Corporate executives and other high value employees traveling abroad need to be on guard for attempts to compromise their mobile devices, and could even have their mobile phone compromised before they even disembark the plane following their arrival, according to security researcher Justin Morehouse.
A thirst for intellectual property and trade secrets, and a bugeoning market of sophisticated mobile surveillance tools means that executives need to begin thinking and acting like spies in order to avoid being spied upon themselves, according to a presentation at the OWASP AppSec DC 2012 conference in Washington DC on Thursday.
Among the common attacks used against high value targets are SMS messages sent to the phones that contain links to Web pages that compromise the mobile device, Morehouse said. It’s not uncommon for these attack messages to imitate the standard “welcome” text message that arriving visitors get from the local mobile carrier that informs them of the local mobile and data rates. The messages are highly effective because mobile users are familiar with them and, in fact, expecting them as soon as they activate their phone.
The likelihood of having your mobile device hacked overseas varies based on the country you are visiting, who you are, and how interested state- and non-state actors are in your work or your employer. And, while China and Russia are the two countries that are most-often mentioned, Morehouse said surveillance of executives and other VIPs isn’t limited to those two destinations.
Morehouse said countries in the Asia-Pacific region, in general, as well as countries in Africa should have executives on guard.
While a few governments – notably China – are known to work with the cooperation of local carriers, Morehouse said that the rapid growth of the spy tools industry has democratized wireless surveillance, and given state and non-state actors plenty of tools to work with to compromise mobile devices.
Morehouse said firms like the Israeli firm ABILITY have tools that can detect the location of a mobile device to within 30 meters. Others allow sophisticated nation and non-nation state backed attackers to target phones by the phone number, IMEI (International Mobile Equipment Identity) number and intercept all inbound and outbound communications from the device and, in some cases, even decrypt encrypted communications on the fly. ELTA Systems, another Israeli firm, even markets a miniature blimp that can fly over targets of interest and suck up mobile signals, he said.
Morehouse said his interest in mobile defense was borne of his own travels around the Globe.
“In the last nine months, I’ve travelled more than 100,000 miles,” he said. Those travels included trips to eight countries – among them: Australia, India, Indonesia, Sri Lanka and Thailand. While he was traveling, Morehouse –the founder and principal of GuidePoint Security in Reston, Virginia — said he was drawn to the question of how a hostile attacker might “own” his mobile device. “I mean, this is a consumer device, but it’s a piece of the security puzzle that hasn’t been getting a lot of attention.”
In the midst of his travels, Morehouse said he was approached by a client with a very similar problem. “They had an executive travel to a country where there were hostile actors, and they wanted to know what they needed to do to secure their mobile devices.”
Morehouse has distilled his research and first-hand experiences into a few tips for travelling executives and VIPs.
First: executives who think they could be targeted should leave their mobile device at home. “If you don’t have to take the device, don’t take it.”
Morehouse also recommends buying a SIM card – if not an entirely new phone – once you arrive at your destination. Many airports have kiosks that sell prepaid SIM cards that are inexpensive.
If you have to have Internet access, Morehouse said that executives should avoid using public Wifi connections at all cost. Have your company provide you with a VPN (Virtual Private Network) that terminates in your home country. Google Voice and other free or inexpensive VOIP services can also be used to create “throw away” voice accounts for travelers.
Finally, don’t ignore physical security. Morehouse said he knows of many executives and foreign travelers who have returned to their hotel room to find it trashed, possibly by hired guns looking for confidential information, laptops or mobile devices. If you’re worried that your conversations are being monitored, old fashioned “coded talk” also works to disguise the meaning of your calls. Asking “how are the kids?” rather than “how’s the progress on our new chip design?” may be enough to throw attackers off the scent.
Editor’s note: The story has been corrected to identify GuidePoint Security as a Reston, Virginia firm.