What Mobile sat down with white-hat hacker Steve Lord for an exclusive interview on the current state of data security and mobile safety.
Smartphones marked an inaugural moment in our lives, a moment where we plugged in and have not hit the off switch since. Smartphones have become our most trusted companion, a new right-hand man and a new limb, if you will. But what happens when something you put so much trust in can be used to damage you? It hurts, obviously, and smartphones can do just that: with a new age of convenience and information come new ways for us to be vulnerable. Take the good with the bad, as they say.
Edward Snowden recently revealed to the BBC’s Panorama that UK intelligence agency GCHQ (Government Communications Headquarters) has the ability to access phones without the knowledge of the owner. According to Snowden, GCHQ can access phones with tools known collectively as Smurf Suite, tools that can survey or extract information from your device discreetly.
“Dreamy Smurf” can switch your phone on and off. “Nosey Smurf” works in conjunction with “Dreamy Smurf”: after the latter switches on your device, “Nosey Smurf” gets to work by switching on your mic, enabling the user to listen to you. Finally, we have “Tracker Smurf”, which triangulates your exact location with more precision than the triangulation of mobile phone towers.
Scary stuff and to be honest, if the government wants to get in your phone there’s not a lot that you can do. But for the more nefarious hackers there are measures that can be taken. What better way to protect yourself than to ask a hacker?
Steve Lord is a White Hat hacker, which thankfully means he works for good. It also means he would choose to destroy the Sith, not join them. Steve has a decade of experience in information security and runs his own company, Mandalorian Security Services Ltd.
• What is your job?
I’m a penetration tester, I’ve been doing it for over 15 years. I get paid by companies to break into their computer systems to identify security flaws so they can fix them. Most people build things. I take them apart. Because computers are everywhere these days, I end up breaking into all kinds of strange things from banks to missile systems.
I’ll be given a target by a customer, it could be a website, a mobile phone or in one case last week a meeting room. You might think meeting rooms are strange things to attack. But within an hour or so we had full control of the TV screens, climate control and were able to stream audio from every meeting room in the building to us. And this is a system that the US Department of Defense uses at the Pentagon. I write reports on how to fix problems. Often the most serious vulnerabilities are those that affect the underlying business, and they’re usually the ones that need the most support.
• Have you been forced to do something questionable?
No, but we often get asked to do things that are unethical and sometimes downright illegal. A company asked us to uncover the source of the biggest corruption scandal. We politely declined. People who expose corruption scandals in Turkey have a habit of disappearing. We won’t do anything that could endanger lives.
• GCHQ use software tools called ‘smurf’ to extract data from phones. Are there any other tools GCHQ are using or can use?
GCHQ and the other Five Eyes agencies have a large array of tools, as disclosed through the Snowden and other leaks. They also have internally developed tools, with funny names like SWAMP DONKEY and ANGRY PIRATE. We don’t know exactly what GCHQ can and can’t do. But every time there’s a leak, the details are often both impressive and scary from a hacker’s perspective.
• What kind of information can GCHQ (or a hacker) extract from mobile devices?
I don’t know for sure. With enough time they can probably get anything they want off anything they want to get it from.
• What are your thoughts on the Black Phone 2/Turing Phone and purpose-built smartphones for security?
The original Black Phone was a good effort. But even that had quite a few vulnerabilities that could let hackers in. Just because a phone is built with security in mind doesn’t mean it’s secure.
• Are modified OSes like Cyanogen more secure than stock versions?
The problem with Android phones lies with the way updates are managed. Updates are rolled out by carriers and vendors. So you’re not guaranteed to get security fixes. So some phones lag behind. Others are up to date. CyanogenMod is often more secure on these. If you run stock Android your best bet is to use a Google-branded phone like a Nexus.
• Which OS is most at risk? Windows, Android or iOS?
All have benefits and drawbacks. Currently Windows Phone seems to be the hardest nut to crack. BlackBerry has a long history of being very security-focused. If I have physical access to the device, I find Android’s usually the easiest target. Then comes iPhone, then older versions of BlackBerry. If it’s over a network or I have to attack via email or message, Android’s usually the softest target.
• What are your thoughts on smartphone assistants?
All of the assistants (Google Now, Cortana, Siri) are becoming more context-aware. The problem is they have to scan the content and break it into chunks the phone can understand. When this is done on the phone it’s not so bad. But when this data is sent somewhere online and stored, what happens afterwards? The truth is we don’t know. People talk about GCHQ and the NSA reading their emails. Google have been doing this for years publicly and no-one seems to care.
• What can people do to keep personal data more secure?
Make sure your phone has the latest updates. Don’t put anything on it you wouldn’t want to see all over the Internet. Don’t jailbreak or root your phone. Never install apps from outside of your phone’s app store.
• Are there older smartphones that consumers can use to be more secure?
Older smartphones tend to be considered less secure as they’re usually affected by known weaknesses. If you’re using an older phone you’re better off with a classic dumb phone. If you have to have an older smartphone, use an older BB10-based BlackBerry, or a Windows Phone running Windows Phone 8 or newer.
• Can non-registered pay-as-you-go phones still be accessed?
Absolutely, it makes no difference how the phone’s bought or used.
• Are there any apps that are guilty of making your phone insecure?
Lots of apps do bad things with permissions. The worst offenders are things like Facebook and Facebook Messenger. Most apps need to access certain things like your photos to allow you to share pictures. But some apps just seem to want to hoover up data and send it back to the mothership.
• How would you know if you’ve been hacked?
Unless the hacker is dumb enough to make something pop up on your screen you probably won’t know for sure. You’d typically find out when some strange charges start appearing on your bank account, or your Gmail says it’s been accessed from somewhere you’ve never been. As long as you make sure the security settings are properly managed and that your handset is up to date, protected with a decent password and auto-locks you’ll be safer than most.
• Is there much difference between white hat and black hat hackers? And do black hat hackers get recruited into the security industry?
A White Hat hacker (like me) works to improve security in an ethical manner. A Black Hat hacker breaks into things without permission for nefarious purposes, like the NSA or the 15-year-old kid in Northern Ireland who allegedly broke into TalkTalk. There are black hats in our industry. But there’s often a stigma attached to a black hat turning white hat.
• What is the future of data and device security? Will we be living in a utilitarian society?
There’s a war between the major mobile operators and manufacturers. Look at how long it took for Microsoft Office to appear on the iPad. Or Facebook’s acquisition of WhatsApp Messenger. You’re going to see less personal control of your devices. Providers don’t just want to own your data, they want to control how you access it.
A special thanks to Steve Lord for taking the time to answer our questions.