Mobile devices and cyber espionage, principal concerns for governments

The use of mobile devices in government environments concerns the secret service of any states, cyber espionage more often exploits the mobile platforms.

Mobile devices are reason of great concern for governments, they have a great computational capability, huge memories to store our personal data, GPS to follow our movements and are equipped with a camera and microphone to increase our experience in mobility. But all those features could be exploited by attackers for cyber espionage, the problem is well known to governments that are adopting necessary countermeasures especially following the recent revelations about the U.S. surveillance program.

The UK Government has decided to ban iPads from the Cabinet over foreign eavesdropper fears,  it has been requested Ministers to leave mobile in lead-lined boxes to avoid foreign governments to spy on top level government meetings.

The news is reported by the Mail on Sunday, after the Cabinet Office minister Francis Maude made a presentation using his iPads last week (about how the Government Digital Service might save the UK £2bn a year) the Downing Street security staff has dismissed the mobile device to prevent eavesdropping of ongoing discussions.

The measure was adopted to avoid that foreign security services infecting mobile devices are able to capture audio and data from victims, it is known that hostile actors like China, Russia and Iran have the ability to use mobiles in powerful spy tools.

Ministers belonging to sensitive government departments were recently issued with soundproof lead-lined boxes to guard and isolate their mobile devices during official meetings.

The precautions have been taken due the high concern caused by news that German Chancellor Angela Merkel’s personal mobile has been spied by the NSA for years. My personal opinion it that it is not acceptable that the German Federal Intelligence Service has allowed everything, missing the adoption of appropriate protective measures like crypto mobile devices, protected landline and similar. Other governments already have approached the problem to adopt secure devices to prevent bugging and eavesdropping, the British foreign secretary William Hague confirmed his phone has been armored by GCHQ.

Just a week ago it was published the news that delegates at the G20 summit in Russia received malicious computer memory sticks used to serve a malware to spy on the participants and steal sensitive information, let’s remember also that the information leaked on the NSA FoxAcid platform revealed the existence of spy tool kits RADON and DEWSPEEPER able to exploit victims via USB.

Herman Van Rompuy, the President of the European Council, ordered tests to be carried out on the memory sticks  and the results are shocking:

‘The USB pen drives and the recharging cables were able to covertly capture computer and mobile phone data,’ a secret memo said.

Overseas, the situation does not change, even the US fear that the use of the mobile devices can cause them problems,  The Department of Homeland Security and FBI warn public safety departments that their out-of-date Android devices are a security risk, but updating them is not always easy or simple.

The alert cited unspecified “industry reporting” that, “44 percent of Android users are still using versions 2.3.3 through 2.3.7 (Gingerbread)  which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions.”

Google’s own figures on its site for Android developers estimate that percentage at about a third less — 30.7 percent. But it also showed 21.7 percent using versions 4.0.3-4.0.4, called Ice Cream Sandwich, which is also out of date. Less than half – 45.1 percent – are using the latest OS, called Jelly Bean, and of that group, 36.6 percent are using 4.1, and only 8.5 percent are using 4.2, which is the latest OS.

The DHS/FBI document address principal cyber threats to out-of-date Android mobile devices, including SMS Trojans, Rootkits and fake Google Play Domains.

Despite the alert recommends regular updates, running an “Android security suite” and downloading apps only from the official Google Play Store, the update for Android devices can reveal several problems.

“There is a wide variety of Android OEM versions rolled out to a huge number of different handsets, and not all carriers and handset OEMs will allow you to upgrade to the latest version,” “So, the Android versions that can run are restricted per device. Even now it is possible to buy Gingerbread devices that cannot be upgraded to Jelly Bean.” said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.

De Boer suggested that the only solution for now is to block the use of Android devices that are not running the latest OS.

“Apply admission control,””If your Smartphones or tablet is running a vulnerable OS, you cannot get access to the specific service or data.” “this is hard to accomplish for voice and text, and easier for email and access to files.”

The principal problem related to the use of mobile devices in government environment is that almost every Smartphone is not designed following severe requirements in term of corporate or government security, let’s add that wrong user’s habits aggravate the situation.

It needs a change or mobile devices should be excluded from sensitive contexts.

[adrotate banner=”9″]

 

Pierluigi Paganini

(Security Affairs – Mobile devices, BYOD)