, , ,

The Return of the Smartphone Security Issue

As reported previously in this blog, the 2nd Network Integration Evaluation (NIE) appears to have successfully tested ARMY’s communication systems.  Not all the results were reassuring.  For example, there was some nasty feedback about the Nett Warrior.  Most surprising was that many warfighters claimed that they didn’t want or need a smartphone.  The ARMY’s smartphone program is threatened by other dangers as well. As noted in Wired, the smartphone could be a casualty of proposed Defense cuts. However, one of the most serious problems is the one that was identified in the earliest days of the program: security.

I haven’t heard too much about it from the ARMY recently, but some recent news items have raised the prominence of this issue:

  1. Trevor Eckhart, a software-systems administrator in Connecticut, posted a video highlighting the capabilities of Carrier IQ software. Hidden on your smartphone, it can supposedly record your text messages and passwords. Or not, according to other folks.  Whatever its true abilities, I suspect the most startling aspect about this software is that it is invisible to smartphone users.
  2. Back in April, a similar report warned of a hidden file on the iPhone, and 3G iPad.  Allegedly, this unencrypted file could track a user’s location.  Apple said its phone didn’t actually track location, just nearby Wi-Fi hotspots.  This very uncomforting explanation generated all sorts of snide comments.  Mine is that the enemy couldn’t possibly be interested in the location of our Wi-Fi hotspots. To be fair, it’s not clear who has access to this data, but it doesn’t take a lot of imagination to envision dangerous information falling into the wrong hands.
  3. With great fanfare, the ARMY announced that its smartphone OS would be Android.  Guess which OS has the most malware? The problem seems to be in people downloading compromised apps.

Of course, US military personnel would never put unapproved apps on their smartphones.  Similarly, it is safe to assume that the top-notch security experts at Defense would thoroughly scrub all critical hardware and software.  To think otherwise would be as preposterous as transmitting an unencrypted UAV data stream that could easily be hacked by an enemy. Likewise, no Iranian researcher would ever be foolish enough expose their nuclear program to a damaging virus by using a strange USB drive (Sorry, once you make one snide comment, it’s hard to stop).

By no means do I wish to disparage the competence of our security personnel.  From the very beginning of the smartphone effort they have been concerned about security issues. However, in a world full of fallible humans, there is only so much that they can do.  The unexpected and hidden nature of the problems mentioned above is probably their most distressing characteristic.  The most dangerous breach is the one that you don’t know about.