Defending Cell Phones and PDAs Against Attack

From: US-CERT Security Tips [security-tips@us-cert.gov]
Sent: Wednesday, January 28, 2009 7:42 AM
To: security-tips@us-cert.gov
Subject: US-CERT Cyber Security Tip ST06-007 -- Defending Cell Phones
and PDAs Against Attack


                        Cyber Security Tip ST06-007
               Defending Cell Phones and PDAs Against Attack

   As cell phones and PDAs become more technologically advanced, attackers are
   finding new ways to target victims. By using text messaging or email, an
   attacker could lure you to a malicious site or convince you to install
   malicious code on your portable device.

What unique risks do cell phones and PDAs present?

   Most current cell phones have the ability to send and receive text messages.
   Some cell phones and PDAs also offer the ability to connect to the internet.
   Although these are features that you might find useful and convenient,
   attackers may try to take advantage of them. As a result, an attacker may be
   able to accomplish the following:
     * abuse your service - Most cell phone plans limit the number of text
       messages you can send and receive. If an attacker spams you with text
       messages, you may be charged additional fees. An attacker may also be
       able to infect your phone or PDA with malicious code that will allow
       them to use your service. Because the contract is in your name, you will
       be responsible for the charges.
     * lure you to a malicious web site - While PDAs and cell phones that give
       you access to email are targets for standard phishing attacks, attackers
       are now sending text messages to cell phones. These messages, supposedly
       from a legitimate company, may try to convince you to visit a malicious
       site by claiming that there is a problem with your account or stating
       that you have been subscribed to a service. Once you visit the site, you
       may be lured into providing personal information or downloading a
       malicious file (see Avoiding Social Engineering and Phishing Attacks for
       more information).
     * use your cell phone or PDA in an attack - Attackers who can gain control
       of your service may use your cell phone or PDA to attack others. Not
       only does this hide the real attacker's identity, it allows the attacker
       to increase the number of targets (see Understanding Denial-of-Service
       Attacks for more information).
     * gain access to account information - In some areas, cell phones are
       becoming capable of performing certain transactions (from paying for
       parking or groceries to conducting larger financial transactions). An
       attacker who can gain access to a phone that is used for these types of
       transactions may be able to discover your account information and use or
       sell it.

What can you do to protect yourself?

     * Follow general guidelines for protecting portable devices - Take
       precautions to secure your cell phone and PDA the same way you should
       secure your computer (see Cybersecurity for Electronic Devices and
       Protecting Portable Devices: Data Security for more information).
     * Be careful about posting your cell phone number and email address -
       Attackers often use software that browses web sites for email addresses.
       These addresses then become targets for attacks and spam (see Reducing
       Spam for more information). Cell phone numbers can be collected
       automatically, too. By limiting the number of people who have access to
       your information, you limit your risk of becoming a victim.
     * Do not follow links sent in email or text messages - Be suspicious of
       URLs sent in unsolicited email or text messages. While the links may
       appear to be legitimate, they may actually direct you to a malicious web
       site.
     * Be wary of downloadable software - There are many sites that offer games
       and other software you can download onto your cell phone or PDA. This
       software could include malicious code. Avoid downloading files from
       sites that you do not trust. If you are getting the files from a
       supposedly secure site, look for a web site certificate (see
       Understanding Web Site Certificates for more information). If you do
       download a file from a web site, consider saving it to your computer and
       manually scanning it for viruses before opening it.
     * Evaluate your security settings - Make sure that you take advantage of
       the security features offered on your device. Attackers may take
       advantage of Bluetooth connections to access or download information on
       your device. Disable Bluetooth when you are not using it to avoid
       unauthorized access (see Understanding Bluetooth Technology for more
       information).
     _________________________________________________________________

     Author: Mindi McDowell
     _________________________________________________________________

     Produced 2006 by US-CERT, a government organization.

     Note: This tip was previously published and is being re-distributed
     to increase awareness.
 
     Terms of use
 
     <http://www.us-cert.gov/legal.html>
 
     This document can also be found at
 
     <http://www.us-cert.gov/cas/tips/ST06-007.html>

     For instructions on subscribing to or unsubscribing from this
     mailing list, visit <http://www.us-cert.gov/cas/signup.html>.