GCHQ Can Hack My Smartphone Using a Bunch of Smurfs

Uploaded on 2015-10-12 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Developments

It could make a scene in SPECTRE, the forthcoming James Bond movie. "So, Q, all I do is send a garbled text to his phone, and I'll be able to track him, listen via his phone, and watch him on his phone's camera? What do you call it?"

"Smurf Suite, Bond."

But this is real life: rather than sticking a cigarette pack-sized tracker to a car, as in Goldfinger, today's spies really can track, listen to and watch people through their own phones, as the former NSA contractor Edward Snowden told the BBC Panorama

It's enabled by the wonderfully named "Smurf Suite" - there's Dreamy Smurf, which controls the power settings, and Nosey Smurf, which turns on the microphone, and Tracker Smurf, which watches your location. And to round it off there's Paranoid Smurf, which hides all the other Smurfs if the phone is examined by an expert.

With recent news that the European Court of Justice has effectively revoked the "safe harbour" practices that let American companies ship European data to the US, where the NSA could trawl it more easily, one suspects that GCHQ's Smurf family will soon get a lot busier. The question is, is it a bad thing if GCHQ can hack into smartphones? Should they be allowed to at all, which seems to be the subtext of some of the coverage of Snowden's interview?

There are three ways to ask this question. First, would you be happy if GCHQ could hack into the Chinese premier's phone, and eavesdrop on him? Second, would you be happy if Chinese hackers (government-paid or not) could hack into David Cameron's phone? Third, would you be happy if GCHQ and Chinese hackers could hack into your phone?

Think carefully, because the answer to each has to be the same. You can't have a situation where we can hack into Xi Jinping's phone and yet his team can't do the same in return. Modern phones are little computers; that means too that they're prey to bugs just as the wheezing boxes on our desks are. You just have to be a lot more expert to find them.

That's where the cleverness of the people hired by the security agencies becomes evident. I've seen some of the work that GCHQ's staff did in trying to figure out counter-insurgency tactics in Afghanistan while they were sitting in Cheltenham: it was internet-based, and made me think "oh, that's really a smart way to track that activity down." I'm not going to give any more detail, for operational reasons. In the end, though, their idea was defeated by a change in encryption used by one of the systems involved. (The change predated Snowden's revelations.)

"It's time we grew up about this: the proper reaction to the 'Smurf Suite' should be: 'that's terrific - well done. Now we've got something to use against our enemies'"

The problem is that if you weaken our phones' security enough to let the government in, then you weaken it enough to let other spies and, potentially, crooks in too. A surprisingly large number of people have had their phones hacked and bank accounts emptied as a result; security matters.

That's why Apple and Google expend so much effort on keeping their software and systems secure: they're trying to keep the crooks, and foreign security services, out. Encrypting communications and routinely securing phones means their messaging can't be intercepted by the bad guys; you don't have to look far up or down the US stock market to find a company that has been the target of Chinese hacking.

But of course that security also keeps the well-intentioned guys out. The encryption that prevents bad guys eavesdropping on the City executive who looks after your pension fund also protects the bomb-making fanatic in Manchester who's using the same make of device from the attentions of security services.
This is where some of the dialog around Snowden's revelations has gone somewhat off the rails. Snowden himself said that he was whistleblowing - drawing attention to the legal problems with indiscriminate data collection. He never said that spying per se is a problem. It's what we fund GCHQ to do, after all. The average person isn't going to be a target of its attention.

Banning GCHQ or the NSA from exploiting weaknesses that exist in the software on phones isn't going to deter the Chinese or Russian or other government or criminal hackers from doing the same. It's time we grew up about this: the proper reaction to the "Smurf Suite" isn't "stop doing that!" but "that's terrific - well done. Now we've got something to use against our enemies".
And then, perhaps: "Smurf suite? Really? Are you sure about that name?"
Telegraph: http://bit.ly/1MrA7T2

« Safe Harbour No More. Facebook Data Transfer Deal Is Ruled Invalid
Global Nuclear Facilities 'at risk' of Cyber Attack »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Securezoo

Securezoo

Securezoo's mission is to simplify and enhance information security by providing trusted security guidance, products, and information to small and mid-sized businesses and security professionals.

IGEL Technology

IGEL Technology

IGEL Technology is one of the world's leading thin client vendors. Thin clients increase data security and compliance.

ISTQB

ISTQB

ISTQB has defined the "ISTQB Certified Tester" scheme that has become the world-wide leader in the certification of competences in software testing.

CloudLayar

CloudLayar

CloudLayar is a cloud-based website firewall for protecting your website against online threats.

National Security Authority (NBU) - Slovakia

National Security Authority (NBU) - Slovakia

The National Security Authority (NBU) is the central government body in Slovakia for the Protection of Classified Information, Cryptographic Services, Trust Services and Cyber Security.

Cyversity

Cyversity

Cyversity's mission (formerly ICMCP) is the consistent representation of women and underrepresented minorities in the cybersecurity industry.

Corelight

Corelight

Corelight is the most powerful network visibility solution for information security professionals.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cord3

Cord3

Cord3 delivers data protection, even from trusted administrators – or hackers posing as administrators – with high privilege.

Blaick Technologies

Blaick Technologies

Blaick is an Israeli cyber-security company which deploys proprietary Artificial Intelligence threats detection technology for early prevention of online cyber crime.

usecure

usecure

usecure is a global provider of computer-based cyber security awareness training, offering the market’s most time-efficient, cost-effective and admin-lite solution for reducing insider threats.

Exalens

Exalens

With deep roots in AI-driven cyber-physical security research and intrusion detection, at Exalens, we are enhancing operational resilience for cyber-physical systems at the OT edge.

European Data Protection Supervisor (EDPS)

European Data Protection Supervisor (EDPS)

The EDPS is the European Union’s independent data protection authority. We monitor and ensure the protection of personal data and privacy when EU institutions and bodies process personal information.

Myntex

Myntex

Myntex® builds the future of mobile security. We empower our partners to deliver exclusive mobile endpoint security software, fortifying against mobile threats, device exploits and data exfiltration.

VENZA

VENZA

VENZA is a data protection company that can help organisations mitigate their vulnerabilities and ensure compliance, keeping guests and their data safe from breaches.

Applied Connective Technologies

Applied Connective Technologies

Applied Connective is one team for all your technology needs, from IT to phones, cyber security to physical security, audio/video and the infrastructure to support it.