Much was made in the U.S. press in the past month of President Donald Trump’s decision to stick with his favourite (older model) Android phone, rather than a custom-designed secure option supplied by the Secret Service. So much for mobile security.
The U.S. president is becoming well known for his sometimes unfiltered Twitter comments that often originate from his mobile phone. Whatever your personal opinions about the content of his ‘shoot from the hip’ Tweets, the concerns of his aides and the Secret Service about the use of an unsecured Android device by the Commander in Chief are well founded.
Easy to compromise
Nicholas Weaver, a computer scientist at the University of California at Berkeley, recently remarked that the phone ‘is so easy to compromise, it would not meet the security requirements of a teenager.’
A wide variety of concerns have been voiced about how the phone could be compromised, even if it is just used to Tweet. Malware could be used to infiltrate the phone’s camera or microphone, in effect turning it into a highly effective listening device, or even to pinpoint the exact location of the president at any time.
Unconfirmed reports from the Android Central website (using photographic evidence) indicated that Trump is using a Samsung Galaxy S3, released in 2012. Worryingly, this model has not received software updates since mid-2015. If this is the case, then the Stagefright vulnerability, which lets hackers take control of a phone using only a text message, could be used to access the phone.
The U.S. president is fond of remarking about ‘fake news’ – a term he uses to lambast many media outlets which incurred his wrath during his presidential campaign. However, the weaker mobile security of the older Android phone that he is using may very well provide hackers with the opportunity to make his device a broadcast mechanism for their own brand of ‘fake news.’ The vulnerability of the device means that hackers may be able to hijack his Twitter feed for their own ends. The chaos that could result is difficult to conceive.
Many experts say that the only way to ensure that this does not happen is for the ‘Tweeter-in-Chief’ to give up the phone and make use of a Secret Service device with stronger mobile security, one that simply does not allow access to the Internet and is in fact a ‘dumb’ device. Indeed, former President Obama once remarked that the phone he used: ‘doesn’t take pictures, you can’t text. The phone doesn’t work. You can’t play your music on it. So, basically, it’s like — does your 3-year-old have one of those play phones?’
There are options other than denying Trump access to his beloved Twitter feed from his mobile device, such as working with Twitter to provide a separate, encrypted channel for the President, along with a robust credential verification function and secure keys for the president to use. However, this does not mitigate the other mobile security vulnerabilities of the older model Android phone.
Follow the leader?
If the President of the United States takes such a laissez-faire attitude towards his choice of mobile devices, does that mean that captains of industry should be following his lead?
According to many experts, that would be a remarkably short-sighted and even negligent approach.
However, some of the ways in which data can be compromised are remarkably mundane.
The simplest way disaster can strike is through physical access to the mobile device (and we’re talking across a wide variety of devices). In this day and age, a mobile device travels with C-Suite executives across the globe. According to LonelyPlanet.com, in 2016 each traveller carried an average of between one and three mobile devices with them when using an airline. CIO Magazine reports that 15% of all mobile devices that go missing are stolen at airports. This is only the tip of the iceberg – mountains of devices are simply left at airports around the world. Once a sticky-fingered felon has the device, it’s child’s play to access the data, especially on older devices which have not received software upgrades in a while. In the age of the Internet of Things, one device can allow access to many, many others.
The example of airport losses is simply a way to show how vulnerable business users are to hackers.
However, there are many other ways in which hackers are on the prowl for commercially and personally sensitive information, and some flaws which make their activity that much more profitable.