Risk
9/11/2013
12:59 PM
50%
50%

NSA Vs. Your Smartphone: 5 Facts

No, the NSA can't magically hack all iPhones and smartphones, but just like malware developers, it has more than a few tricks up its sleeve for retrieving data stored on mobile devices.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Is your smartphone a sitting duck for government intelligence agencies?

Fears about the security afforded by smartphones rose sharply over the weekend, after excerpts of documents leaked by National Security Agency whistle-blower Edward Snowden revealed that the agency has successfully retrieved data from a number of different makes and models of smartphones. A report published Saturday by Der Spiegel outlined some of those capabilities.

Smartphones are no doubt an attractive target for intelligence agencies. They store not just contact information -- useful for charting a target's social network -- but also photographs, bank account numbers, passwords as well as Web searches that provide insight into people's interests. On top of that, the devices carry a GPS chip that reveals a user's location, and a camera and microphone that could be remotely activated and surreptitiously used to eavesdrop on targets in real time.

[ Are tax dollars being used to spy on taxpayers? Read NSA Paid Tech Companies Millions For Prism. ]

Of course, the NSA already has numerous non-technological means, such as a subpoena, for obtaining access to desired systems that operate inside the United States. Beyond that, however, are NSA smartphone spying worries founded?

Here are five related facts about what's known about the NSA's capabilities:

1. NSA Working Groups Develop Exploits.

The leaked documents revealed that the NSA maintains working groups for each of the major smartphone brands, including not just iPhone, Android and BlackBerry but also Nokia, which has reportedly been the most popular device for accessing extremist forums.

All models of smartphones appear to be vulnerable to some types of surveillance. For example, NSA analysts were reportedly able to retrieve vast quantities of location data from iOS users. That changed with the introduction of iOS version 4.3.3, which restricted the amount of location information stored in memory to just seven days, reported Der Speigel.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
9/11/2013 | 7:25:51 PM
re: NSA Vs. Your Smartphone: 5 Facts
Mat, any thoughts on how the new iOS will fit in here? Does the location data remain hard to retrieve?
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
9/11/2013 | 7:52:14 PM
re: NSA Vs. Your Smartphone: 5 Facts
This seems to me like a blatant disregard of any privacy whatsoever. Essentially, regardless of what consumers do to protect themselves, the NSA will always find a way to gain access to their data, and that is scary.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
9/12/2013 | 10:16:05 AM
re: NSA Vs. Your Smartphone: 5 Facts
Great question. I haven't gotten my hands on iOS 7 but am running this down.
TerryB
50%
50%
TerryB,
User Rank: Ninja
9/12/2013 | 5:48:08 PM
re: NSA Vs. Your Smartphone: 5 Facts
Why is that scary to ordinary people, Cara? I've always wondered what people are thinking when they make those comments. Are ordinary people scared the NSA will intercept plans with your friends for golf and steal your tee time?
I understand the theoretical arguments about right to privacy supposedly guaranteed by our constitution and don't necessarily disagree with those. But scared of NSA in my boring mid-western life? Nope.
What scares me is the total dysfunction of government in general. That seems to get worse every year, no matter what your political leanings are. :-)
TerryB
50%
50%
TerryB,
User Rank: Ninja
12/17/2013 | 10:13:33 AM
re: NSA Vs. Your Smartphone: 5 Facts
Now who is naive? Or at least clueless on legal issues. You really think that would be evidence beyond reasonable doubt? Especially since my car would have no physical evidence of any accident. Besides, I don't text and drive, rarely even carry my smartphone with me unless traveling.

Your comment is the kind mindless fear mongering I'm talking about. What makes you think they wouldn't have satellite images of the accident anyway? Or street cameras? I think going to cell logs is the last thing you have to worry about.

One last point, maybe you should research what the NSA does. Investigating crime, even murder, is not their function. Do you have evidence the local police can subpoena these records for crime investigations? Of course you don't, because you can't do it. You do understand what "classified" access is, right?

All this said, as I clearly said in my first post, I don't think this is constitutional. And on news last night the first judge agrees with that stance. We'll see how appeals process plays out.

My point stands, unless you truely are a terrorist, or hang out with them, the NSA is nothing that should concern you.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.