Navigator, accountant and secretary in one, it knows more about
you than you think - and will spill its secrets to anyone who has
ways of making it talk
by Linda Geddes
THERE are certain things you do not want to share with strangers. In
my case it was a stream of highly personal text messages from my
husband, sent during the early days of our relationship. Etched on my
phone's SIM card - but invisible on my current handset and thus
forgotten - here they now are, displayed in all their brazen glory on
a stranger's computer screen.
I've just walked into a windowless room on an industrial estate in
Tamworth, UK, where three cellphone analysts in blue shirts sit at
their terminals, scrutinising the contents of my phone and smirking.
"If it's any consolation, we would have found them even if you had
deleted them," says one.
Worse, it seems embarrassing text messages aren't the only thing I
have to worry about: "Is this a photo of your office?" another asks
(the answer is yes). "And did you enjoy your pizza on Monday night?
And why did you divert from your normal route to work to visit this
address in Camberwell, London, on Saturday?"
I'm at DiskLabs, a company that handles cellphone forensic
analysis for UK police forces, but also for private companies and
individuals snooping on suspect employees or wayward spouses. Armed
with four cellphones, which I have begged, borrowed and bought off
friends and strangers, I'm curious to know just how much personal
information can be gleaned from our used handsets and SIM cards.
A decade ago, our phones' memories could just about handle text
messages and a contacts book. These days, the latest smartphones
incorporate GPS, Wi-Fi connectivity and motion sensors. They
automatically download your emails and appointments from your office
computer, and come with the ability to track other individuals in your
immediate vicinity. And there's a lot more to come. Among other
things, you could be using the next generation of phones to keep tabs
on your health, store cash and make small transactions - something
that's already happening in east Asia.
Gone phishing
These changes could well be exploited in much the same way that email
and the internet can be used to "phish" for personal information such
as bank details. Indeed, some phone-related scams are already
emerging, including one that uses reprogrammed cellphones to
intercept passwords for other people's online bank accounts. "Mobile
phones are becoming a bigger part of our lives," says Andy Jones, head
of information security research at British Telecommunications. "We
trust and rely on them more. And as we rely on them more, the
potential for fraud has got to increase."
So just how secure is the data we store on our phones? If we are
starting to use them as combined diaries and wallets, what happens if
we lose them or they are stolen? And what if we simply trade in our
phones for recycling?
According to the UK government's Design and Technology Alliance
Against Crime (DTAAC), 80 per cent of us carry information on our
handsets that could be used to commit fraud - and about 16 per cent of
us keep our bank details on our phones. I thought my Nokia N96 would
hold few surprises, though, since I had only been using it for a few
weeks when I submitted it to DiskLabs. Yet their analysts proved me
wrong.
Aside from the text messages stored on my SIM card, the most detailed
personal information that could be gleaned from my handset came from
an application called Sports Tracker. It allows users to measure
their athletic performance over time and I had been using it to
measure how fast I could cycle to work across London. It records
distance travelled, fastest speed at different points along the route,
changes in altitude, and roughly how many calories I burn off. But
when DiskLabs uploaded this data to their computer and ran it through
Google Maps and Street View, they were able to pull up images of the
front of my office and my home - with the house number clearly
displayed. Sports Tracker also recorded what time I normally leave the
house in the morning and when I return from work. "If I wanted more
information, then I could just stalk you," says Neil Buck, a senior
analyst at DiskLabs.
I had deliberately chosen to turn Sports Tracker on, and many people
might not stop to consider how such programs could be used against
them. In February, Google launched Latitude, networking software
for smartphones that shares your location with friends. It can be
turned off, but campaign group Privacy International is concerned
by Latitude's complex settings and says it is possible the program
could broadcast your location to others without your knowledge.
"Latitude could be a gift to stalkers, prying employers, jealous
partners and obsessive friends," the organisation warns.
It is possible your phone could broadcast your location to others
without your knowledge
A phone-based calendar could also leave you vulnerable. Police in the
UK have already identified burglaries that were committed after the
thief stole a phone and then targeted the individual's home because
their calendar said they were away on holiday, says Joe McGeehan, head
of Toshiba's research lab in Europe and leader of DTAAC's Design Out
Crime project, which recently set UK designers the challenge of
trying to make cellphones less attractive to people like hackers and
identity thieves. "It's largely opportunistic, but if you've got all
your personal information on there, like bank details, social security
details and credit card information, then you're really asking for
someone to 'become' you, or rob you, or invade your corporate life,"
McGeehan says.
