…and around it goes

April 21, 2009

SMS can be malicious

Filed under: Privacy — steve @ 10:54 pm

A subscriber brought RexSpy to my attention after reading here that I took the plunge into a smartphone. This, of course, sent me off on a fact-finding journey through Google. There seems to be some trepidation about validating this threat. It may just be a company (SecurStar) trying to drum up business for their product. In fact, little has been heard of it since it was announced, and I cannot even find the supposedly free removal tool offered by SecurStar anymore. However, it did make me wonder about the safety of what I had thought were plain text messages.

It appears that there is a newer version of SMS that allows embedded content, and because of that SMS messages are not all that secure. So even if RexSpy was just a marketing ploy, it is apparently possible for an invisible SMS message to execute things on the phone, change settings, and potentially copy info while the phone shows nothing happening (apparently all newer smartphones are vulnerable). Granted, there are limitations and it's not easy, but it is possible.

This led me to delve into my BlackBerry for some type of solution. It turns out that its firewall (Settings->Security->Firewall) gives you the ability to block SMS, MMS, PIN, and more for: all, all but address book contacts, and all but address book and special addresses (I need to find out what "special addresses" means). Of note, blocked items are lost, so if you accidentally block something you want it is gone; still, I suppose that strict settings here would help mitigate an SMS attack. I set mine to just address book.
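To make the firewall modes above concrete, here is an added model of that allow-list policy, written for this post rather than taken from any BlackBerry code. It assumes phone-number senders are compared after normalization (a North American default country code is an assumption), PIN senders are compared as-is, and "special addresses" is simply a second allow list, since the post does not define it.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
import re


class Mode(Enum):
    """The three block settings the post describes for the BlackBerry firewall."""
    BLOCK_ALL = "all"
    ALLOW_CONTACTS = "all but address book contacts"
    ALLOW_CONTACTS_AND_SPECIAL = "all but address book and special addresses"


@dataclass
class Message:
    kind: str      # "SMS", "MMS" or "PIN"
    sender: str    # phone number as received, or a BlackBerry PIN (hex string)


def normalize(kind: str, addr: str) -> str:
    """Canonicalize a sender so '(555) 010-0001' and '+1 555-010-0001' match.
    Assumption for this example: 10-digit numbers get a North American '1'.
    PINs are hex identifiers, not numbers, so they are only case-folded."""
    if kind == "PIN":
        return addr.strip().upper()
    digits = re.sub(r"\D", "", addr)
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def decide(msg: Message, mode: Mode, contacts: set[str], special: set[str],
           filtered_kinds: frozenset[str] = frozenset({"SMS", "MMS", "PIN"})) -> bool:
    """Return True if the message is delivered, False if it is dropped.
    As the post notes, a dropped message is lost, so a mismatch in how a
    contact's number is stored silently discards wanted messages."""
    if msg.kind not in filtered_kinds:
        return True                      # firewall not applied to this class
    if mode is Mode.BLOCK_ALL:
        return False
    allowed = {normalize(msg.kind, a) for a in contacts}
    if mode is Mode.ALLOW_CONTACTS_AND_SPECIAL:
        allowed |= {normalize(msg.kind, a) for a in special}
    return normalize(msg.kind, msg.sender) in allowed
```

The normalization step is the part worth checking in any such filter: without it, a contact saved as "(555) 010-0001" would not match a message arriving from "+15550100001" and the message would be lost.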

Smartphones, while useful, are still relatively new and as such are probably not going to be trustworthy and secure for a while; I'd use them with that understanding. Do a battery pull in any really secure environment you need to be in (or leave your phone behind), and any remote access done should have a secondary access control that is out of band from the phone, like SecurID, or else use a one-time-password design. Also favor certificates for internal authentication, so that you are never typing reusable passwords on the phone. That way, even if the phone is lost or compromised, it is less likely to lead to a network compromise.

PS: SMS isn't your only threat; don't forget that your phone is a mobile workstation and as such vulnerable to Bluetooth attacks, Wi-Fi attacks (if it has Wi-Fi), application vulnerabilities, and viruses/trojans.

Further information on securing your BlackBerry.

More on the BlackBerry firewall.

Phone web sessions hijacked via SMS.

YouTube video showing SMS hotspot attack.
