The Rise of Mobile Espionage. What you need to know now.

Table of Contents

Introduction

Why Is Mobile Espionage a Concern?

What Makes Smartphones So Attractive?

Who’s Spying and Why?

Who Needs Protection and Why?

How To Reduce Mobile Espionage Risks

About Privoro


Introduction

Private conversations aren’t private anymore if a smartphone is present. Smartphones are packed with sensors that can be taken over to listen, watch and track users and expose everything about their personal and professional lives. Until recently little could be done to monitor and protect smartphone sensors, thus giving rise to the era of “Mobile Espionage.” This paper will explain the context and methods of cyber espionage and suggest ways to prevent it.

To set the foundation for this whitepaper, here are some basic definitions:

MOBILE: While this term includes all portable wireless digital devices, IoT, as well as apps designed for the mobile experience, for the purposes of this whitepaper, we are speaking exclusively about smartphones.

ESPIONAGE: The use of surveillance, tracking and spying techniques by governments, businesses and individuals to gain access to information that provides economic or political advantage or enhances stability and security.

MOBILE + ESPIONAGE = The act of leveraging smartphone sensors like cameras and microphones or the information revealed by RF signals (Cellular, WiFi, GPS, etc.) to understand what you see, what you say, where you go and whom you meet.

Kaspersky Lab Researchers Announce Threat Predictions for 2017 including “Espionage Goes Mobile: Kaspersky Lab expects to see more espionage campaigns targeted primarily at mobile, benefiting from the fact that the security industry can struggle to gain full access to mobile operating systems for forensic analysis.”

December 2016


Why Is Mobile Espionage a Concern?

Smartphone sensors (microphones, cameras, and RF) offer a wealth of unfiltered access into the day-to-day, real-time operations of a company, exposing the most sensitive conversations of executives and others with valuable information. And the threat extends to wherever users take their phones—behind the closed doors of important meetings, on international travel, in the offices of customers and partners, at home, at play and more. Data collected from smartphones can be used to stitch together information that was previously unavailable or undocumented, often more quickly than other means of collection allow, because the most sensitive information is typically discussed before it is committed to writing.

MOBILE ESPIONAGE, aka Mobile Monitoring, is conducted in two ways. Legally, through smartphone apps, service provider contracts (cellular, etc.) and device/OS manufacturer agreements in which the user accepts terms and conditions permitting tracking and monitoring. And illegally, where a malicious actor compromises and takes control of the smartphone to track and monitor users. Users should be aware of, and have a level of concern about, both forms of data collection:

Legal

Concerns about the legal collection of sensor-generated data: With the explosion of human-to-machine interactions like digital assistants and AI, users give permission to be tracked and monitored, which includes where they go and what they say. The exposure to consider in this case is that this data is collected, stored and analyzed in environments we assume are secure. But sophisticated hackers and both governmental and non-governmental organizations with legal authority are highly incented to breach or subpoena such “secure environments” as we’ve seen in the Yahoo Billion Account Breach, the OPM Hack and even the court case that asked for information from an Amazon Alexa at a crime scene.

espionage (noun)

1. the act or practice of spying.

2. the use of spies by a government to discover the military and political secrets of other nations.

3. the use of spies by a corporation or the like to acquire the plans, technical knowledge, etc., of a competitor; industrial espionage.

mobile (adjective)

1. capable of moving or being moved readily.

2. Digital Technology. pertaining to or noting a cell phone, usually one with computing ability, or a portable, wireless computing device used while held in the hand, as in mobile tablet; mobile PDA; mobile app.


Illegal

Concerns about the illegal collection of sensor-generated data:

1) It is nearly impossible to detect threats, because of the dearth of tools to analyze and protect smartphones at all levels—chips and boards, firmware, OS and apps. These smartphone vulnerabilities are often exposed in hacks like Pegasus, SideStepper and others.

2) The exposure of data that can be collected through microphones, cameras and RF signals could have a large economic impact on businesses and/or damage their brand credibility.

3) There are very few solutions available today that proactively protect against Mobile Espionage.

The chart below shows just a fraction of what Mobile Espionage can reveal.

Two types of data collection through smartphone sensors:

LEGAL
• Smartphone apps
• Service provider contracts
• Device/OS manufacturer agreements

ILLEGAL
• An unwarranted third party compromises and takes control of the smartphone to track and monitor users.

WHAT CAN SMARTPHONES GATHER?

