GCHQ Can Hack My Smartphone Using a Bunch of Smurfs

It could make a scene in SPECTRE, the forthcoming James Bond movie. "So, Q, all I do is send a garbled text to his phone, and I'll be able to track him, listen via his phone, and watch him on his phone's camera? What do you call it?"

"Smurf Suite, Bond."

But this is real life: rather than sticking a cigarette pack-sized tracker to a car, as in Goldfinger, today's spies really can track, listen to and watch people through their own phones, as the former NSA contractor Edward Snowden told the BBC Panorama

It's enabled by the wonderfully named "Smurf Suite" - there's Dreamy Smurf, which controls the power settings, and Nosey Smurf, which turns on the microphone, and Tracker Smurf, which watches your location. And to round it off there's Paranoid Smurf, which hides all the other Smurfs if the phone is examined by an expert.

With recent news that the European Court of Justice has effectively revoked the "safe harbour" practices that let American companies ship European data to the US, where the NSA could trawl it more easily, one suspects that GCHQ's Smurf family will soon get a lot busier. The question is, is it a bad thing if GCHQ can hack into smartphones? Should they be allowed to at all, which seems to be the subtext of some of the coverage of Snowden's interview?

There are three ways to ask this question. First, would you be happy if GCHQ could hack into the Chinese premier's phone, and eavesdrop on him? Second, would you be happy if Chinese hackers (government-paid or not) could hack into David Cameron's phone? Third, would you be happy if GCHQ and Chinese hackers could hack into your phone?

Think carefully, because the answer to each has to be the same. You can't have a situation where we can hack into Xi Jinping's phone and yet his team can't do the same in return. Modern phones are little computers; that means too that they're prey to bugs just as the wheezing boxes on our desks are. You just have to be a lot more expert to find them.

That's where the cleverness of the people hired by the security agencies becomes evident. I've seen some of the work that GCHQ's staff did in trying to figure out counter-insurgency tactics in Afghanistan while they were sitting in Cheltenham: it was internet-based, and made me think "oh, that's really a smart way to track that activity down." I'm not going to give any more detail, for operational reasons. In the end, though, their idea was defeated by a change in encryption used by one of the systems involved. (The change predated Snowden's revelations.)

"It's time we grew up about this: the proper reaction to the 'Smurf Suite' should be: 'that's terrific - well done. Now we've got something to use against our enemies'"

The problem is that if you weaken our phones' security enough to let the government in, then you weaken it enough to let other spies and, potentially, crooks in too. A surprisingly large number of people have had their phones hacked and bank accounts emptied as a result; security matters.

That's why Apple and Google expend so much effort on keeping their software and systems secure: they're trying to keep the crooks, and foreign security services, out. Encrypting communications and routinely securing phones means their messaging can't be intercepted by the bad guys; you don't have to look far up or down the US stock market to find a company that has been the target of Chinese hacking.

But of course that security also keeps the well-intentioned guys out. The encryption that prevents bad guys eavesdropping on the City executive who looks after your pension fund also protects the bomb-making fanatic in Manchester who's using the same make of device from the attentions of security services.
This is where some of the dialog around Snowden's revelations has gone somewhat off the rails. Snowden himself said that he was whistleblowing - drawing attention to the legal problems with indiscriminate data collection. He never said that spying per se is a problem. It's what we fund GCHQ to do, after all. The average person isn't going to be a target of its attention.

Banning GCHQ or the NSA from exploiting weaknesses that exist in the software on phones isn't going to deter the Chinese or Russian or other government or criminal hackers from doing the same. It's time we grew up about this: the proper reaction to the "Smurf Suite" isn't "stop doing that!" but "that's terrific - well done. Now we've got something to use against our enemies".
And then, perhaps: "Smurf suite? Really? Are you sure about that name?"
Telegraph: http://bit.ly/1MrA7T2

« Safe Harbour No More. Facebook Data Transfer Deal Is Ruled Invalid
Global Nuclear Facilities 'at risk' of Cyber Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

Join our experts as they give the insights you need to power your Security Information and Event Management (SIEM).

Secunet Security Networks

Secunet Security Networks

Secunet is a leading cyber security company offering a combination of consultancy and products, delivering the highest level of security for data, applications and digital identities.

EC-Council

EC-Council

EC-Council is a member-based organization that certifies individuals in various e-business and information security skills.

Altius IT

Altius IT

Altius IT reviews your website for security vulnerabilities and provides a report identifying vulnerabilities and recommendations to make secure.

Daon

Daon

Daon offers a universal biometric authentication platform for mobile devices.

UZCERT

UZCERT

UZCERT is the national Computer Emergency Response Team for Uzbekistan.

Secude

Secude

SECUDE is an established global security solutions provider offering innovative data protection for SAP users.

Moxa

Moxa

Moxa is a leading provider of industrial networking, computing, and automation solutions for enabling the Industrial Internet of Things.

Uniwan

Uniwan

Uniwan is an IT services company specializing in networking and security.

CybernetIQ

CybernetIQ

CLAW by CybernetIQ is the industry's most advanced SOAR platform helping unify all cybersecurity tools under one umbrella and providing organizations faster, better and more accurate cybersecurity.

Tangible Security

Tangible Security

Tangible employs the most sophisticated cyber security tools and techniques available to protect our clients’ sensitive data, infrastructure and competitive advantage.

Institute for Security and Technology (IST)

Institute for Security and Technology (IST)

The Institute for Security and Technology's goal is to provide the tools and insights needed for companies and governments to outpace emerging global security threats.

Alacrinet

Alacrinet

Alacrinet is an IT and cyber security consultancy. From penetration testing to fully managed MSSP, our team is focused on knowing the latest threats, preventing vulnerabilities, and providing value.

Digital Boundary Group (DBG)

Digital Boundary Group (DBG)

Digital Boundary Group (DBG) is an information technology security assurance services firm providing information technology security auditing and compliance assessment services to clients worldwide.

Acumera

Acumera

Acumera is a leader in managed network security, visibility and automation services.

RubinBrown

RubinBrown

RubinBrown LLP is a leading accounting and professional consulting firm. The RubinBrown name and reputation are synonymous with experience, integrity and value.

Zluri

Zluri

Zluri is a cloud-native SaaSOps platform enabling modern enterprises with SaaS Management and Identity Governance.