Stuart Clarke, 7Safe: Jude Law, my phone and stolen identities
April 2009 by Stuart Clarke, 7Safe
In February of this year I read a news article which reported the purchase of a Blackberry for £16 from a well-known Internet auction site. Upon receiving the Blackberry, the new owner discovered the contact details of 50 celebrities stored on the handset (Knapton, 2009) [1]. This very publicly highlights the personal security issues associated with mobile phone technology. At the time of writing this paper I visited the same online auction site and found 14,625 used mobile telephones for sale. It is a possibility that the majority of these handsets have not been securely wiped down and as a result we should expect to hear more reports like this in the future. The following article discusses the dangers of your mobile telephone falling into the wrong hands and how the information stored on it can be used to steal your identity. I am also going to show you why a picture is worth a thousand words in mobile phone identity theft.
Millions of people across the globe own a mobile telephone and many have more than one device in their possession at a time, whether it is for work or private use. In the UK alone it was reported that around 84% of households owned a mobile phone in 2008 (Ofcom, 2008, p. 4) [2]. Mobile telephones have turned smart in recent years with touch screen technology, Internet access, Bluetooth connectivity, video, music, email and games. They are now essentially small computers that allow us to communicate and organise our time effectively. Increasing interaction with such technology is encouraging us to become more dependent on it and more trusting of it.
A mobile phone stores a vast amount of information by design, such as contacts, SMS and call records. Modern mobile phones often have very good email and calendar access which can be set up to synchronise with email servers such as Microsoft Exchange. This is a commonly used function in a business environment, allowing employees to keep up to date at all times. The general trend of modern mobiles is Internet accessibility, which is made easier by widely accessible 3G networks and wireless connectivity. The storage capabilities and functionality of a modern mobile handset are in some ways more advanced than those of the average PC a decade ago.
Photographs are very useful in an identity theft exercise. Many modern mobile telephones with GPS (Global Positioning System) capability embed GPS information about the location in which the photograph was taken. To clarify, if you were to take a photograph outside the front door of your house with a GPS-enabled mobile phone, the geographical location of your house is embedded into the picture. This is great information for attackers and may help them to identify the home address of the mobile phone owner or indeed family members. I took a photograph of Liverpool Street Train Station in London and upon examination of the photograph I easily identified the GPS data, which, when entered into Google Maps, identified the location in which the photograph was taken. The results are clear to see, but notice the map is not fully zoomed in and it is possible to get detail which would allow you to clearly identify your home and car parked outside. Recently introduced technology allows mobile phone users to update and share their location with friends using GPS. As this technology evolves and attracts wider use, imagine how many of your family’s and friends’ locations could be exposed should you lose possession of your mobile telephone.
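An added example, not part of the original article: a Python sketch for auditing your own photographs before you share them or pass a handset on. It reads the location from the Exif GPS block of a JPEG and removes the Exif data. The function names are this example's own, the sample image bytes are constructed, and well-formed Exif data is assumed.

```python
import struct

def exif_segments(jpeg):
    """Yield (offset, total_length, tiff_bytes) for each Exif APP1 segment."""
    pos = 2  # skip the SOI marker FF D8
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        size = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length field counts itself
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            yield pos, size + 2, jpeg[pos + 10:pos + 2 + size]
        pos += 2 + size

def read_ifd(tiff, off, e):
    """Return {tag: raw 4-byte value field} for one TIFF IFD (12-byte entries)."""
    count = struct.unpack(e + "H", tiff[off:off + 2])[0]
    return {struct.unpack(e + "H", tiff[p:p + 2])[0]: tiff[p + 8:p + 12]
            for p in range(off + 2, off + 2 + 12 * count, 12)}

def to_degrees(tiff, e, value, ref):
    """Convert three RATIONALs (deg, min, sec; non-zero denominators) to signed degrees."""
    d = struct.unpack_from(e + "6I", tiff, struct.unpack(e + "I", value)[0])
    deg = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
    return -deg if ref[:1] in (b"S", b"W") else deg

def gps_position(jpeg):
    """Return (lat, lon) if the photo carries an Exif GPS IFD (tag 0x8825), else None."""
    for _, _, tiff in exif_segments(jpeg):
        e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
        ifd0 = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if 0x8825 in ifd0:
            gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[0x8825])[0], e)
            if all(t in gps for t in (1, 2, 3, 4)):  # lat ref, lat, lon ref, lon
                return (to_degrees(tiff, e, gps[2], gps[1]),
                        to_degrees(tiff, e, gps[4], gps[3]))
    return None

def strip_exif(jpeg):
    """Return the JPEG without its Exif APP1 segments; image data is untouched."""
    out, last = b"", 0
    for pos, length, _ in exif_segments(jpeg):
        out, last = out + jpeg[last:pos], pos + length
    return out + jpeg[last:]

def sample_jpeg():
    """Constructed sample: SOI + Exif APP1 holding only a GPS IFD + EOI."""
    t = struct.pack("<2sHIHHHIII", b"II", 42, 8, 1, 0x8825, 4, 1, 26, 0)  # header + IFD0
    t += struct.pack("<HHHI4s", 4, 1, 2, 2, b"N") + struct.pack("<HHII", 2, 5, 3, 80)
    t += struct.pack("<HHI4s", 3, 2, 2, b"W") + struct.pack("<HHIII", 4, 5, 3, 104, 0)
    app1 = b"Exif\0\0" + t + struct.pack("<12I", 51, 1, 31, 1, 4, 1, 0, 1, 4, 1, 56, 1)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run gps_position() over each photograph on a handset or memory card to see which ones disclose a location, and share the output of strip_exif() instead of the original file.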
In addition to picture-based attacks there are several applications available which can be installed and run from your mobile phone. One such capability, which concerns me from an identity theft perspective, is the use of social networking on mobile phones. It is possible for a user to enable their account for automatic login, either via a custom social networking application or via a web browser. Therefore, if a phone with such capabilities were to be stolen, potentially endless amounts of information may be exposed and exploited. Examples of other applications with a potentially harmful side effect are those which record our movements and location. It has been identified by Zdziarski (2008, p. 76) [3] that the Google Maps application on the iPhone retains the most recently viewed locations, making it possible to plot an individual’s latest movements, should this technology have been enabled.
More direct attacks against mobile phones over the years have attempted to exploit Bluetooth, as quite serious flaws have been discovered which may consequently lead to the theft of personal information. This concept has adopted the name ‘Bluesnarfing’ and on certain mobile phones it will give access to contact lists, text messages, emails and a calendar via a Bluetooth connection. Protection is continually being improved against ‘Bluesnarfing’ and as a result we are seeing more attacks evolve into using malicious software. Various forms of malware have been developed that attempt to steal data including SMS and contact information. The Pbstealer (F-Secure, 2005) [4] Trojan (7Safe, 2005 & 2007) [5] does require some user interaction, but once installed on specific types of mobile phones it will send out your contact list to the nearest Bluetooth device whilst posing as a friendly utility. This is one of many malicious Bluetooth applications which may prove very dangerous in a busy environment like the London Underground. There are likely to be countless people on the tube with Bluetooth activated, which creates a perfect opportunity for an attacker to sit on the Underground and perform as many malicious attacks and thefts as they desire. Although such Bluetooth attacks are currently relatively rare, we should be aware of the vulnerabilities and only have Bluetooth activated when we need it.
Having established the wide range of information a mobile phone can hold, which many of you may not have been aware of, we need to understand what a criminal could do with typical mobile phone data (SMS and contacts) and how this could be used to steal your identity.
First of all, an attacker can try to track down contact entries with telling names such as ‘Home’ or ‘Me’, which can then be used to start some further information gathering. For example, I searched for my home number using Google and even though my number is ex-directory I was able to identify my home location (town). I have conducted the same test with family members, which on occasions revealed their full address as they were registered with various organisations who kindly posted their details on the Internet. Also, I suggest a bold attacker could call the number listed as ‘Home’ and try to socially engineer the person into giving out their full name and even their address and various other pieces of information. From contacts we may also be able to establish who an individual works for and the organisations of which they are customers, for example utility companies and banks. Having such entries in a phone book is not uncommon as it is convenient and enables people to contact organisations at all times should they need to. Cross-referencing contact entries with call records may also indicate which organisations the phone owner has most contact with. In addition, I know of people who store personal banking information as a contact under an alias name like ‘Lesley’ for Lloyds. An informed criminal may be able to apply credit and debit card formulas to this information and identify further banking information. If you think you have been cunning in the hiding of your financial information, think again.
Text messages are often useful in gleaning a wealth of information about a person and can greatly assist in understanding the owner of a mobile phone. By reading text messages we can understand what an individual’s interests are; for example, are they into sport, or do they regularly socialise? Although this information may not always be relevant, it does help build a picture of the person who owns the phone and this may lead to further clues in information gathering. If an attacker is lucky enough they may be able to establish a person’s full birth date by reading through their text messages. I think most of us get at least one text message on our birthday saying “Happy Birthday”. On one occasion I examined the mobile phone of someone who appeared to have just moved home and was clearly still unsure of their new contact details. The handset contained a draft (saved) text message saying “New address”, which was promptly followed by a full address and a telephone number; there were even gas and electric meter readings recorded in the message.
As previously stated, mobile telephones are now very capable of storing emails, be it for work or personal purposes. Email has a range of uses and has become a primary means of communication, and for some has replaced the traditional ‘snail mail’ altogether. Take a moment to think about the information you have in your email account, either about yourself or the people close to you, and consider the consequences of this information falling into the wrong hands. The information stored in an email box is limitless and is priceless for identity theft. As we continue to rely on email access on our mobile phones we are increasingly vulnerable to attack.
The various other features of mobile handsets, including calendars and notes are often packed with information and assist greatly with information gathering. A well organised person may store all meetings and significant events in their calendar, for example “meeting with ABC bank”. Again a bold attacker may call the bank and confirm the meeting and try to establish the victim’s name. Notes in a mobile phone are in my experience one of the most common areas to store passwords and PIN codes. Although this information may not directly assist in identity theft it is one step towards card fraud or the unauthorised access of password protected information.
I also think we should seriously consider the information we store on and write into our mobile telephones. We are urged to not write our passwords and PIN numbers down yet telephone banking services and mobile top up systems urge us to enter banking details into our handsets to reveal account information. Perhaps the forensic implications of this are an avenue to explore further in the future.
The purpose of this article is not to put you off mobile phones. It is to make you think about what they are and what they mean to you. My advice is that you treat a mobile telephone like anything else you value, just like your house or your car. Lock it up, keep it secure and, if you happen to sell your phone or, in a corporate environment, it is decommissioned, make absolutely sure that the critical resident data is securely erased.
About the author:
Stuart Clarke is a Forensic Consultant at 7Safe Limited. Stuart has been involved in a large number of computer forensic and mobile phone investigations as well as working on large e-Discovery programmes. Stuart has conducted extensive research into various technical aspects of computer and network forensic investigations and specialises in the following areas:
• Computer Forensics
• Mobile Phone Investigations
• E-Discovery Programmes
• Information Security
[1] Knapton, S. 2009. Jude Law and Natalie Portman’s numbers found on eBay Blackberry. Found at: http://www.telegraph.co.uk/news/newstopics/celebritynews/4610236/Jude-Law-and-NataliePortmans-numbers-found-on-eBay-Blackberry.html (Date Accessed: 16th February 2009)
[2] Ofcom. 2008. National and Regions Communications Market Report 2008. Ofcom.
[3] Zdziarski, J. 2008. iPhone Forensics. O’Reilly Media, Inc.
[4] F-Secure. 2005. Pbstealer. Found at: http://www.f-secure.com/v-descs/pbstealer_a.shtm (Date Accessed: 12th February 2009)
[5] 7Safe. 2005 & 2007. Trojan Defence. Found at: http://www.7safe.com/resources.html (Date Accessed: 18th February 2009)