Why you should be more afraid of your smartphone than the NSA
by Art Keller, vocativ.com
July 26th 2013
As a CIA case officer, I considered the indiscriminate use of a cellphone as dangerous as doing jumping jacks while carrying a loaded pistol jammed into the waistband of my jeans with the safety off and the hammer cocked. In the world of espionage, nothing will figuratively blow your nuts off quicker than the reckless use of a cellphone.
I don’t feel any better about smartphones now that I’m a public citizen. In fact, if you’re having lingering concerns about the spy tactics used by the National Security Agency on Americans, I suggest you redirect those worries toward your front pocket or your purse: It is your phone that will victimize you.
Just ask Angela Daffron, a smartphone stalking victim living in Sandoval County, New Mexico. In 2009 Daffron was monitored by a hacker through her own mobile device. “You already feel like they know everything,” Daffron, founder of the anti-stalking non-profit Jodi’s Voice, says. “Once they get the spyware on your phone, which happened to me and my husband, it is like they are glued to your side.”
Because of her phone’s GPS functions, the stalker, a woman, knew Daffron’s every move. She listened in on every one of her phone calls. She read all her text messages. When her stalker began taunting her with a series of emails about her personal life, she knew she’d been hacked.
“The smoking gun was that she sent emails about a conversation I had at home with my husband that was not on the phone,” Daffron says. “Her spyware had covertly turned our phones on to hear us inside our own house.” Daffron replaced her phone and got a new number.
Shortly after, Daffron’s home burned down. Witnesses reported seeing a hole in the window of the Daffrons’ home office just before the flames ignited. Daffron believes a Molotov cocktail had crashed through the window. “I was lucky not to be home,” she says. “The metal office chair where the ‘firebomb’ struck was eventually slagged. A fireman told me that meant the fire reached something like 2,000 degrees.”
Even the most primitive phones are constantly sending “here-I-am” signals that give away the precise locations of the user. They also broadcast calls and texts that are easily grabbed from the air with cheap, off-the-shelf interception gear. The body count of terrorists who’ve gotten a “kinetic” lesson for such carelessness is in the thousands. But you no longer have to be a spy for this danger to apply to you. There are literally hundreds of thousands of ways to exploit the security gaps, and hackers are racing to develop more each day.
Obviously, one huge security gap stems from simple connectivity. Smartphones connect to the world via “always on” third- or fourth-generation data networks like Wi-Fi, Bluetooth, Near Field Communications (used for processing mobile payments) and text messaging.
“Smartphones are simply not secure against attack,” Eva Galperin, a global policy analyst at the Electronic Frontier Foundation, says. “The threats against them are too broad,”
SMS phishing, or “smishing,” is one potent hack. These are texts with corrupt links that install malware on a phone if the user opens the message. An April 2013 report from the Anti-Phishing Working Group (APWG) had me shitting myself about the tsunami of smartphone hacking headed our way, particularly in the realm of mobile banking apps.
With global mobile payments predicted to top $1.3 trillion by 2015, according to APWG, the potential personal financial damage from smishing alone is massive. Banking apps are easy targets for these types of attacks, in which hackers hijack special SMS texts from the app and authenticate financial transactions—which of course are not at all “authentic.”
A Forbes report this week claims that major flaws in SIM cards, once believed impossible to hack, have also been found. Between this and the APWG report, I was left so dismayed that I did some digging to find if the threats were real, or merely hype with minimal real impact.
What I found in talking to both average people and security professionals is that threats to our mobile devices highlighted in the report aren’t as bad as the report claimed.
They are way, way worse.
But according to Andrey Komarov, head of international projects Group-IB, a security firm, you won’t know when you’re hacked anyway. ”It is a rare when the user detects the phone hack,” Komarov suggests diplomatically.
One high-profile investigation Komarov cites involves one of the world’s largest smartphone networks. “Blackberry’s enterprise server was hacked with a corrupted picture file,” Komarov says, “and 80 percent of the leading financial companies on the Blackberry intranet then found trojans [malware granting remote access] on their networks. I also ran across a fake application for a bank published to Google Marketplace—fake apps to commit bank fraud are common.”
Hacking is no longer just for masters of the dark arts of espionage. “Spyware” such as Flexispy, the modern stalker’s best friend, is available online for as little as $50 to any schmo smart enough to remember how to turn on a computer. Flexispy piously proclaims their product is intended to monitor kids and employees, but also coyly notes that, “There is nothing to stop this software being used by anyone, on anyone.”
The threats to your smartphone probably have your bosses panicked as well. Now that 70 percent of U.S. businesses have a “Bring Your Own Device” (BYOD) policy allowing employees to use their personal smartphones to access a company’s intranet, gaping holes can exist in a business’s network security. A company’s intellectual property, bank accounts and website are put at risk.
Of course, a hacker can just literally steal your phone, too. Last year, 1.6 million Americans had their smartphones swiped, according to the group “Save Our Smartphones,” a coalition of law enforcement groups pushing phone makers to install a “kill switch” that makes devices unusable if stolen.
Plugging every security hole is impossible, but doing something is better than nothing. The guiding principle behind keeping your phone safe is simple: Don’t be an idiot. This means, keeping your phone concealed, protecting it with a password more complex than your birth date, not opening strange links written in gibberish or emails from foreign princes and installing antivirus software. Personally, I think banking or paying bills from your phone is insane, so avoid that, too.
Less obvious tips include turning off Wi-Fi or Bluetooth when they’re not in use and downloading several security apps to confuse hackers. Some good ones are WickR, Redphone, Orbot, and Gibberbot, all available for free. StrikeForce Technology’s MobileTrust protects what is typed into a smartphone from hackers and costs just $20.
Also, pay attention to your data usage and battery life. Money Crashers magazine editor David Bakke has first-hand experience on this front. “Apparently, my smartphone was hacked because I clicked on a malicious link sent via email,” Bakke says, “although I’m not 100 percent certain that’s how it happened. But I noticed my smartphone battery started to drain really fast, meanwhile, my data usage skyrocketed,” he says.