Attack vectors into the law: smartphones

According to Ofcom, over half of all UK adults own a smartphone, and over a quarter own a tablet. The continuing mobile revolution tops almost every key analyst’s list of 2014’s most significant technological trends – as it has for the last five years. They say that it shows every sign of being a technology as revolutionary for business practices and models as the web was.

Law firms, like everyone else, will want to get in early. It’s the number one investment in technology made by big companies, keen not to replicate their failure to “get” the web. The legal services sector faces structural problems. The more-for-less challenge, identified by Susskind and others, is omnipresent. Firms realise cuts can provide only short term, and partial, answers.

Investment in relatively early apps has already greatly reduced the solicitor’s dependence on the office and office hours, for example. Email, scheduling, case management, research – a few early apps already increasing efficiency, flexibility, and aiding differentiation. However, make no mistake – mobile technology’s security challenges are many, grave and evolving daily.

Indeed, it’s difficult to think of another object so small, and fundamentally insecure, that is also entrusted with such valuable client and commercial information, as the solicitor’s smartphone. It’s hard to take a clear-headed, objective and risk-based approach when the challenges are unintuitive and unfamiliar. So, what are the risks? How are they mitigated?

In this instalment, we aim to answer both questions. Solicitors will learn about key vectors and issues. But the focus is on the practical steps every solicitor can take to harden their mobile security, and so protect themselves, their firm, and their clients. Taking control of your mobile security can liberate you to explore the exciting opportunity mobile technology can bring.

(A) Offline/traditional vectors: loss, accident and theft

Smartphones and tablets are vulnerable to some of the most sophisticated and dangerous technical attack vectors yet developed. But studies show the average person simply loses 1.24 devices a year, without any help from nefarious cyber criminals. As progressively more valuable information is stored on them, theft – including targeted theft – looks set to continue growing too.

In the past, a firm’s most sensitive data was stored only on clunky desktops and huge servers locked in secure offices. Now it can be left on the train, or swiped from a restaurant table, with a mere moment’s inattention. There’s also greater opportunity not to report potentially embarrassing loss. Bring your own device (BYOD) culture makes firm asset tagging difficult.

The costs associated with loss, accident or theft are immensely high, and often complicated. There is the cost of the device, of course. But for solicitors there is a premium on confidentiality. The loss of a smartphone with even only a few apps may still involve not only reputational and economic costs, but also potential breaches – of professional duty, contract, even legislation.

And don’t forget use. Again, even at this relatively early stage, smartphones and tablets have become extensions of working limbs. New devices have not only to be procured, but reconfigured. This time is likely to be one of diminished productivity. It may require reversion to less efficient, flexible and individualised technologies.

So how do you minimise the costs of lost, broken, or stolen smartphones and tablets?

(i) Make sure your devices are password protected. This absolute minimum standard of security is easily circumvented by all but the lowest level attackers, but even still is surprisingly underused.

(ii) Encrypt client/business information. Mobile technologies blur the lines between personal and business use. Encryption is essential to ensuring anyone who comes across your device can’t access sensitive information. You can achieve this by encrypting all information, or assigning an encrypted area for work related material.

(iii) Use anti-theft technologies. There are technologies available that allow you to remotely lock, wipe and locate your device if it is lost or stolen. These are invaluable tools, often free to use.

(iv) Inform your firm/IT person immediately if your device is lost or stolen. If your firm is wise enough to use them, update your personalised mobile device risk assessment. Failing that, you can create an informal profile based on worst case scenarios, addressing the issues above.

(B) Wireless based vectors

Mobile technology makes considerable, and clever, use of wireless networks. Indeed, it’s a core aspect of its flexibility – cafes, homes, train stations, etc become productive spaces. But public wifi is profoundly insecure. Attack vectors abound, not least the “honeytrap” wireless, which is a network created by the hacker himself, requiring little money or skill, to lure you in.

Popular locations for such networks include Starbucks. Solicitors can be targeted specifically, based on their routine. The network name will look legit. Once connected, simple phishing or man-in-the-middle attacks can be used to trick you into revealing sensitive information. These involve communication to hacker-created, or via hacker-controlled, sites and services.

But wireless vectors extend beyond hacker-created networks. These techniques can work with public and home networks too. Indeed, most people still don’t realise just how simple it is to pluck your private information – even email and passwords – straight out of, literally, thin air. And this at the least technically sophisticated tip of a considerable iceberg.

So, how can you minimise the risks associated particularly with public wifi?

(i) If possible, just don’t use it. If you don’t have VPN, or are interacting with anything remotely sensitive, it’s best to avoid it altogether. An imperfect but better alternative is to use your smartphone or tablet’s mobile internet facilities. But what if you simply must?