Code cracker
When Buck looked at my colleague's iPhone, he found two 4-digit
numbers stored in his address book under the names "M" and "V". A
search through his text messages revealed a few from Virgin informing
him that a new credit card, ending in a specific number, had just been
mailed to him. Buck guessed that "M" and "V" were PIN codes for the
Virgin credit card and a Mastercard - and he proved to be correct on
both counts.
"Out of context, an individual piece of information such as an SMS is
almost meaningless," says Jones. "But when you have a large volume of
information - a person's diary for the year, his emails, the plans
he's building - and you start to put them together, you can make some
interesting discoveries."
In this way the DiskLabs team also identified my colleague's wife's
name, her passport number and its expiry date, and that she banks with
Barclays. Ironically, Barclays had contacted her regarding fraud on
her card and she had texted this to her husband. Buck's team also
discovered my colleague's email address, his Facebook contacts, and
their email addresses.
This kind of personal data is valuable and can fetch a high price
online. It's ideal for so-called 419 scams, for instance, in which you
receive an email asking for help in exporting cash from a foreign
country via your bank account, in exchange for a share of the profits.
"What they need to launch a successful 419 scam is personal
information," says Jones.
A growing awareness of identity theft means that many people now
destroy or wipe computer hard drives before throwing them away, but
the same thing isn't yet happening with cellphones, says Jones. At the
same time, we are recycling ever greater numbers of handsets.
According to market analysts ABI Research, by 2012 over 100
million cellphones will be recycled for reuse each year.
As part of a study to find better ways to protect cellphone data,
Jones recently acquired 135 cellphones and 26 BlackBerry devices from
volunteers, cellphone recycling companies and online auctioneers eBay.
Around half of the devices couldn't be accessed because they were
faulty. In our own smartphone experiment, we were unable to retrieve
any data from a BlackBerry, or the Samsung E590.
However, Jones's team found 10 phones that contained enough personal
data to identify previous users, and 12 had enough information for
their owner's employer to be identified - even though just three of
the phones contained SIM cards.
Of the 26 BlackBerrys, four contained information from which the owner
could be identified and seven contained enough to identify the owner's
employer. "The big surprise was the amount we got off the BlackBerry
devices, which we had expected to be much more secure," says Jones.
While BlackBerry users have the option of encrypting their data or
sending a message to purge data from their phones should it be sold or
stolen, many had not done this. "Security is only any good if you turn
the damned thing on," says Jones.
Security is only any good if you turn the damned thing on
His team managed to trace one BlackBerry back to a senior sales
director of a Japanese corporation. They recovered his call history,
249 address book entries, his diary, 90 email addresses and 291
emails. This enabled them to determine the structure of his
organisation and responsibilities of individuals working within it;
the organisation's business plans for the next period; its main
customers and the state of its relationships with them; travel and
accommodation arrangements of the individual; his family details -
including children, their occupations and movements, marital status,
addresses, domestic arrangements, appointments and addresses for
medical and dental care; his bank account numbers and sort codes, and
his car registration index. Two further BlackBerrys "contained details
of a personal nature about the owner and other individuals that would
have caused embarrassment or distress if it had become publicly
known", says Jones.
Although his team used specialist forensic software to retrieve data
from the phones, much of it could be obtained directly from the
handsets themselves, or by using simple software of the kind that is
sold with a phone. "This was not designed to be a sophisticated
attack, it used simple techniques that anyone would have access to,"
Jones says.
That's bad news, considering that around 20 millions handsets were
lost or stolen worldwide in 2008, according to UK data-security
specialists Recipero. So how can people go about making their phones
more secure? Turning on the security settings is an important first
step, says McGeehan, as this may dissuade potential thieves from going
to the effort of trying to crack the codes. Then make sure you delete
anything you want to keep secret, while bearing in mind that it is
often possible to recover it (see "Phone security Q & A"). "I work
on the basis that anything I put on there I've got to be prepared for
people to see," says McGeehan.
