Millions of people share personal information such as bank details, Social Security numbers, and credit card numbers via mobile devices. The recent Black Hat USA 2012 security conference (held in Las Vegas from July 21 to 26) continued to focus on new vulnerabilities, including increased concern over the safe sharing of information through mobile devices, spanning security issues for all forms of mobile communication, including HTML5 risks, web application firewalls, mobile baseband firmware, and new vulnerabilities in near field communication (NFC).
Major Focus on Smartphone Security
Newmediatrendwatch.com estimates that half of all cellphone users will be smartphone users by 2013. Smartphones are essentially mini-computers, making these devices a common source of attack for hackers. Some smartphone venders are already using NFC technology such as contactless mobile payments. However, famed former Apple hacker Charlie Miller has exposed vulnerabilities in this technology, including the ability to access user’s personal information such as photos and contact details. Miller presented his findings at one of the most popular presentations from this year’s convention.
Cloud-Based Security a Rising Concern
This year’s Black Hat conference featured a presentation by cloud-based application security leader Veracode, Inc. The presence of the company echoed the rising concern over cloud-based security. Cloud technology may be a convenient solution for distributing data, but the nature of this technology also creates potential security risks. The company’s co-founders discussed static binary analysis, including how devices analyze code for security flaws, and the connection between permission requirements and application security.
Growing Threat of Mobile Malware
Malware, including unwanted software such as viruses and worms, is now a growing concern for smartphone users. University of Luxembourg researcher Ralf-Philipp Weinmann hosted a presentation discussing how to prevent attacks against baseband processors – the way mobile devices communicate with cellular networks. Last year, Weinmann presented a demonstration showing how it’s possible to use easily-accessible hardware and open source software to make a phone recognize a fake tower. This year, Weinmann discussed how these so-called “rogue towers” aren’t even necessary if you have an Internet-connected device. The demonstration showed that all that is required is a little manipulation of IP-based connections. This means that millions of smartphones could be at risk, especially those operating on the popular Android platform.
Malicious Apps That Start Out Benign
Representatives of Trustwave discussed a technique that allowed them to install a seemingly benign app via Google Player. The app remained in place for several weeks before turning malicious. Nicholas Percoco of Trustware says that the app was then able to obtain contact information, photos, and even deny the user access to certain services. The app, used for testing purposes, is no longer available.
This is just some of the security presentations from this year’s event. Nearly every aspect of mobile security was discussed. Other presentations covered attack techniques like SQL injection and directory traversal, protocol-level evasion techniques, vulnerabilities with HTML5 technology, and security issues with embedded devices. Solutions were also offered at the conference, including a presentation of 150 tests that can determine weaknesses in Web application firewalls. The goal of the annual conference is to raise awareness of security issues with any device connected to the Internet, with the ultimate goal being prevention.