In the last 12 months, the threat of compromised smartphone cameras and microphones has come to occupy a larger place in the public consciousness, transforming from a largely abstract fear into a real, widespread and potentially devastating problem. The bad news is that this problem will get worse before it gets better. The good news is that security-centric organizations are looking for ways to proactively defend against this threat. So what will the next 12 months hold in store? Below, I’ve outlined six mobile security predictions for the coming year.
#1: Commercial mobile spyware will be used to target a high-profile figure in the United States.
For decades, government-affiliated actors within authoritarian and democratically challenged countries have used digital threats to target activists, journalists and other perceived opponents. Only in recent years has commercially available mobile spyware – ostensibly intended for lawful interception – become the tool of choice for these actors, providing the ability to remotely capture the conversations of chosen targets. Despite export controls and attempts at self-regulation, vendors of these tools have yet to demonstrate the ability to properly prevent egregious misuses of spyware by nations with notorious records of abusive targeting.
Lately, we’ve seen increasingly risky behavior, with actors targeting not just domestic members of civil society but residents living abroad and even children. And without any global framework for policing these types of commercial spyware, the problem is likely to get worse. It’s not hard to imagine a high-profile figure in the United States becoming the next target. Threat actors could, for example, target the Secretary of State as a way to get an edge in foreign policy matters, or perhaps target a celebrity as a form of retaliation for advocating against the human rights abuses taking place in the threat actor’s country.
#2: The maker of a popular mobile app will become embroiled in an eavesdropping scandal.
Sadly, data privacy scandals affecting popular mobile services are a staple of life in the digital age. In the past year, we’ve seen large companies utilizing underhanded data practices, hiding behind disingenuous wording in their permissions requests and privacy settings. In March, it was revealed that Facebook took liberties with permissions, using access to users’ contact lists as a gateway for storing call and message logs. And in August, Google took heat for storing users’ time-stamped location data despite privacy settings indicating the contrary.
Given the current distrust of the likes of Google and Facebook, it’s no surprise that people have grown suspicious that their data-hungry apps are listening to their conversations in order to serve them better-targeted advertisements. Endless anecdotes have been shared online about this phenomenon – “My wife and I were discussing our collection of fine china and then I saw an ad in my Facebook feed for a Chinese restaurant!” – and it has even caught the attention of Congress, but hard evidence supporting these claims has yet to be found. But where there’s smoke, there could very well be fire.
#3: World leaders will face additional scrutiny over their use of personal phones.
The smartphone communications of world leaders have long been an eavesdropping target for other nations. In 2013, reports of German Chancellor Angela Merkel’s phone being tapped by the National Security Agency (NSA) caused a bit of an international kerfuffle. More recently, a story in The New York Times revealed that Chinese spies are listening to President Trump’s calls as a way of learning how he thinks and how he can be persuaded, all for the purpose of keeping a trade war with the United States from escalating further.
According to security expert Bruce Schneier, if a leader like President Trump is using a personal, off-the-shelf smartphone, there’s a “100 percent” chance that the microphones and cameras are being monitored to spy on the high-value target and their conversations. Edward Snowden detailed one possible method for how this takes place, involving a specially crafted text message that the target never sees. As more details about international smartphone espionage come to light, we’ll see world leaders face greater pressure to secure their personal phones against the threat of compromised cameras and microphones.
#4: Smartphone anti-surveillance will become a part of a Fortune 500 company’s cybersecurity strategy.
While the federal government at large is typically behind the curve when it comes to understanding, adopting and regulating technology, the Department of Defense (DoD) has been at the leading edge of cybersecurity awareness and adoption. For instance, it expanded its Trusted Foundry Program in 2007, long before many enterprises were aware of risks to the technology supply chain. And the DoD implemented chip-based ID cards (Common Access Cards) in 2001, before that technology reached widespread commercial adoption.
When it comes to understanding the surveillance risks associated with mobile devices, the DoD is similarly leading the charge. In May, the DoD’s second-highest-ranking official (US Deputy Secretary of Defense Patrick Shanahan) released a memo outlining a policy banning smartphones from the secure spaces where classified information is being processed and discussed. With corporate cyberespionage from Chinese operatives intensifying, big enterprises will follow the lead set by the DoD and add smartphone anti-surveillance to their cybersecurity toolkits.
#5: Data in vicinity will be the next cybersecurity concept to go mainstream.
Before Edward Snowden made encrypted messaging cool, it was a niche thing. Other cybersecurity concepts – like password managers, ad-blocking browser extensions and a healthy fear of public Wi-Fi – were similarly reserved for security professionals before reaching a mainstream audience. The same path of awareness is happening for the concept of data in vicinity. Data in vicinity is a newly coined term that refers to the data in the presence of a smartphone (or other digital device). This data includes any audio that can be picked up by the device’s microphones (such as conversations) and any visual data that can be picked up by the cameras (such as images of people).
The Snowden leaks helped to bring awareness to the fact that computer webcams can be hacked, turning webcam covers into must-have fare for security professionals, intelligence officers and privacy-concerned individuals. Sooner or later, the general public will figure out that smartphone cameras and microphones, whether accessed by overreaching apps or hijacked by advanced spyware, need to be protected as well.
#6: More major manufacturers will build the ability to disconnect cameras and microphones into their products.
In the past year, we’ve witnessed a number of companies incorporate the ability to physically disconnect internal sensors – including cameras and microphones – into their products. In November, Facebook released the Facebook Portal, a smart speaker that gives the user the option to completely disable the camera and microphones with the touch of a button. And in October, Apple revealed that its latest MacBook models feature a hardware disconnect that ensures that the microphone is disabled whenever the laptop lid is closed.
While efforts to incorporate similar tools for smartphones have been made by lesser-known players like Purism, major manufacturers have yet to do so, leaving users looking for solutions – like Privoro’s SafeCase – that can coexist with the popular platforms. As more consumers, along with enterprise and government customers, start to clamor for solutions that protect their most private conversations and most personal environments, more manufacturers will take note.