Security

The small size, relatively low cost and constant mobility of mobile phones make them invaluable for advocacy work but also make them more likely to be stolen, temporarily misplaced, lost or confiscated.

The use of mobile devices creates new security risks which NGOs and advocates must recognise in order to protect themselves, their organisations and the people they work with. This section of the toolkit will show you how to minimise these risks.

Mobile phones carry a vast amount of data; not just your contacts but also logs of calls made and received and SMS messages sent and received - see below for more information on the records carried on your phone. By virtue of carrying a list of all your contacts your mobile phone shows exactly who you are working with. If you are working on a sensitive area this can make both you and everyone else in your network vulnerable.

As an organisation providing services you should also be aware of your responsibilities to users of these services. If you are storing people's contact information you should find out what obligations you have under your country's data protection laws to store these details safely and to delete information when requested. You should also be aware that your mobile phone service provider or your bulk SMS service provider may turn over data to the authorities if requested. Activists in New York running a text alert service on a demonstration were recently the subject of legal action to force them to hand over records revealing the content of messages exchanged and identifying people who sent and received messages. You should also be aware that service providers may refuse to transmit messages in support of controversial campaigns - such as the case of the operator Verizon who refused to carry pro-choice messages on behalf of a group in America.

Top tips

Once the connection with your computer is established you can backup the data either using software provided with your phone or a free/Open source backup application downloaded from the internet. You can also use a sim card reader which copies the information from your sim card to a separate device.

Records on the phone

There are a number of records that are kept on a mobile phone by default:

Your call records and SMS messages are also accessible by your mobile service provider.

'Remote wiping' software is available which will allow you to remove all the data from your phone if it is lost - this is currently only available in the corporate environment but may spread to the not-for-profit sector.

Call Logs: Depending on the model of phone, it is possible to turn off the automatic logging of calls. Don’t forget that Caller ID means that when you call someone from a mobile phone, the person you are calling can see your phone number, and that this information is stored on their phone even if the call is not answered.

SMS: text messages sent and received are stored in the phone by default. Deleting messages manually is a simple security measure, but if the authorities are taking investigations very seriously these records may be obtained from the mobile operator.

Photos: Using your camera phone at an event? It is a good idea to upload photos straight to a remote server from the phone and then delete them. Be aware that photos taken on mobile phones contain data recording the time and location in which the photo was taken. This data can be removed.

Contacts and other stored data: All contact information stored on a mobile phone is available should the phone be confiscated, lost, temporarily mislaid or stolen. Consider what data you need to store on your phone, especially when you work in dangerous or oppressive situations.

Monitoring and surveillance

Location-Based monitoring

A phone that is switched on can be located. The knowledge that you (or at least your phone) were in a particular place can be either positive or negative depending on the circumstances.

Mobile phones can be used to locate you and your companions in a particular place because your mobile is a tracking device when it is switched on. This information is kept by the provider and can be accessed in real time or after the fact. If your work is unpopular with the authorities this can make you very vulnerable - but one benefit of this is that your phone may provide an alibi to show that you were not elsewhere. Commercial services are now available that will allow you to track a mobile phone for a small fee from a website.

For a mobile phone to be able to communicate with the network, the server keeps track of which transmission mast your phone is connected to. A phone cell is made up of several masts and the information they transmit is used by operators to determine the approximate location of the actual phone. In large cities this can locate your phone within a couple of streets. This is occurring all the time your phone is turned on whether it is used to make calls or not.

Monitoring of communications

To understand the sensitivity of mobile phone communication its worth bearing in mind that it is much harder to use a mobile phone anonymously than it is to surf the internet anonymously.

To undertake surveillance of phone conversations and SMS text messages, governments have to work with the mobile operators and service providers.

However monitoring and surveillance of mobile phone use is relatively easy through;

In some countries it is relatively easy for to get access to call and SMS records through;

Surveillance agreements might be in operation between your government and the telecoms operators in your country, so if you are working in a sensitive area be sure you understand as much as possible about surveillance agreements in that area. Governments have been known to work with mobile operators to do searches of call and SMS records for key terms.

In some countries the mobile phone network has been shut down by the authorities during election periods. For example, in response to the effective use of text messages to communicate with and mobilise supporters by the NGO Kinijit after the contested election in Ethiopia in May 2005, the government shut down SMS services. The services were only restored in 2007.

Mobile phone conversations are not encrypted and it is currently expensive to encrypt calls - however these tools are expected to become cheaper over the next few years. Conversations between Skype and mobile phones are also not encrypted.

Phone as Radio Microphone

Software can be installed remotely without your knowledge and then the phone used as a microphone/bugging device. A commercial version that can listen to conversations in the region of the phone is also available for purchase although it does not include remote installation. Anyone who had access to your phone could install such software.

Without installing any software a phone can also be set to work as a microphone by setting automatic call pickup and disabling a ring tone - by this means someone can call a remote phone and listen in to whatever is going on in its vicinity.

Pre-Paid or contract

If the account you have with a phone company is a monthly account, a record of all calls made and received with the operator is kept and can be accessed long afterwards. Records held include billing, which services were used, where you were when making or receiving calls, numbers called and the numbers from which you received calls.

