Friday, March 14, 2025

Your Phone Knows You Better Than Your Best Friend (And It’s Betraying You)


While incredibly useful, mobile phones inherently carry privacy and security risks due to their constant connectivity and the vast amount of personal data they hold.

Operating systems (Android and iOS) and apps collect extensive data, including location, browsing history and personal information. At best, this data is used for targeted advertising; at worst, the same information can be used in targeted attacks that might involve SIM swapping, accessing bank accounts and credit cards, and draining a cryptocurrency wallet.

In general, as long as you password protect your device and keep your mobile applications and operating system updated, the majority of risks can be avoided. However, there’s a bit more that can and should be done to increase awareness and reduce certain kinds of risk. 

A quick overview of the threats

Threats include:

Vulnerability to attacks

  • Mobile devices are susceptible to malware, phishing and other cyberattacks in the same way PCs and laptops are.
  • Weak app passwords and unsecured Wi-Fi increase these risks.
  • Operating system and app vulnerabilities are found regularly, and if users do not update their devices, they become very vulnerable.

Location tracking

  • GPS and other location-tracking technologies can reveal sensitive information about your movements.
  • This data can be exploited by malicious actors or used for unwanted surveillance.

App permissions

  • Many apps ask for access to data that is not needed for the app to function. This can lead to unwanted data collection.

Significant mobile phone risks

Here are some of the risks your phone is up against:

Zero-day attack: A zero-day attack exploits unknown, undisclosed software vulnerabilities before a patch is available, leaving systems defenseless until the flaw is discovered and fixed.

Sophisticated spyware (Pegasus): This advanced spyware, which often utilizes the zero-day attack methodology, was built for targeted attacks on high-value individuals. It infects iPhones via phishing links, then monitors cameras, microphones and encrypted apps (e.g., WhatsApp) to steal passwords and messages. Sophisticated hackers use undisclosed iOS and Android flaws to install invisible malware via texts or links, often targeting politicians, celebrities, journalists, activists or executives.

SIM swapping: This is the hijacking of a phone number by transferring it to a new SIM set up by a criminal. The process usually involves duping the mobile phone company or utilizing a nefarious insider, enabling the criminal to intercept calls and texts for account access.

Phishing and social engineering: Attackers use fake links, messages, or apps to trick users into installing malware or revealing credentials.

Insecure Wi-Fi networks: Public networks expose mobile phones to man-in-the-middle attacks, risking data interception.

iMessage/FaceTime vulnerabilities: Maliciously crafted messages or files can exploit auto-loading media in iMessage/FaceTime, enabling zero-click attacks without user interaction.

Microphone and camera access: When you download an app, it might request these permissions. If granted, the app can potentially record unauthorized audio or video.

iPhone’s AirDrop vulnerabilities: While convenient, AirDrop has presented some notable security and privacy vulnerabilities.

Key mitigation strategies

Here’s what you can do about it:

Pegasus spyware is exceptionally sophisticated, making it difficult to eliminate the risk. However, there are several steps individuals and organizations can take to significantly reduce their vulnerability to all mobile risks:

Keep devices updated: It is crucial to regularly install the latest operating system and application updates. These updates often include security patches that address known vulnerabilities.

Practice strong digital hygiene: Every time you get an SMS text message, an email, or an iMessage, be aware of the motivation behind it. In other words, avoid clicking on suspicious links or opening attachments from unknown sources. The easiest attack vector on your phone begins with you clicking links, downloading files or visiting malicious websites. 

Reboot devices regularly: Research indicates that regular reboots can disrupt spyware’s ability to function and often prompt critical system updates. 

Prevent SIM swapping: To prevent SIM swapping, use strong account security, never use the same passcode twice, enable two-factor authentication for your mobile account and email account, and be wary of suspicious requests for personal information. Contact your carrier for extra security measures that may involve implementing knowledge-based authentication questions.

Use alternative browsers: Using browsers other than the default ones, such as Firefox Focus or Brave, can sometimes provide an extra layer of protection.

Use a VPN: A Virtual Private Network (VPN) can encrypt your Wi-Fi internet traffic, making it more difficult for attackers to intercept your data.

Antivirus software: iPhones don’t have the option of downloading or installing antivirus software, but they do have “Lockdown Mode.” For maximum defense against advanced spyware, activate Lockdown Mode. If you believe you’re at high risk, find Lockdown Mode within your privacy and security settings. Android users can download antivirus software from the Google Play store.

Be mindful of app permissions: Carefully review the permissions requested by apps before installing them.

Microphone and camera restrictions: Enhance your privacy by reviewing and restricting app access to your microphone and camera. These settings are under privacy and security settings.

Password management: Your mobile phone must be password protected. Every app should have a different password, and you should never use the same passcode twice. Utilizing password management software is the only way to ensure you’ll have a different passcode across each account. 

AirDrop protections: Depending on your AirDrop settings (“Everyone,” “Contacts Only” or “Receiving Off”), you might receive unwanted file transfer requests from strangers. 

  • While you can decline these requests, the potential for receiving them can be a nuisance, alarming and, in some cases, a potential vector for malicious files.
  • Adjusting your AirDrop settings to “Contacts Only” or disabling it entirely when not in use can significantly reduce your risk. It is also important to never accept files from people that you do not know.

Location/GPS tracking: For better privacy, disable precise location tracking. In Location Services settings, switch app permissions from “Always” to “While Using.”

Important considerations

Spyware is designed to exploit zero-day vulnerabilities, meaning there’s always a risk even with the best precautions. Regularly updating your mobile apps and your operating system is often the best protection available.

I’ll say this again: If you’re not password-protecting your device, you are just begging to be hacked. In every presentation, I ask my audiences, “If your mobile phone was lost or stolen, what would that person who now has your device have access to?” And collectively, the entire audience answers with, “Everything!” Yes, everything! 

By implementing these measures, individuals and organizations can significantly reduce their risk of falling victim to basic vulnerabilities and other sophisticated spyware. By being aware of these risks and taking steps to protect their devices, consumers can significantly enhance their privacy and security. 

Author Robert Siciliano, Head of Training and Security Awareness Expert at Protect Now, No. 1 Best Selling Amazon author, media personality and architect of CSI Protection Certification
