Your smartphone is probably not so smart - telling tales out of school, whispering your secrets and being a big blabbermouth.

Years ago, I wrote about the security of the first batch of Windows Mobile phones because I noticed that unlike the desktop operating system, the portable variant never seemed to receive any updates.

Microsoft’s response at the time was that it worked with device vendors who worked with carriers, and updates were released through the latter. It really didn’t happen very often, yet the devices were small, hand-held computers connected to high-speed 3G networks that cost a small fortune at the time to use. If someone had hijacked the Internet connection to send out spam for instance, it could’ve cost thousands of dollars in network charges.

What’s more, the devices also contained the usual slew of personal information that you didn’t want to end up in the wrong hands.

I recall it was possible to set PINs and encrypt the storage areas to protect against physical access in case you lost the phone. However, the internet entrance was left pretty much wide open for the bad guys with little or no thought given to security.

Fast forward to the iPhone Era, and we now use mobiles even more. We buy stuff with them, do our banking on them, use them for business applications and share our social lives with the world.

Smartphones can now do so much, so quickly and so conveniently. So many people have one, but that capability and convenience can make smartphones hazardous to your finances, reputation and freedom.

In fact, the smart bits such as banking apps are just one worry. Because mobile phones do double duty as authentication devices - that is, keys - getting access to non-smart features such as voice and SMS is worthwhile for criminals too.

In Australia, criminals have ported postpaid mobile phone accounts to new, prepaid SIMs. This lets them bypass standard two-factor authentication used for online banking (a combination of texts and/or calls). When that bypass is used in conjunction with a malware-infested browser or computer that logs keystrokes, your money could be gone in an instant.

On top of robbery, smartphones can be tremendously useful as surveillance tools. Not for you, the mobile phone owner, but for anyone who can track you either via the GPS, or through cellsite triangulation. This can allow access to your contacts, emails, voice messages and texts. It’s a subtle panopticon that provides for easy, automated intelligence gathering for any purpose, political or otherwise. If you’re going to an Occupy Movement demo or if you’re a celebrity sneaking off for a secret tryst, don’t bring your phone. It may rat on you.

In light of the various privacy holes already present on phones, it was curious to see the furore around the Carrier IQ ”rootkit„ that’s installed on some 130 million devices around the world. CIQ’s software invisibly monitors the ”mobile user experience„, logging a large number of parameters that show exactly what happens when people use their devices.

Now, CIQ promises that while they can see if an SMS was sent successfully and from where, they don’t peek into the contents of the message. Also, they anonymise the data and say it’s transmitted and stored securely. As of writing, everything points to CIQ not having nefarious or malicious intentions. The software appears to be what CIQ says it is: a telemetry gathering set up to monitor service quality for operators. The company says it has given a fair bit of thought to security and privacy around how the information gathered by the ”rootkit„ is used.

Which is not to say the CIQ ”rootkit„ couldn’t be abused, and this makes it all the more stunning that cellular operators thought it would be a good idea to install it without informing customers.
If you add it all together, an alarming picture appears. Over the years, we’ve seen voice mail systems being implemented with no security, causing messages to be intercepted with ease; insecure devices being sold; app markets with malware; faulty procedures that let allow others to ”slam„ or hijack your account; and now, a probably well-intentioned but ill-advised rootkit that logs everything you do.

As an end-user, there isn’t an awful lot you can do beyond sleeping with one eye open and trusting device vendors and operators to do the right thing when it comes to security and privacy.

The problem is, there aren’t enough incentives for device vendors and operators to do more to stem security and privacy breaches. For instance, US carriers don’t use International Mobile Equipment Identity (IMEI) numbers like our telcos do. These make it easy to remotely disable phones, even when a new SIM with a different number is installed, as the IMEI is unique to each device.

US carriers don’t use IMEIs because it’d cost more to implement and a stolen phone means a new customer on another network.

What needs to happen is for security and privacy breaches were to hurt device vendors and operators as well end-users, with mandatory disclosure requirements.

If that happens, we can start trusting that wonderfully convenient and powerful thing in our pockets again.

Juha Saarinen