The Indian Air Force (IAF) issued a notification in August asking all its personnel and their families not to use any products by Xiaomi, the world’s third-largest smartphone manufacturer after Apple and Samsung, including its smartphones and tablets, amid fears over the security of data. The IAF maintained the alert through October, taking into consideration the report by its intelligence unit and a security firm, F-Secure, which noted that the Xiaomi Redmi 1S was forwarding the carrier name, phone number and IMEI (the device identifier), plus numbers from the address book and text messages, back to servers in Beijing [i].
The IAF alert is in line with other, similar security threats detected in Xiaomi phones. Reports in June 2014 claimed that a woman in Nanjing, China, had her bank account details, including the last ten transactions, displayed on a Xiaomi smartphone that was kept in close proximity to the bank card [ii].
India is expected to add more than 200 million new smartphone users in 2014, second only to China. The country already boasts 156 million smartphone users out of a population of 1.2 billion, a figure that could rise to more than 350 million by the end of 2014 [iii]. This is a sizeable number when compared to the number of internet users in India, which stands at 200 million. Considering that cyber security is yet to find its feet in the country, raising concerns over the security threat posed by phones is of paramount importance.
The European Union Agency for Network and Information Security (ENISA) published a report in December 2010 highlighting the information security risks of using smartphones and categorised the risks into three levels depending on the degree of relative sensitivity [iv].
- High: These include data leakage, unintentional disclosure of data and attacks on decommissioned phones.
- Medium: These include phishing, spyware, network spoofing, surveillance and financial malware attacks.
- Low: This relates to network congestion.
Any smartphone uses either cellular network data or Wireless LAN (WLAN) / Wi-Fi to connect to the internet. Both of these media are fraught with security risks.
As per data released by the Cellular Operators Association of India (COAI), India has over 720 million subscribers on the GSM network, which is more than 60% of the population. However, the GSM (Global System for Mobile) network was already shown to be compromised in 2009 by the German computer engineer Karsten Nohl, who broke the encryption algorithm developed in 1988 and used by GSM networks around the world [v]. Nohl reproduced the GSM algorithm, technically called the A5/1 privacy algorithm, which uses a 64-bit binary code (consisting of 0s and 1s). The encryption algorithm has since evolved into more complex and sophisticated 128-bit binary codes, namely the A5/1 algorithm, but few network operators have made the upgrade due to the financial and infrastructural commitments that have to be made.
A similar security breach was detected by an Indian company called Matrix Shell in 2012, when it found a way to hack into the GSM networks of Indian cellular companies, including Vodafone, Airtel and Reliance Communications. The company also highlighted that most service providers in India still use the A5/0 encryption algorithm, which provides practically no safety despite the GSM Association and allows for interception of calls and messages from a number.
Apart from GSM, GPRS (General Packet Radio Service) is another crucial data protocol on a phone. While GSM is used for calls and messages, GPRS has more varied applications, including browsing the internet and sending texts and emails. Karsten Nohl demonstrated at another event in 2011 that GPRS can similarly be hacked by attackers to sniff the data being transmitted. It was also found that many countries do not encrypt GPRS communications, to allow for monitoring and surveillance [vi].
Wi-Fi has not been free of security risks either, with concerns being raised over its security protocols and certification programmes, namely WEP, WPA and WPA2. Wired Equivalent Privacy (WEP) was the first security algorithm designed for wireless networks, in 1998, but was soon found to be susceptible to basic hacking tools and was superseded by Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access-II (WPA2) in 2004. WPA was intended as a stopgap replacement for WEP and, after vulnerabilities were revealed, it was replaced by WPA2. However, a feature of wireless networks called Wi-Fi Protected Setup (WPS) allows a brute force attack to bypass the network security in a couple of hours and tamper with the connected devices. A simple Google search on how to hack a Wi-Fi network lists more than a million results which teach a novice with an Android phone to crack Wi-Fi security.
India has yet to come to terms with cyber security, with the country still lacking the essential infrastructure, policy and manpower to tackle the newest domain of warfare. Technology evolves every couple of years, but the ability to fight the evils of technology has not evolved in parallel. Computers, the internet and phones are the new weapons of warfare, and the sooner we recognise the threats they pose, the better prepared we can be for the future.
The author is Research Assistant at CLAWS. Views expressed are personal.