Cell Phone Passwords: A Weak Security Link

Corporate IT staffs are being put in a bind: They are providing users with cell phones that cost at most a few hundred dollars, yet employees rely on the devices to access corporate data that can be worth millions. Strong security checks are crucial to make sure that enterprise information is protected whenever users access it, but the reality is that many cellular networks offer only rudimentary security features.

“Carriers designed cellular networks to protect voice messages,” noted Pete Lindstrom, research director at Spire Security, LLC, a Malvern, Pa. consulting company. “Since users are now using these devices to work with business data, stronger security measures, especially with cell phone voice mail systems, are needed, but carriers have been a few steps behind in providing them.”

A few high profile break-ins help to illustrate the problem. In the fall of 2003, Nicolas Jacobsen, a 22-year-old hacker, used cellular network security loopholes to access about 400 T-Mobile USA customers’ accounts. Earlier this year, Paris Hilton had her account compromised and a similar problem arose with a U.S. Secret Service agent.

Noteworthy Target

Analysts said such problems should have been expected. Because cell phones were first designed to support consumers’ voice transmissions, no one — not software developers, carriers, corporate network executives and certainly not end users — appeared to take their security requirements seriously, at least not initially. As a result, they became attractive targets for hackers.

“Hackers look for big payoffs; they concentrate on gaining access to devices that have low levels of security but potentially store important information,” said Bob Egan, president of consulting firm Mobile Competency Inc.

As cell phones evolved from voice communication systems into devices that work with e-mail information, employee calendaring data, photos, and even video clips, they have become attractive targets. As handheld memory capacities have risen and the devices have become more powerful, the potential losses have become substantial.

Companies now have to be concerned that cell phone use will lead to theft and corruption of corporate data; unauthorized network access; the disruption of transactions to and from handheld systems; and malicious code passed to an enterprise network from the handheld.

One problem is the password systems used to protect call phone data are fairly easy to compromise. One reason is the user has so much responsibility for securing the password system. “Security systems are only as strong as their weakest link, and with password systems, that can be the user,” Spire Security’s Lindstrom told TechNewsWorld.

Time to Change Your Password

Initially, users are assigned default passwords, which they are supposed to change once they access the network. In many cases, they fail to take that step and leave themselves open to intruders. Another problem is users pick easy-to-remember passwords, such as their first name or simple numeric sequences, like 123456. “If a password is simple for the user to remember, it is also simple for the hacker to crack,” Mobile Competency’s Egan told TechNewsWorld.

Carriers have been trying to make consumers aware of such problems and forcing them to work with more complex passwords. In order to help remember them, users often then write the passwords down or store them on their handhelds, which makes they are susceptible to outside interference.

Another issue is users tend to be cavalier with their security checks. “Mobile voicemail is a prime target for hacking because many people give their cell numbers, and even their passwords, to close friends, relatives, and colleagues,” said Ira Brodsky, president of market research firm DataComm Research Co.

Ease-of-Use Versus Sufficient Security

In addition, carriers have stumbled as they tried to balance making their services convenient and easy-to-use while maintaining strong security checks. A hacker was able to break into Paris Hilton’s mail box by duping a carrier’s Caller ID system. If a call comes from a user’s phone number, the customer can change his or her password security options.

A hacker found Hilton’s phone number, mimicked it, changed the settings, accessed her personal information, and then shipped it to a variety of Web sites. As a result, phone numbers and e-mail addresses for rapper Eminem, actor Van Diesel, actress Lindsay Lohan, singers Christina Aguilera and Ashlee Simpson, and tennis players Andy Roddick and Anna Kournikova become available to anyone with an Internet connection.

Another option for hackers is to first mimic a valid phone number and then grab a unique token given to a user so they can reset their passwords. Also, flaws in the design of the reset feature allows hackers who know the URL of a carrier’s password reset page to bypass the user authentication page and change an account’s password without having to provide information that proves they are the account owner.

A similar technique focuses on the databases where carriers store user password data. In an SQL injection attack, hackers rely on SQL database queries to inject unexpected commands into a password database, which allows them to manipulate the database’s contents.

Hardening the Perimeter

As the various problems have become clearer, cell carriers have tried to harden their password security. Some support digital signatures, which are a stronger way to authenticate users than Caller ID. Also carriers have improved phone security functions: many now feature protected memory, which can prevent malicious applications from accessing data or parts of the phone’s operating system.

Yet in the short term, the problem is expected to get worse. “Because of the recent high profile cases, carriers are aware of the limitations with password security,” noted Mobile Competency’s Egan. “Many are trying to improve system security, but it will take time to make it as strong as it should be.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels