The bug in your mobile

The good people at The Intercept last week reported that the NSA and GCHQ pulled another Wonder Twins team-up, this time to illegally hack computers at Gemalto, the largest SIM card manufacture in the world. The point was to nick encryption keys used to protect mobile communications of AT&T, T-Mobile, Verizon, Sprint customers, as well as those of about 450 other wireless network providers around the world. Gemalto produces 2 billion SIMs per year. You don’t need to check, most likely yours is one. It used to be that spies had to work to put a bug in your phone. Now you buy the bug and install it for them.

Hackers need Powerpoint training. Pic links to the doc. enjoy.
Hackers need Powerpoint training. Pic links to the doc. enjoy.

“We always knew that they would occasionally steal SIM keys. But all of them? The odds that they just attacked this one firm are extraordinarily low and we know the NSA does like to steal keys where it can.” —  Bruce Schneier

This is insanely creepy looking, but your mobile has been conspiring against you for a while now. Consider the situation. It’s a better piece of ID than your driver’s licence or National Insurance number. Having one that’s not tied to your identity is not that simple a feat. Every mobile has a unique IMEI number. Every SIM has a unique IMSI number. Chances are you bought your mobile and SIM through a contract and both numbers are tied to you. If you get a second unregistered (pay-as-you-go) SIM and pop it into your phone, the network instantly correlates the new SIM with the phone, and now that one’s tied to you.

If you manage to acquire a phone for cash and no info, and a SIM to match, then it’s just down to all the other data you’re pumping through it to match you to the device. Depending on how much of that data is insecure will determine if the picture of you that gets painted is more of a Matisse or a Goya. For a more visual example of this, Green party politician Malte Spitz sued Deutsche Telekom in Germany to get six months of his phone data and made a website about it.

Green party politician Malte Spitz sued to have German telecoms giant Deutsche Telekom hand over six months of his phone data that he then made available to ZEIT ONLINE.
Green party politician Malte Spitz sued to have German telecoms giant Deutsche Telekom hand over six months of his phone data that he then made available to ZEIT ONLINE.

“At some point over the past decade, your communications were [illegally] swept up by the U.S. National Security Agency’s mass surveillance program and passed onto Britain’s intelligence agency GCHQ,” says this Privacy International page. That’s a massive amount of data, but one that GCHQ seems to have developed a ‘BADASS’ app for.

It’s time to lock down your mobile:

What’s all this imply? You can’t rely on pre-rolled security. In the end: pack your own parachute. “Ironically one of your best defenses against a hijacked SIM is to use software encryption,” said Silent Circle’s Jon Callas.

Your same incredibly trackable gadget can be used to send very hard-to-break messages and be less open to attack. Set it up:

  • Strengthen your Android mobile’s settings using these guides.
  • Choose applications and browse sites that use HTTPS connections. No plaintext. Better still, use these apps when possible.
  • Download apps from F Droid, instead of the Play Store, and limit how much data goes back to Google about what you’re packing.
  • If you are on an iphone, Whisper Systems just released Signal, especially for you. Get it; use it.
  • Check if your phone is packing “perma-cookies” here.
  • Don’t overload it with games and social apps. Think about what you’re working on and what you’re using the phone for. Use this framework.
  • Before adding a messaging app to your device, check how it ranks here.
  • Think about Google. Android is all up in Google’s junk. Maintaining a wall is difficult to impossible. Make sure you’re previous settings aren’t being trumped by Google’s. Start with your location history. Now work through the rest of them. (You may want a Google account that’s purely for this mobile if you’re using it strictly for work or a specific project).
  • One alternative solution to Googled-up Android is to install an independent flavour of Android, like Replicant.
  • How to travel without your phone tattling: Method 1: Turn it off and remove the battery; Method 2: Plop it into a Faraday Bag; Method 3: Leave it at home.

Lots of information in this post gleaned from here.

The last word goes to Jeffrey Stallman,
The last word goes to Richard Stallman.