Cell phones are not secure. And then, I suppose that I have to qualify that by saying cell phones are not *very* secure. And then I suppose that I have to qualify even *that* by saying *most* cell phones are not very secure.
So, to start off with, yes, there are some cell phones which are secure. There are some cell phones that are secured to specific levels. But these cell phones are usually restricted in quite a few different ways. One of the ways that they are restricted is that you cannot install just any app on one of these cell phones. The cell phone itself will not allow you to. And this takes care of an awful lot of the insecurity of cell phones, in that most apps for cell phones are not secured. Security has not been part of the design of the app. Okay, yes, some aspects of security *may* be *part* of the app. The app may require you to enter a username and a password to get access to your specific account. And, indeed, the cell phone app *may* protect the sign on; the exchange of your username and password with the system that is hosting that account, and may even possibly encrypt the information that you are transferring back and forth between your phone and the app. But all of that is "maybe" on your bog standard cell phone. On a secure cell phone it is going to be mandatory. And anything that doesn't apply stringent security protocols is not going to be allowed on that cell phone.
But that is only one part of the whole security puzzle. When I am preparing candidates for their professional certification in information security, I start with security management. The point being that you can Have all the security tools that you want, and still not be secure. You can be an absolute wizard at setting up firewalls, and know absolutely everything that there is to know about establishing a really secure firewall, but if you don't do all the rest of security, and if you don't manage it all together, you're not going to be secure. In physical terms, I may illustrate it by saying you can have a front door that is solid, and barred, and has really fantastic locks, and you're not going to be secure if your back window is wide open. So, you have to do the whole job with regard to security. And cell phones definitely don't do the whole job. Cell phones are there for availability. Cell phones are there for convenience. Cell phones are not for total and complete security.
To understand why, we go back to our Signalgate scandal.
The person who set up the group chat actually thought about security to a certain extent. But only to eliminate a concern about people being able to get the contents of the chat at a later date. This person enabled the setting that said that all the messages on the group chat would disappear after a week. Yes, that can be helpful in terms of security. (It's also illegal, in terms of government regulations with regard to archiving of all official government communications. But so many other things were illegal about this whole story that what's one more?)
Anyway, back to this issue of the messages disappearing after a week. Actually, this doesn't give you much security at all. For one thing, you can simply copy the text of the messages and put them someplace else. You can paste the text that you have copied from the messages into a text file on another app on the phone that allows you to make text notes. Or you can take the text that you took off this group chat, and paste it into an email, and email it to yourself. There's all kinds of ways that you can take this information and keep it, even though somebody has said that the information is supposed to disappear after a week.
There may be a setting on the Signal app that enforces something that says no, you can't copy that text. This does make it a little bit harder to keep the text, but not very much. For one thing, just about every cell phone allows you to take a snapshot of the screen: a screenshot.
And in fact, when those who were party to this chat (officially, at least) complained that the reporter was misrepresenting what had been said at the chat, and that nothing classified had been said at the chat, the reporter was able to provide an entire transcript of what had been said on the chat, including all the emojis that had been sent in messages in the chat (which, of course, would not have copied over as text). But all he had to do was take screenshots of the messages on the chat. And, there they all are. A complete transcript: complete with emojis and everything that was said.
This is one of the reasons that cell phones are not secure. There are far too many ways of taking information and copying it somewhere else that *isn't* secured, even if you apply security to the cell phone.
But wait, as they keep telling us in the ads, there's more!
Cellphones are actually computers. Small computers, specialised to communications functions, but they are computers. And of course, most of them can be connected to the internet. And therefore people have found ways to write malware for cell phones. And those pieces of malware can be sent to people, embedded in messages that read, "Hey, you'll get a kick out of this! Click on this link!" "Hey, this app is really fun!" Install it on your phone!" Or something like that.
And people will run a program, whether they realise it's a program or not. And that program will take over their cell phone.
Most people, and particularly those people who are willing to think that there are no rules, and therefore rules about not just running any old software, and not clicking on any old link that somebody sends you in any email message or text. People who are willing to not identify and verify people that they add to a group chat. And people who are willing to discuss highly classified information on systems that are not rated for that level of sensitivity of information. Well, those kinds of people will probably be quite willing to click on anything Without realising that it might be a piece of software that can take over your phone.
And, of course, once the software has taken over your phone, it can do whatever it wants. Including setting up a permanent link to send anything that you tap into the phone (your credit card number? high security government account password?), and anything that shows up on your screen when you are looking at the phone, and take recordings of every telephone conversation you have with that phone, and send it to ...
Well, anyone, really. Chinese intelligence agencies. North Korean intelligence agencies. Russian intelligence agencies. Possibly (*shudder* *shock* *horror*) even *Canadian* intelligence agencies! Who *knows* what damage this could do!
Next: "Security for ordinary folks": Lessons from Signalgate - 5 - Authorization
No comments:
Post a Comment