Mobile Security

As smartphones are becoming more sophisticated everyday, more and more malware is being created and distributed. The two main platforms that dominate in terms of market share is Android and iOS. Both are not completely secure, as new vulnerabilities are found every month. Both Apple and Google often release updates with security patches to fix things such as lock screen bypasses and security against viruses that are sent through different mediums.

Attacks and Exploits can occur through various methods, such as…

  • SMS/MMS
  • Cell Networks
  • Wi-Fi
  • Bluetooth
  • Web Browser
  • System Certificates
  • Bugs in Code
  • Hardware

The most common exploits are through messages, Wi-Fi and the operating system itself.

An example of exploits through messages is from 2015, when Apple phones would restart when sent a specific string of characters. These Unicode characters would crash the phone because of the way iOS processes notification popups and displays them. The string itself was “effective. Power لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ 冗” and would cause the iPhone to restart or respring the homescreen. Apple soon fixed this with a software update, but provided a temporary fix in the mean time.

maxresdefault

Another more recent iPhone glitch has the same principle, where you can send a link to a video that when watched, causes a loop or memory leak, which is a “failure in a program to release discarded memory, causing impaired performance”. This is similar to the first iPhone glitch, except the only way to solve it is through holding a series of buttons and performing a hard reset. If you want to test this out for yourself, the link is here. Please try it at your own risk.

While both of these glitches are fairly harmless, the vulnerabilities can be used for more unethical purposes, such as transmitting malware. An example of a more serious vulnerability was discovered in 2015, and known by the name of Stagefright. This exploit could be executed remotely through MMS. This type of attack would have been very deadly, as all you needed was the victim’s phone number. Google and other manufacturers released software updates following the release of this information.

sicherheitsluecke1-w782

As you can see, new vulnerabilities and exploits are being found by companies, users, and hackers everyday. White hat hackers are people who find such vulnerabilities and report them to the companies so they can fix it. Black hat hackers do the opposite and hack for financial gain or other nefarious reasons. Luckily, companies try to stay aware of these exploits and work as fast as possible in order to patch them in an upcoming software update. As for individuals, you should be aware of what apps you install and to have an anti-virus on your phone in order to scan files you download. You should also be aware of what networks you connect to and use a VPN in public areas. These practices will help keep your smartphone secure.

Data Breaches

What is a data breach? A data breach is an “incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.” It can lead to sensitive data being leaked, such as credit cards and passwords to various websites. These hacks can lead to downtime of services and identity theft.

In 2016, the biggest example of a breach was when Yahoo had information stolen from 500 million user accounts. This breach did not happen this year however, but in 2014. It was only detected recently in September. The attack was done by a state-sponsored actor, which is an individual or a group who is paid by the government to hack a company or website. The data stolen includes name, emails, phone numbers, birth dates, encrypted passwords and security questions and answers. Credit cards and bank account numbers were apparently not stolen. The cost for this breach to Yahoo is estimated to be about $100-200 million dollars.

160922095225-yahoo-hack-780x439

Other notable breaches include the 2011 PlayStation Network breach. It was an external intrusion where over 77 million accounts were compromised. The attack lasted for 2 days between April 17th and April 19th. Sony was forced to suspend all services on the 20th. Credit cards were also stolen when the hackers were accessing the network, but instances of fraud were not reported or properly linked to this breach. The cost to Sony was $171 million and the users had to deal with 23 days of downtime. To fix the problem, Sony upgraded all of its security and sent software updates to all PS3 consoles and PSP handhelds. A mandatory password reset was also required.

playstation-network-007

Both of these attacks show that even with strong passwords and diligence from your side, data breaches are still commonplace, and can affect everyone. You should continue to use strong passwords and watch out for phishing attacks. In the end, data breaches are usually caused by an ignorant user who may click on a link in an email by accident, which downloads a small program that run in the background and opens up access. The hacker uses this to gain access to other computers and databases. They are then free to browse the whole network. Today, companies are doing their best to have strict policies between their app, database, and web layers. This should help prevent unauthorized access of large databases containing user information, which companies spend millions on to improve the security every year.

ANova Hackathon @UCBerkley

Recently, my friends and I decided to attend ANova Hacks, which is hosted by a Non-Profit Organization within UC Berkley and sponsored by Facebook Techstart. We thought that we could try and build something that was very practical and useful, while impressing the judges and showcasing our creative uses.

We thought about different feasible ideas that we could code in a mere 12 hours, and we thought about a tutoring app, textbook selling app, and many others. These apps were all very practical and useful, but they did not really have a unique factor that set us apart from the ≈40 other teams that were participating.

We eventually found a real world problem that everyone has to manage, Time! We decided that we wanted to find an easy way for your phone to tell you the time without you turning it on and getting distracted by it. Using a table seemed like a good input device because it did not involve you having to look at your phone. By knocking on the table, we noticed that the phone could pick up vibrations from about 3 feet away. We then decided to use the accelerometer, which operate on a 3 axis system.

Since we live in a 3 dimensional world, the x, y and z axis provided real world data. X was moving the phone side to side on a table, y was up and down a table, and z was through the table. In our code, we added parameters to prevent the x and y axis from getting triggered if we moved the phone. By doing this, we were able to make the app only sense spikes in motion changes, which then cause the app to say the time if the spike was under a certain amount of time.

img00021

We then integrated a service to allow it to run silently in the background, so it could be triggered by a tap on the table even when off. The app worked very well on wood tables that could vibrate, so the phone could detect it. Our next challenge was adding notifications if the user tapped the table. We got close to finishing it, but an issue we ran into was that we could not call for notifications to be read when we chose, but only when they arrived. Another problem was that we could not get the notification service to bind properly with the app making it very hard to integrate.

Screenshot_20161111-210030.png

Overall however, the judges were very impressed with our app and loved the unique functionality and UI, as it could be expanded beyond time and implemented in other projects. We ended up winning first place and taking home Gear VR headsets, which was very nice. This hackathon was very fun and I hope to come back next year with new skills and create something even more helpful for our daily lives.

img_20161111_195120

DNS and Security

The internet is a network of computers, each with their own IP address. In your web browser, you type a website URL, such as facebook.com. The browser does not know which IP address that is connected to, so it refers to DNS, or Domain Name Servers. These servers act like phone/address books for websites that we visit often.

dns-and-ipv6

There are many free DNS servers, from companies such as Level3, Verisign, Google, OpenDNS and often you will get one from your ISP. They all have primary and secondary addresses that you can enter on your devices or directly into your router. By entering it into your router, you can force every device on that network to use that DNS server. This can give you some features such as internet filtering and improved security.

One very well knows DNS server that gives this kind of functionality is OpenDNS. This service can be added to your devices by manually adding 208.67.222.222 and 208.67.220.220. On the other hand, if you want to secure your whole network and add filtering, you should use put it on a router. You have to go into your router settings, which is done by typing in your router’s IP and changing the DNS settings. You can customize the website block list, what internet categories are blocked, which devices these rules apply to, etc. All the traffic will then be recorded by OpenDNS, and you can then view the websites visited, what times, if they were blocked or not, and more. These features allow you to monitor what is happening on your network, and you can check if any abnormalities are found.

threat-2

This could be very useful if you have kids, and only want them restricted to a few websites that you approve. This can also be used at schools to prevent students from getting off task and playing games. DNS services can also offer speed improvements, to make your browsing faster, as they are updated very regularly. Phishing attempts are also identified, protecting you from scams and identity theft. You can learn more about it in my last article. Overall, DNS servers can offer many positive features that your ISP does not give you, and it may benefit you so they are worth looking into and trying out.