Smartphones as Cyber Targets

A new arena is emerging within the already white-hot topic of cybersecurity. For years the adage has held that the most secure computer loses that security when connected to the Internet. Without communication, computers have little value. Networking is integral to the effectiveness of computing. Yet networking by its very nature introduces the risk of compromise. This isn’t news for large central computers, and even for laptops. But a new arena is rapidly escalating within cybersecurity where the stakes are high, and where far too little has been done to counter the risks. That arena involves smartphones operating on commercial carrier and WiFi networks, as well as “the cloud” that has been designed as an integral component of smartphone functions.

The rapid transfer of capabilities and information to smartphones has proceeded at a pace far beyond the tools and awareness required to secure them adequately. While some manufacturers may argue their platforms are capable, the consensus is that none have measured up. Recent developments are changing this. But with these developments has come controversy. The reason for this controversy is that both the “good guys” and the “bad guys” have profited from the poor security on mobile devices and public networks.

In the News

In a recent Wall Street Journal Online article, Mathew Solnik, a security consultant at Accuvant, described the risks. Solnik noted that he, and therefore hackers, could take over a smartphone from 30 feet away without alerting the user or the phone company, and then turn the phone into a live microphone, browse its contacts, read its text messages and perform nearly any other compromise a hacker might choose. Recent news accounts have documented the power of hackers using this technology ecosystem.

Unfortunately, the same technologies that were engineered into smartphones to make communication, information sharing, social media, financial transactions (including downloading music) and other functions so easy to perform have led to powerful vectors of attack that companies are working to overcome. Apple’s iCloud has been the subject of attacks during which numerous celebrities had their private information, including nude photos, stolen and distributed. Apple is not alone in this; other companies, including BlackBerry, Google, Microsoft and others, all have their own problems.

A lesser known but highly troubling development involves foreign hackers, and by most accounts very likely foreign government agencies, performing widespread “man-in-the-middle” (MITM) attacks in which sophisticated fake sites are introduced to intercept login information between smartphones and cloud services. These attacks have been successful. Similar methods have been covertly employed by the “good guys” of law enforcement in attaining information for tracking the activities of criminals and networks — a fact known but not advertised.

Public Networks Aren’t Safe

Public networks, both commercial 4G and WiFi, are also vectors for cyberattack. Public WiFi networks are notoriously treacherous. A story in Wired detailed how effective carrier signals can be in revealing even the most personal details and habits of smartphone users. Sophisticated tools called “stingrays” can track cell users with extraordinary effectiveness. As noted in the story, a Florida judge ruled their unauthorized use by law enforcement violates Fourth Amendment protections, but this and similar cases will ultimately find their way to the Supreme Court.

Technology companies are making improved privacy protection a high priority, as noted in a New York Times article in which FBI Director James Comey laments the loss of ease in surveillance techniques. The story cited numerous corporate sources in saying that technology companies would not reverse course in encryption and similar measures. As Brad Smith, general counsel for Microsoft, stated recently: “Just as people won’t put their money in a bank they won’t trust, people won’t use an Internet they won’t trust.”

The stakes are high. Apple has just announced Apple Pay, the most recent installment in smartphone payment systems. The Washington Post reports the Pentagon is planning an expansion of its cybersecurity force with a fivefold increase in staffing. Alan Paller, director of research at the SANS Institute, is quoted as saying that countries including China and Russia are already well ahead of the U.S. in having cyberforces in place.

The implications of this new arena of cybersecurity are twofold for colleges and universities. First, institutions are likely targets, and higher education has the potential to be vulnerable. Second, as noted by the Washington Post story, one of the greatest problems for the U.S. in cybersecurity is the lack of trained professionals available to meet our nation’s needs.

This article originally appeared in the issue of .

About the Author

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or [email protected].
