Risk
9/11/2013
12:59 PM
50%
50%

NSA Vs. Your Smartphone: 5 Facts

No, the NSA can't magically hack all iPhones and smartphones, but just like malware developers, it has more than a few tricks up its sleeve for retrieving data stored on mobile devices.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Is your smartphone a sitting duck for government intelligence agencies?

Fears about the security afforded by smartphones rose sharply over the weekend, after excerpts of documents leaked by National Security Agency whistle-blower Edward Snowden revealed that the agency has successfully retrieved data from a number of different makes and models of smartphones. A report published Saturday by Der Spiegel outlined some of those capabilities.

Smartphones are no doubt an attractive target for intelligence agencies. They store not just contact information -- useful for charting a target's social network -- but also photographs, bank account numbers, passwords as well as Web searches that provide insight into people's interests. On top of that, the devices carry a GPS chip that reveals a user's location, and a camera and microphone that could be remotely activated and surreptitiously used to eavesdrop on targets in real time.

[ Are tax dollars being used to spy on taxpayers? Read NSA Paid Tech Companies Millions For Prism. ]

Of course, the NSA already has numerous non-technological means, such as a subpoena, for obtaining access to desired systems that operate inside the United States. Beyond that, however, are NSA smartphone spying worries founded?

Here are five related facts about what's known about the NSA's capabilities:

1. NSA Working Groups Develop Exploits.

The leaked documents revealed that the NSA maintains working groups for each of the major smartphone brands, including not just iPhone, Android and BlackBerry but also Nokia, which has reportedly been the most popular device for accessing extremist forums.

All models of smartphones appear to be vulnerable to some types of surveillance. For example, NSA analysts were reportedly able to retrieve vast quantities of location data from iOS users. That changed with the introduction of iOS version 4.3.3, which restricted the amount of location information stored in memory to just seven days, reported Der Speigel.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TerryB
50%
50%
TerryB,
User Rank: Ninja
12/17/2013 | 10:13:33 AM
re: NSA Vs. Your Smartphone: 5 Facts
Now who is naive? Or at least clueless on legal issues. You really think that would be evidence beyond reasonable doubt? Especially since my car would have no physical evidence of any accident. Besides, I don't text and drive, rarely even carry my smartphone with me unless traveling.

Your comment is the kind mindless fear mongering I'm talking about. What makes you think they wouldn't have satellite images of the accident anyway? Or street cameras? I think going to cell logs is the last thing you have to worry about.

One last point, maybe you should research what the NSA does. Investigating crime, even murder, is not their function. Do you have evidence the local police can subpoena these records for crime investigations? Of course you don't, because you can't do it. You do understand what "classified" access is, right?

All this said, as I clearly said in my first post, I don't think this is constitutional. And on news last night the first judge agrees with that stance. We'll see how appeals process plays out.

My point stands, unless you truely are a terrorist, or hang out with them, the NSA is nothing that should concern you.
TerryB
50%
50%
TerryB,
User Rank: Ninja
9/12/2013 | 5:48:08 PM
re: NSA Vs. Your Smartphone: 5 Facts
Why is that scary to ordinary people, Cara? I've always wondered what people are thinking when they make those comments. Are ordinary people scared the NSA will intercept plans with your friends for golf and steal your tee time?
I understand the theoretical arguments about right to privacy supposedly guaranteed by our constitution and don't necessarily disagree with those. But scared of NSA in my boring mid-western life? Nope.
What scares me is the total dysfunction of government in general. That seems to get worse every year, no matter what your political leanings are. :-)
Mathew
50%
50%
Mathew,
User Rank: Apprentice
9/12/2013 | 10:16:05 AM
re: NSA Vs. Your Smartphone: 5 Facts
Great question. I haven't gotten my hands on iOS 7 but am running this down.
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
9/11/2013 | 7:52:14 PM
re: NSA Vs. Your Smartphone: 5 Facts
This seems to me like a blatant disregard of any privacy whatsoever. Essentially, regardless of what consumers do to protect themselves, the NSA will always find a way to gain access to their data, and that is scary.
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
9/11/2013 | 7:25:51 PM
re: NSA Vs. Your Smartphone: 5 Facts
Mat, any thoughts on how the new iOS will fit in here? Does the location data remain hard to retrieve?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!