Is there an ‘eavesdropper’ in your mobile apps?

Just recently a story caught my eye that illustrated like no other the importance of trusting your software developers, and really checking the provenance of any apps that you use.

The story, broken by Appthority, was about a vulnerability dubbed ‘eavesdropper’ that could have resulted in a large-scale exposure of data and metadata in mobile apps. The vulnerability is caused by software developers carelessly hardcoding their credentials into mobile apps that use the Twilio REST API or SDK. Twilio responded quickly to news of the vulnerability and reached out to all the developers with affected apps, of which there are apparently 700, some 170 of which are still available on the app stores.

Appthority claims that, because developers reuse the same credentials over years of poor coding practice, massive amounts of sensitive data can be exposed, including call records, minutes of calls, minutes of call audio recordings, and SMS and MMS texts. We’ve written before about the importance of protecting metadata, and once again, here is another instance where metadata has potentially been compromised.
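The flaw described above is a release-time problem: a credential that belongs on a server ends up compiled into an app that anyone can download and unpack. The scanner below is an added example written for this post (it is not code from Appthority, Twilio or Armour) showing the kind of pre-release check that catches it. It assumes only the publicly documented shape of a Twilio Account SID (“AC” followed by 32 hex characters) and of a 32-hex-character auth token; the sample source lines are constructed placeholders, not real credentials, and `Client`, `api.example.com` and the variable names are illustrative.

```python
"""Pre-release check for hardcoded Twilio-style credentials.

Added example for this post; it is not code from Appthority, Twilio or Armour.
It assumes only the publicly documented shape of a Twilio Account SID ("AC"
followed by 32 hex characters) and of a 32-hex-character auth token. The
sample source lines are constructed placeholders, not real credentials.
"""
import re

# An Account SID is "AC" + 32 hex characters; that shape is distinctive enough
# to flag wherever it appears in the text.
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")

# An auth token is 32 hex characters, which on its own looks like any MD5 hash,
# so it is only flagged when assigned to a name that suggests a credential.
TOKEN_ASSIGN_RE = re.compile(
    r"(?i)(auth[_-]?token|twilio[_-]?token|api[_-]?secret)"
    r"\s*[:=]\s*['\"]?([0-9a-fA-F]{32})['\"]?"
)

# Constructed sample of what a scanner sees in an app's source tree.
SAMPLE_SOURCE = [
    'TWILIO_ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef"  # constructed',
    'TWILIO_AUTH_TOKEN = "deadbeefdeadbeefdeadbeefdeadbeef"  # constructed',
    "client = Client(TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN)  # calls Twilio from the device",
    'BACKEND_URL = "https://api.example.com/sms"  # the app should talk to our own backend',
    'checksum = "0123456789abcdef0123456789abcdef"  # bare 32-hex string, not flagged',
]


def scan_lines(lines):
    """Return (line_no, kind, value) for every suspected hardcoded credential."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in ACCOUNT_SID_RE.finditer(line):
            findings.append((n, "account_sid", m.group(0)))
        for m in TOKEN_ASSIGN_RE.finditer(line):
            findings.append((n, "auth_token", m.group(2)))
    return findings


def shippable(lines):
    """True when no credential-shaped value was found (a release gate)."""
    return not scan_lines(lines)


def mask(value):
    """Keep a short prefix so a finding is recognisable without leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def redact(line):
    """Mask credential values in a line so findings can be logged safely."""
    line = ACCOUNT_SID_RE.sub(lambda m: mask(m.group(0)), line)
    return TOKEN_ASSIGN_RE.sub(
        lambda m: m.group(0).replace(m.group(2), mask(m.group(2))), line
    )


if __name__ == "__main__":
    for n, kind, value in scan_lines(SAMPLE_SOURCE):
        print(f"line {n}: {kind} = {mask(value)}")
    print("release gate:", "pass" if shippable(SAMPLE_SOURCE) else "FAIL")
```

The point of the last two sample lines is the fix as much as the detection: the app should only ever hold a URL for a backend the organisation controls, and that backend holds the third-party credential. Findings are logged masked, because a scanner that prints the secret it found has just copied it into the CI log.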

Apple is fairly aggressive about pushing security updates to end users; the same cannot be said of Android devices once they are no longer the latest model. Android devices are notoriously under-patched and under-maintained – a headache for any IT department with users that insist on using older Android devices for business use.

This is another example, if any were needed, of the advantages of using an app that is reviewed and certified by a recognized and trusted authority. This type of vulnerability, caused by poor practice, is exactly the type of flaw that NCSC looks for during its certification process.

Unlike some other suppliers in the ‘secure communications’ space, Armour would never use any third-party analytics or tracking libraries and our app does not communicate with any such third-party servers. It’s for the same reason (the trust of our users) that we don’t outsource any of our development work and only use carefully selected third-party libraries (which are also constantly monitored for security updates). Nor will you find any bitcoin miners slipped into the app when you are not looking!

There is a reason why some of these apps are free to use. It is worth keeping in mind that if you want genuine security, you do need to pay a little for it.

Armour Comms sees momentum building with three new Government organisations and 15 new partners globally

Growth accelerates as demand for Secure Mobile communications increases across Government and Enterprise 

London, 14 November 2017: Armour Communications, a leading provider of specialist, secure communications solutions, has seen unprecedented growth in the last few months with many new customers and industry partners. During the last quarter Armour Comms has agreed terms/installed its flagship Armour Mobile at three high profile Government departments, and has got its fledgling US operation off to a flying start with signed deals. Armour is now working with 15 technology and innovation partners to deliver its higher assurance solution Armour Black, and its Push To Talk variant Armour Blue. In order to support partners and customers Armour has also launched a new website which will include portals for specific content and marketing material for partner and customer audiences.

David Holman, a director at Armour Communications said: “We’ve had a very strong quarter. As well as three major contracts signed, we have pilot projects running with several more government departments and law enforcement agencies. We have a number of new technology partners, who will be instrumental in our development of further higher assurance solutions through our Armour Black family of products. To support all this growth and development we have recruited several new members of staff for development, quality and testing.”

As well as 15 technology and innovation partners that Armour Comms is currently working with internationally, the company is actively looking to increase that number and expects to have four more partners to announce by the end of the year.

In the US, Armour Mobile has been selected by Huckworthy, a HUBZone certified small business and US Department of Defence Mentor Protégé Program Participant under The Boeing Company, to be an integral part of Huckworthy’s technology solutions. The company selected Armour Mobile for its ability to be offered as a private or cloud hosted solution, its ability to deliver voice, video, messaging and data transfer security with internationally recognised certifications, and a trusted UK based pedigree.

Armour Mobile provides secure voice calls, video calls, one-to-one and group messaging, voice and video conference calls, file attachments and sent/received/read message status. It is FIPS 140-2 validated and has been awarded many other certifications including CPA (Commercial Product Assurance) from the National Cyber Security Centre (NCSC) and is included in the NATO Information Assurance catalogue.

Off means off – well not always!

Apple

Changes in iOS 11 that could jeopardize your users’ security settings

It’s hard enough to get users to manage their security settings. Now Apple have thrown another complication into the equation. With the latest iOS v11, users may think that they have turned off Wi-Fi and/or Bluetooth from their control centre, only to find that both have mysteriously switched themselves back on again later.

This is because in iOS 11, when a user turns off Wi-Fi and Bluetooth from the control centre (which they are used to doing in iOS 10), the button indicates that they are off, but both are in fact still connected to some Apple services. That’s not all: if the user moves location, Wi-Fi and Bluetooth come back on, and both reset themselves at 5am the next morning anyway.

The only way for users to completely disable Wi-Fi and Bluetooth is either to enable Airplane mode or navigate to Settings and switch them off from there.

With the known vulnerabilities in Bluetooth and the recent Wi-Fi key reinstallation attack (KRACK), it is very important that users understand exactly what their security settings are really doing. These recent changes only serve to highlight just how dependent we all are on the operating systems that underpin our mobile devices, and on the manufacturers for fully informing us about changes to how the security settings work. IT departments need to be ever-vigilant to such changes, in order to keep their users fully up to date.

These changes to iOS 11 also highlight just how important it is for those in high threat situations to have a locked down, totally controlled application for secure communications – certainly one that doesn’t just reset itself each morning!

With prices like these – anyone could be listening to your mobile calls!

Eavesdrop

IMSI catchers now available for EU300

With Mobile World Congress drawing to a close for another year, we were very interested to see this story, highlighted to us by one of our colleagues in Spain. It confirms what we were already well aware of: that you don’t need to be a nation state, major law enforcement (or even the now defunct News of the World!) to have the resources to tap into people’s mobile calls any more. IMSI catchers (see our previous blog for further explanation) can be purchased online for EU300, according to this story: http://www.elconfidencialdigital.com/seguridad/Maletines-espiar-conversaciones-moviles-euros_0_2881511824.html. For non-Spanish speakers, Google Translate does a good job at the click of a button.

Not only is the number of attack vectors increasing exponentially, so too is the number of people/organisations/criminals able to execute these attacks. With the barrier to entry dropped so low, the number of potential victims of phone tapping also increases and is now well beyond the high threat targets that we would expect (intelligence community, law enforcement, government officials, celebrities). Anyone that talks about or exchanges commercially sensitive information such as new product details, formulae, industrial secrets, or intellectual property is now at risk!

This only serves to highlight that we all need to be a lot more aware of the potential hazards with the technology we use.

And if you do fancy treating yourself to an IMSI catcher (to find out what your friends, neighbours, work colleagues are up to), you might want to consider a more streamlined rucksack than the one shown in the article!!

NOTE: Much-respected cryptography expert Bruce Schneier recognised these same risks in his blog https://www.schneier.com/blog/archives/2017/04/surveillance_an_2.html

Whose list are you on?

Big data – big trouble

If you’re using WhatsApp, you’ll be on a list somewhere. But not just the lists of friends, family, and work colleagues that you’d expect. It turns out that it is very easy to build a super list using WhatsApp in a web browser.

APIs are available on the web that enable developers, or anyone else for that matter, to request information about any number registered in WhatsApp; the number doesn’t need to be in your address book. Information that is freely available includes your profile picture, your about text and your online/offline status. Using this method it is possible to build a database of almost limitless size and construct timelines showing your activity.

Such a database opens up a lot of nefarious possibilities. As the database builds it becomes possible to run queries such as: when was this phone number online? When profile pictures are brought into the equation, with facial recognition technology (which most people use on Facebook), it becomes possible to take a photo of someone and then query the database to find out who they are and their phone number. Apart from being downright creepy, in certain oppressive regimes this could be extremely dangerous. For those that travel to exotic locations for business, these possibilities are certainly worth keeping in mind.

There are some steps that savvy users can take to guard against this type of abuse of their data. Casual WhatsApp users should check their privacy settings.

Remember WhatsApp is just an example that has featured in the news of late – almost any other social media app is likely to have similar vulnerabilities and issues with privacy, including where and how your data is stored.

For any sensitive, official or corporate communications social media apps such as WhatsApp should never be used. Better to use an app that you control so that you know where your data is at all times, and that has security and privacy baked in.

It’s cyber warfare out there.

Not to mention mysteriously emptying bank accounts!

There have been several recent news stories highlighting the susceptibility of mobile phones to hacking. As well as the danger of IMSI catchers there are vulnerabilities within the SS7 protocol – which we’ve talked about previously in our blog post, What’s up with WhatsApp?

El Reg recently ran a story about how Ukrainian soldiers are being bombarded with propaganda texts. The use of a fake base station or IMSI catcher mounted on a drone is suspected because the attacks are highly localised, the texts arrive when the phone is showing no reception and they leave no trace on carrier networks.

Back in January customers of European banks had their bank accounts drained in a quite sophisticated attack. Hackers first infected the banks with Trojan malware to steal login details of customers and view account balances. Then they exploited SS7 to intercept the one-off verification codes for transactions that are sent by SMS.

SS7 is the protocol used by telcos to enable mobile phones to connect to other networks, and to enable them to share/swap billing information (for example). SS7 was designed 40 years ago, when mobile phone hacking was thought extremely unlikely and you would need to be a telco to do it.  Nowadays practically anyone can set up as a telco, which opens up a whole world of opportunities for those with malicious intent.

These two separate stories show the dangers of mobile phone hacking, and its increasingly pervasive nature. It’s a wake-up call for all of us to take the security of the ultimate end point – the mobile phone – extremely seriously.

What’s up with WhatsApp?

Why WhatsApp is not as secure as you thought it was, even before The Guardian’s most recent revelations about a ‘back door’

There’s been a lot of discussion in the media recently about the privacy of calls and messages sent via mobile phones, with some commentators advocating apps like WhatsApp as the answer. While it is true that messages, and now calls, made using WhatsApp are encrypted and therefore should be secure, in fact, there are still gaping holes.

Not least is the so-called ‘back door’ revealed by The Guardian in its article ‘WhatsApp back door allows snooping on encrypted messages’, which explains how ‘WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages’. It goes on to state that ‘The vulnerability calls into question the privacy of messages sent across the service, which is used around the world, including by people living in oppressive regimes’ and ‘can be used by government agencies to snoop on users who believe their messages to be secure.’

This is another example of just how important it is to keep control of your own data; using a free app over which you have no control simply isn’t good security practice. Tim Cook summarised the situation very well when he said: ‘A few years ago, users of Internet services began to realise that when an online service is free, you’re not the customer. You’re the product!’

Even before this latest revelation, there are other security holes in WhatsApp that anyone who wants to keep their conversations private should be aware of.

Susceptible to the SS7 hack

First, the app itself. Though its media encryption uses the respected Signal protocol, WhatsApp has been shown to be susceptible (like similar applications) to attacks, for example using flaws in SS7 that allow an attacker to mimic a victim’s device. SS7 stands for Signalling System No. 7 (also called the Common Channel Signalling System 7 in the US or Channel Interoffice Signalling 7 in the UK), and is the system that connects mobile phone and landline networks to each other. SS7 protocols enable phone networks to exchange information needed to process calls and text messages across disparate networks (including roaming on foreign networks), and to ensure correct billing. It also enables local number portability, prepaid payments, SMS and number translation. However, SS7 was designed nearly 40 years ago, long before phone hacking was considered a serious threat.

WhatsApp depends on the integrity of your mobile phone number to identify you, but this can be faked at the SS7 level because of the many vulnerabilities in that system (this particular issue was discovered in 2008 and made public in 2014). Hackers can then take on a victim’s WhatsApp identity and send and receive messages to other users. Of course, a hacker with access to the SS7 system can also transparently control normal voice and SMS services to and from a mobile, intercepting calls, reading SMS messages, and tracking the phone’s location.

Insecure Authentication

Apart from eavesdroppers listening in to your potentially sensitive conversations, where they may gain commercially valuable information, one of the biggest dangers is the interception of two-step verification codes. WhatsApp may be secure once provisioned, but if the verification code is intercepted during set-up the app will be compromised. This vulnerability is equally true for Telegram, Viber and any other apps that use this form of authentication, just as it is for banking and other sensitive web transactions that send codes by (insecure) SMS. For those that are likely to be targeted due to the work that they do (government, military/defence, handling commercially sensitive information like intellectual property, company secrets, financial transactions, sales deals, etc.), this is a relatively easy hack, and one that you wouldn’t know about until it was too late.

No control over who has your data

Second, the company. WhatsApp is now owned by Facebook, who have declared to their shareholders that once the number of users of WhatsApp reaches 1 billion they will look to monetise. That means sharing your details with advertisers and who knows who else.

This is seen as such a serious situation by the UK Government that the Information Commissioner’s Office (ICO) has intervened and as a result Facebook has agreed to ‘pause’ its plan to share data with advertisers. However, it continues to share data for what it describes as spam fighting services.

Even when a service claims that it has no access to your encrypted data, it still has access to “metadata”, such as the date and time of calls and messages, the mobile phone numbers of the recipients or senders of each call or message, and (depending on the application), other information such as your location, native contact lists and the like – all of which a security-minded user might prefer not to have collected by a company such as Facebook.

You get what you pay for

WhatsApp may be free, but there is a price to pay. With any free app you don’t really know who has access to your information. And you certainly don’t know who will have access to it in the future as organisations are acquired and personal data becomes a lucrative asset to be traded.

You might also want to avoid a proprietary system where the vendor wants to lock in its users and so has no interest in promoting interoperability with competitor systems; fine for a social media app but not helpful if you want to link together a variety of organisations, where a standards-based solution would be much more logical.

If you would prefer that your sensitive conversations remain private you should take positive steps to ensure that they stay that way. That means using security applications that you control, so that you know exactly where your data is being held and who has access to it. When provisioning new security services be sure to follow strict security best practice. SMS for activation or authentication simply isn’t secure. Better options include multi-part activation details that can be distributed via separate channels, whether handed over personally, or sent via encrypted email, or best of all, managed from a central distribution point, which is within your organisation’s control, or managed on your behalf by a Government-certified, trusted supplier.
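The paragraph above recommends activation details split into parts and delivered over separate channels instead of an SMS code. The code below is an added example written for this post, not Armour’s own provisioning code, showing one way to make that concrete: the provisioning server splits a per-device activation secret into shares with XOR (an all-or-nothing split, so every share is needed and any subset short of all of them is uniformly random), each share travels over a different channel, and the device later proves it holds the whole secret by answering a random challenge with an HMAC rather than echoing a code that an SS7 attacker could read off the air. The XOR split, the HMAC challenge, the share count and the fixed demo secret are assumptions made here for illustration.

```python
"""Multi-part activation without SMS.

Added example for this post, not Armour's own provisioning code. It assumes a
provisioning server that creates a per-device activation secret, splits it into
shares delivered over separate channels (for instance one handed over in person
and one sent by encrypted e-mail), and later checks that the device holds the
whole secret by an HMAC response to a random challenge. The XOR split and the
HMAC challenge are design choices made here; nothing is sent by SMS.
"""
import hashlib
import hmac
import secrets

SECRET_LEN = 32

# Constructed, fixed secret so the flow is reproducible; a real server would
# call new_activation_secret() for every device instead.
DEMO_SECRET = bytes(range(SECRET_LEN))


def new_activation_secret():
    """Fresh per-device secret from the OS CSPRNG."""
    return secrets.token_bytes(SECRET_LEN)


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret, parts):
    """XOR-split into `parts` shares: parts-1 are random, the last is the secret
    XORed with all of them. Any single share, or any subset short of all of
    them, is uniformly random and reveals nothing about the secret, so one
    intercepted channel does not compromise the activation."""
    if parts < 2:
        raise ValueError("need at least two channels")
    shares = [secrets.token_bytes(len(secret)) for _ in range(parts - 1)]
    last = secret
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def combine_shares(shares):
    """Recover the secret on the device once every share has arrived."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


def activation_response(secret, challenge):
    """Device side: prove possession of the secret without transmitting it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def server_verify(expected_secret, challenge, response):
    """Server side: constant-time comparison against the expected response."""
    expected = activation_response(expected_secret, challenge)
    return hmac.compare_digest(expected, response)


def run_activation(secret, parts=2):
    """Whole flow; returns (recombined_ok, partial_fails, response_ok, tampered_rejected)."""
    shares = split_secret(secret, parts)
    recombined = combine_shares(shares)
    partial = combine_shares(shares[:-1])  # one channel never arrived
    challenge = secrets.token_bytes(16)  # server picks a fresh nonce per attempt
    response = activation_response(recombined, challenge)
    tampered = bytes([response[0] ^ 0x01]) + response[1:]
    return (
        recombined == secret,
        partial != secret,
        server_verify(secret, challenge, response),
        not server_verify(secret, challenge, tampered),
    )


if __name__ == "__main__":
    print(run_activation(DEMO_SECRET, parts=3))
```

Two properties carry the security argument: an attacker who reads one channel (the SS7 interception described earlier) holds only random bytes, and the value that crosses the network at activation time is a one-off HMAC over a server-chosen challenge, so replaying or forwarding it gains nothing. The split is all-or-nothing rather than a threshold scheme, which suits a small fixed number of channels that are all expected to arrive.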

As with everything in life, you get what you pay for. Free apps have their place in leisure time for casual use, but when it comes to business, your intellectual property, state secrets, or commercially valuable information, you really can’t put your trust in something that you don’t control just because it is free.

About Andy Lilly

Andy Lilly is Director and Co-Founder of Armour Communications. He has a proven track record of delivering challenging, leading-edge research and development solutions into global markets, having held leadership positions at multi-national organisations as well as VC-funded start-ups. Andy has been instrumental in delivering military-grade secure communications systems as well as solutions suitable for use in commercial environments for over 25 years.

GDPR is coming – how security ready are you?

Andy Lilly discusses how securing your mobile communications could be a key step in meeting the new GDPR regulations

The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and you are probably starting to consider what it will mean for your company. A lot has already been written about GDPR, which will override current national data protection laws. In a nutshell, it includes new and more detailed legislation for managing and protecting personal data, meaning that all organisations will need to review their policies and practices to ensure that they comply.

Many are seeing the introduction of the new regulations as a positive step. It encompasses how personal data is managed, processed and deleted – and in particular, how it is lawfully and fairly protected by documented security measures. GDPR is clear in that it encompasses all of a company’s data (including that held in marketing, sales and finance) when dealing with EU citizens. With many companies using mobiles to communicate with customers, it also means that texts and messaging, whether internal or external, will be considered within the new data laws.

With non-compliance fines of up to €20m or 4% of global turnover, not to mention reputational damage, companies ignore the new legislation at their peril. According to ICO Information Commissioner Elizabeth Denham¹: “If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.”

Getting your ducks in a row

Whatever their business, all companies will need to get their ducks in a row when it comes to data retention, compliance and security. Governance will play an enhanced role under GDPR and you will have to ensure that you have appropriate systems and processes in place to be able to manage and monitor all data under the new rules. Accountability is also important so as well as complying, you will have to be able to demonstrate how you comply.

On a practical note, with Armour Mobile your organisation can ensure data and messaging communications are entirely secure whether in transit or stored, either with our cloud solution once you have licensed your mobile devices with us, or with our Armour on-premises solution. In fact, the latter allows your organisation to configure and manage your secure communications service in total privacy, restricting any outside connections.

We can also provide secure voice communications between your mobile and other voice systems (e.g. desk phones within your office) or services (voicemail or conferencing). Securing messaging and voice communications in these ways provides robust audit trails to support compliance and due diligence of the new privacy rules.

GDPR will mean that all organisations will have to start thinking about data in a different way – adopting Armour for your mobile communications could be a big tick in the first steps towards achieving compliance.

Investing in the next generation of talent.

Developing young talent through apprenticeships…no added sugar required!

Apprenticeships are a great way to get young people into the workplace, helping them develop meaningful skills and gain valuable hands-on experience. That’s why at Armour Comms we implemented an apprenticeship scheme almost 3 years ago that has yielded a fully-fledged Support Engineer. We continue to invest in new apprentices and currently have two bright and enthusiastic people: one of whom has recently completed her course and works in marketing, while the other, working on the support desk, should complete her course in three months.

We’ve been working with Tech City Stars who, over 13 months, deliver courses via a mix of in-work training and teacher-led classes that are designed to teach apprentices how to deliver value across a range of platforms and technologies relevant to business. The Learning & Development Specialists worked with us to identify our requirements before tailoring the programme to meet our specific needs.

Apprenticeships continue to work very well for us and while for some job functions a degree will always be required, for many roles, apprenticeships are ideal. They provide on the job training with off-site/college based learning and a formal qualification, giving apprentices a solid platform to launch their career.

As James O’Donnell, Director of Employer Partnerships at Tech City Stars, explains:

“When we recruit apprentices we are looking for energy, enthusiasm, a willingness to learn, ability to take feedback and a propensity to take action. If a young person can demonstrate this to us we know, that with our awesome employers we can help mould and shape some of the stars of the future.”

The final word goes to Kyle, who went through the apprenticeship program and is now a full time Support Engineer at Armour Comms: “The benefit of being an apprentice is learning on the job from extremely knowledgeable people who are experts in their field. I was overjoyed to be offered a full time role at the end of my apprenticeship. I love my job, no two days are ever the same and there is so much flexibility to learn new technologies and expand my skills.”