Someone is monitoring your mobile

29th June 2015
Someone is monitoring your mobile
Image: Courtesy: The Intercept

PHONE-Y BUSINESS: Your privacy and security is under threat every time  you use your phone..and the  door keepers often seem to help the thieves.... An IndiaTechOnline Special.

Bangalore,  June 29 2015: Omnishambles, a word that the Oxford English Dictionary  added to its online edition in 2013,   means "a situation that has been comprehensively mismanaged, characterized by a string of blunders and miscalculations."  There is no better word to characterize the current state of  the  privacy and security  that millions of mobile device users  entrust to their   service providers and device makers.  The actions of some of the biggest  brand names smack of gross incompetence,  if not of cynical disregard. Consider these assaults -- all  this month --on our right to keep our data or actions on phones, tablets or laptops confidential :

  • At the Blackhat Mobile Security Summit in London on June 16,   Ray Welton, a researcher with security firm NowSecure  showed how a flaw in the  software of the Swiftkey   virtual keyboard installed in millions of Samsung Galaxy S4, S5 and S6 phones made  them vulnerable to attack that could  potentially snoop on camera, microphone, incoming and outgoing text messages. In a chilling demo,  Welton showed how he could pose as an update to the Swiftkey software and install spyware, bypassing  Android's own defences. Samsung  was notified  by NowSecure, of the security flaw as  far back as November 2014, but chose not to go public   till forced by the recent  disclosures. A  patch to repair the flaw has been promised  Fortunately, the phone is  vulnerable only if you are on an unsecured network so the easy solution is to avoid such public hotspots.
  • Researchers at Indiana  and Peking Universities and at  GeorgiaTech,  have released a study which  points to a vulnerability in the latest edition of Apple  iOS and OSX that allows  one app approved  by the App store to gain access  to data of another app on the same phone. They said this is because of  poor levels of security in Apple's  password management tool, KeyChain.  Potentially one rogue app can steal  iCloud , email and bank passwords. Apple  was notified back in October 2014  but sought non disclosure for 6 months  during which time it did  little, not even warning its customers  who are in a quandary.  If you can't trust an app   in the App store  which Apple audits before approving,  whom do you trust?
  • First Post reported that a Bengaluru-based software engineer, who had subscribed to Airtel's 4G data service, found the speeds he was getting very slow at times. His investigation found that the service provider had inserted a piece of Java code  into web pages he browsed.  When he published  the coding that made this happen, he was astonished to receive a legal notice  from an Israel-based company  that  provides tools to help telecom operators   make more money from their clients.   Airtel denies any wrong doing  and says its coding is only meant  to keep track of data usage  -- but that does not explain why a third party claims to be affected by the disclosure!
  • In a report titled "Who has your back?", the  Electronic Frontier Foundation  rates  social media and Internet entities on how diligently they protect your data  privacy  from government requests. Nine Companies receive top rating of 5 on 5. They include Adobe, Apple,  DropBox,  Wikimedia,, and Yahoo.But Whatsup  is bottom of the class with 1/5  for its opaque policies when it comes to  revealing government demands. Deccan Chronicle's Online edition  carried the full score card.

These examples all in June, are disturbing enough. They come on the heels  of  the revelations in February that  43 models of Lenovo's  laptops and tabtops came with a pre-inserted  chunk of so-called adware ( euphemism for spyware) that  siphoned data  back to  a US  search software  player called Superfish.  This  inserted its own shopping hints into your browser, over and above the ones  provided by --say --  Google. Since the adware was inserted by the maker it could not be cleaned by any antivirus software you may have installed.  Lenovo  agreed to desist only after global outrage -- but the problem is  you can't remove the adware  since it is part and parcel of the OS. You have to  buy  your own  copy of Windows 8 and   replace the pre-installed copy.  Who pays for Lenovo's laxity? You!

Government against the people:

What happens when those charged with protecting the rights of citizens, abuse their trust?  What a happens when the products  we buy are compromised -- with or without the collusion of the makers? Three chilling examples of government as spy:
In February 2015  Russian  Net security specialist  Kaspersky  shared   results of a decade long study that showed that  an organisation that it codenamed the  Equation Group    had  pulled off  arguably the most sophisticated  cyber attack  ever, on millions of lay users. It had managed to embed its spyware in the  "firmware" that  sits on  hard drives and solid state drives made by  12 of the world's biggest manufacturers including Maxtor, Seagate, Samsung, Toshiba and WD and sold in 30 countries including India.  Being part of factory-shipped hardware, the spy software cannot be detected  by anti virus tools and in effect the authors can snoop on millions of hard disks  the world over. While Kaspersky  did not name the suspect, there was broad indication that this was the work of  the US National Security Agency. None of the makers admitted to providing any government access to  their devices.
Also in February, The Intercept. a publication  distributing  the revelations of NSA whistleblower Edward Snowden revealed what it called the Great SIM heist: a joint operation of the  UK's Government Communications  HQ  and the US'  National Security agency,  where  they  managed  to hack  the encryption  keys  of the world's largest maker of  phone SIMs  -- Gemalto -- whose products used by some 400 plus  wireless providers,    exceed 2 billion a year.  In effect the  perpetrators  could  monitor mobile communications on any of the hacked SIMS  without needing  approval from  telecom companies and governments. Analysts  said this was  tantamount  to a thief  getting the master key to every room in a hotel. 
In this  murky  gray world of government-sponsored spying,  the most   chilling  image can be found in Glenn Greenwald's 2014 book " No Place to Hide" ( Hamish Hamilton, Rs 599).  where he  reproduces  material  provided by Edward Snowden that show that  murky US agencies were intercepting  shipments of networking hardware from Cisco to  insert spy hardware." “We simply cannot operate this way"  CISCO Chairman John Chambers  protested to President Obama.  The book includes a slide (on page 149 of the book)  which  purportedly shows  operatives  intercepting a Cisco consignment.
 Introducing intentional vulnerabilities into secure products  for the convenience of  government -- that is the zenith of  customer betrayal.  But it is happening  even as you read this  -- and  we the people are largely defenceless.

What can we do?  Get proactive!

In this gloom and doom scenario of looming Net threats what can we do? Internet security specialist ESET  has some suggestions:

-             Ensure that all programs, operating systems, and applications -- even the ones  you rarely use --are kept up-to-date.
-             There are many steps that can be taken including choosing strong passwords, using anti-virus programs, firewalls and anti-spyware programmes.This applies even to rarely used applications  as it makes sure that all the latest security features and fixes are available on your device. Change your password regularly.
-             A second layer of protection can also be added on top of passwords using Two Factor Authentication (2FA). 2FA uses a separate device to generate an access token that acts as a one-time only password. By requiring access to a separate password, this makes an attack less feasible.
-             Security software can be an inexpensive option: don't depend on  built in software when it comes to securing your device.
-             It is also worth looking at test scores and/or certificates from testing agencies such as Virus Bulletin and AV-Comparatives. Any good security software should have been listed by most testing agencies.