SENSOR: Microphones
EXPOSURE: The ability to eavesdrop and understand what is being verbally discussed
EXAMPLES: Listening in to discussions such as legal meetings, M&A activity, R&D efforts, financial discussions, board meetings

SENSOR: Cameras
EXPOSURE: The ability to watch and capture the end user’s environment
EXAMPLES: Capturing images of computers, systems and tools, passwords, whiteboards, people, etc.

SENSOR: GPS, Cellular, WiFi and Bluetooth
EXPOSURE: The ability to track the movements and location of a user
EXAMPLES: Knowing a user’s habits, lifestyle, places of work, play and worship. Identifying relationships based on whom users meet


What Makes Smartphones So Attractive?

FIRST, smartphones have become ubiquitous and attackers are taking advantage of the mobile lifestyle. Since we take our smartphones everywhere, they have the ability to capture everything we say, everything we see and everywhere we go. And because of our mobile lifestyle, smartphones are increasingly becoming a hub for the access and control of a growing number of other devices with sensors and data collection abilities of their own, such as Amazon Alexa, Smart TVs or other devices covered by the Internet of Things (IoT). The information discussed around smartphones (proximity data), combined with their aggregation of other data, makes them a fantastic “choke point” for gathering information.

SECOND, smartphones are packed with highly sensitive sensors. Some smartphones have as many as four microphones, each capable of capturing even the slightest whisper of a conversation. They typically come equipped with two high-definition cameras—one front and one rear. And all smartphones use radio frequencies (like cellular, GPS, WiFi and Bluetooth) to determine or provide location information that can be used to pinpoint users’ locations at any time and build a historical record of all of their movements.

THIRD, smartphones are a complex, multi-layered, hardware and software ecosystem. Each of the many elements and layers of this system is a potential attack vector, with no single, comprehensive, available defense, making smartphones an inviting target for malicious actors.

10 years ago there were 0 smartphones; today there are 5 billion.


Although each layer has varying degrees of protection from compromise, it is important to understand that being lower in the stack provides an avenue to beat defenses placed at higher layers: app defenses lose to OS attacks, OS defenses lose to firmware attacks, and so on.

FOURTH, when looking to gain access to a device, the attacker will often focus on the weakest link in the chain; and that is almost always people. By simply downloading the wrong app, clicking on the wrong link or opening the wrong email, people may unknowingly give up control of their sensors and ultimately control over their microphones, cameras and RF-based information as well. Case in point: In 2015, Intel Security tested over 22,000 people and found that 97% of them couldn’t identify a well-crafted phishing email.

LAST, as overwhelming as it is to protect a smartphone in all these areas, what’s even more concerning is the lack of tools available to analyze, detect and protect them from vulnerabilities. Today’s best practices allow for policing apps, encrypting data and looking for anomalies. But solutions for the full smartphone ecosystem don’t yet exist, and this leaves companies and users at the mercy of the motivated individual, company or country who’s trying to gain a competitive edge or financial advantage.

AREAS OF SMARTPHONE COMPROMISE

AREA: Applications
DESCRIPTION: Apps (including mobile browsers, messaging apps etc.), app platforms and app stores can all be compromised to provide illegitimate access to smartphones, while legitimate apps may over-reach in their data collection
EXAMPLES:
• XCodeGhosts: A New Breed Hits the US
• Lawsuit alleges that Warriors’ app illegally listens in on users
• Mobile Security: Why App Stores Don’t Keep Users Safe
• “Godless” apps, some found in Google Play, can root 90% of Android phones

AREA: Operating Systems
DESCRIPTION: Vulnerabilities within operating systems can be exploited to compromise and control a smartphone
EXAMPLES:
• Inside ‘Pegasus,’ the impossible-to-detect software that hacks your iPhone
• The CIA Campaign to Steal Apple’s Secrets
• Androids Under Attack: 1 Million Google Accounts Hijacked

AREA: Firmware/Carrier
DESCRIPTION: Firmware can be hacked, invisible to protections at the OS or app layer; fake cellphone towers (Stingrays, Dirtboxes, IMSI catchers) can inject malicious code or be used to eavesdrop on smartphone communication
EXAMPLES:
• Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say
• What Happens When the Surveillance State Becomes an Affordable Gadget?
• “Android Malware: 38 New Phones and Tablets Found to be Pre-Installed With Virus Before Being Sold”

AREA: Hardware/Chips
DESCRIPTION: Backdoored chips, PCBs modified during manufacturing and replacement of legitimate chips/PCBs can all provide attacker control of compromised device parts
EXAMPLES:
• “How a Bug in an Obscure Chip Exposed A Billion Smartphones To Hackers”
• Android Security Flaw ‘QuadRooter’ Hits 900 Million Devices
• Chip chomped after debug backdoor found in Android phones


Who’s Spying and Why?

