As the manager (and former lead engineer) of the “security intelligence” portions of our Insight product, I’m often tasked with thinking about security in different ways. A big part of that is finding weaknesses in everyday technologies that could be used to exploit and expose our customers to potential breaches, and then figuring out a way to model that with Insight. As a result, I often track security in the media and emerging threats in the industry, and provide internal (as well as external now, I suppose) commentary.

So, last week’s press coverage regarding privacy issues surrounding the use of a certain mobile diagnostics technology started a (small) media frenzy on the nature of mobile phones. Now, normally, I consider anything that stealthily ignores user privacy settings and stealthily sends personal information anywhere to be a Bad Thing… But, in this case it DID bring mobile security to the forefront of mass media and at least got people thinking about the topic. I guess for once a potential privacy breach actually did have at least one good side effect.

Let’s face it: We get much more personal with our mobile devices. I am probably on Facebook more via my iPhone than any PC. My mother texts me there. I check several email accounts, personal and corporate. In a lot of ways, my PC has become a work/gaming device and my mobile is where I conduct most of my interpersonal interaction. The fact there could be some spyware application peeking at the texts my wife sends me feels like a profound violation. Not that they’re steamy or anything… I just don’t like the concept of Big Brother knowing what I’m having for dinner that night.

For some reason, the devices where we store all of our important contact information and that provide access to several web services that (some of us) regard as critical are the least secured and the least observed. For how long had the rogue service sent location data to a third party (even though the setting was disabled)? What’s really disturbing is that most of the companies getting this data had no established privacy policy to even say how they were using it, and they gave users no choice to opt in.

I wish I could say “as mobility develops into a viable platform, we need to think about security”, because let’s face it: mobile platforms are already here and are a huge potential security issue for a lot of people. Unfortunately, not only do we need to worry about what malware authors are doing, but also about what third-party software is coming preloaded onto our devices that can snoop on us with no real constraint. If exploit research has taught us anything, it’s that one man’s debugger is another man’s gaping security vulnerability.

When companies insert these frameworks with little clarity provided to the end user, it is no surprise that they end up getting abused in some fashion. While we don’t know of any malicious usage of this data yet, that doesn’t mean that it’s not out there. How many times in the last year has a company sent a shaming email to you implying your identity was compromised in some fashion? How many more don’t even know they lost it yet? And, this isn’t a simple password hash. With the level of data this application logs and captures, who’s to say someone couldn’t profile your geolocation patterns and break into your home/office or check your call logs for behavior that you might not want known publicly? While these are extreme examples, global security trends show us more and more that attackers are going to great lengths to break into corporate enterprises, and it isn’t like blackmail is a new concept.

I’d recommend we build security completely into the mobile platform and give our data and geolocation the same protection our voice calls have with Federal wiretapping laws. This would at least give us some manner of legal protection from the methods companies are using to ‘improve service’. What do you think? Isn’t it hard enough to secure mobile devices without these types of applications? Is this another situation where the law needs to catch up before users can be completely safe, or is there another way to secure what our phones are telling others?

 

- Ken Pickering, Development Manager, Security Intelligence