Give me your mobile and I’ll tell you who you are!

Pierluigi Paganini March 12, 2012


No doubt the true revolution in the information technology world over the last two years has been the development and deployment of mobile systems. I speak of mobile systems and avoid simply calling them “devices” because their processing capacity now equals that of a common desktop. Unfortunately the growth of the sector has not been matched by the implementation of appropriate security mechanisms to protect these systems, and, more importantly, users lack awareness of the need to defend such a valuable system.

Why do we believe mobile systems are so precious? They are somehow an extension of our person: they follow us everywhere, track our position, know our contacts (email addresses, phone numbers), manage our appointments, and when we surf the web through these devices we indirectly provide information about our habits and customs.
Give me your mobile and I’ll tell you who you are!

Cyber criminals and government agencies are aware of the importance of the information that can be gained from our mobile and are therefore showing a high interest in the field. Regarding cybercrime, we have observed an exponential growth of malware designed to attack mobile systems and steal sensitive information useful for committing fraud; the banking sector has been hit particularly hard. Regarding governments, the high interest is linked to the ability to exercise remote control over any user, spy on them and trace a useful profile of the victim.

Among the risk factors of most concern is also the growing use of jailbreak procedures to enable features not available in the officially distributed version. These procedures replace the original operating system with one that intercepts all calls to the underlying hardware, a privileged path for anyone who wishes to install spyware, rootkits or other malware. They open the way to new potential cyber threats: the user is convinced of having a higher-performance system while in fact running an operating environment of which they know nothing. Often these procedures also allow downloads from parallel app stores where applications undergo no certification. It is child’s play to spread, in this way, applications that can steal all sorts of information from the user.

In both cases, the methods used are favored by the absence of suitable security systems. Mobile platforms could also provide a further option in the hands of aggressive hacktivist groups, which could benefit from the many dark areas in the sector to conduct new and dangerous operations. Today an FBI conference call has been intercepted; tomorrow the full profiles of “politically” inconvenient people could be published.

In recent days “The Sunday Times” reported that some widely used applications for mobile devices transfer data to servers leased in countries known as major actors in the security field, such as Israel and China.
The discovery was made using dedicated software that analyzed the outbound traffic of mobile systems, with interesting results.
Of the roughly 70 apps analyzed, “twenty-one transmitted the phone number, six sent out email addresses, six shared the exact co-ordinates of the phone and more than half passed on the handset’s ID number.”
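The kind of audit the survey describes can be reproduced on a traffic capture. The following example, added here and not part of the original article or of the Sunday Times analysis, takes constructed request-body records (app, destination host, destination country from a GeoIP lookup, URL-encoded body), flags which of the four identifier classes each app transmits, and counts how many apps send identifiers to non-EU destinations; the parameter names and the sample records are assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample of outbound HTTP request bodies as a traffic analyser would log them:
# (app, destination host, destination country from a GeoIP lookup, URL-encoded body).
SAMPLE_REQUESTS = [
    ("weather_app", "stats.analytics.example", "CN",
     "udid=0123456789abcdef0123456789abcdef01234567&lat=41.9028&lon=12.4964&v=2"),
    ("chat_app", "sync.messenger.example", "IL",
     "phone=%2B39330123456&email=user%40example.org&udid=0123456789abcdef0123456789abcdef01234567"),
    ("game_app", "api.game.example", "DE",
     "udid=0123456789abcdef0123456789abcdef01234567&score=12"),
    ("notes_app", "cdn.notes.example", "FR", "session=abc123&page=3"),
]

# EU-27 as of the article's date (2012); transfers to any other country fall under Article 25.
EU_MEMBERS = {"AT", "BE", "BG", "CY", "CZ", "DE", "DK", "EE", "ES", "FI", "FR", "GR", "HU",
              "IE", "IT", "LT", "LU", "LV", "MT", "NL", "PL", "PT", "RO", "SE", "SI", "SK"}

# Parameter names under which the survey's four identifier classes travel in the constructed
# sample. These names are assumptions; real apps vary them, so extend the sets per capture.
IDENTIFIER_KEYS = {
    "phone_number": {"phone", "msisdn"},
    "email": {"email", "mail"},
    "coordinates": {"lat", "lon", "latitude", "longitude"},
    "device_id": {"udid", "imei", "device_id"},
}

def identifiers_in(body):
    """Return the identifier classes present in one URL-encoded request body."""
    params = set(parse_qs(body))          # parse_qs percent-decodes keys and values
    return {kind for kind, keys in IDENTIFIER_KEYS.items() if keys & params}

def audit(requests, eu=EU_MEMBERS):
    """Per app: identifier classes transmitted and any destinations outside the EU."""
    report = {}
    for app, host, country, body in requests:
        entry = report.setdefault(app, {"identifiers": set(), "non_eu_destinations": set()})
        entry["identifiers"] |= identifiers_in(body)
        if country not in eu:
            entry["non_eu_destinations"].add((host, country))
    return report

def summarize(report):
    """Counts in the shape the survey reported: how many apps sent each identifier class."""
    counts = {kind: 0 for kind in IDENTIFIER_KEYS}
    counts["apps_sending_identifiers_outside_eu"] = 0
    for entry in report.values():
        for kind in entry["identifiers"]:
            counts[kind] += 1
        if entry["identifiers"] and entry["non_eu_destinations"]:
            counts["apps_sending_identifiers_outside_eu"] += 1
    return counts

if __name__ == "__main__":
    for app, entry in audit(SAMPLE_REQUESTS).items():
        print(app, sorted(entry["identifiers"]), sorted(entry["non_eu_destinations"]))
    print(summarize(audit(SAMPLE_REQUESTS)))
```

Bodies that are JSON or a proprietary encoding need a different decoder in place of parse_qs, and TLS traffic must be captured at the device or via an interception proxy the device trusts.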

We are confronted with two problems:

First, the absence of a regulation that defines, in an indisputable manner, the type of information these applications may collect and its purpose; second, evidence should be provided of the destination to which the data are sent. The survey also revealed a second, very critical aspect: users are not informed of where their information is actually sent. The survey found that the data were sent to countries outside the EU such as China, Israel, India and America.

The risk to users’ privacy is really high, and consider also the serious problems that can derive from not managing this situation. Today’s smartphones are used virtually everywhere, from the shop downstairs to the managers of large enterprises, up to top government officials. Everyone’s privacy is exposed to serious risks, and not only that: the security of entire countries is at risk. All are united by the risk of being spied on.

Some government agencies have begun to address the problem by equipping their employees with armored systems, as in the case of the DoD (Department of Defense), which has developed a custom version of Android for its mobile devices.

However, we have learned that to retrieve a government’s valuable information it is sufficient to attack its contractors, who are still too vulnerable, and starting from their mobiles is a good start.

The article cites Article 25 of the Data Protection Directive (DPD), which demands that the European Commission determine when “third countries” provide data protection standards equivalent to the EU’s DPD.

For completeness I reproduce the article below:
Article 25 Principles

  1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
  2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
  3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
  4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
  5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
  6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

The article in question is not recognized by many countries and therefore raises many concerns about privacy and the protection of sensitive data. India and China, both mentioned in the report, do not recognize the regulation.

In light of this discussion it is essential that globally recognized measures be taken to protect privacy. Trust and transparency between users and app companies must be increased, and new regulation must dispel any doubt in this regard. These regulations must take into account the fact that each mobile device can be used in private but also in strategic sectors, and strict rules to protect information must therefore be defined. Protection must cover storage processes, data transfer processes, encryption of information, and limiting the subset of user data an app can manage to the minimum. The regulations should establish strict guidelines to be followed by device manufacturers and application developers.
Only when such a regulation is defined and recognized worldwide can we consider the new cyber threats so prevalent since the advent of mobile technology to have been addressed.

Pierluigi Paganini
