ENISA announced the publication of a report, "Smartphones: Information security risks, opportunities and recommendations for users", designed to give an informed assessment of the information security and privacy risks of using smartphones.
Eighty million smartphones were sold worldwide in the third quarter of 2010. The report’s objective is to allow users to take advantage of smartphones, while minimizing the information security risks. The report also makes practical recommendations on how to address these risks. The report analyzes 10 information security risks for smartphone users and seven information security opportunities.
The smartphone risks:
1) Data leakage: A stolen or lost phone with unprotected memory allows an attacker to access the data on it.
2) Improper decommissioning: The phone is disposed of or transferred to another user without removing sensitive data.
3) Unintentional data disclosure: Most apps have privacy settings, but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.
4) Phishing: An attacker collects user credentials, using fake apps or messages (text messages or email) that seem genuine.
5) Spyware: The smartphone has spyware installed, allowing an attacker to access or infer personal data. NB: spyware here includes any software that requests and abuses excessive privileges. It does not include targeted surveillance software.
6) Network spoofing attacks: An attacker deploys a rogue network access point and users connect to it. The attacker subsequently intercepts the user communication to carry out further attacks such as phishing.
7) Surveillance: Spying on a targeted individual by means of that user's smartphone.
8) Diallerware: An attacker steals money from the user by means of malware that makes hidden use of premium text messaging services or numbers.
9) Financial malware: Malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or e-commerce transactions.
10) Network congestion: Network resource overload due to smartphone use leading to network unavailability for the end-user.
The authors of the report are Dr. Giles Hogben and Dr. Marnix Dekker of ENISA. The full report can be found on ENISA’s website.