Security triple whammy


Are you a paranoid Android owner? If you’re not paranoid, and are connecting to Bluetooth or wi-fi with your mobile device running Google’s Android operating system, you ought to be.

A triple whammy of security issues affecting mainly mobile devices has recently come to light. Since mobile devices running the Android operating system occupy around 86 percent of the market, Android owners are the most likely to be affected. However, owners of mobile devices running other operating systems such as Apple’s iOS are also vulnerable.

Mobile devices are vulnerable to flaws known as BlueBorne when connected to Bluetooth. Attackers can use the flaws to control devices and their data, intercept data over the air and install malicious software.

Devices running Android 6.0 (Marshmallow) or below are at risk, and owners of such devices are reliant on their hardware manufacturers to release an update that mitigates the risk. Owners of Apple iPhone 4S and older models are also at risk, because those devices are ineligible to update to iOS 10, which fixes the issue. Microsoft fixed the Bluetooth vulnerability in Windows months ago.

To be safe, turn Bluetooth off when it’s not in use on your mobile device.

A newly discovered wi-fi vulnerability, KRACK (Key Reinstallation Attacks), threatens any wi-fi connected device. Some device and router manufacturers have responded with software and firmware updates. Check your device or router manufacturer’s website for more information. If there’s nothing there, try their support email or phone line and ask when an update is coming and how to install it.

Finally, if you thought encrypting your data guarantees it won’t fall into the wrong hands, then think again.

Further concerns were raised when it emerged that encrypted data once considered secure was no longer bulletproof. Encryption keys, used to unlock encrypted data, have public and private parts. We learned that holders of the public part of an encryption key using one particular service could find the private part, making the encryption meaningless.

What it means is that every single system that users access for any of their cloud services is vulnerable.

The takeaway here is that if you use data encryption it’s probably time to change your encryption key, or password, to something more complex.


About Author

David Hallett

David Hallett is a director of Hamilton software specialist Company-X.