Google account or Apple account. Google and Apple are great places to store your backup, however, it may come with a cost.
- Take the SD card out of your phone if it has one and wipe and repartition it using the built-in software for disk management. It is best not to save anything on the card. Malware can hide itself on the media.
- To conduct a factory reset:
- On your Android, go into the Settings and look for the backup and reset options. You want to perform a full factory reset of all your data, including any local storage space.
- On your iPhone, go into General—Reset—Erase all Content and Settings
- Let it do it’s thing, and when you set it back up, be sure to not restore any backed up data from your Goggle or Apple account. The data backed up may contain the malware.
- You still want to change passwords to your e-mail account and contact your credit card companies.
You also want to take a close look at the way you do things to try and prevent this from happening again. Before restoring any files, use the device for a short period. If certain apps are needed, download them from the approved vendor site, such as Apple or Google.
Public Affairs Specialist Leonard C. Peace
This content has been reproduced from its original source.