As for me, I've taken to deleting potentially incriminating messages
as soon as they arrive in my inbox - and reproving the sender in
return. I have also passed my old handset to my husband for
safekeeping. If those brazen messages must fall into someone else's
hands, I'd rather they were the hands of the Don Quixote who composed
them than a smirking IT geek in a distant windowless room.
Future phones
By next year about 1 in 3 new smartphones will have accelerometers.
Pressure sensors and gyroscopes will follow, and soon your handset may
keep tabs on your health and pay your bills too.
For example, Nokia is experimenting with adding biosensors capable of
monitoring heart and breathing rates, as well as glucose and oxygen
levels in the blood. "Your phone could act as a wellness diary, and
start to integrate data with the primary health records kept by your
doctor," says Marc Bailey, a researcher at the Nokia Research Centre
in Cambridge, UK.
Meanwhile mobile commerce, or M-commerce, in which phones are used to
transfer money or pay for shopping, is already expanding rapidly.
Cellphone users in Japan can buy train or airline tickets with their
handset, while people in Afghanistan, the Philippines and east Africa
can use their handsets to transfer money to each other. "M-commerce is
coming, and the expectation is that it will become prevalent in the UK
and other European countries within four years," says Joe McGeehan,
head of Toshiba's research lab in Europe.
Though these developments should bring many benefits, security is
expected to become a problem. "As soon as you put money on anything,
criminals become more interested in it," says McGeehan.
To counter this, manufacturers are developing more secure ways of
encrypting data on handsets. According to Nokia, users will be able to
alter security settings depending on how much data they want available
at any one time. Phones with built-in fingerprint scanners are already
on the market, and Sharp has experimented with face recognition on
handsets, though hackers have recently shown that face recognition is
easily defeated with just a photograph.
Meanwhile, Apple is thought to be considering adding biometric
security measures, such as a fingerprint scanner, to future
iPhones. However effective these security features are, though, they
will only work when turned on.
Phone security Q & A
If I delete a message or photo on my phone will it disappear
completely?
Data often remains on a phone's memory chip until it is overwritten.
Phones also create extra copies that are spread around its memory. It
is possible to overwrite files by copying new data onto the phone.
Commercial software will "zero fill" a memory or SIM card to overwrite
it.
Where do recycled handsets end up?
According to Andy Jones, a security specialist at British
Telecommunications, the main markets for recycled phones are Nigeria
and China, "both of which are regarded as areas posing a high threat
to the security of information".
What if I smash up my SIM card?
Forensic analysts can often recreate SIM cards using the data that's
stored on the handset. How much information they can retrieve depends
on the phone model. It is also possible to stick a damaged SIM card
back together and then extract its data.
Can my movements be tracked, even if I don't have GPS on my phone?
A technique called cell site analysis can be used to track someone
to within 10 to 15 metres, using cellphone masts to triangulate their
position. GPS can give more detailed information, such as your
altitude or the speed you are travelling at.
Can my handset be used to spy on me?
If someone can get direct access to your handset, they can install
software that lets them listen to conversations and monitor text
messages without your knowledge. Without direct access, they can still
monitor your phone usage remotely, but not eavesdrop on your
conversations. It is also possible to send text messages that look
like they come from someone else - a technique called SMS spoofing.
This makes it possible to upload messages to someone else's Twitter
account, or send your boss rude messages using a colleague's number.
How do I improve my phone's security?
Switch on all security options such as handset PIN codes. Download
software to wipe your phone before you throw it away or send it for
recycling. Consider buying a handset with fingerprint recognition
security. Alternatively, add software that can find your phone or
even take control of it remotely should it be stolen, allowing you
to encrypt all data stored on it, disable it entirely or even make it
emit a loud alarm.
Is it legal for my employer or partner to send my cellphone for
analysis?
If it is a company phone, or was a present from your partner, beware.
Chances are that they can claim legal ownership and so can do what
they want with it.
To unsubscribe send a message to [email protected] with
the subject unsubscribe.
To change your subscription to digest mode or make any other changes, please
visit the list home page at
http://accessindia.org.in/mailman/listinfo/accessindia_accessindia.org.in