The mobile security of political candidates and their staff gets lost in the shuffle when discussing threats to our elections. However, a series of trends points to mobile espionage becoming the next major vehicle for electoral interference. These trends include:
- The smartphone’s rising importance in conducting the day-to-day business of a political campaign
- The increasing use of intrusive smartphone surveillance tools to target political officials
- A growing appetite by malicious outsiders to interfere in elections by any means necessary
In this blog post, I’ll discuss the reasons why smartphones may be the next electoral hacking target and the potential consequences of such a shift.
The incentive: valuable information and access
For chaotic political campaigns, smartphones are often the central point used by candidates and their staff to work and communicate. These devices hold the keys to a great deal of information and access, including:
- Stored information: A variety of important types of data may be stored on a candidate’s device, including personal photos/videos, audio recordings of key meetings and notes of key talking points.
- Live audio and images: The conversations and visuals in the environment surrounding a candidate’s device (what we refer to as data in vicinity) can potentially reveal information both personal (like private family moments) and professional (like strategy discussions).
- Communication channels: Through text and email, a candidate can communicate with staff, key supporters and others.
- Access to online services: A candidate’s smartphone may be used as a launching point for cloud storage (which may contain internal polling data, personnel vetting documents, opposition research, first-draft policy papers, strategy memos and more) and other important systems (such as email/text marketing services, donor databases and social media accounts).
The opportunity: surveillance tools
The use of surveillance tools by intelligence agencies and law enforcement to keep tabs on and discredit political opponents isn’t a new phenomenon; the FBI’s wiretapping of Martin Luther King Jr. as part of the COINTELPRO projects is a notable example. What is new, however, is the ability of these organizations from around the globe to turn a target’s smartphone into a surveillance device, using the following tools:
- Advanced spyware: The most sophisticated malware suites on the planet (like Pegasus) are capable of exploiting zero-day vulnerabilities within smartphones, giving operators the ability to read the target’s text messages, track their calls, collect their passwords, track their location and activate their device’s cameras and microphones.
- IMSI catchers: Devices like the StingRay simulate a cellphone base station, giving operators the ability to intercept a smartphone’s cellular data (including the content of unencrypted phone calls and text messages) and potentially even spoof a user’s identity in calls/texts.
While tools like these are designed to be used for official purposes, lack of oversight means that they can easily end up in the wrong hands, especially given the size and fragmentation of the global marketplace and the potential for blurred lines between official government business and outright political surveillance. In 2016, for instance, three senior Mexican politicians from the National Action Party (Partido Acción Nacional) were targeted with Pegasus by actors within or associated with the country’s federal government.
The endgame: electoral disruption
Whether the goal is to ensure a candidate’s loss, to force a change of positions or simply to create chaos, threat actors can use captured smartphone data and illicit smartphone access to hurt a candidacy in a number of ways:
- Gaining a competitive edge: Key information gleaned from a candidate’s smartphone can be used to help the opposition through things like anticipatory messaging, debate preparation insights and enhanced donor targeting.
- Leaking dirty laundry: Embarrassing or compromising details can be leaked to voters as a way of sowing doubt and derailing a candidate’s message.
- Hacking for hacking’s sake: Information can be used to launch other attacks for the purpose of generating legal liabilities or making donors reluctant to contribute.
- Blackmailing: Instead of leaking dirty laundry, this information can be used to force the candidate into emptying their war chest of campaign funds or changing their position on an issue.
- Sabotaging communications: The candidate’s phone number, email accounts and messaging platforms can be taken over in order to sabotage the candidate or spread disinformation among staff, reporters and supporters.
- Disrupting online systems: Key systems (like the candidate’s website, donation collection systems and voter-tracking software) can be taken offline or defaced, slowing down campaign operations for days or even weeks.
Taking back control
Fortunately, political campaigns can take a number of steps to limit their exposure to smartphone surveillance, including:
- training staff on recognizing social engineering scams in order to avoid spyware infections;
- implementing strong authentication practices as a way to thwart malicious login attempts to key services;
- establishing strict policies for storing and accessing sensitive materials; and
- using anti-surveillance solutions to protect sensitive conversations.
Only with vigilance and proactive mobile security will campaigns be able to take back control of their most important information and, in the process, protect the sanctity of our elections.