Of particular vulnerability are mobile devices, which can be subject to a host of attacks through apps that are spyware in disguise. Cointelegraph interviewed Gary Miliefsky, CEO of cyber-security firm SnoopWall, about the security risks facing mobile device Bitcoin wallet users.
Cointelegraph: Bitcoin smartphone wallets: how secure are they?
Gary Miliefsky: Smartphone wallets are completely insecure. There have been over 500 million downloads of emoji keyboards: keyloggers, spyware disguised as friendly emoticon keyboards. When you startup your smartphone wallet the first time, you may enter bitcoin info or add username/password credentials. These are shipped off to criminal servers remotely because of this kind of keyboard malware.
Many of these QR code and barcode scanners come from legitimate sources like eBay, Zxing, Scan Inc, and DroidLa. Despite this, SnoopWall still deems many of them voluntary creepware. The reason for this is that many have intrusive permissions that allow them to geolocate you, read your contacts, access USB storage, read your call log, make phone calls, and even record audio. Most of these permissions are legitimate, as most of these apps allow the user to generate information like phone numbers, contacts, and locations as scan-able QR codes.
CT: Is this only a concern with aftermarket keyboards, or does this happen with standard iPhone and Android keyboard apps?
GM: Aftermarket keyboards. In addition, on android just about any app can spy on you. For example, our favorite flashlight apps (third party) spying on you while you take a picture of a QR to scan a bitcoin, etc. Android more risky than iPhone.
CT: What are some best practice tips for Bitcoin smartphone wallet users?
- Lock down your smartphone - don't run 3rd party keyboards.
- Don't run risky third party apps - make sure they ONLY USE the PERMISSIONS they need to operate.
- Delete all the apps you never use.
- When using your wallet, make sure NO background apps running: anything on Android and only 4 options on Apple: VPN, emoji keyboard, audio players, alarm clocks.
- Turn off all the hardware ports you don't need when doing Bitcoin transactions so you don't get eavesdropped on. This includes bluetooth, possibly NFC, wifi, etc. The safest is using DATA from cell carrier and making sure SSL is enabled.
CT: So you would recommend against doing Bitcoin transactions over wifi
GM: Too risky to easily man in the middle. They call this EVIL AP and there are others, but it's very easy. Unless you understand what rev of TLS/SSL you are running, if the wifi is encrypted, if you trust the wifi (not spoofed by hackers)...lots of issues.
CT: You mentioned QR code scanners and flashlights being dangerous. Are there any that are secure to use?
GM: Only those that have OPEN Source code or don't use internet or other ports. You can dig through them online using this criteria. My team made 'privacy flashlight' to prove it and it's 200 kilobytes open source, whereas the average flashlight is 3-10 megabytes! Just look for permissions used, maybe pay for one from a trustworthy party. I even think Symantec figured this out and made a 'secure' QR reader.
CT: Is there any way to get spyware apps taken down, or is it simply a matter of "buyer beware"?
GM: Buyer beware. I've tried...no one listens. Apple, Google, Microsoft - they like their (dirty little secret) advert libraries. [They] recompile your app with their spyware libraries (oops, I mean consumer analytics) and you can do anything! Just share the 'ad revenues' even if none, while you pleasantly steal PII.
CT: What got you into the privacy protection game?
GM Couple things:
- I'm a white hat, so infosec is my game
- I'm a parent, so protecting children from exploitation is a natural parental tendency, and when Miss Teen USA 2013 was victimized, it was about the time we released 1.0 of our mobile protection technology... so we gave her and her friends free copies. And finally,
- I am a proud Constitutionalist American who swore an oath. Defending the Constitution means 1st Amendment. Free speech is a big deal to me, and 4th and 5th amendments too. Crypto is good for America. Good for national security. Good for GDP. Good for revenues/tax base. This seems to be counter-intuitive to many folks I know in DC. But I will continue to try to wake them up.