The battle over who has the most secure smart phone has racheted up in the past year with the revelations by former NSA contractor Edward Snowden of the capabilities of some Western electronic spy agencies.
At last week’s Def Con hacker conference in Las Vegas it accelerated with reports that the new SGP Technologies’ Blackphone, which uses an enhanced version of Android, had allegedly been rooted in five minutes.
For CSOs hoping to have found a handset that C-level execs could trust it might have been a deflating moment. The fact is the conference attracted people who could get into BlackBerrys and other mobile devices as well. And as outlined by Ars Technica in this article. the Blackphone hack didn’t take five minutes and relied on a number of narrow circumstances.
Jon Sawyer, the CTO of Applied Cybersecurity LLC, came up with the Blackphone hack, but it required the attacker have physical access to the handset and connect it to a PC via USB, the phone be configured against the set-up recommendations of the manufacturer, that no encryption be installed on it, have the user ignore an unknown application source warning and have the phone’s PIN code.
Whew. As the Ars writer said, the hacker either would have to have got the phone from a very naïve user (Editor’s note: not so unimaginable), or bought the phone himself.
The article has a longer explanation of Sawyer’s attack. Blackphone said it has already issued a patch for one of the vulnerabilities
As for the vulnerabilities of other smart phones, the article notes that at the Black Hat conference, also in Las Vegas last week, researchers showed how the embedded over the air management interfaces used by wireless carriers to push configuration updates could be used to gain root access to BlackBerrys, some Android phones and some iOS devices.
Some hacks are easier than others. No device is completely secure. But IT security pros should be able to advise their staff about appropriate measures to lower risk (like, if you’re talking about an acquisition use a code name for the target company). Lowering risk is what it’s all about.