It is possible in some countries to obtain a pre-paid SIM card without providing any personal information but this is becoming increasingly difficult. For added security, it may be advisable to pay with cash and choose an outlet not covered by CCTV.

Using a credit card to pay for your mobile phone will also create a data trail to you, which you may want to avoid.

SMS security

SMS communications are inappropriate for confidential transactions because they can be accessed by anybody who gets hold of the phone. If you are worried about security you may want to consider using software such as CryptoSMS or SMS007 which are commercial SMS encryption tools which can be installed on your phone. Unfortunately CryptoSMS seems only to work on new 3G phones and is challenging to use so you should not install it unless you have very serious security concerns.

Connections between phone & computer

There are particular security risks associated with connecting your phone to your computer in order to transfer information.

Infrared security

Infrared provides a secure and simple way to transfer and synchronise data between your phone and your computer. In order for infrared communication to work properly, infrared devices must operate on a line-of-sight basis. They must be placed at a 30-degree angle from each other and no farther than 1 metre (approximately 40 inches) apart. Because infrared operates over such a short distance and at a narrow angle, it is relatively difficult for an attacker to intercept data that is sent over infrared.

However, infrared does not provide data encryption, so take the following precautions to ensure that data sent over infrared is not intercepted:

Bluetooth security

Bluetooth provides a way to connect and exchange information between devices such as mobile phones, PCs, printers, digital cameras and video game consoles.

Bluetooth lets these devices communicate with each other whenever they are in range. The devices use a radio communications system, so they do not have to be in line of sight of each other and can even be in separate rooms, as long as the transmission is powerful enough.

A common task that involves Bluetooth security for most users is the "pairing" of devices. By default, Bluetooth communication does not require the two devices to exchange security information or 'authenticate' and thus almost any device can freely connect to another. However, to access a particular service such as a dial-up account, a voice gateway, or to do a file transfer, some sort of authentication is usually required.

The process of authentication is usually done during the pairing process by entering identical PIN codes (passkeys) on both devices. Once users have entered their correct PIN codes, both devices will generate a link key, which can be stored in the device's memory and will allow it to skip the authentication and authorisation process when it attempts to communicate with the other paired device in the future.

Unfortunately for Bluetooth users, the process of authentication and authorisation to access services is not always correctly implemented by manufacturers. Such weaknesses have already affected several Sony Ericsson and Nokia mobile phones, allowing malicious hackers to steal phone books, photos and calendar information, or to make phone calls or send SMS using other people's mobile phones. This is because authorisation is not required for two important services on these phones.

'Smartphone' security

Smartphones are mobile phones with more capabilities than a typical mobile phone, often functioning like a PC.

Smartphone users can download a number of productivity programs, connectivity programmes, games, and utilities including freeware and shareware programmes from untrusted sources. The programmes can be easily installed without network administrators being notified. These programmes may contain Trojan horses or other malware that can affect the user's hand-held device.

There are few security tools available for many of these devices. In some cases users are unable to track security attacks on these phones.

There are several new operating systems and applications running on these devices that have not been thoroughly tested by the market to expose any potential vulnerabilities.

Hand-held devices have a number of communication ports from which they can send and receive data, but they have limited capabilities for authenticating the devices with which they exchange data.

Windows Mobile and Win32 (PC based) software is developed in similar ways, so it's easy for authors of Win32 malware to convert their malware for use against mobile devices.

Malware is malicious software, developed for the purpose of harming computers; examples include computer viruses, worms, trojans, and spyware.

How to Prevent Mobile Malware Attacks

The best way to protect your mobile device is to keep malware off your phone in the first place. Use the same precautions for your smart phone as you would for your Windows laptop or desktop computer.

Look at the Tactical Tech Security NGO in a box site for more information on this issue and some suggested tools for your laptop or desktop computer.

Install mobile anti-virus software

The majority of large security software vendors now have a mobile version of their anti-virus solutions. If you have a smart phone you should give it the same protection you give your desktop system.

Additional security resources

Additional material on Bluetooth vulnerabilities

http://www.thebunker.net/resources/bluetooth

Information about EXIF data

Some information on the hidden data files which are embedded in camera phone pictures
http://www.exif.org/

Mobile Phone Spying

Phones used as spying devices - http://www.mysecured.com/?p=127

Mobile forensics information

SIM Card Forensic Analysis is worth thinking about in terms of how much data is hidden on your phone; from
http://www.mobile-phone-analysis.com/. This can give us:

Mobile Phone Handset Forensic Analysis
This can give us:

Undelete SMS

Software that is available online for retrieving text messages from a SIM card.
http://vidstrom.net/stools/undeletesms/

Cellphone investigation toolkit

http://www.search.org/files/pdf/CellphoneInvestToolkit-0807.pdf
Creating a Cell Phone Investigation Toolkit: Basic Hardware and Software Specificationspdf (358kb)

With thanks to Mike Grenville from 160characters.org for permission to reuse excerpts from his 'Security Guide for Mobile Activists'.