It’s easy to understand why Mobile Espionage is a growing concern for companies and users who share valuable information around their smartphones. But who exactly would want to spy on a company or user and why?

COMPETITORS—the ability to gather unfiltered conversations about strategic plans, innovations, financial information, legal discussions, and more, is highly desirable. Unscrupulous competitors have long gathered information in a variety of ways, from dumpster diving to outright data theft. But this new wave of gathering information via Mobile Espionage has the possibility of creating an even deeper, more intimate understanding of companies because it is like having eyes and ears behind company walls.

NATION STATES—countries have always kept a close eye on both their citizens’ activities and foreign rivals to ensure safety and security. Now those spying tactics are expanding to gather valuable business information. Economic security underpins national security, and thus eavesdropping on meetings, gathering strategic industry information and supplying domestic businesses with information that supports their economic competitiveness is consistent with their goals.

TECH COMPANIES/ADVERTISERS—“always on” digital assistants like Siri, Google Assistant, Amazon Alexa and more are always listening for commands or “wake words” that prompt them into action. Gathering conversational data, verbal commands and requests and pairing these with location data provides powerful profiling information desired by advertisers. Swept up in this information gathering may be sensitive corporate, client or—in the case of healthcare companies—patient information, which corporations have a duty to protect.

Who’s spying:
• Competitors (domestic and foreign)
• Nation States (domestic and foreign)
• Tech Companies/Advertisers
• Hackers/Cybercriminals


HACKERS/CYBERCRIMINALS—Malicious actors may be motivated by a variety of reasons, including economic, political, social or personal. Regardless of reason, to these people smartphones are just another attack vector. As phones become ever more central to daily life, and as the valuable information collected by or accessible via smartphones grows, so will the desire to compromise and use them for malicious purposes.

GETTING INTO YOUR PHONE IS A HIGHLY PROFITABLE BUSINESS.

The “lawful” malware/spyware business is expected to reach $1.3B by 2019

–Markets and Markets, 2016

As if hackers, cybercriminals and government agencies developing malware weren’t enough, the effort, growth, sophistication and size of the “for profit” mobile malware industry goes far beyond most people’s comprehension. Despite their efforts to stay under the radar, dozens of companies dedicated to systematically developing such malware have been documented. Here are just a few:

• Hacking Team—“Hacking Team brewed potent iOS poison for non-jailbroken iThings”

• Cellebrite—“It Might Cost The FBI Just $1,500 To Get Into Terrorist’s iPhone”

• NSO Group—“Everything We Know About NSO Group: The Professional Spies Who Hacked iPhones With A Single Text”

• Zerodium—“Meet Zerodium, the company that pays $1 million for Apple hacks”

Each earns millions of dollars for the cyber-arms they develop and sell around the world, highlighting the fact that no smartphone should ever be considered secure. And the smartphone access they provide to their customers almost always includes surveillance capabilities in the form of remote control of microphones and cameras and movement/location information.

“I don’t have anything to hide but I don’t have anything I want to show you either.”


Who Needs Protection and Why?

While everyone deserves the right to privacy and security, most, when asked, will say, “I have nothing to hide.” The insight most people reach when questioned, however, is that they have everything to protect. No one knows how the vast ability to collect data we’ve described will ultimately be used by competitors, nation states, corporations or hackers. What is certain is that there is material risk in not protecting your smartphone sensors from legal and illegal activities.

Everyone should be aware of the risks smartphones pose, whether legal (when users download an app and accept the terms) or illegal (when nefarious attackers look to compromise a smartphone). One of the best ways to keep users safe is to raise their awareness level through training. Knowing the different ways a smartphone can gather information, how hackers will try to compromise it, what users can do if a smartphone is compromised and how to protect themselves is key to raising their overall mobile security awareness.

However, all the training in the world can’t stop motivated hackers from breaking into smartphones. So, for those users who discuss valuable information, visit confidential clients, attend board meetings, etc., additional security measures should be evaluated and strongly considered.


