Risk
9/11/2013
12:59 PM

NSA Vs. Your Smartphone: 5 Facts

No, the NSA can't magically hack all iPhones and smartphones, but just like malware developers, it has more than a few tricks up its sleeve for retrieving data stored on mobile devices.

2. BlackBerry Enterprise Server: Hackable.

According to the released documents, thanks to a discovery by British partner agency GCHQ, the NSA also has the ability to intercept BlackBerry text messages sent using BlackBerry Internet Service (BIS) networks, which are operated by telecommunications providers. All BIS traffic is compressed, but not encrypted.

By contrast, many enterprises rely on BlackBerry Enterprise Server (BES), which encrypts all data in transit. But according to a leaked presentation -- titled "Your target is using a BlackBerry? Now what?" -- the NSA can also intercept BES traffic, although it requires a "sustained" operation on the part of the agency's Tailored Access Operations department to "fully prosecute your target." One Mexican government agency email included in the report suggests that the capability has been put to the test.

3. Malware Already Turned Smartphones Into Listening Stations.

Reports on the NSA's smartphone hacking capabilities came on the heels of reports that the NSA had weakened unnamed encryption systems. In the information security realm, was nothing sacred?

But the NSA's reported hacking capabilities aren't exactly news. Notably, the British-built FinFisher malware that's sold to governments can be used to monitor all forms of communication on devices that run Apple iOS, BlackBerry OS, Google Android and Nokia's Symbian platform as well as Windows Mobile. According to teardowns of the software, which has been actively used to target dissidents in autocratic regimes, the software also can perform "silent calls" that remotely activate the device's built-in microphone.

4. Criminals Were Already Infecting Smartphones Via PCs.

According to the Der Spiegel report, the NSA's favored technique for retrieving information from phones is to infect a PC that synchronizes with the device. Again, however, this isn't a revolutionary approach. Criminals have long been infecting PCs with malware that then loads malware onto Android smartphones, typically to help gangs intercept one-time codes sent by banks to authorize account transfers.

5. Like Hackers, The NSA Can Jailbreak.

If the NSA can't grab what it needs via malware, it can simply root a targeted Android smartphone, or jailbreak an iPhone or iPad. "Jailbreaking is when hackers unlock phones like the iPhone so that they can install software Apple doesn't approve of," said Robert David Graham, CEO of Errata Security, in a blog post. "Every time somebody releases a jailbreak for the iPhone, the NSA quietly copies the jailbreak into their malware. Indeed, some researchers simply sell their jailbreaks to the NSA instead of releasing them to the public."

Comments
TerryB,
User Rank: Ninja
12/17/2013 | 10:13:33 AM
re: NSA Vs. Your Smartphone: 5 Facts
Now who is naive? Or at least clueless on legal issues. You really think that would be evidence beyond reasonable doubt? Especially since my car would have no physical evidence of any accident. Besides, I don't text and drive, rarely even carry my smartphone with me unless traveling.

Your comment is the kind of mindless fear mongering I'm talking about. What makes you think they wouldn't have satellite images of the accident anyway? Or street cameras? I think going to cell logs is the last thing you have to worry about.

One last point, maybe you should research what the NSA does. Investigating crime, even murder, is not their function. Do you have evidence the local police can subpoena these records for crime investigations? Of course you don't, because you can't do it. You do understand what "classified" access is, right?

All this said, as I clearly said in my first post, I don't think this is constitutional. And on news last night the first judge agrees with that stance. We'll see how appeals process plays out.

My point stands, unless you truly are a terrorist, or hang out with them, the NSA is nothing that should concern you.
TerryB,
User Rank: Ninja
9/12/2013 | 5:48:08 PM
re: NSA Vs. Your Smartphone: 5 Facts
Why is that scary to ordinary people, Cara? I've always wondered what people are thinking when they make those comments. Are ordinary people scared the NSA will intercept plans with your friends for golf and steal your tee time?
I understand the theoretical arguments about right to privacy supposedly guaranteed by our constitution and don't necessarily disagree with those. But scared of NSA in my boring mid-western life? Nope.
What scares me is the total dysfunction of government in general. That seems to get worse every year, no matter what your political leanings are. :-)
Mathew,
User Rank: Apprentice
9/12/2013 | 10:16:05 AM
re: NSA Vs. Your Smartphone: 5 Facts
Great question. I haven't gotten my hands on iOS 7 but am running this down.
Cara Latham,
User Rank: Apprentice
9/11/2013 | 7:52:14 PM
re: NSA Vs. Your Smartphone: 5 Facts
This seems to me like a blatant disregard of any privacy whatsoever. Essentially, regardless of what consumers do to protect themselves, the NSA will always find a way to gain access to their data, and that is scary.
Laurianne,
User Rank: Apprentice
9/11/2013 | 7:25:51 PM
re: NSA Vs. Your Smartphone: 5 Facts
Mat, any thoughts on how the new iOS will fit in here? Does the location data remain hard to retrieve?