Mobile devices are the next battleground for data and privacy, Parmy Olson writes
Pumping phones with information makes them increasingly attractive target for hackers
If people value their privacy, they'll invest in services that encrypt their data
Editor’s Note: Parmy Olson is a journalist for Forbes magazine, covering mobile technology. She is the author of “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency.”
In the world of cyber security there are some well-known designations for anyone that considers him or herself to be a hacker, the term being so broad in scope now.
One can be a “white-hat” hacker or a “black hat,” the former being someone who uses their programming prowess to protect digital data, and the latter someone who seeks to subvert and steal it for their own malicious reasons. Fall into the middle and you’re a “grey hat.”
The recent revelations about the NSA in the United States have made these labels much fuzzier, since government and NSA hackers should be white hat. Yet a recent report in the Washington Post, citing top-secret documents and an internal audit, showed the NSA had broken privacy rules thousands of times as it conducted its widespread surveillance.
Of course, navigating the ethics of data privacy is a complicated business since there’s just so much of it – 90% of the world’s data has been generated in the last two years, according to IBM.
A very likely consequence of the NSA revelations from former cyber security contractor Edward Snowden, is that people will increasingly not care who the hacker trawling through their data is – whether it’s an ethically-conflicted government contractor like Snowden, or someone more unscrupulous trying to sell their digital address book to spammers.
They just want their data to be un-hackable.
Over the years, we’ve read about how easy it appears to be to hack a website, server, or a device if you just have the know-how and the inclination.
The subversive digital community Anonymous showed this in 2011, when clusters of young people within its network were able to temporarily paralyze websites of major corporations and steal data, often without the background of real programming knowledge.
In more than one case these volunteers used a free program they downloaded from the Web, which automated a data theft for them.
For those in the cyber security industry, such big attacks were an “I told you so” moment, proving how insecure our personal data was when it was stored in online databases by even large companies and institutions.
The question of how we can find a good privacy balance in a networked world leads us to the paradox of mobile devices, the next battleground for data and privacy.
Smartphones are essentially mini computers and as a result can offer both our best hope for private digital communication, and greater vulnerability.
First the hope.
It’s been made clear in the last few months that email is no longer considered a safe and secure way to send information to someone.
The founder of secure email service Lavabit, who counted Ed Snowden as a user, recently suspended his business in the face of a government investigation. The vendors of another secure email service, called Silent Circle, shut down their email service soon after, and cited fundamental security flaws inherent in email.
Phil Zimmermann, the co-founder of Silent Circle and inventor of a popular encryption standard for email called Pretty Good Privacy (PGP) even said at the time that email was just not secure anymore. In one way, thanks to using standard Internet protocols, it never has been. Now instead of using email, Zimmermann increasingly uses mobile messaging services of the kind offered by his company.
The general public can take a leaf out of Zimmermann’s book. Mobile messaging apps like WhatsApp and Wickr look better mainstream options for secure digital communication.
WhatsApp avoids advertisers like the plague and relies on subscription payments, while Wickr encrypts messages and deletes them after a set amount of time – like a burning candle wick.
On the other hand, mobile phones are just another attack vector for grey and black hat hackers, with potentially richer information than what’s obtainable from a desktop computer: location data, access to your contacts address book, photos and real time audio through your microphone.
Smartphones are particularly vulnerable in emerging markets like China, where more people use Android phones than in the U.S. and Western Europe, and download apps from third party sites because Google Play is banned by Beijing. The problem here is that it’s becoming easier to inject malware into fake apps, for unsuspecting Android users to download.
In the last few months, security researchers have found a remote access tool in the wild called AndroRAT, which coupled with a new software tool called a binder, makes it surprisingly easy to inject malicious code into a fake version of a popular, paid-for app or game, package it together and upload it to a third-party site at a discounted rate or for free.
Once the app has been downloaded, the hacker can remotely steal the victim’s contacts data, turn on their camera or turn on their mic and record conversations. Researchers say the tool is most attractive to spammers who want to steal contact data and premium text messages.
What’s disturbing is that using the tool does not require a sophisticated level of programming knowledge, echoing the desktop tools that were used by supporters of Anonymous to attack online databases.
Far more tame, but still disturbing for many privacy advocates, is the amount of data that mobile app developers are able to funnel out to advertising networks after you’ve downloaded one of their free apps – and this applies to anyone that uses an iPhone or Android phone in the developed world.
History repeats itself. So long as we continue to rely on small, rectangular slabs for computers and carry them everywhere, pumping them with all manner of personal and professional information, they’ll increasingly become a target for hackers white, grey or black.
If people value their privacy, they’ll vote with their wallets and invest in services that encrypt their data and keep their communications private – and a few they might ditch their phones altogether.
The opinions expressed in this commentary are solely those of Parmy Olson.