Mobile Security Weekly: SMS, Skype and Smartware Used For Snooping

Lacoon Mobile Security.” width=”115″ height=”75″ /> Ohad Bobrov is co-founder and CTO at Lacoon Mobile Security.

Besides presents, Santa Claus has brought us some interesting mobile security updates. This week’s Christmas edition contains three truly different threats to mobile security in the enterprise. This goes to show just how dynamic and fluid this world is. From a threat at the network level, to an app vulnerability and finally a hardware exploit that places a serious question mark regarding the security of smartwear.

Merry Christmas & Happy Holidays to you all!

Attackers Can Read Users’ Private SMS and Listen to Phone Calls

German researchers have discovered a security flaw that could let threat actors listen to private telephone calls and intercept text messages on a potentially massive scale – regardless of the level of encryption implemented by the cellular networks.

The vulnerability exists in SS7, the global network that enables cellular carriers to route calls, texts and other services to each other. Designed in the 1980s, SS7 seems to be packed full of security issues. Initially meant to allow dynamic switching from cell tower to cell tower, attackers can exploit this to eavesdrop and extract content.

Encryption doesn’t help, because if one side of the communication between two networks is outdated (say a number from a developing country in Africa) calls an American number, the encryption becomes irrelevant.

http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/

Why is this Significant?

This is a relatively rare example of an attack coming through the network itself. The can be performed in several methods, with some relying on physical proximity to the victim. Attackers can pretty much record and decrypt any network. Undoubtedly more of a nation-state level threat at the moment, it’s important to recognize the fact that history has shown us that these capabilities trickle down to the private sector exceedingly quickly.

Security Hole In Skype Allows Attackers To Secretly Connect To Other Users

First discovered on Reddit, this security flaw in the Android version of Skype can force the app to answer calls. Multiple users have backed up these claims.

Skype can be tricked into thinking that two users have lost their connection and performing a reconnect. This can be exploited to initiate and conduct a Skype conversation with one side never actually agreeing  or accepting the call.

http://www.jbgnews.com/2014/12/security-flaw-in-skype-allows-eavesdropping/023912.html#ixzz3MxgQXE7j

Why is this Significant?

Without going into too many details on how the hack works, it’s the bottom line that counts. Despite the set-up being slightly complicated, this is an example of an app that many businesses use on a day to day basis, in many cases, for professional reasons. Unlike other social media apps, Skype can be an integral part of an enterprise environment and even the smallest security vulnerability demands appropriate attention.

Can Smartwear Pose a Security Risk?

With 2015 just around the corner, it’s undeniable that smartwear is likely to be a big trend in the coming year. Many companies and developers are creating watches, bracelets with an ever increasing variety of available apps.

Recently, researchers have presented how this might pose another problem for enterprise security. It looks like hacking into the bluetooth connection that links smartphones and smartwatches may be far too simple. Many platforms rely on this connection to relay notifications, messages and content between the mobile phone and the smart device. With more sensitive data being accessed via mobile devices, smartwear may be just the entry point attackers need.

http://www.wired.com/2014/12/android-wear-critical-mass-apple-watch/

Why is this Significant?

Smartwear is still gaining popularity. At the moment, only early adopters are making smartwear a part of their lives. Despite this, the relative ease of the exploit in this case makes us wonder how many vulnerabilities might be discovered when attackers really start looking. We’ll be keeping a close eye on just how dangerous smartwear may be to companies with and without BYOD policies in the near future.