(ii) Check the network’s provenance. This means, make sure the Starbucks you see on your device is really Starbucks and not, say, Starrbucks. Staff can assist with this, and networks requiring you to login, even with token details, give a worthwhile, if small, bit of verification.

(iii) Favour encrypted sites and services. The Heartbleed virus has undermined confidence in the value of seeing “https” or the padlock symbol in your browser. Still, if the site is encrypted it shouldn’t be trivial to simply “read” your conversation with it out of the air.

(iv) Consider encrypting your wireless activity using VPN technology. It’s relatively cheap for consumers, and can bring a significant reduction in public wifi attack vector surface. It works by wrapping your entire internet activity in an encrypted layer by routing it through an encrypted system. Firms can also set up their own, free, encrypted VPN to staff and make it policy to use it.

(C) Internet based vectors

In the early burgeoning internet, hackers were prone to talking almost as if you could spill coffee on your keyboard and look up to find you had accidentally hacked NASA. Hyperbole aside, security follows use, and those patterns and the ingenuity of criminals exploiting them have not yet been established. Of course, desktop PCs and servers do perform a broader range of tasks.

But the mobile ecosystem is vast. The variety of vendors, platforms, and apps is dizzying. It’s been rightly said that if the attack vector surface of mobiles is narrower, it’s also deeper. This means not only new vectors, but the re-imagining of basic attack vectors for the mobile environment. Of these, phishing and malware are particularly grave, and potentially prolific.

Mobile phishing

If you read the first instalment in this series and the wireless section above, you’re familiar with two species of phishing. Both work by manipulating the way we use and assess websites, to trick us into believing a hacker-created site is the real thing. The principles outlined in the first instalment entirely apply here too. But we don’t use mobile technology in exactly the same way, so the particulars vary.

The following are three unique features of mobiles that affect use. You’ll be all too familiar with login boxes popping up, taking the whole screen. Similarly, apps frequently embed sites within them, allowing you, say, to login and share with Twitter. Indeed, even in web browser apps themselves, the address bar showing the real site is often minimised to save space.

In each case, the feature makes it even harder than it is on a PC or laptop to verify independently the true identity of a website. To some extent, other than in the browser app, you simply have to trust that the login box, or the app you are using, is actually what it purports to be. This makes the internet tips below regarding app due diligence even more important.

The last instalment also made brief mention of malware, as malware and phishing often go hand in hand. You will likely already have (bad) experience with it, already, in some form. It includes viruses, software that bombards you with adverts, spies on personal data, locks up your device until you pay money, etc. But malware has broken the bounds of the Windows computer.

Mobile malware

Malware is one of the cornerstones of international digital crime. Wherever financial and confidential information goes, malware follows. And it’s gone mobile. Malware “apps” are sophisticated and dangerous for the same reasons other apps like email are so useful and popular. Vendors make it easy to access everything on a device, to encourage developers.

The unintended consequence is that truly sophisticated malware apps are easy to make. And it’s not the only one. Google Android doesn’t regulate its marketplace as rigidly as Apple’s. The liberty that comes with this has been key in making its platform by far the most popular – and so vulnerable. Remember, too, even if marketplaces were regulated perfectly, there’s other ways in.

So, in the end, what further steps can you take reduce the risk of internet-based attacks, including not only phishing and malware, but the broader range of unknown vectors?

(i) Do app “due diligence” before downloading. Consider the provenance. Ask yourself: how secure is the marketplace you’re downloading from? Does the developer have a good reputation? As a firm, setting up your own app-store of vetted apps can be really helpful.

(ii) Don’t give access away lightly. It’s tempting to give an app the access it asks for. You want it to work. But ask yourself if it really needs what it asks for. A calculator that wants access to your contact list, for example, shouldn’t be allowed, and should perhaps be a red flag.

(iii) Updates and patches are your friend. Do all of them. It can be really annoying to see that your phone’s operating system, and seven of your apps need updating. But remember, as in PCs etc, updates are the mechanism by which security issues that come to light are addressed.

(iv) Use secure and multiple passwords. Secure passwords are easy. JaJwUtHtFaPoW14. Looks complicated, but really just uses the first letter of every word in a popular nursery rhyme. Using different passwords, though difficult, stops one breach cascading across the board.

(v) Turn off automatic wifi connection. This is a small but useful tip. A few vectors, social and technical, leverage automatic wifi connections, against you, and potentially your networks.

(vi) Install anti-malware software. The risk is highest for Google Android products. It, alone, currently offers anti-malware services. Remember, however, malware for Apple iOS, Windows and Blackberry will nonetheless exist, so follow the above steps.