And we are not talking about design or style…
Keen fans of TV police dramas may be aware of the term ‘metadata’ which is frequently mentioned in the tense investigation scenes as the police narrow their focus on the perpetrator. However how many of us actually know what metadata is?
Metadata is all the information relating to your phone call except the content of the call itself. It is the information we are used to seeing on itemised mobile phone bills; the when, how, from where and with whom we communicate. However, in the age of the smartphone, metadata collected from our daily activities actually reveals more about us than we realise. Most of us use our smartphone for more than just calls. It is our convenient go-to device for email, messaging, social media, banking, electronic wallet, GPS and camera, in addition to making calls. For many of us, losing our smartphones would impact our day-to-day lives far more than if we lost our credit card.
A smartphone passively generates a vast amount of metadata, leaving behind a digital trace of the activity of its user. Each action and interaction provides a snapshot of our daily activities. Email addresses, websites visited, photos taken and files downloaded all present many new opportunities to gather metadata. Pieced together this information provides a comprehensive record of our associations and public movements, revealing a wealth of detail about our interactions, points of view and personal and professional associations. The reason metadata is so valuable is that it doesn’t lie, it is a digital footprint of our activities.
There are many ways that hackers can obtain metadata illegally. The SS7 vulnerability is well documented, and was one of the first topics that we wrote about in this blog (What’s up with WhatsApp). SS7 was designed over 40 years ago, long before phone hacking was considered a serious threat. SS7 stands for Signalling System No 7, also called the Common Channel Signalling System 7 in the US or Channel Interoffice Signalling 7 in the UK, and is the system that connects mobile phone and landline networks to each other. SS7 protocols enable phone networks to exchange information needed to process calls and text messages across disparate networks, including roaming on foreign networks, and to ensure correct billing. It also enables local number portability, prepaid payments, SMS and number translation.
Limitations in the SS7 protocols enable an attacker to mimic a victim’s device, steal personal data and to snoop on a users’ network communications. While this technique is used by nation states, there is equipment available on the dark web for a few hundred dollars that brings this type of attack into the domain of almost any tech-savvy criminal!
Fake base station
Exploiting the SS7 vulnerability isn’t the only means to access metadata. IMSI (international mobile subscriber identity) catchers, also known as fake base stations, are well established pieces of surveillance technology used by law enforcement all over the world. This portable device is used to intercept digital communications by essentially impersonating a legitimate mobile phone mast. The device can capture the IMSI of every phone in the area and intercept messages, calls and metadata, and even block phones from operating.
IMSI catchers are illegal to operate by parties other than law enforcement agencies and, even then, there are strict codes of conduct. However, for an attacker motivated by financial or commercial gain, remaining on the correct side of the law is rarely of concern! Videos freely available on YouTube show how a DIY IMSI catcher is relatively trivial to setup for a tech savvy criminal. The technology is available to anyone with a cheap laptop, $20 of readily available hardware and the ability to essentially copy and paste some commands into a computer terminal.
The power to control your own metadata
The fact that metadata is collated and sold by telecom carriers and internet companies shows how valuable it can be. Social media companies in particular are regularly sharing our metadata to third parties as a way of targeting advertising and this is typically the key value creator for such companies. Applying this capability across a population, it is possible to compile a very detailed, even invasive, picture of the population including behaviours and interactions which governments, organisations and cyber criminals can act upon.
Whilst it’s not possible to stop metadata from being generated, steps can be taken to control access to it. Armour Comms securely manages communications in the cloud ensuring metadata is minimised and protected. We also offer an on-premises solution for those who want complete control, allowing customers to store metadata on their own servers. Our solutions not only protect the content of communications, but also consider the broader aspects of securing your data and privacy
The weakest link
As the cyber security threat landscape evolves, it’s clear that securing modern methods of communication requires a new approach. Without secure practices, smartphones can effectively be viewed as surveillance devices, exposing confidential business dealings, intellectual property, state secrets, or commercially valuable information to risk. As the saying goes, you’re only as strong as your weakest link. If you fear that your mobile comms could be vulnerable to eavesdroppers, competitors or criminals then it’s time to act. Contact us today to discuss a solution.