GCHQ Can Hack My Smartphone Using a Bunch of Smurfs

It could make a scene in SPECTRE, the forthcoming James Bond movie. "So, Q, all I do is send a garbled text to his phone, and I'll be able to track him, listen via his phone, and watch him on his phone's camera? What do you call it?"

"Smurf Suite, Bond."

But this is real life: rather than sticking a cigarette pack-sized tracker to a car, as in Goldfinger, today's spies really can track, listen to and watch people through their own phones, as the former NSA contractor Edward Snowden told the BBC Panorama

It's enabled by the wonderfully named "Smurf Suite" - there's Dreamy Smurf, which controls the power settings, and Nosey Smurf, which turns on the microphone, and Tracker Smurf, which watches your location. And to round it off there's Paranoid Smurf, which hides all the other Smurfs if the phone is examined by an expert.

With recent news that the European Court of Justice has effectively revoked the "safe harbour" practices that let American companies ship European data to the US, where the NSA could trawl it more easily, one suspects that GCHQ's Smurf family will soon get a lot busier. The question is, is it a bad thing if GCHQ can hack into smartphones? Should they be allowed to at all, which seems to be the subtext of some of the coverage of Snowden's interview?

There are three ways to ask this question. First, would you be happy if GCHQ could hack into the Chinese premier's phone, and eavesdrop on him? Second, would you be happy if Chinese hackers (government-paid or not) could hack into David Cameron's phone? Third, would you be happy if GCHQ and Chinese hackers could hack into your phone?

Think carefully, because the answer to each has to be the same. You can't have a situation where we can hack into Xi Jinping's phone and yet his team can't do the same in return. Modern phones are little computers; that means too that they're prey to bugs just as the wheezing boxes on our desks are. You just have to be a lot more expert to find them.

That's where the cleverness of the people hired by the security agencies becomes evident. I've seen some of the work that GCHQ's staff did in trying to figure out counter-insurgency tactics in Afghanistan while they were sitting in Cheltenham: it was internet-based, and made me think "oh, that's really a smart way to track that activity down." I'm not going to give any more detail, for operational reasons. In the end, though, their idea was defeated by a change in encryption used by one of the systems involved. (The change predated Snowden's revelations.)

"It's time we grew up about this: the proper reaction to the 'Smurf Suite' should be: 'that's terrific - well done. Now we've got something to use against our enemies'"

The problem is that if you weaken our phones' security enough to let the government in, then you weaken it enough to let other spies and, potentially, crooks in too. A surprisingly large number of people have had their phones hacked and bank accounts emptied as a result; security matters.

That's why Apple and Google expend so much effort on keeping their software and systems secure: they're trying to keep the crooks, and foreign security services, out. Encrypting communications and routinely securing phones means their messaging can't be intercepted by the bad guys; you don't have to look far up or down the US stock market to find a company that has been the target of Chinese hacking.

But of course that security also keeps the well-intentioned guys out. The encryption that prevents bad guys eavesdropping on the City executive who looks after your pension fund also protects the bomb-making fanatic in Manchester who's using the same make of device from the attentions of security services.

This is where some of the dialog around Snowden's revelations has gone somewhat off the rails. Snowden himself said that he was whistleblowing - drawing attention to the legal problems with indiscriminate data collection. He never said that spying per se is a problem. It's what we fund GCHQ to do, after all. The average person isn't going to be a target of its attention.

Banning GCHQ or the NSA from exploiting weaknesses that exist in the software on phones isn't going to deter the Chinese or Russian or other government or criminal hackers from doing the same. It's time we grew up about this: the proper reaction to the "Smurf Suite" isn't "stop doing that!" but "that's terrific - well done. Now we've got something to use against our enemies".

And then, perhaps: "Smurf suite? Really? Are you sure about that name?"

Telegraph: http://bit.ly/1MrA7T2
