GCHQ Can Hack My Smartphone Using a Bunch of Smurfs

It could make a scene in SPECTRE, the forthcoming James Bond movie. "So, Q, all I do is send a garbled text to his phone, and I'll be able to track him, listen via his phone, and watch him on his phone's camera? What do you call it?"

"Smurf Suite, Bond."

But this is real life: rather than sticking a cigarette pack-sized tracker to a car, as in Goldfinger, today's spies really can track, listen to and watch people through their own phones, as the former NSA contractor Edward Snowden told the BBC Panorama

It's enabled by the wonderfully named "Smurf Suite" - there's Dreamy Smurf, which controls the power settings, and Nosey Smurf, which turns on the microphone, and Tracker Smurf, which watches your location. And to round it off there's Paranoid Smurf, which hides all the other Smurfs if the phone is examined by an expert.

With recent news that the European Court of Justice has effectively revoked the "safe harbour" practices that let American companies ship European data to the US, where the NSA could trawl it more easily, one suspects that GCHQ's Smurf family will soon get a lot busier. The question is, is it a bad thing if GCHQ can hack into smartphones? Should they be allowed to at all, which seems to be the subtext of some of the coverage of Snowden's interview?

There are three ways to ask this question. First, would you be happy if GCHQ could hack into the Chinese premier's phone, and eavesdrop on him? Second, would you be happy if Chinese hackers (government-paid or not) could hack into David Cameron's phone? Third, would you be happy if GCHQ and Chinese hackers could hack into your phone?

Think carefully, because the answer to each has to be the same. You can't have a situation where we can hack into Xi Jinping's phone and yet his team can't do the same in return. Modern phones are little computers; that means too that they're prey to bugs just as the wheezing boxes on our desks are. You just have to be a lot more expert to find them.

That's where the cleverness of the people hired by the security agencies becomes evident. I've seen some of the work that GCHQ's staff did in trying to figure out counter-insurgency tactics in Afghanistan while they were sitting in Cheltenham: it was internet-based, and made me think "oh, that's really a smart way to track that activity down." I'm not going to give any more detail, for operational reasons. In the end, though, their idea was defeated by a change in encryption used by one of the systems involved. (The change predated Snowden's revelations.)

"It's time we grew up about this: the proper reaction to the 'Smurf Suite' should be: 'that's terrific - well done. Now we've got something to use against our enemies'"

The problem is that if you weaken our phones' security enough to let the government in, then you weaken it enough to let other spies and, potentially, crooks in too. A surprisingly large number of people have had their phones hacked and bank accounts emptied as a result; security matters.

That's why Apple and Google expend so much effort on keeping their software and systems secure: they're trying to keep the crooks, and foreign security services, out. Encrypting communications and routinely securing phones means their messaging can't be intercepted by the bad guys; you don't have to look far up or down the US stock market to find a company that has been the target of Chinese hacking.

But of course that security also keeps the well-intentioned guys out. The encryption that prevents bad guys eavesdropping on the City executive who looks after your pension fund also protects the bomb-making fanatic in Manchester who's using the same make of device from the attentions of security services.
This is where some of the dialog around Snowden's revelations has gone somewhat off the rails. Snowden himself said that he was whistleblowing - drawing attention to the legal problems with indiscriminate data collection. He never said that spying per se is a problem. It's what we fund GCHQ to do, after all. The average person isn't going to be a target of its attention.

Banning GCHQ or the NSA from exploiting weaknesses that exist in the software on phones isn't going to deter the Chinese or Russian or other government or criminal hackers from doing the same. It's time we grew up about this: the proper reaction to the "Smurf Suite" isn't "stop doing that!" but "that's terrific - well done. Now we've got something to use against our enemies".
And then, perhaps: "Smurf suite? Really? Are you sure about that name?"
Telegraph: http://bit.ly/1MrA7T2

« Safe Harbour No More. Facebook Data Transfer Deal Is Ruled Invalid
Global Nuclear Facilities 'at risk' of Cyber Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Identity Automation

Identity Automation

Identity Automation is a leading provider of Identity and Access Management software.

Fluency Security

Fluency Security

Fluency is the only Security Analytics & Orchestration (SAO) solution that automates correlation, detection, validation and ongoing tracking.

Spherical Defense

Spherical Defense

Spherical Defense offers an alternative approach to WAFs and first generation API security tools.

Valtori

Valtori

Government ICT Centre Valtori provides sector-independent ICT services for the central government, while taking into account the special requirements related to security and preparedness.

Vuntie

Vuntie

Vuntie blend European craftsmanship, performance and open-source technology to deliver cybersecurity services including penetration testing, incident response, training and consultancy.

CopSonic

CopSonic

Copsonic provide a technology solution based on ultrasonic waves to send secure and encrypted data between two devices in order to achieve authentication.

Forum of Incident Response & Security Teams (FIRST)

Forum of Incident Response & Security Teams (FIRST)

FIRST is the global Forum of Incident Response and Security Teams.

CyberGuru

CyberGuru

CyberGuru is a service provided by CyberSecurity Malaysia specializing in cyber security professional training and development.

Basque Digital Innovation Hub (BDIH)

Basque Digital Innovation Hub (BDIH)

The aim of the BDIH initiative is to provide industrial enterprises, especially SMEs, with the technological capabilities needed to meet the challenges of industry 4.0.

Beyond Identity

Beyond Identity

Beyond Identity employs an elegantly simple concept, the personal certificate authority and self signed certificates, to replace passwords.

Kontron

Kontron

Kontron offers a combined portfolio of secure hardware, middleware and services for Internet of Things (IoT) and Industry 4.0 applications.

Melius Cyber Security

Melius Cyber Security

Melius Cyber Security has developed a world-leading SaaS platform, Cyber Safe Plus, built around continuous assessment and improvement through vulnerability scanning and penetration testing

Debevoise & Plimpton

Debevoise & Plimpton

Debevoise & Plimpton LLP is a premier law firm with market-leading practices in areas including Data Strategy & Security.

J.S. Held

J.S. Held

J.S. Held is a global consulting firm providing technical, scientific, and financial expertise across all assets and value at risk.

OneStep Group

OneStep Group

OneStep Group are a leading Australian provider of information and communications technology (ICT) services, connecting businesses through technology solutions and support.

Fusion5

Fusion5

Fusion5 is a leading ANZ Business Services and IT Solutions provider. Our customers trust us to make their potential reality by providing advisory, IT project deployment, and managed services.