TechWeek 2019: How to ensure your smartphone and its data are not weaponised

TechWeek Frankfurt speaker Frank Satterwhite discusses mobile security in the digital age

Over the past few years, cyber security specialist Frank Satterwhite has been working with a talented group of cyber engineers to create and package a security platform that allows users to protect their data in cyberspace. One of the group’s key focuses is on increasing mobile cyber hygiene as smartphones become the default device for most digital tasks at home and, increasingly, in the workplace.

Smartphones have become the central tool of our daily digital lives, whether for facilitating quick communication with friends and family, browsing social media or keeping up to date with the latest news.  But from a cyber security perspective, mobile devices present easy targets for hackers seeking to compromise personal data. 

At TechWeek Frankfurt, 13-14 November, Frank Satterwhite is presenting a free session educating users on mobile cyber hygiene. The former NATO and US Defence security engineer is on a mission to help users turn their portable weak-links into an army of cyber heroes. 

The most common avenue through which attackers undermine users is Android apps — often free — which bury lines of malicious code behind a useful service. Only recently, researchers discovered that malicious VPN apps (downloaded over 500 million times on the Google Play store) were overloading the devices on which they were installed with fraudulent ads. 

“Mobile phones are inherently flawed,” he says. “Out of the box some mobile Android phones allow a person to enable 3rd party apps: the user does not know that these apps have been hacked and can exfiltrate their personal data. Couple inherent flaws like this with multiple attack surfaces and the fact that devices are at the centre of our lives, mobiles provide a wide-open door into our lives.”

As is often the case with poor cyber hygiene, convenience trumps best practice. Being cyber secure only delays us from getting from point A to point B. And unfortunately, most are simply not yet at the stage where they treat phones like they do the front doors to their homes.

People also are irrational when it comes to their own devices. Smartphones are so integral to managing our lives that they have effectively become a part of us that we inherently trust, like a pet or another limb. It takes continuous effort to recognise that these sources of convenience and entertainment can be deployed against us.

Even if users are aware of the risks, they often shrug them off, convincing themselves that it is only “other people’s” data that hackers are interested in. Most are ignorant of the powerful ways in which seemingly innocuous data points can be combined and sold on the dark web to power sophisticated fraud campaigns. 

Aside from personal risk, users are also blissfully unaware of their responsibility to act as cyber soldiers for their employers, whose networks they connect their devices to daily. Employee smartphones present the ideal launchpad for attackers to enter enterprise networks and seize sensitive data and other valuable assets. 

This is something Satterwhite is all too familiar with. In 2017, it was revealed Russia carried out a campaign to compromise NATO soldiers’ smartphones, with the aim of gaining operational information, gauging troop strength and intimidating soldiers. Russia was targeting 4,000 NATO troops deployed to Poland and the Baltic states to protect the alliance’s European border with Russia. The campaign starkly illustrates how the cyber defences of even the most secure organisations can be readily unpicked with a new breed of smartphone lockpicks. 

“The problem is that even if the enterprise has taken steps, it only takes one user connected to enterprise resources from a privileged account to put the company at risk,” says Satterwhite. “Even if controls are put in place for each phase of the Cyber Kill Chain, it still might not be enough. I feel the convenience of mobile phones is not worth the risk they introduce to the enterprise.

Satterwhite adds that it’s not just bank accounts or corporate/military secrets that are at risk but fundamental democratic freedoms we all enjoy. 

Criminals, governments and politically driven hackers are increasingly compromising elections around the world with disinformation, taking advantage of rising smartphone use and the uncritical way we absorb information on our phones. The Digital News Report, conducted in 2015 by the Reuters Institute for the Study of Journalism at the University of Oxford, found that on average people use a “significantly smaller” number of trusted news sources on a mobile phone than on a tablet or computer. 

“People trust their phones yet a phone can be easily weaponised against them and ultimately threaten free society,” says Satterwhite. “I know it sounds sensational but its reality. Political actors are inflicting damage on free thought and ultimately affecting our institutions, behaviours and norms.”

To help minimise interference in future elections, Satterwhite has started a group called MyVote which aims to fundamentally change the way people use and protect their phones. It provides technology and training to ensure voters are not microtargeted and influenced by state-sponsored democratic disruptors. Initially focused on the upcoming US elections, the group plans to export its initiative to other countries around the world.

“MyVote will teach people how to take control of their data,” explains Satterwhite. “I will ask them a simple question: ‘If you have the technology and training to ensure the only thing people know about your personal data is what you give them permission to know, will you protect your data?’  I believe people will rise to the challenge and say yes.”

“We are at a point in society where protecting our freedoms in cyber space is necessary if we want to protect our way of life. Everybody must share a commitment to mitigating the risks resulting from lives so heavily-dependent on the convenience of mobile phones.”

If you want to meet Frank and learn more about mobile security and how MyVote is protecting democratic processes, attend his presentation at TechWeek Frankfurt in November, incorporating Cloud Expo Europe, DevOps Live, Cloud & Cyber Security Expo, Smart IoT, Big Data World, Blockchain Technology World and Data Centre World (Free tickets available now).