Tag Archives: Subscriber Identity Module

Phantom Mobile Threats

How secure is your mobile phone?

This is an old bugaboo that folks who sell antivirus software have tried to get us scared about. But the truth is that for the past decade there’s really not much to lose sleep over.

That hasn’t stopped people getting freaked out about it.

A security conference heard that some downloadable applications to phones running the Android operating system would “collect a user’s browsing history, their text messages, the phone’s SIM card number and subscriber identification” and send all this data to a website owned by someone in Shenzhen, China. Some outlets reported that it also transmitted the user’s passwords to their voicemail.

About 700 outlets covered the story, including mainstream publications like the Telegraph and Fortune magazine: “Is your smart phone spying on you?” asked one TV station’s website.

Scary stuff.

Only it isn’t true. It’s not clear who misreported all this—the journalists and others covering the event, or the company releasing the fruits of their research, but it gradually emerged that the applications—downloadable wallpapers—only transmitted a portion of this data. (See a corrected version of a story here.)

Indeed, the whole thing gets less suspicious the more you dig.

This is what the developer told me in a text interview earlier today: “The app [recorded] the phone number [because] Some people complained that when they change the[ir] phone, they will lose the[ir] favorite [settings]. So I [store] the phone number and subscriber ID to try to make sure that when [they] changed the phone, they have the same favorites.”

Needless to say the developer, based in Shenzhen, is somewhat miffed that no one tried to contact him before making the report public; nor had any of the 700 or so outlets that wrote about his applications tried to contact him before writing their stories.

“I am just an Android developer,” he said. “I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.”

Now of course he could be lying through his teeth, but I see no evidence in the Lookout report or anything that has appeared subsequently that seems to suggest the developer has done anything underhand. (The developer shared with me some screenshots of his app’s download page which show that they do not request permission to access text message content, nor of browsing history.)

In fact, he seemed to be doing a pretty good job: His apps had been downloaded several million times. He declined to give his name, but acknowledged that he was behind both apps provided under the name Jackeey, and under the name iceskysl@1sters!

Not for much longer. One website quoted Lookout as saying “We’ve been working with Google to investigate these apps and they’re on top of it.” They have: Google has now removed the apps from their site. So I guess Jackeey, as he asked me to call him, is going to have to look for other ways to spend his time. (He told me that Lookout had contacted him by email but not, apparently, before going public.)

Seems a shame. Obviously, there is a mobile threat out there, but I’m not sure this is the way to go about addressing it. And I don’t think a guy in Shenzhen doing wallpaper apps is, frankly, worth so much hysterical column ink.

Let’s keep some perspective, guys, and not embark on a witch-hunt without some forethought.

Lookout has since been backtracking a bit from its original dramatic findings. “While this sort of data collection from a wallpaper application is certainly suspicious,” it says on its blog, “there’s no evidence of malicious behavior.”

Suspicious? We seem very quick to attribute suspicious behavior to someone we don’t know much about, in some scary far-off place, but less to those we do closer to home: Lookout’s main business, after all, is prominently displayed on their homepage: an application to, in its words, “protect yourself from mobile viruses and malware. Stop hackers in their tracks.”

Conflict of interest, anyone?

Your Phone as Stalker

Phone spam feels like it’s getting worse.

My wife and I have been receiving numerous calls from the local arm of ANZ Bank — a bank I am happy to identify by name because I’ve sought comment from them without reply for nearly a week now. Our mobile phone numbers were probably sold by another bank or possibly by the cellphone company.

Nokia researcher Jan Chipchase starts picking up SMS and phone spam on Hutch in India within a day of activating his SIM card, and finds that the company is three times as slow at removing his number from their spam lists:

Locals in the know send a text message to opt out, a process that, according to Hutch’s automated response, takes at least three days to activate: “We respect your privacy. Please give us 72 hours to include your number on our Do Not Disturb list. Thank you” and an unspecified amount of time for this to filter through to the companies that already have you on their disturb list.

I’m quite aggressive at fighting SMS and phone spam, but not always successful. One nightclub spammed me regularly until I got upset. Now they don’t. (Embarrassingly, it turned out to be owned by a friend of mine.) Now a lot of people here don’t answer their phone unless they recognize the number on the display.

Still, nothing is quite as bad as this case of cellphone stalking in the U.S., where one family claims to feel harassed to the point of paralysis through their cellphone. A good clear-eyed view of the mess here.

Flashing Your SIM

It’s a logical move: marry the SIM card with flash memory. Investor’s Business Daily reports that M-Systems is doing just that:

The company’s strike on the mobile phone market has a second front. It’s a new product, due to launch during the first half of 2006, that marries flash memory and a Simcard, which is used in 80% of cell phones. M-Systems calls it a Mega Simcard. <…> 
“We’re looking at the Mega Simcard as one of our biggest growth generators in ’07 and ’08,” Maor said.

This does seem to have been around at least a year as an idea (although the correct name seems to be MegaSIM card) and it was supposed to have been launched by now. The card would hold up to 256 megabytes (this is according to a story a year ago; I think it’s grown by now).

I guess it’s not just about extra storage — although that would make backing up or transferring contacts a lot easier, since they tend to be split between memory and SIM — but about loading up extra programs. The provider, for example, could issue the SIM with extra software already preloaded. For companies it may also make it easier to keep data secure and swap handsets between employees. And if this product sheet (PDF) is anything to go by, it would also contain Digital Rights Management components.

An Idiot’s Guide To Prepaid GPRS

Further to my earlier post about GPRS traveling woes, I asked Syd Low of AlienCamel to offer his thoughts on the subject. He’s something of an old hand at the game.

For the last two years I’ve gone “on the road” to the Alps. My journey goes through Asia, then Switzerland and finally Austria. In 2004 I had a Treo 600 and this year a Treo 650. I’ve used GPRS with prepaid SIM cards in five countries with almost perfect success to stay in touch with friends and colleagues using IM and Email.

In Europe, I usually look for a mobile shop at the airport or train terminal. Zurich airport is great – all three carriers are there – Swisscom, Sunrise and Vodafone. Just wander in, buy a card and you’re on your way in less than 20 minutes. When you return the following year, you just need to get a recharge card and you’re away in 5 minutes. In Asia and Italy, I found that all carriers have shops in the main street. Venice and Verona for example have Vodafone shops conveniently located among the shops and resellers everywhere. Same deal – quick and fast transactions. In Austria where there’s not much competition, the most convenient place is the post office where you can get A1 prepaid cards. Recharge cards are available at supermarkets.

The Treo 650 auto-configures to all of these networks and there’s no need to manually make any setting changes. Just put the SIM card in and everything just works. I’ve only had a minor glitch with A1. For a few days I couldn’t get GPRS coverage – not sure if it was my phone or the network high in the Alps.

Life would be a lot simpler if there was a carrier that did global roaming with fair rates, but I think it’ll be a blue moon when that happens. Until then, get yourself a little case to keep a SIM card for each country.

Thanks, Syd. Oh and here’s a picture of his SIM-card stash:

[Image: Simstash]

Cellphone Terrorism

My old colleague Nick Cumming-Bruce writes in today’s IHT on Thailand’s demand that prepaid cellphone users register before they get a SIM card as police continue on the trail of cellphone terrorists.

Interesting piece: the basic idea is that you must hand over your name and address before getting a phone number as a measure to deter terrorists, who have been shown in Thailand and elsewhere to use phones to organise attacks and trigger bombs. Roaming customers visiting Thailand may also have to register.

But how effective is this going to be? First off, I think the practice of prepaid registration is more widespread than this. When I was in Australia last year I had to submit to questioning over the phone by a network employee, who disarmingly assessed whether I was who I said I was before he activated the card.

The other thing is that there’s no way this kind of thing would work except in places where the cost of a prepaid card is high enough to deter fraud, and even then it probably wouldn’t. In a place like Indonesia — where cellphones have been widely used by terrorists to plan, coordinate and trigger attacks — people buy SIM cards for as little as $2; what’s to stop a thriving gray or black market of these cards appearing, as folk offer themselves as registrants? Needless to say, there are 100 reasons why people don’t want others to know — especially, but not only, the government — what number they’re using, and they may have nothing to do with blowing things up.

Wrong solution to a problem, I think. If you really wanted to do this properly, I would go for the credit card solution: Use software to track usage patterns and look for unusual behaviour. Cellphone data must be massive but it must also reveal all sorts of interesting data that is not necessarily personally intrusive: where someone is, how they use their phone — voice, SMS, MMS, GPRS — and how often they use it. Monitoring this kind of data would take some time, but it might reveal patterns of usage that expose terrorist-like behaviour.

Terrorists, for example, tend to keep a phone for just certain calls, so usage is very low. Of course, that also describes grandmothers given a phone for emergencies, but coupled with location data — terrorists tend to move around quite a lot — and other data might offer some revealing glimpses.
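The usage-pattern idea above, as an added Python sketch that is not code from the post: profile each SIM by how often it is used and how many cell sites it appears at, and flag only the combination of low usage and high mobility, so the emergency-only grandmother phone is not caught by usage alone. The record layout, subscriber IDs and both thresholds are constructed assumptions.

```python
"""Usage-pattern screening over constructed call-detail records (CDRs)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs (subscriber, timestamp, event, cell site)
# covering a 7-day window for three made-up subscribers.
SAMPLE_CDRS = """\
sub-A,2006-03-01T08:10,voice,cell-11
sub-A,2006-03-01T12:30,sms,cell-11
sub-A,2006-03-02T09:05,gprs,cell-12
sub-A,2006-03-03T18:40,voice,cell-11
sub-A,2006-03-04T08:15,sms,cell-12
sub-A,2006-03-05T20:00,voice,cell-11
sub-A,2006-03-06T07:50,gprs,cell-12
sub-A,2006-03-07T13:20,voice,cell-11
sub-B,2006-03-02T10:00,voice,cell-30
sub-B,2006-03-06T10:05,voice,cell-30
sub-C,2006-03-01T06:00,sms,cell-41
sub-C,2006-03-04T23:10,sms,cell-57
sub-C,2006-03-07T05:45,voice,cell-63
"""

WINDOW_DAYS = 7
LOW_USAGE_PER_DAY = 1.0   # assumed threshold: under one event a day is "low"
HIGH_MOBILITY_CELLS = 3   # assumed threshold: seen at three or more sites

def parse_cdrs(text):
    """Parse the comma-separated records; timestamps are validated as ISO 8601."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sub, ts, event, cell = line.split(",")
        records.append((sub, datetime.fromisoformat(ts), event, cell))
    return records

def profile(records, window_days=WINDOW_DAYS):
    """Per-subscriber usage rate (events per day) and mobility (distinct cells)."""
    events, cells = defaultdict(int), defaultdict(set)
    for sub, _ts, _event, cell in records:
        events[sub] += 1
        cells[sub].add(cell)
    return {sub: {"events_per_day": events[sub] / window_days,
                  "distinct_cells": len(cells[sub])} for sub in events}

def flag(profiles):
    """Low usage AND high mobility; low usage alone also fits an emergency-only phone."""
    return sorted(sub for sub, p in profiles.items()
                  if p["events_per_day"] < LOW_USAGE_PER_DAY
                  and p["distinct_cells"] >= HIGH_MOBILITY_CELLS)

if __name__ == "__main__":
    print(flag(profile(parse_cdrs(SAMPLE_CDRS))))  # ['sub-C']
```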

Maybe this is already being done. For sure, security agencies must have been mining the historical data of phones used by captured terrorists: Interesting patterns may be contained therein. But my tuppence worth is that forcing folk to register their SIM cards is not going to deter terrorists: It’s just going to force them to use a more clandestine channel. Much better to keep them in the open and find a better way of looking for clues there.