THE QUESTIONS BELOW PROVIDE A STARTING POINT TO IDENTIFY THOSE WHO MIGHT BE MOST AT RISK:

1. Does the user discuss strategic information about the company or a person within the company?

2. Does the user discuss confidential financial information which, if discovered or disclosed, could impact the company or benefit the eavesdropper?

3. Does the user travel to, transit or do business in high-threat areas (e.g., high-traffic choke points, regions of known cyber activity etc.)? Examples include countries like China and Russia but even a high-traffic U.S. airport, financial district or places like Times Square can be high-risk areas for breaches.

4. Does the user work with or discuss proprietary research and/or development information?

5. Does the user have high-profile legal discussions with outcomes that could affect the company or user financially or strategically?

An answer of “yes” to any of these questions indicates a user group that might benefit from additional security measures.


How To Reduce Mobile Espionage Risks

Because there are so many ways to gather information from smartphones—both legally and illegally—businesses should take a layered approach to securing enterprise mobile data as well as protecting the privacy of the mobile workforce.

WHILE EACH ENVIRONMENT WILL DIFFER, BEST PRACTICES TO CONSIDER INCLUDE:

• Define the security context/goals for the phone, applying the commonly used framework of confidentiality, integrity and availability for its functions and data.

• Leverage full disk encryption provided by device manufacturers in combination with policies for strong passwords, auto-lock after a short time and device wipe after a limited number of incorrect entries.

• For data in motion such as calling and texting/messaging: Leverage third-party, open source, independently reviewed and vetted encrypted calling apps such as Signal.

• For policy enforcement and scalable device management: Use mobile device management software.

• Create separate containers/environments for work and personal use.

• Use mobile threat management software to detect known (and, in some limited cases, unknown) mobile attacks, jailbreak detection, etc.

• Keep the device OS updated/patched.

• If developing custom corporate apps: Verify and secure the development platform, apply secure coding best practices and ensure there is a plan and resources to keep apps updated on a timely basis.

• Use multi-factor authentication to increase access security to corporate resources, such as VPN, shared file servers and cloud storage.

• Use burner phones for international travel and/or take the phone off-grid (by means of a Faraday cage) while transiting high-threat, choke-point areas such as airports or while visiting confidential locations (e.g., M&A targets etc.).

• Secure smartphone sensors when not in use or needed. These include microphones, cameras and RF signals; securing them prevents surveillance and the leakage of sensitive information.


About Privoro

WE THRIVE ON TECHNOLOGY.

We are ever-curious as to what it can enable and believe our smartphones provide us with a window to the world. Connections, commerce, communication and more are all accessible wherever we go. But that digital window can also be used to track and monitor us. And, just like pulling the curtains to your bedroom at night, we believe people should be able to pull down the shade to their technology window as well. We believe people should be able to control when they are tracked and monitored, versus it being the default setting.

Our first product allows you to do just that, and at the highest possible standards. The Privoro Privacy Guard is a first-of-its-kind endpoint hardware and software appliance that stops cybercriminals from using personal and workforce smartphones to eavesdrop, spy on and track user movements. It provides:

• Sealed channels that cover all microphones, while Active Audio Masking jams these microphones with noise to prevent speech recognition, making it nearly impossible for others to monitor or record conversations happening anywhere near your phone.

• A physical barrier that covers all cameras, making it impossible for others to spy on the world of your mobile workforce.

• A patent-pending, proprietary, two-component sealing system that forms a high-performance Faraday cage around any iPhone 6 or 6s. This provides unsurpassed 110+ dB of radio frequency attenuation, preventing the detection of all RF signals used by the smartphone, including cellular, WiFi, Bluetooth, GPS, NFC and RFID technologies.

PRIVORO PROTECTS:
• What you say (Audio Masking)
• Where you go (RF Attenuation)
• What you see (Video/Camera Block)


• Easy, out-of-the-box implementation into your enterprise security workflow.

• Air-gapped, hardened platform that provides no back doors into its protective electronics and firmware.

• The Privoro mobile app to provide real-time, two-factor verification of both audio and RF protections.

• Full use of phone features with most protections engaged.

In an increasingly exposed, sensor-driven world of overreaching apps, malicious cyberattacks and unauthorized surveillance, we want to put you back in control, ensuring that breaches to your most sensitive information don’t happen on your watch.

Privoro.com
