NTISB Issues Advisory to Avoid Smartphone Hacking

The National Telecommunication and Information Security Board (NTISB) has issued an advisory for the safe usage of mobile phones to avoid hacking.

According to the advisory, mobile phones are preferred targets for attackers, who exploit smartphone weaknesses that can arise from means of communication such as SMS, MMS, Wi-Fi networks, Bluetooth, and GSM.

According to the advisory, hackers take advantage of vulnerabilities in smartphones. There are also attacks that exploit software vulnerabilities in both the web browser and the operating system. There is also malicious software that relies on the weak knowledge of average users.

According to the advisory, users are exposed to various threats while using mobile phones. These threats can disrupt normal operations and transmit or modify user data.

For these reasons, installed applications must guarantee the privacy and integrity of the information they handle. In addition, some apps could themselves be malware, and their functionality and activities should be limited.

According to the advisory, the three prime targets of mobile phone hackers are data, identity, and availability.

Mobiles may contain sensitive data like credit card numbers, authentication information, private information, and activity logs (calendar, call logs). Smartphones nowadays are highly customizable, and attackers can access the identity details of users for further criminal offenses. In addition, by attacking a mobile phone, one can limit access to it and deprive the owner of the service.

According to the advisory, there are some signs that a user's mobile phone has been hacked, such as excessive data usage by specific apps, communication with suspicious command and control servers, overheating of the phone, rapid battery draining, blocking of social media apps and inability to log in, sudden loss of networks, data wiping, and calls or messages being delivered to contacts without the user's interaction.

The NTISB has asked users to avoid visiting sites that require Personally Identifiable Information (PII) such as name, locality, CNIC number, passwords, credit card numbers, etc. while using public and insecure wireless hotspots and Wi-Fi. To avoid hacking, users must make the router secure by consulting its user guide, configuring the Wi-Fi network to use WPA2-PSK with AES encryption, keeping the Wi-Fi password complex and at least 15 characters long, and also applying MAC address filtering.

According to NTISB, SD card protection is very important in mobiles to avoid hacking. An SD card should never be given to anyone, and a password should be used to protect it. Intruders can attack mobiles by exploiting software vulnerabilities. If fewer applications are installed on phones, there are fewer chances of potential attacks. Keeping mobile software and all the apps up to date and installing apps from authorized stores is also necessary.

According to the advisory, users must check and allow only the necessary permissions of each app while installing it on the phone. A number of applications, e.g., loan lending apps, actually extract data from phones discreetly without the user's knowledge. The advisory has asked users not to open any attachments from unknown sources or senders. If any link or email seems suspicious, it should be ignored; no attempt should be made to unsubscribe by clicking the unsubscribe link, as it may allow hackers to access your email data.

The advisory has asked mobile phone users to never open HTTP sites on the mobile web. Users have also been asked to avoid visiting suspicious websites, including adult websites, as the majority of them redirect to malicious websites/attachments, resulting in hacking of devices. The NTISB has advised mobile phone users to lock their devices with strong PINs and to use well-reputed, licensed antivirus and anti-malware software.

The advisory has recommended that users proactively monitor network usage and connections with other APIs through trusted software and limit the apps that allow tracking the location via GPS. Users should install security features in the phone like finding and remotely wiping the device, file encryption, encrypting offline backup, and accessing the camera/microphone. It has also asked users not to use free Wi-Fi provided at hotels, cafes, and airports, or publicly available USB charging slots.

The advisory has asked users to store official or sensitive data in encrypted form with no direct public access and not to store official data and family/private data on the phone. It has also recommended avoiding free and lucrative apps, as the majority of them steal data from PCs and mobile phones.

Users have also been advised against using cracked versions of software. The advisory has also asked users not to share official documents via WhatsApp, Telegram, Messenger, and other so-called end-to-end encrypted messaging apps/secret chatting applications, as their servers are hosted outside Pakistan.
