Secure mobile or superficial mobile?
Cranky at the Superficial
Six days ago I placed a post on LinkedIn relating to Google's modular mobile phone (and written about on Stuff). Repeating here what I posted on LinkedIn, I'd said: "Most smart phones make for dumb risks. Their producers peddle ethical vacancy in not telling buyers about the inherent cyber security dangers of their products. Consider folks who smoke - they get heaps of warnings about smoking's dangers to their health. So why should consumers tolerate mainstream reviewers' veneration of cyberslack phones and their makers? Most of today's mobile phone users are completely oblivious to the cyber security risks they face with their carriers' unknown and unmitigated SS7 vulnerabilities, and unmitigated exposure to IMSI catchers. So what's there to do about this poor situation? See my next post on the matter this week."
Cranky at the lack of Security
My follow-up uses another vacant article from Stuff.co.nz to back up my point: "Smartphone showdown: iPhone SE v Samsung S7 Edge, HTC 10 and Huawei P9 Plus". None of the phones listed featured a price in the article less than NZD$749; the most expensive was NZD$1399. Features looked at in the showdown - design and build, display, camera, OS. Where the heck is security? It's not clear why security was excluded from the evaluation. No worries, I can cover that by saying the devices have the following security vulnerabilities - none have the means to mitigate SS7-based and IMSI catcher-based attack risks. None at all. The cohort is kind of like evaluating some seemingly awesome group of cars for the consumer market, but ignoring the absence of brakes and seatbelts in those cars.
Cranky at the Laziness
How then can this current set of circumstances be changed? I propose you ask your local investigative journos to ask what's going on. They could be asking "Hey carriers, what are you doing about SS7 vulnerabilities? Hey banks, hey insurers, hey hospitals, hey government, are you considering changing your procurement policies to require carriers to mitigate SS7 vulnerabilities? Hey techno-bloggers - why are you letting phone makers get away with peddling slackphones to the marketplace?". Healthy free markets depend on free flows of trade, capital and information. But there's some critical information asymmetry happening with cellular network security across the Australian, New Zealand, and wider Polynesian and Melanesian regions. That's because there's a drought of information sharing and drum-beating about cellular network security risks and vulnerabilities and the direct and dangerous exposure to exploits available to adversaries and enemies.
Happy there's folks who Care
If you want to find out more about what can be accomplished with SS7 and IMSI catcher vulnerabilities (and what can reasonably be done about mitigating them), check out the following videos:
Bugged, Tracked, Hacked (60 Minutes Australia, Aug 2015, approx. 20 mins duration)
IMSI Catchers (60 Minutes Australia, Aug 2015, approx. 2 mins duration)
SS7 Exploit (60 Minutes Australia, Aug 2015, approx. 1 min 40 sec duration)
ARC Solutions is an information security and risk management consultancy. ARC Solutions is also ESD America's authorised reseller of ESD Oversight (SS7 vulnerability mitigation), ESD Overwatch (IMSI catcher solution) and ESD/GSMK Cryptophone (encrypted phone solution) in New Zealand, Fiji and Solomon Islands. Contact ARC Solutions anytime to arrange a private, confidential, encrypted and secure conversation about how we can help you or your organisation have and use secure, encrypted mobile telecommunications. We can also discuss how our Oversight and Overwatch solutions can help secure your organisation against SS7 and IMSI catcher exploits.