I have a couple of things I’m trying to get written up at the moment, but to my excitement, I’ve just yesterday managed to ask David Perez a few questions about mobile security . I wrote about this topic a few weeks ago in connection with David’s information security company Taddong, who I think are extremely cool. Here’s what happened when I asked David about mobile security threats.
[Josh] First, could you tell me briefly what Taddong does as a company?
[David] Taddong is a highly specialized information security research, consulting, and training firm. We carry out in-depth security analyses of complex infrastructures and new technologies, investigate high business impact security incidents, perform internal and external multi-platform penetration tests in mission critical environments, and we accept other requests from customers that have very specific needs. We also do research in areas of special interest to us, our customers, or the community. Finally, we also offer very technical and practical training courses on different topics of information security.
[Josh] I understand that phones are much more vulnerable to hacking when they are using 2G as opposed to 3G (see my previous article). Can you explain (in an easy to understand way) what happens when a phone switches between operating in 3G and 2G? And why is it not possible to use your fake base station on a 3G network?)
[David] Second generation (2G) mobile communications (GSM, GPRS and EDGE) are much weaker than 3G (UMTS, HSPA). 2G communications are encrypted, in an attempt to provide privacy to the users, but the encryption algorithms it uses have already been broken, meaning that is now possible to intercept a call and, almost in real time, decrypt it and listen to it. But there is an even bigger vulnerability in 2G, which is the lack of mutual authentication: the mobile device must prove to the network the identity of the subscriber, but, surprisingly, the mobile device does not require the network to prove its identity. This makes possible to attack the communications of a mobile device by simply setting up a fake base station, pretending to be from a real network carrier: the mobile device will blindly accept its service, and all communications to and from the mobile device will be at the mercy of the attacker.
In 3G, however, better cryptographic algorithms are used to encrypt the communications, and mutual authentication is required: both the mobile device and the network must prove their identity to the other party. Thus, the fake base station attack does not work against devices that only speak 3G and refuse to speak 2G.
Nevertheless, most 3G capable mobile devices are usually configured to use 2G service when 3G service is not available. In this case, all an attacker needs to do in order to perform the base station attack is to switch on a jammer that blocks the 3G frequency bands leaving the 2G bands untouched. All 3G service will be rendered unavailable, and the devices will look for 2G service, and they will connect to the fake base station.
[Josh] Obviously people are using social media more and more these days. Do you think this leads to an increased threat to personal security? In what ways?
[David] People tend to share much personal information via social media, some of which they would never give to a stranger in real life. The problem is that too often this information is not transmitted, stored or distributed in a secure way. For example, if a social network application running [on] a smartphone sends information unencrypted to a server when it is using a 2G (GPRS or EDGE) data connection, that information could be read, and even manipulated, by an attacker performing the simple fake base station attack.
The problem with small mobile devices in general, is that they tend to offer less security options than full-blown computers. For example, we should ask ourselves, does my smartphone come with a firewall and an antivirus ? Most often than not the answer is no, and the fact is that they would really benefit from having one. Or, does my smartphone let me choose whether to use 3G only, rejecting 2G? Again, most devices do not offer that option.
With the explosion in the usage of tablets and so many other mobile devices, we can only hope that they will offer these features, but that will probably not happen unless we, as users, demand those features from the vendors.
 I have to respectfully thanks David for giving up his time to talk to me.
 The opinion I expressed here is that these new tablets will mean tablets become cheaper and cheaper due to increased competition. That makes the market for information and/or identity theft larger and so I think mobile internet security will become more of an issue.
 It should be noted that I make no comment on the security strengths and weaknesses of these individual devices. I’m simply giving examples of the sorts of more affordable tablets which have recently appeared on the market.
 This technology does exist and can be bought separately and installed on devices.