Written by Scott Millis
Presidential transitions are always somewhat chaotic affairs. People come and go, each bristling with devices and online accounts, each trailing their own digital exhaust. But it’s often when security is hardest that it is also most important – and even more so for a president-elect who spent so much of the campaign condemning the cyber weaknesses of his opponent.
Reports from early in the transition suggested that President-elect Donald Trump might be speaking to some world leaders on his personal smartphone. More recently, aides say, he has begun to fret about whether he will be allowed to keep his personal phone once he moves into the White House. He should be aware that hackers are turning their efforts toward mobile as more and more critical data is stored and transmitted there.
A compromised mobile device, whether used for professional or personal communications, means that an attacker can potentially monitor all traffic flowing to and from it, as well as all data stored on it. The microphone and camera can be silently, invisibly activated. A keylogger can record unencrypted usernames and passwords, not just for apps on the smartphone, but for executive systems.
That will let a tooled-up attacker move quickly from reconnaissance to exfiltration of sensitive data — to take one example.
All mobile devices — smartphones, tablets, wearable tech — are targets, but Android, the phone OS reportedly used by the president-elect, has some serious security issues, mainly those allowing for “escalation of privilege” attacks. Hackers will normally target security gaps around the OS, boot loader and permissions of Android. Recently the QuadRooter vulnerabilities leveraged the very popular Qualcomm chipset inside most non-Apple devices, including BlackBerry and the Blackphone, but that was an entirely different vulnerability.
The Android security model has unique challenges because of the OS’s vast diversity. With more than 20,000 variants of Android globally distributed by thousands of different phone manufacturers and service providers, getting a security fix to propagate quickly and reliably across the huge ecosystem has proved impossible so far. Attackers exploit this. To put it bluntly, anyone using anything but the latest version of Android should be concerned about the security of their data on that platform.
But despite the challenges, some simple steps can protect most users from the majority of mobile threats:
- Assume every email is a phishing attack and don’t click on links or files which seem suspicious.
- Use a strong VPN (not SSL) to make sure all web browsing, electronic communications and confidential network traffic are secure.
- Check the phone’s manufacturer and your network provider to make sure patches are being released regularly.
- Download apps only from Google Play or another reputable source.
- Be extremely careful when setting privileges for third-party apps (including Pokémon Go, Mr. President-elect).
For those enterprise users who require a higher level of confidentiality for their mobile devices (here’s looking at you, Mr. President-elect) there are additional steps to take to better secure Android devices:
- Use Samsung’s Knox security system, which locks down the phone’s OS – allowing for the most advanced security on Android.
- Always use a VPN, preferably IPSec (Internet Protocol Security) which eliminates the vast majority of mobile hack vulnerabilities.
- No matter how strong your device security is, attacks can still get through — so it’s crucial to have a system in place that scans all mobile traffic to find anomalous traffic before it causes harm.
- Deploy a real-time system that can quarantine an infected device (not just wipe) so that forensics can be applied.
- Use an on-device app to scan regularly.
Mr. President-elect, following these steps still cannot guarantee mobile security from all hackers — if you want that, don’t use a phone at all. But it will make it harder for anyone who wants to eavesdrop on you.
Scott Millis is the Chief Technology Officer of Cyber adAPT. Formerly the Chief IT strategy officer at McAfee (now Intel Security), he brings a deep understanding of all aspects of IT across diverse sectors including manufacturing, distribution, large enterprises and professional services.