Why our smartphones need hacking protection
Smartphones are increasingly carrying personal financial data – an attraction to hackers
We’ve all been trained that we need to install antivirus software on our computers, and most of us are now doing this. Every December I get a call from my father-in-law telling me his virus protection is about to expire and I walk him through updating it for the next year. This is great because it means the message is finally out there. While we’re all getting better about protecting our home computers from hackers, we are dreadfully bad about doing so for our smartphones.
If you have a reasonably current iPhone, chances are your phone is updated to the latest version of iOS and you are (for the most part) good and secure. But if you’re like me and use an Android phone, chances are your phone hasn’t been updated for a while. While Google continues to improve Android every year, these updates do not always get sent out by the cellphone manufacturers, and if they do, there is no guarantee your cellphone carrier will send them to you, or even make them available. Inexpensive cellphone manufacturers are some of the worst offenders, but even the big guys like Samsung get accused of dragging their heels on updates.
Why does this matter? What possible good could come from breaking into someone’s phone? The answer is that the smartphone in your pocket is getting more and more powerful every year. That makes it an attractive target for a cyberattacker. A malicious user can chain together many thousands or even millions of phones and control them from a single point. This is referred to as a botnet. These botnets can pose a huge threat to our telecommunications infrastructure.
Last September, a research paper published at Ben-Gurion University of the Negev entitled 9-1-1 DDoS: Threat, Analysis and Mitigation caught my attention as I had never considered how a cyberattack on our 911 system might take shape. The paper showed how as few as six thousand phones could take down the 911 system in a state the size of North Carolina.
A group of hijacked phones in an area could be used to make repeated calls to 911 and this attack would lead to an overload of the system that could interrupt service for days. Part of the reason for this is an FCC requirement that all 911 calls must be routed regardless of where they come from. Basically, a cellphone can call 911 even if it’s not an active phone with a cellular plan.
In Canada, the CRTC is currently looking at ways to improve the 911 system and is actually looking at vulnerabilities to ensure we don’t experience a major disruption, but a potential 911 attack is only one possible use case for taking over a group of phones.
Your personal information, photos, videos, emails, call logs, phone numbers, and even location history are all stored within your phone. With Apple Pay now supported by most Canadian banks and Android Pay coming soon, our financial details will also be at risk if our phones are not secure.
As most of these phones are sold by our federally regulated mobile phone companies, I would suggest that it is time for the CRTC to step up and require our regulated mobile carriers to provide software updates for a minimum of three years after the sale of the phone. This would ensure the only handsets sold would be from manufacturers that promise to provide these updates, and would prevent carriers from selling products that are about to be discontinued, leaving a purchaser with an outdated and insecure phone for the life of that contract.
The CRTC has not had to think a lot about this type of security in the past, but with nearly every one of us walking around with a networked computer in our pocket that, if used incorrectly, could cause serious harm to our telecommunications system, it may be time for them to look closely at this issue going forward.