Did you know that in 10 years, we went from 42% to 95% in smartphone penetration in the US? That is just in the 18+ age group; the number grows when we factor in the number of under-18-year-olds getting smart devices. Unbelievable growth and, more unbelievable, the capabilities and power these devices have (my phone’s camera takes better pictures than my Nikon)! In fact, the smartphone you have in your hand is more powerful than the computers that were used to send us to the moon. Before you send me a flood of emails and phone calls correcting me: you are right, it is not a fair comparison, as it is akin to comparing the first airplanes designed by the Wright Brothers with an F-18 fighter. The point is how fast the capabilities have evolved and continue to grow.
Now, why am I bringing this to your attention? Because as power and speed increase, so do the opportunities for us to use them (and many do) more and more in our daily lives, for work and pleasure. As I’ve said before, I am always looking at the possible “attack vectors” that could jeopardize our cybersecurity – and ultimately, our data. I’m guessing you know where this story is heading, but if not, let me recount a scenario I witnessed live (and then personally spoke with the participants after the demonstration).
At a cybersecurity conference I participated in, I watched as they drove the CEO’s Tesla Model S (CEO of a software security company, not of ISHPI) on the stage, shut it off, locked the car, took the key fob, and threw it to a person in the audience well away from the stage (to remove the possibility of the proximity key being used). From there, the “bad actors” proceeded to not only unlock the car but drive it away! All done with everyday technology tools, easily accessible to anyone with a computer. We watched live as they projected the screen from the laptop they were using, as it was happening, watching every keystroke.
It was quite frightening and pretty sobering to watch, and envisioning it happening to you or me, with the way technology has gone, gave me shivers. I’m inquisitive and wanted to know HOW they did that. The demonstration did not have a Q&A, so I sought out the person leading the hacking and cornered him. The following conversation ensued:
“OK, impressive. No, VERY impressive,” I said. “Now, how in the world did you do that? I know that Tesla is more secure than to allow some random wireless connection to their cars to take control!” He laughed and said, “You’re right, they are very, very secure. In fact, we didn’t hack the Tesla or their app, we used their provided tools to do what we did; we compromised the CEO’s phone.” Ahhhh, now I get it. “So, you stole her digital key, from her Tesla app on her phone?” I surmised. “Yes,” he said. “Once we had the malware installed on the phone, we were able to intercept the key, the car was all but ours.”
So, back to where this month’s CyberBytes started: Mobile Applications, All Fun and Games? I think you now know the answer, and I hope that before you go trying to download and install the next crazy phone game, your first question will be “how do I protect myself and make sure this is a safe app?” [Great question, by the way.]
Here are the basic steps to ensure you are as protected as possible:
- Only use an official app store (Google Play, Apple App Store). Others should be very closely scrutinized.
- Do not follow links to download apps; open the app store yourself and find the app you are looking for. This will prevent you from being redirected to, and downloading an app from (called sideloading), a site that is not one of the main app stores or is designed to “look like” an official app store.
- Read and understand the permissions the app is “requiring” to operate [for example, why does a game need to read image files from device storage or run as a service?]. If it seems sketchy, do some more research as to why it needs it.
- Do not “root” or “jailbreak” your device. If you do not know what that means, good.
- Do not delay in applying device and app updates when they show up on your device.
- Ensure your device is protected with a password and you maintain control of the device.
- Get a mobile malware tool for your device (I use Bitdefender, but there are other good ones; opt for a paid version).
- And lastly, in the world of mobile apps, those that start off altruistic and secure may not remain like that, especially the free ones. They can be either left with no support or updates (say it was a one-person effort and they moved on to something else) or sold to another group (maybe with less of a moral compass, who see it as a toehold inside your device). So keep an eye on your apps, delete ones you don’t use regularly, and always verify what permissions they have on your device!
Newsletter By: Rob Collings, ISHPI’s VP of Cybersecurity | CISO
October 2, 2023