Saturday

21st Oct 2017

Focus

Smartphones are 'data goldmines' for hackers

With a simple touch, smartphones allow us to watch videos, listen to music, check emails, find the nearest restaurant, and update our 'status' on Twitter and Facebook, but with the increased technology come new and largely under-appreciated security threats.

While making our life easier, the smartphone is also a "goldmine of private and confidential data" says Marnix Dekker, an expert with the EU cyber security agency Enisa.


  • Cyber-attacks on smartphones are 'the next big thing' (Photo: @NickyColman)

And they are expected to become even more widespread. With over 400 million units sold this year around the globe, smartphones are set to outnumber personal computers by 2013 and become the most common device for accessing the internet.

"There is more private data on our smartphones than on our desktop PCs: Geolocation data, messages, phonecalls. The biggest risk is unintentional disclosure - either through loss or theft of their device or through people not being aware of what apps do, putting content online without really wanting to," says Dekker.

In a recent report co-authored by Dekker, Enisa warned that "smartphones can be used to keep a targeted individual under surveillance" because they contain "multiple sensors" such as microphones, photo cameras, accelerometers and GPS.

"There are also already several examples of legitimate software, whose express purpose is to allow an attacker to keep the mobile user under surveillance. Furthermore, even tools that are not designed for spyware may be configured covertly to allow for tracking," the report reads.

Location data, for instance, is included in image files which if transmitted further may unintentionally disclose the whereabouts of the person taking the picture. Similar geolocation options are now connected to Facebook and Twitter updates which can be sent from smartphones.

The fact that geolocation allows "an intimate overview of habits and patterns of the owner" has also been flagged up as a serious privacy concern in a paper by the EU's expert committee on data protection.

"From a pattern of inactivity at night, the sleeping place can be deduced, and from a regular travel pattern in the morning, the location of an employer may be deduced. The pattern may also include data derived from the movement patterns of friends, based on the so-called social graph," the paper reads.

Visits to hospitals, religious places or any other private details of one's life can be revealed through geolocation, which allows the monitoring to be done secretively. "Even when people intentionally make their geolocation data available on the Internet, through whereabout and geotagging services, the unlimited global access creates new risks ranging from data theft to burglary, to even physical aggression and stalking," the working party warns.

All geolocation functions should be clearly marked - for instance an "on" sign should be permanently visible and users should consent to transmitting such data, even if the application is put on children's phones by their parents, the group advises.

Good app, bad app

EU officials also increasingly have their hands on smartphones. According to the European Commission, as of September there are around 1550 iPhones, 45 iPads and 840 Windows Mobile devices subject to the "ActiveSync security policy" which allows devices to be wiped remotely if they are lost or stolen.

"There have been just a few cases of lost units that have been immediately blocked, thus preventing security incidents," says Antonio Gravili, a spokesman for the commission.

But apart from theft and loss, cyber attacks via "bad apps" are starting to become a security issue as well. Similar to computer viruses, these 'malware apps' can open a so-called backdoor into the phone's main system, allowing it to send private data such as credit card numbers or email passwords to remote servers.

In March this year, Google admitted that up to 260,000 smartphones using its Android system had been hacked into after users unknowingly downloaded infected apps. The malicious programmes, according to Google, could access personal information and take control of the smartphone. Some 50 'bad apps' imitating famous ones were subsequently withdrawn from the Android Market and Google managed to "remote-kill" the virus via a security update. But a fake update made its way onto the app market as well, signalling that virus developers are also shifting from PCs to smartphones.

Even though the iPhone's app store runs a more restrictive policy than the Android Market, it too had to withdraw an app called "Big Brother camera" after its software developer admitted to having anonymously collected over 200,000 passcodes used to access the app.

Ironically, the main function of the app was to fend off unwanted intruders to one's iPhone via alarms and pictures taken of the person trying to access the phone. The pictures were taken with the phone camera even if the alleged intruder turned the app off and were sent via email to the owner of the iPhone immediately.

"Software development is becoming more and more consumerised, apps are being developed by one or two people, that means that some may take a very bad approach - quickly write an insecure app and then go on holidays. Then if you want to patch a backdoor in the app, you can't even reach anyone," Enisa's security expert Dekker says.

Enisa's advice to app stores is to improve security by deploying five "lines of defence" - ranging from more thorough reviews of the apps to "remote-killing" those that prove to be malicious. Enisa also gives guidelines to developers on how to create more secure apps.

But to some developers, the only reasonable response is to introduce product liability for every application, of the sort consumers get when buying a hairdryer or a vacuum cleaner.

"Some say the only two products not covered by product liability today are religion and software. For software that has to end; otherwise, we will never get a handle on the security madness unfolding before our eyes almost daily in increasingly dramatic headlines," Danish developer Poul-Henning Kamp wrote in a column earlier this month. Smartphone apps, as a smaller part of the software landscape, are not different. "The fact that they are much easier to get hold of only makes the problem even more pressing," he told this website.

Legal protection against cyber attacks is patchy, with the EU institutions still negotiating a draft law put forward last year. Smartphones would also be covered under this law, although the forensics of such crimes are much harder to investigate than classic ones.
