By Chris Bonatti, Consultant, IECA of Casper, WY
For IECA’s full newsletter check out https://www.ieca.com/newsletter/2103-IECA_Cyber_Bulletin.pdf
Industry has been rocked this year by news of various leaks and breaches to smartphones. Cellular carrier privacy violations, SIM-swapping vulnerabilities, operating system 0-day vulnerabilities, and cloud service vulnerabilities are just the tip of the iceberg. A bug in the iPhone Call Recorder gave pretty much anyone access to users’ calls. Other research demonstrated how speech recognition algorithms can latch onto sensitive user information as they learn.
In January, a Johns Hopkins team led by cryptographer Matthew Green published a comparative analysis of the security offered by Android and iOS smartphones. Their report (available from ‘securephones.io’) cited numerous issues with both operating systems and proposed associated improvements. In March, a Trinity College Dublin team led by Douglas Leith published a report (available from ‘www.scss.tcd.ie/doug.leith/apple_google.pdf’) that details the exploitable information that our smartphones hemorrhage constantly, and claims that Android phones leak 20 times more telemetry than iOS. Both reports are detailed roadmaps to the privacy and security shortcomings of these devices, but they stopped short of providing any real-world advice that users could heed. The Trinity paper summed things up well, saying, “Currently there are few, if any, realistic options for preventing this data sharing.”
We suggest that if privacy is important to you, sadly the only current option is to avoid smartphones entirely.