It has been just under 10 months since the Snowden leaks of US Signals Intelligence activity revealed the intelligence targeting of the cell phone of Germany’s Chancellor Angela Merkel. This revelation threw into the spotlight a very real-world scenario of a cell phone/smartphone conversation being captured. No doubt many within the defense industry looked at their own devices with the realization that they too might be subject to nation-state intelligence targeting. They would be right in that assumption.
Counterfeit with a side of malware
Take, for instance, the recent news concerning Samsung’s Star N9500 smartphone – a cheaper version of the Galaxy S4. Apparently the success of the Star N9500 was such that the organized criminal element in China tooled up and brought to market counterfeit knock-off versions of the phone. In this instance, apparently with a bit of potential for nation-state involvement, those counterfeit Star N9500s came pre-loaded with malware (malicious software) which sent the user’s data to an internet address located in China.
Original manufacturer with a side of malware
Then there is the news about one of the leading manufacturers of cell phones in China, Xiaomi. Xiaomi recently pushed aside Samsung as the leading vendor of cell phones in China. Indeed, the rise of Xiaomi to prominence is a case study for business schools. The founder of Xiaomi, Lei Jun, said during a CNN interview in 2013, “We focus on making the product that makes users scream.” He apparently is getting his wish, as Xiaomi is being called out for covertly sending user data to a server located in China. A user in Hong Kong documented how, when he connected to WiFi, another server was also receiving his text and images. Criminal or state sponsorship? We may never know.
What to do?
Those seeking guidance and advice should turn to their agency/company security teams. At the National Oceanic and Atmospheric Administration, the cell phone security guidance, written in 2001, continues to hold water in 2014 (albeit in need of a bit of a tune-up with regard to technological updates). Three of its most salient pieces of advice:
- Phones are vulnerable to monitoring – do not discuss sensitive information on an unencrypted cell phone.
- Compromised phones can be remotely activated and used as a microphone (removing the battery is a good defense).
- Always use a PIN to access your phone (and ensure you have the capability to “remote wipe” should you lose control of your device).
In addition, procure your devices only from reputable entities. If your “official device” comes from a GSA-approved vendor, don’t venture off the GSA list to the eBays and the like to get a better deal. Speak with your procurement entity about the ways your organization can validate the authenticity of the device. Do not ignore the security policies and guidance brought to you by your company/agency information security processes, especially in “Bring Your Own Device” (BYOD) scenarios. You share the responsibility to know what’s in your phone.