Recent news reports, covering two separate incidents, confirm a conclusion we continue to draw attention to when talking with security professionals, our customers and anyone concerned about their mobile security posture: smartphones are inherently vulnerable, and little – to date – can be done to protect against, detect, and remediate compromises. Without a full view into the ecosystem of the phone, software solutions alone will never be enough to safeguard users' important information and protect their privacy.
First, on Wednesday, October 4, the Wall Street Journal, in “Russia Targets NATO Soldier Smartphones, Western Officials Say,” wrote that “Russia has opened a new battlefront with NATO, according to Western military officials, by exploiting a point of vulnerability for almost all soldiers: their personal smartphones.”
Then, one day later, on Thursday, October 5, Politico published an article, “John Kelly’s personal cellphone was compromised, White House believes,” outlining that a potential nation-state exploit likely compromised the personal smartphone of White House Chief of Staff John Kelly.
In and of themselves, these stories may seem unremarkable given the almost daily headlines about similar exploits and the nature of the exploits. After all, tracking the location of troops, their movements, force size, etc. is a longstanding practice – using lookouts, drones and implanted informants, to name a few. And John Kelly’s international profile, and what he holds on his personal smartphone, is likely of high value to many – nation states, malicious actors, even opposing political parties. So the fact that NATO soldiers and John Kelly have “potentially” been hacked seems logical, if not probable.
But the underlying story remains: neither the White House nor “Western Officials” can be certain that smartphones were actually compromised. The “proof” is often a conclusion drawn from a combination of factors ranging from leaked information to irregular behavior on the smartphones of high-value targets.
This same “unknowing” is one of the greatest threats that people who carry smartphones should be aware of. Why? Because it changes the solution set. The smartphone has a large attack surface, and breaches can happen at any layer in the ecosystem: chips and boards, firmware, operating system and apps. There aren’t tools to protect against, detect and defend against all attacks, or to inform users when they have occurred, because there isn’t adequate access into the different layers, which include components designed, engineered and installed by thousands of different players in the smartphone economy. Note that even with arguably the best forensics experts money can buy, according to Politico, “Several government officials said it is unclear when – or where – Kelly’s phone was first compromised. It also is unclear what data might have been accessed, if any.”
Smartphones are consumer devices being used in military, government and corporate environments that require a higher level of security. Although certain software will increase their security posture, “software only” solutions have proven vulnerable and fail to fulfill the security needs of advanced users. Attacks like these against NATO and the White House will continue to exploit the weaknesses of, and lack of visibility into, the underlying hardware. Government smartphone security must start with a “hardware root of trust” and build up and around that foundation. Until we have hardware we can trust, the exploits will continue.