Smartphones: The threat in your pocket

A Boise PI sees hackers and prying eyes gleaning personal data from smartphones.

zkyle@idahostatesman.comMay 27, 2014 

79412

Neal B. Custer, president and CEO of the Custer Agency private investigation firm, said digital forensics are “an integral part of all of our investigations today.”

KYLE GREEN — kgreen@idahostatesman.com Buy Photo

  • MOBILE TARGET

    Symantec's latest Norton Report, an annual report detailing the cost and damage of cybercrimes, directed special attention to the rise of crimes perpetrated on smartphones, tablets and other mobile devices. The report surveyed more than 13,000 adults in 24 countries, including the U.S., where cybercrimes cost victims $38 billion in 2013. Symantec is a security-software developer.

    Here are some highlights:

    • Nearly half of mobile users don't take basic security precautions, such as passwords, security software or back-up files for their device.

    • More than one-third of mobile device users experienced mobile cybercrime last year.

    • 26 percent of mobile users installed security software.

    • 57 percent of mobile users aren't aware of the existence of security solutions.

    • 49 percent use personal mobile devices in workspaces with serious repercussion of security of business and enterprise.

    • Nearly 20 percent share work-related material with friends and family.

    • 38 percent of mobile users with employer-provided devices let their kids play, download and shop on those devices.

    Respondents were more cautious with cybersecurity on their computers than on their mobile devices:

    Delete suspicious emails: computer - 90%; tablet - 60%; smartphone - 56%

    Have at least a basic free antivirus program: computer - 72%; tablet - 42%; smartphone - 33%

    Avoid storing sensitive files online: computer - 78%; tablet - 53%; smartphone - 48%

Your smartphone holds your secrets.

Text messages. Emails. Banking passwords. Hackers can steal just about any personal information that can be used to rob you or snoop on your activities by accessing your smartphone.

Cases with compromised smartphones are a growing part of investigations conducted by the Custer Agency, a Boise private-investigation firm. Neal Custer, the president and CEO, said he investigates thefts perpetrated over clients' phones. His agency also uses digital investigation techniques to build cases for divorce and other domestic litigation.

"We've found all kinds of things, from child pornography on a husband's phone to evidence of hiding financial assets to emails that reveal affairs," Custer said.

A rise in cybercrime led Custer to open a subsidiary, Reveal Digital Forensics & Security, in 2011, to handle the computer and communications cases.

Dylan Evans, vice president of the forensics business, said clients sometimes come to Custer with an eerie feeling that somebody is tracking their whereabouts or knows more than they should about the client or the client's business. Increasingly, Evans finds that clients' smartphones have been hacked to relay information to another party, often to untrusting spouses or partners.

"Someone notices their battery is draining quickly or their phone starts working slower and they get suspicious," Evans said. "Usually, it's because someone installed surveillance-ware, worried about them cheating."

YOUR PHONE IS WATCHING

Surveillance software can send duplicates of text messages, emails and photos to the installer or relay your location using the phone's GPS device, Evans said. It can access cameras and recorders of infected phones to remotely allow the installer to take photos or eavesdrop on conversations.

Snoops usually install surveillance software by picking up the phone from someplace like a desk or nightstand, Evans said. They then download the software they've previously purchased and created an account for. The process takes less than five minutes.

"The (snoop) has already purchased the app and has the account set up," Evans said. "They know the make and model of the phone. They get the phone in their hands. They install the program and it becomes spyware."

Evans said some antitheft apps can be used as surveillance software when a snoop installs them on a victim's phone.

Most of the cybercrime using smartphones that is investigated by the Boise Police Department involves stalking, spokeswoman Lynn Hightower said. Detectives analyze the phones of potential stalkers to verify allegations, she said.

"The evidence (gleaned) via telecommunications devices may be included in evidence that shows the repetitive behavior and fear necessary to prove stalking," she said.

Compromised smartphones are also a tool of corporate espionage. Evans said one large Boise business he declined to identify smelled something fishy after a competitor underbid a multimillion-dollar contract by a slim amount. A sweep of the corporate boardroom for bugs turned up nothing.

Evans and Custer investigators analyzed the board members' smartphones. They learned one board member left his company phone charging in his office overnight at the insistence of his wife, who didn't want her husband taking his work home with him. Investigators found that phone had been sending copies of text messages, including those the board members sent to submit bids. Evans said those messages were being relayed to a third party, most likely the company that won the bid.

A piece of well-placed surveillance software can be worth millions of dollars to a company if it reveals a competitor's bids or corporate strategy, Evans said.

"It's not a big investment to do a background check on a competitor's cleaning crew, to find someone with a criminal history that's maybe a little unscrupulous, and to offer them $5,000 to borrow a phone for five minutes," Evans said.

The best way to protect against surveillance software or theft is to set a password to open the phone interface, Evans said. He also recommends installing virus protection software on smartphones, though he said all of the programs on the market have vulnerabilities.

"I still recommend running them," Evans said. "You just can't expect them to be the Holy Grail for security."

MALICIOUS APPS

Traditional identity-theft software might seem less creepy than surveillance software installed on your phone by a spouse. But old-fashioned identity theft viruses enable hackers to rob you all the same.

Dianxiang Xu teaches master's-degree students in Boise State University's Computer Science Department how to write programs without vulnerabilities. He said the department is developing an undergraduate minor so that more students can learn about protecting against cybercrime.

Many smartphone users infect their own phones by downloading apps that perform their stated function while hiding nefarious software that gleans passwords or other personal information, Xu said.

Xu said other apps tell you they will glean information from your phone in the agreements that users check off on when opening the program for the first time. He advised not to agree to letting your phone share contact lists, GPS locations and other information that apps often don't need to function. That information is often sold to advertisers, though more malicious software can hack into bank accounts or email accounts.

"You should always look at the permissions," Xu said. "People have a tendency to hit, 'Agree, agree, agree.' We grant potential risks whenever we download apps, particularly if you're not familiar with the source."

Evans said free versions of popular games such as Angry Birds carry risks. Game developers release free versions loaded with ads to try to entice players to buy the full, ad-free versions. Those ads can carry malicious software without the game developer's knowledge.

"Make sure whatever app you are downloading is pretty well reviewed and doesn't just have one five-star review by the developer," he said. "It could easily come bundled with something you're not expecting."

Moscow app developer Goldenshore Technologies LLC was slapped by the Federal Trade Commission in 2013 after the discovery that its app, Brightest Flashlight Free, tracked consumers' data without their knowledge.

The privacy violation came to light when consumers questioned why a flashlight app needed to access the phone's location. The developer sold the information to advertisers despite saying in its privacy policy that it kept data in-house.

In a settlement, the developer agreed to change its practices. No fines were imposed.

Evans said consumers need to fight the urge to download apps impulsively.

"People say, 'I want a calorie counter.' They add the app. They run the app. They need to do the research and find one that works and not one that is something else. They need to treat their smartphone more like a computer and less like a toy."

Zach Kyle: 377-6464, Twitter: @IDS_zachkyle

Idaho Statesman is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service