Much was made in the U.S. press in the past month of President Donald Trump’s decision to stick with his favourite (older model) Android phone, rather than a custom designed secure option supplied by the Secret Service. So much for mobile security.
The U.S. president is becoming well known for his sometimes unfiltered Twitter comments that often originate from his mobile phone. Whatever your personal opinions about the content of his ’shoot from the hip’ Tweets the concerns of his aids and the Secret Service that the use of an unsecured Android device by the Commander in Chief are well founded.
Easy to compromise
Nicholas Weaver, a computer scientist at the University of California at Berkeley recently remarked that the phone ‘is so easy to compromise, it would not meet the security requirements of a teenager.’
There have been a wide variety of concerns voiced about how the phone could be compromised, even if it is just used to Tweet. Malware could be used to infiltrate the phone’s camera or microphone – in effect turning it into a highly effective listening device or even used to pinpoint the exact location of the president at any time.
Unconfirmed reports from the Android Central website (using photographic evidence) indicated that Trump is using a Samsung Galaxy S3, released in 2012. Worryingly this model has not received software updates since mid-2015. If this is the case then Stagefright vulnerability, which lets hackers take control of a phone using only a text message could be used to access the phone.
The U.S. president is fond of remarking about ‘fake news’ – a term he uses to lambast many media outlets which incurred his wrath during his presidential campaign. However, the weaker mobile security of the older Android phone that he is using may very well provide hackers with the opportunity to make his device a broadcast mechanism for their own brand of ‘fake news.’ The vulnerability of the device means that hackers may be able to hijack his Twitter feed for their own ends. The chaos that could result is difficult to conceive.
Many experts say that the only way to ensure that this does not happen is for the ‘Tweeter-in-Chief’ to give up the phone and make use of a Secret Service device with stronger mobile security, that simply does not allow access to the Internet and is in fact a ‘dumb’ device. In fact, former present Obama once remarked that the phone he used: ‘doesn’t take pictures, you can’t text. The phone doesn’t work. You can’t play your music on it. So, basically, it’s like — does your 3-year-old have one of those play phones?’
There are other options rather than denying Trump access to his beloved Twitter feed from his mobile device such as working with Twitter to provide a separate, encrypted channel for the President, along with a robust credential verification function and secure keys to the president to use. However – this does not mitigate the other mobile security vulnerabilities of the older model Android phone.
Follow the leader?
If the President of the United States takes such a laissez-faire attitude towards his choice of mobile devices does that mean that captains of industry should be following his lead?
According to many experts that would be a remarkably short sighted and even negligent approach.
However, some of the ways in which data can be compromised are remarkably mundane.
The simplest way disaster can strike is through physical access to the mobile device (and we’re talking across a wide variety of devices). In this day and age, a mobile device travels with C-Suite executives across the globe. According to LonelyPlanet.com in 2016 each traveller carried an average of between 1 and three mobile devices with them when using an airline. CIO Magazine reports that 15% of all mobile devices that go missing are stolen at airports. This is only the tip of the iceberg – mountains of devices are simply left at airports around the world. Once a sticky fingered felon has the device, it’s child’s play to access the data – especially on older devices which have not received software upgrades in a while. In the age of the Internet of Things one device can allow access to many, many others.
The example of airport losses is simply a way to show how vulnerable business users are to hackers.
However – there are many other ways in which hackers are on the prowl for commercially and personally sensitive information and some flaws which make their activity that much more profitable.
Putting the U.S. in harm’s way
The U.S. President’s use of an older model phone which has not received operating system updates for a while is a clear and present danger.
Device manufacturer’s release critical OS updates regularly and these updates have important mobile security fixes. If the phone no longer receives these updates it becomes immensely attractive to hackers who have had all the time in the world to explore the vulnerabilities of its operating system. Hackers know about vulnerabilities and attempt to breach outdated devices on a regular basis.
In fact Trump’s mobile phone exposes a critical vulnerability. The U.S. president is exposing the nation to risk from not only private hackers but also (and perhaps even more worryingly) from nation state sponsored hackers who are busily developing an arsenal of offensive cyber weaponry. These state sponsored hackers are more than capable (and highly motivated) to exploit zero day vulnerabilities to attack and co-opt outdated devices.
Exercise caution using unsecured Wi-Fi
Take unsecured Wi-Fi for instance (hey – there’s that pesky airport experience in the spotlight again). Most modern phones will pop up a warning saying that the server you’re about to use cannot be verified and asking you if you want to proceed. However the scary part is that according to Adi Sharabani, the co-founder of mobile security company Skycure, (who used to work for Israeli Intelligence) around 29% of users will still choose to go ahead. C-Suite users need to exercise caution when using these networks and avoid the transmission of sensitive data.
App attacks mobile security
For users of FarmVille (and wow – you may need to look at updating your phone) and other apps, there may be some disturbing news. Apps are a great way to increase the functionality of your phone – but they also increase the risk of data breach. If you’re downloading from an email link or a website that risk increases dramatically. Malicious code hides in many of the apps we use every day. Even the hyper vigilant folks at Apple cannot possibly examine every app with a fine toothed comb. With Android and its open source code the risk is even greater.
Business users need to limit the amount of apps that they install – and pay extra attention to mobile security and heed the warning messages. If the app requests access to your email or other data rather err on the side of caution.
Rather safe than sorry
C-Suite executives may not have their finger on the nuclear trigger, but the damage that can be caused by a security breach of their mobile phones can be just as explosive (at least to their customers and shareholders) as an A-Bomb. Stock manipulation, identity theft, credit card information loss and other dire consequences await those who do not exercise increased vigilance. If you have an older model business phone that is not receiving updates it’s time to consider ditching it. Even the latest models cannot prevent every hostile action. Even the most globally savvy executive needs to exercise caution.