The Value of Access > Impersonation - Pg. 358

358 Chapter 11 · Mobile Malware Mitigation Measures

salacious examples of pictures that might have considerable value. In the case of actual loss of the photos, there is likely some value to be considered.

Activity History

One type of information that often gets overlooked is activity history. Most people do not have a notion of how much information their phone collects about them as they use it. Certainly, it has a call log detailing whom they've called and who has called them. It also usually has a log of text messages, e-mails, and more recently, the Web sites visited. On more modern phones, there's even a browser cache that contains bits and pieces of the sites you visited.

Contact history provides some additional value. It tells who you frequently communicate with. While it is somewhat redundant to your address book, it may contain additional data and does provide information about what you have been doing. Knowing what Web sites you access provides clues about where you may have accounts. This can be used as a stepping stone to compromising additional resources.

Application Data

Finally, we have another less-considered type of information on the phones. As phones begin to act as more general software platforms and users have access to more applications, there is the risk that the applications themselves will begin to collect and store data that might be valuable to an attacker. There are now custom applications to do banking, stock trading, and even the purchasing of movie tickets. If these applications store passwords or account numbers, they make a very attractive target to an attacker.

The Value of Access

Our final value consideration is that of the access the mobile phone provides to other things. While this often receives less attention than the value of information discussed previously, it actually carries considerably more risk. Historically, perhaps this risk was somewhat limited to billable services directly related to phone service. A lost phone could be used to make calls until service was disconnected. Or perhaps malware could make calls or send data to a premium number. However, as the phones have matured into more complete platforms, their use as an access device has increased considerably as well. Modern phones begin to approach a laptop in terms of capability for remote access. Let's look at a couple of specific examples of things that can be done with a stolen or compromised phone.

Impersonation

Impersonation is a pretty significant risk. At a very low-tech level, an attacker who gains control of a phone can send messages, e-mail, and make phone calls that appear to come