Corporate executives traveling abroad should beware of links in incoming SMS messages, as they might target the security of their mobile devices, according to a recent presentation at the OWASP (Open Web Application Security Project) AppSec DC 2012 conference on Thursday.
The presenter, Justin Morehouse, a security researcher, claimed that executives or other high value employees should be on guard for attempts to compromise their mobile devices, even while they're still on the tarmac. A common point of entry into the phone is an SMS message containing a link. These attack messages often imitate the standard "welcome" texts that local mobile providers use to inform travelers of local mobile and data rates. This makes these attacks very effective, as the messages are accepted as normal, and are often expected.
Morehouse said that while China and Russia are two of the most mentioned areas for this problem, executives should use caution when traveling to countries in Africa and the Asia-Pacific region as well. The level of danger one's phone is in depends on the nature and sensitivity of that person's work to the visited country.
"In the last nine months, I've traveled more than 100,000 miles," Morehouse, the founder and principal of GuidePoint Security in Reston, Virginia, said. During his travels, he became increasingly concerned that someone else might "own" his mobile device. "I mean, this is a consumer device, but it's a piece of the security puzzle that hasn't been getting a lot of attention," he said in the presentation.
He did offer some advice to traveling VIPs, including buying a SIM card at each destination and avoiding using public WiFi connections at all cost, opting instead for a company-provided and secure VPN (Virtual Private Network), which should terminate in the home country. Using "throw away" voice accounts such as Google Voice is also an easy solution. Morehouse also added that travelers should always be mindful of physical security, such as not keeping sensitive information or items containing it in unsecured hotel rooms.