A SearchSecurity.com reader recently wrote: I am concerned with spying on our corporate iPhones. As a policy, we don't encourage accessing the Web, we wipe the memory, we use PINs to authenticate, and we make sure our users never let the devices out of their sight. Users receive and send emails via Gmail, but they typically do not use Bluetooth; the setting is turned off. Is it still possible for a third party to eavesdrop on users' conversations, and if so, what can be done to prevent this?
I certainly wish that more of my clients would take the security of their mobile devices as seriously as you do. Without locking a phone with a passcode, anyone who gets hold of one can access all of its email and data. A hacker could also take the opportunity to install software that wiretaps calls and even records ambient noise when the phone is unused. Also unless your phone is set up correctly to use encryption, you may send passwords and sensitive data in cleartext over untrusted networks.
Obviously it's illegal to tap a phone unless you belong to the intelligence services or the police force and have been given explicit permission to do so. Also when it comes to the issue of iPhone and mobile phone spying, modern smartphones are a lot more secure than older cell and analog phones. Phones featuring digital technology are difficult for the average eavesdropper to crack, so you can feel pretty comfortable knowing your calls are secure. With a Global System for Mobile Communication (GSM) network, calls are encrypted between the handset and the network. There are exceedingly expensive ($200,000 and up) law enforcement cell phone scanners that can eavesdrop on modern phones, but you would have to be involved in serious criminal activity or discuss information of extreme value before anyone would undergo the expense of tapping your phone.
This may be changing, though. In 2008, security researchers demonstrated technology in development that they say will greatly decrease the time and money required to decrypt, and therefore snoop on, phone and text message conversations taking place on GSM networks. The 64-bit encryption method used by GSM, known as A5/1, was first cracked, in theory, about 10 years ago; GSM A5/1 is still in use today.
The proposed device would only cost around $1,000, and would be able to successfully crack the GSM encryption in 30 minutes. To crack the encryption in a more valuable 30 seconds would still cost around $100,000, and the GSM Association claims it will have a superior encryption method ready for implementation well before the $1,000 eavesdropping device is on the market.
Another possible iPhone eavesdropping opportunity occurs when mobile phone calls cross networks, such as from one mobile provider to another, or from one country to another. These calls will pass through various exchanges and networks, possibly as an unencrypted digital stream. This means a wire tap could be used to intercept the call at any point where it's unencrypted.
Also remember that whenever your cell phone is turned on, your network provider knows where you are within a hundred meters or so. How? Well, by comparing the strengths of the signals at each station, a provider can triangulate your position and work out where you are.
There are companies such as CellCrypt that offer end-to-end encrypted calls, even over untrusted networks. However, both parties to the call need to have the same application installed on their phones. Unless you are using a specialist device or software, I would never assume that voice calls are secure, so like fax and email, never discuss confidential or sensitive issues on the phone, and never leave confidential voice messages. You need to think about the value of the information you wish to exchange and then choose the right communication method for sharing it.
If your employees are allowed to use iPhones, there is little that can be done about the security of the GSM network -- this is true for any cell phone -- so a strong acceptable usage policy is vital. Consider banning the use of unknown access points and ensure that your mail server is configured to allow POP or IMAP access only via SSL, which ensures emails are transmitted securely to and from the phones. Outlook Web Access or Lotus Domino Web Access are also alternatives as they both use SSL. Use of a PIN number should be mandatory along with the Auto-Lock function. It is essential, too, that no phone is ever left unattended. An attacker with physical access to it can break the PIN and data encryption relatively easily -- the remote wipe feature only works if the iPhone is connected to the cellular network.
There are some enterprise management tools for the iPhone appearing in the app store, such as the Secure IT Management app, but these types of apps are reliant on individuals using their phones in accordance with the enterprise's rules, particularly when it comes to preventing eavesdropping at the endpoint. Sensitive conversations should not be allowed in public places where they can be overheard. An information classification policy should re-emphasize the only exchange methods that can be used to transmit certain types of information to prevent leaking information through careless conversations. The iPhone is feature-rich, but it's not possible to fully prevent the security risks that come with it, so proceed with caution.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in February 2010