Jailbreaking, NFC to up phone hacks: IBM

Users jailbreaking their devices and using near-field communication chips have been flagged by IBM as a high security risk and could lead to a prolific rise in the number of hackers targeting mobile phones.

IBM has flagged jailbroken phones and near-field communications enabled phones as a high security risk which could lead to a prolific rise in the number of hackers targeting mobile phones.

Near-field communication facilitates the transmission of data over a range of approximately 10cm. A chip in a mobile phone interacts with a proximity card reader on any compatible device, — a technology that serves as a drawcard for mobile payments.

Tom Cross, threat intelligence manager for IBM's internal security taskforce X-Force, gave journalists at the IBM Pulse conference in Las Vegas a preview of the squad's annual security report, which this year contains a detailed look into mobile computing security.

Cross said that most computer crime on the internet is motivated by financial gain, adding that smartphones aren't generally widely used for e-commerce transactions like desktops or laptops are.

However if near-field communication technology became widely used in the future, it could lead the way to a whole new raft of security threats, Cross added.

"If we see people doing more e-commerce on the phone and we see the phone being used as a payment device in the physical world that people are working on, that may be creating a financial incentive to exploit the device," he said.

Cross added that users jailbreaking devices also presents a credible threat to corporate security and could lead to data theft or corporate network intrusion.

"A lot of users are hacking or jailbreaking their devices so that they can do things the manufacturer had never intended. In order to do that they need the same sort of exploit code a malicious person would need to remotely control the device, and this desire to jailbreak is driving [harmful] exploits," Cross said.

"Often people have [virtual private network] connections to their corporate network, so many attackers are now starting to use these devices as 'lilypads' to connect form the internet into your corporate network."

His opinion echoes that of security researcher Kaan Kivilcim, who works for Sydney information security firm Sense of Security. Kivilcim even created an attack demonstration to show that an iPhone has the same functionality and is exposed to the same risks as a computer once it is jailbroken.

"[iPhones], Androids and modern Nokias are in a league of their own," Kivilcim said. "They are basically cut-down Unix computers with all the functionality of a laptop computer, but corporations are still considering them as just mobile phones."

The fix

Cross said that companies need to be asking themselves tough questions about how best to deal with these new devices on a corporate network to prevent data loss.

"The primary concern [for enterprise] right now is that information might exist on these devices. The question is: you've got policies for data storage on a laptop or a desktop, but how are you going to enforce those when that same information finds its way onto a mobile or tablet device?" he said.

Some ideas could be restricting the installation of unsigned third party apps on phones, a passcoded screen lock and only having limited virtual private network access on mobile devices to prevent unauthorised tunnel through.

Yet the responsibility of device security, also lies in part with device manufacturers, according to Cross.

"In the future, we would like to see more [data] segmentation in the design of the device for personal and business use," Cross said, adding that people aren't likely to carry around two phone devices anymore.

The full X-Force security report from IBM is set to be released later this month.

Luke Hopewell travelled to Las Vegas as a guest of IBM.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All