GCHQ Can Hack My Smartphone Using a Bunch of Smurfs

Uploaded on 2015-10-12 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Developments

It could make a scene in SPECTRE, the forthcoming James Bond movie. "So, Q, all I do is send a garbled text to his phone, and I'll be able to track him, listen via his phone, and watch him on his phone's camera? What do you call it?"

"Smurf Suite, Bond."

But this is real life: rather than sticking a cigarette pack-sized tracker to a car, as in Goldfinger, today's spies really can track, listen to and watch people through their own phones, as the former NSA contractor Edward Snowden told the BBC Panorama

It's enabled by the wonderfully named "Smurf Suite" - there's Dreamy Smurf, which controls the power settings, and Nosey Smurf, which turns on the microphone, and Tracker Smurf, which watches your location. And to round it off there's Paranoid Smurf, which hides all the other Smurfs if the phone is examined by an expert.

With recent news that the European Court of Justice has effectively revoked the "safe harbour" practices that let American companies ship European data to the US, where the NSA could trawl it more easily, one suspects that GCHQ's Smurf family will soon get a lot busier. The question is, is it a bad thing if GCHQ can hack into smartphones? Should they be allowed to at all, which seems to be the subtext of some of the coverage of Snowden's interview?

There are three ways to ask this question. First, would you be happy if GCHQ could hack into the Chinese premier's phone, and eavesdrop on him? Second, would you be happy if Chinese hackers (government-paid or not) could hack into David Cameron's phone? Third, would you be happy if GCHQ and Chinese hackers could hack into your phone?

Think carefully, because the answer to each has to be the same. You can't have a situation where we can hack into Xi Jinping's phone and yet his team can't do the same in return. Modern phones are little computers; that means too that they're prey to bugs just as the wheezing boxes on our desks are. You just have to be a lot more expert to find them.

That's where the cleverness of the people hired by the security agencies becomes evident. I've seen some of the work that GCHQ's staff did in trying to figure out counter-insurgency tactics in Afghanistan while they were sitting in Cheltenham: it was internet-based, and made me think "oh, that's really a smart way to track that activity down." I'm not going to give any more detail, for operational reasons. In the end, though, their idea was defeated by a change in encryption used by one of the systems involved. (The change predated Snowden's revelations.)

"It's time we grew up about this: the proper reaction to the 'Smurf Suite' should be: 'that's terrific - well done. Now we've got something to use against our enemies'"

The problem is that if you weaken our phones' security enough to let the government in, then you weaken it enough to let other spies and, potentially, crooks in too. A surprisingly large number of people have had their phones hacked and bank accounts emptied as a result; security matters.

That's why Apple and Google expend so much effort on keeping their software and systems secure: they're trying to keep the crooks, and foreign security services, out. Encrypting communications and routinely securing phones means their messaging can't be intercepted by the bad guys; you don't have to look far up or down the US stock market to find a company that has been the target of Chinese hacking.

But of course that security also keeps the well-intentioned guys out. The encryption that prevents bad guys eavesdropping on the City executive who looks after your pension fund also protects the bomb-making fanatic in Manchester who's using the same make of device from the attentions of security services.
This is where some of the dialog around Snowden's revelations has gone somewhat off the rails. Snowden himself said that he was whistleblowing - drawing attention to the legal problems with indiscriminate data collection. He never said that spying per se is a problem. It's what we fund GCHQ to do, after all. The average person isn't going to be a target of its attention.

Banning GCHQ or the NSA from exploiting weaknesses that exist in the software on phones isn't going to deter the Chinese or Russian or other government or criminal hackers from doing the same. It's time we grew up about this: the proper reaction to the "Smurf Suite" isn't "stop doing that!" but "that's terrific - well done. Now we've got something to use against our enemies".
And then, perhaps: "Smurf suite? Really? Are you sure about that name?"
Telegraph: http://bit.ly/1MrA7T2

« Safe Harbour No More. Facebook Data Transfer Deal Is Ruled Invalid
Global Nuclear Facilities 'at risk' of Cyber Attack »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyberlytic

Cyberlytic

Cyberlytic applies artificial intelligence to combat the most sophisticated of web application threats, addressing the growing problem of high volumes of threat data.

AVR International

AVR International

AVR educate, advise, analyse and provide professional, technical consultancy and support to ensure your business is safe, compliant and protected.

Zivver

Zivver

Zivver is the effortless, secure email platform, powering the next generation of secure communications.

Graphus

Graphus

Graphus provides a simple, powerful, automated solution that eliminates 99% of social engineering and spear phishing attacks against G Suite business Gmail users.

Stealthbits Technologies

Stealthbits Technologies

Stealthbits Technologies is a cybersecurity software company focused on protecting an organization's sensitive data and the credentials attackers use to steal that data.

Spherical Defense

Spherical Defense

Spherical Defense offers an alternative approach to WAFs and first generation API security tools.

MaskTech

MaskTech

MaskTech supplies highest security embedded chipsets, operating systems and related middleware for electronic identification cards, travel documents and authentication solutions.

CipherMail

CipherMail

CipherMail provides email security products which allow organizations world wide to automatically protect their email against unauthorized access both in transit and at rest.

Prescient

Prescient

Prescient’s Cyber solutions supplement your firm’s existing data security infrastructure with specialized investigations that identify unconventional cyber risks.

Clone Systems

Clone Systems

Clone Systems is an award winning global cloud based managed security as a service provider.

BlueHalo

BlueHalo

BlueHalo is purpose-built to provide industry capabilities in the domains of Space Superiority and Directed Energy, Missile Defense and C4ISR, and Cyber and Intelligence.

SecurityStudio

SecurityStudio

SecurityStudio is a continuous cybersecurity risk management platform that allows decision-makers to quickly identify the most immediate threats and make confident risk informed decisions.

Positiwise Software Pvt Ltd

Positiwise Software Pvt Ltd

Positiwise Software offers end-to-end software development solutions to accelerate the digital growth of businesses.

Vonahi Security

Vonahi Security

Vonahi Security is a cybersecurity SaaS company that pioneered automated network penetration testing.

403Tech Inc.

403Tech Inc.

403Tech is a Calgary based IT Solutions Provider, specializing in small & medium business.

Tonic Security

Tonic Security

Tonic is reshaping Exposure and Vulnerability Management by providing the context security teams need to accelerate prioritization and remediation of vulnerabilities and threats.