ellwood Evidence Inc


The Invader in Your Pocket: The Android Phone and Stealth File Copying

Lucky me. I just got the latest and greatest whizbang Android phone, the Samsung Galaxy S4.  It comes with a slot for a memory card, so I bought a $60 64GB little chip, and slid it in.  Cool.

I wanted to load it up with music and stuff. Normal. Using a USB connection to my MacBook was a pain. So I spent another $1.38, and bought a little application that allows wireless file transfers to my phone, from any computer with a web browser. How convenient.

Convenient, yes. But also SCARY. I’ll tell you why.

I walk over to a friend’s office.  “Hey,” I ask, “can I access the wifi network here?” Affirmative. He has a secure password, so he had to enter it himself.  Thanks. My phone was on his wifi network.

I then opened the web browser on his computer. It was also on the office network. Via this little $1.38 app I connect to my phone. Then I transferred a whole directory of stuff over the wifi network from the servers attached to my friend’s office computer to my phone, without ever taking the phone out of my pocket.  No connecting wires. No cables. No nothing.

I pulled out the phone to show my friend that I had just copied all this stuff from his ‘secure’ network. Ugh.

Worse still, if I had opened a private browsing window in his web browser, there wouldn’t even have been any history of the copying event.  No fingerprints.

There are lots of issues here. Lots. These are just the low-hanging fruit:

1. At your office (perhaps your home, too) consider offering guests a wireless network that is separate from your internal one.  This way, there is no path from guest users into your files.

2. If staff bring their own devices to work (is there anyone who doesn’t?), allow these devices to ONLY access the Guest network.  Otherwise, expect your corporate crown jewels to go waltzing out of your office in someone’s pocket.

3. If you have a corporate wifi network you want to use with your devices, have your IT people restrict access to the network to known devices only (they do this through a MAC address - they’ll know what I’m talking about here).  

4. When an employee who knew the office wifi network password leaves the firm: change the password, for heaven’s sake.  Yes, I know it imposes an inconvenience on everyone. Sorry. Too bad. Security trumps minor annoyances. If this can’t be done in connection with the termination process, change the password weekly. Not a great solution, but better than leaving the barn door open permanently.  
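
To make point 3 concrete, here is a small audit sketch that compares the devices currently on the internal network against a list of known MAC addresses. It is an added example, not part of the original post; the device names, addresses and the three-column lease format are constructed for illustration, so adapt the parsing to whatever your router or DHCP server exports.

```python
import re

# Constructed sample data (not from the post): allowlist of known devices
# and a DHCP/ARP-style listing; the three-column line format is an assumption.
KNOWN_DEVICES = {"00:1a:2b:3c:4d:5e": "front-desk-pc",
                 "00:1a:2b:3c:4d:5f": "office-printer"}
SAMPLE_LEASES = """\
192.168.10.21  00-1A-2B-3C-4D-5E  front-desk-pc
192.168.10.22  001a.2b3c.4d5f     office-printer
192.168.10.57  5C:0A:5B:11:22:33  android-abc123
192.168.10.58  da:a1:19:44:55:66  unknown
"""

def normalize_mac(raw):
    """Return lowercase colon-separated MAC, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (typical of randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def audit_leases(lease_text, known):
    """Return (ip, mac, hostname, reason) for every device not on the allowlist."""
    allow = {normalize_mac(m) for m in known}
    findings = []
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], normalize_mac(parts[1])
        host = parts[2] if len(parts) > 2 else ""
        if mac is None:
            findings.append((ip, parts[1], host, "malformed MAC"))
        elif mac not in allow:
            reason = "unknown device"
            if is_locally_administered(mac):
                reason += " (locally administered MAC)"
            findings.append((ip, mac, host, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES, KNOWN_DEVICES):
        print("  ".join(finding))
```

On the sample data this reports the two devices that are not on the list, and marks the one whose address has the locally administered bit set, which many phones now use for per-network private addresses.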

Technology is great. Smart phones are great.  Take the steps necessary to guard your stuff from unwanted attention.  Not hard to do. But you have to do it.

The application on my phone is called WiFi File Transfer Pro from SmarterDroid. But there are dozens of these programs readily available from the Google Play Store, Amazon and other online stores.

- Steve Ellwood