Mobile apps and smartphones pose a clear and present danger*
By Stephen Bryen
Saturday, February 17th, 2018 @ 2:32PM
Most people don’t realize that the mobile phone is being ‘weaponized.’
New revelations show that Iran has posted apps found on Google’s Play Store which give the Iranians the ability to easily spy on anyone who downloads them to their smartphone. Some say these are “weaponized” smartphone apps.
Most people don’t realize that the mobile phone is probably the most dangerous device available today. It is more powerful than any conventional computer, and it is totally vulnerable to hacking.
The modern smartphone combines significant computing power made up of a very fast microprocessor and graphics engine plus memory with a host of sensors and radios, including GPS.
The cameras are high resolution and compete with digital cameras and in some cases outperform them. And the device’s sensors, including at least two microphones, guarantee the possibility of an intruder listening to conversations, even when the user thinks the smartphone is turned off.
In fact, so long as there is a battery in a smartphone, a type of malware known as a “spy phone” can switch the phone on, and record and transmit conversations. Spy phone apps can be planted on phones in a variety of ways, or even built in by third-party device makers.
You can buy a spy phone on the web or from an app outlet although most of those sold commercially require manual installation and lack the attributes of a professional-grade version.
These can be engineered into the smartphone at the point of manufacture. They can also be slipped in through an app or a vulnerability in the phone’s operating system, or by human error – the result of a phishing attack.
There is, in practice, almost no way to mitigate the spy phone risk. Many modern smartphones, to keep them thin and gain the maximum screen coverage, have sealed-in batteries that cannot be removed or serviced. This means that an embedded spy phone can take it over at any time without the user being able to kill the phone.
The best strategy is not to take a smartphone into sensitive meetings, but this “strategy” only blocks out the conversations in the meeting, not the spy phone capability itself.
At the Pentagon and other government agencies in the United States, users are asked to put their smartphones in a storage box if they attend a classified meeting.
Certainly, this is only a half measure, since otherwise, the phone can record just about any activity, a boon to foreign spies who want to know more about the Pentagon players, and the plans and programs that otherwise are hidden from view.
Even the White House, until a few weeks ago, was not restricting personal smartphones at all, but now the chief of staff, General John F. Kelly, has banned White House staff use of personal smartphones.
Unfortunately, for the White House, and probably across the US government, banning personal smartphones is coming rather too late.
By now, foreign spying agencies and many others already have picked off lots of information, such as phone books and call logs, emails and text messages and plenty of passwords as well as other sensitive personal information that can be exploited.
In fact, the smartphone has created an unprecedented bonanza for foreign spy agencies, investigators, government agencies and commercial enterprises seeking a leg up in a competition for getting their hands on sensitive technology.
Consider, as an example, the US Patent Office. Workers there who have smartphones open a window on Patent Office activity that can tip off a spy agency or a techno-bandit to new developments that might be of great military or commercial significance. This applies especially to patents that the US Government may choose to classify and not openly publish.
America is very slow to wake up to the danger and other countries are equally insensitive to the risks. This past week, the FBI, CIA, and NSA gave another warning about certain Chinese smartphones made by Huawei and ZTE.
But most smartphones are made, in whole or in part, in China, so the possibility of infecting them at the point of manufacture looms large for virtually all models.
This, of course, is only the beginning of risks to smartphones. Some manufacturers openly embed software into the phones they sell loaded with advertising apps that pop up here and there and often annoy users.
Probably, it is a good rule that the cheaper the phone is at the point of sale, the more likely it is going to be loaded with junk apps. But this rule of thumb doesn’t mean that other apps can’t be bugged and still promoted by top manufacturers.
The truth is there is no systematic or sound vetting system to clean out junkware and spyware, and sometimes it is impossible to delete – or can only be partially deleted or disabled leaving behind the really bad stuff.
Software for phones, including operating systems, is full of bugs and vulnerabilities. For example, many modern smartphones come with sophisticated photo editing and location-linked apps, and these can be, and sometimes are, not only bugged but infected.
Software codes, including operating systems, are often put together with various elements, some old, some new and some from third parties. Especially popular is so-called community-sourced code, which is available free of charge, and some of these codes and algorithms wind up in smartphones.
The Heartbleed Bug got onto smartphones and computers in precisely this way. In this case, the major vulnerability compromised SSL encryption, the type commonly used for secure email and for banking and credit card transactions.
Worse still, the industry was relying on what it calls “OpenSSL” for cryptography, in other words, relying on encryption coming from unknown sources for security.
Encryption from unknown sources is not only inherently dangerous, because its sources are not known and there is no accountability; it is especially reckless to use this code in a security application.
But it gets worse. Most commercial software and operating systems are produced by teams of programmers from around the world without any solid way to detect bugs and malware.
Still, it is interesting to note that the Pentagon recently identified three phones as safe: Samsung’s Galaxy phone with Knox (a type of security partition), Apple’s iPhone and the latest Blackberry. How the Pentagon came to this conclusion is impossible to say.
But the Pentagon has put itself into a deep, dark hole because it is relying on smartphones and smartphone technology for combat missions, for drones, and for other systems, and it still allows private smartphones in the Pentagon, government laboratories, and military bases (not to mention on the premises of defense contractors).
Secretary of Defense James Mattis is said to want to ban smartphones, but he has not yet acted. He should do so, but he also should clean out all the smartphones and related devices from the US military arsenal.
Then there is the probability of third-party apps. The Google Play Store and the Apple Store feature thousands of apps of all kinds, including even spy phones. Neither company has either the manpower or the skill to properly vet apps that show up in its outlets. Thus it is caveat emptor for users, but even they can make mistakes.
What is really needed is a far better security system for smartphones. It is up to governments to provide leadership to make this happen. Unfortunately, the incentives are perverse, because too many governments are invested too heavily in the spy business, so they don’t want to wake up and address the threat.
* This commentary was published in AsiaTimes, on Feb. 17, 2018.