UAE companies fear staff smartphones will be hacked while overseas
DUBAI // Companies are increasingly concerned that staff’s smartphones will be hacked when they go abroad on business trips, analysts say.
A security firm in Dubai has been consulted several times about the issue and is working to bring new hardware into the country that could mitigate some of the risk.
The move follows a report by Symantec, which develops anti-virus software, that suggests as many as half of all smartphones in the UAE have been targeted by some sort of malware.
“We’ve been asked the question by oil and gas and large investment companies,” said David Michaux, director of Whispering Bell.
“They send their employees abroad and have concerns that employees are coming back with infected devices that are then connecting again to the corporate network.”
When people travel to a new country, with a new carrier network, they can be susceptible to spyware.
The settings of most smartphones can be adjusted remotely by the carrier network, often without the user knowing.
In some cases, the network can push a phone to download a malware application, which is installed in the bootloader section.
“The two ways you can infect this phone are either state sponsored, where you go through the national operator, or well-funded espionage, or corporate espionage, where you’re looking at infecting systems through fake base stations,” Mr Michaux said.
Mobile phones and other wireless devices connect to the internet through a base station, provided by the national carrier. Most mobile devices will connect to the strongest signal, which is often the nearest base station.
But corporate hackers get around this by tricking phones into connecting to fake stations.
“I park outside your office and I push the power of my base station higher than the local station,” Mr Michaux said. “Your phone automatically roams on to my base station. The data is transiting through my base station.”
Tight regulation from UAE authorities meant this was not an issue here, he said, but it was a problem in certain African and Asian states.
To combat this, Whispering Bell is working with a US-based company, IntegriCell, which has designed a hardware security module that constantly monitors phones for any evidence the settings have been altered remotely.
If changes are detected from the “gold build” – the model of the phone as it is supposed to work on a local carrier network – it will reset the phone.
Aaron Turner, president of IntegriCell, said there was a market for the hardware in the UAE.
“Smartphone integrity is a global problem,” he said. “As long as valuable information is stored on these communications devices, there will be people interested in getting access to that information.”
But the real threat, he said, was from corporate hackers rather than governments.
“It has been our experience that the non-government actors in the smartphone attack space have been much more innovative than any national intelligence service,” he said.
“For example, the data harvesting that takes place on the back-end of free games that people install on the devices is much more prevalent than any sort of targeted smartphone attack perpetrated by some country’s spy agency.”
Data that can be harvested from the phones of senior corporate executives is often highly sensitive, Mr Michaux warned.
“If you have access to oil and gas-flow information, you’re able to start hedging on the next day’s commodity prices,” he said.
“If you have information from companies involved in mergers and acquisitions, you’re able to pass information to competitors.
“There are companies that specialise in this, and it’s big business now.”