There has been extensive, emotional political debate over the use of shadow IT and misuse of mobile phones in sensitive areas by former US Secretaries of State Colin Powell and Hillary Clinton. There is a much needed and very complex discussion we must have about executive security awareness and buy-in, but due to extensive misinformation I wanted to briefly tackle the issue of bringing smartphones into sensitive areas and conversations (and why that’s something that is our responsibility to educate our leadership to stop doing).
This should not be a partisan issue. It underscores a pervasive security issue in business and government: if employees perceive security controls inexplicably inconvenient, they will try to find a way to circumvent them, and if they are high enough level, their actions may go unquestioned. This can happen regardless of party or organization, and in the interest of security, information security professionals must try to discuss these cases in a non-partisan way to try to prevent them from reoccurring.
That being said, let’s talk briefly about why carrying smartphones into any sensitive business or government conversations matters, and is a particularly bad habit that needs to be broken.
There are two things to remember about hackers. The first is that we’re as lazy (efficient?) as any other humans, and we will take the path of least resistance to breach and move across a network. Instead of uploading and configuring our own tools on a network to move laterally and exfiltrate data, we will reach for the scripting and integrated tools already available on the network. In doing so, smart hackers accomplish a second and much more critical objective of limiting the number of detectable malicious tools in an environment. Every piece of malware removed from an infiltration operation is one less potential antivirus or intrusion detection system fire, and one less layer of defense in depth that is effective against hackers. An intrusion conducted using trusted and expected administrative tools and protocols is very hard to detect.
These same principles can apply to more traditional audio and video surveillance. In the past, covert surveillance devices had to be brought into a target facility via human intervention (for instance, brought in by an operative, a bribe, or covertly planted on a person or delivery). The decades of history (we know) about bugs is fascinating – they had to be engineered to pass through intensive security measures and remain in target facilities without notice. In the pre-transistor and the early era of microelectronics, this was a complex engineering feat indeed.
Personal communication devices, and to a greater extent smartphones, are a game changer. Every function that a cold war -era industrial or military spy could want of a bug is a standard feature of the smartphones that billions of people carry everywhere. Most have excellent front and rear facing cameras. They have microphones capable of working at conference phone range. They have storage capable of holding hours of recording, multiple radio transmitters, and integrated GPS. James Bond’s dream.
More importantly than any of this, smartphones tend to be one of three major operating systems, which are commercially available globally and excruciatingly studied for exploits by every sort of hacker. Some of these exploits are offered to the highest bidder on the black market. Although the vulnerability of smartphone operating systems varies by age and phone manufacturer, each is also vulnerable to social engineering and phishing through watering hole attacks, email, text message, or malicious apps.
Why expend the effort and risk to get a bug into a facility and conceal it when an authorized person brings such a fantastic, exploitable surveillance device in knowingly and hides it themselves? If the right person in the right position is targeted, they may not even be searched or reprimanded if caught.
There’s been a lot of discussion about countermeasures against compromised smartphones. Unfortunately, even operating inside a Faraday cage that blocks all communication is not effective because eventually, the phone leaves. A traditional covert device may not. As with the USB devices used to deploy Stuxnet, this trusted air gap is broken the moment an untrusted device can pass across it. A compromised phone can simply be instructed to begin recording audio when it’s cellular signal is lost, and upload the recording as soon as that connection is restored. Turning off the devices is also not particularly effective in the era of smartphones with irremovable batteries.
Yes, of course it’s still possible to put a listening device in a remote control or a light fixture. Surreptitious hacking tools used to compromise networks on site can still function this way. But why expend the substantial effort and risk in installing, communicating to, and removing them if there’s an easier way?
This is not to say it’s time to put on our tin foil hats and throw out our phones. Most people are probably not individual targets of espionage, and using smartphones with current updates and good security settings is decent protection against malware. However, there are people all over the world who are viable targets for industrial or nation-state espionage, either for their own position or for their access to sensitive people, information, or places. If you are informed by a credible authority that you may be targeted and should not bring your smartphone into a particular area, please take this advice seriously and consider that your device(s) could be compromised. If you suspect that there is another valid reason that you could be targeted by industrial or nation state espionage, leave your phone outside. It is generally far simpler to compromise your smartphone than it would have been to break into your office and install a listening device.