Imagine this scenario: You’re unavoidably called out of town for the week and are reluctantly forced to delegate the operation of a meeting with some important clients to Bob, an employee who, despite his best efforts, is less than “tech-savvy.” Everything seems to be going swimmingly though, and the meeting is set to begin on time. Just before everyone takes their seats, Bob notices an unidentified cell phone lying on the floor of the conference room. Unconcerned, he decides the phone has been misplaced, puts it on an end table, and begins the meeting. No big deal, right? Wrong. Though many of us may never consider it, cell phones represent a significant operational security vulnerability.
Cell phones are active transmitters that use a nationwide network and have the ability to transmit any conversation to any other cell phone anywhere in the United States. The length of a transmission can be practically indefinite, limited only by the life of the power sources on the respective phones. As a result, any cell phone in proximity to sensitive conversation should always be considered a potential vulnerability from both technical surveillance and operational security perspectives.
From a technical surveillance standpoint, cell phones are extraordinarily convenient tools for eavesdropping. Everyone carries cell phones, so a person simply having one in his or her possession is rarely cause for suspicion. If a cell phone being used to eavesdrop on a sensitive conversation is discovered, the perpetrator can always maintain that the phone was simply lost or misplaced.
Additionally, the integrity of all the participants in any secure or sensitive discussion can never be absolutely assured. The larger the group, the more likely it is that even a legitimate participant has divergent or subversive motives. If this is the case, the ability of a cell phone to transmit sensitive conversation to another phone or to a basic recording device as simple as a home message recorder is a serious security risk.
Cell phones can also be compromised by the clandestine installation of software that enables the phone to be accessed remotely without the knowledge of the user. In effect, this activates a “bug” that is unknowingly introduced into a seemingly secure environment by a legitimate participant. This usually requires that the perpetrator of the intelligence-gathering activity have possession of the target phone for some brief period of time in order to make these operating modifications.
However, the more sophisticated the cell phone, the more vulnerabilities it presents. Smart phones with email and Internet capabilities are susceptible to malicious software like viruses in the same way that computers are. While smart phones can pick up malicious software from general Internet browsing, they are also vulnerable to malicious attachments or programs embedded in email or even text messages. Malicious software can make a smart phone vulnerable to remote command, which can allow intelligence gathering parties to intercept phone conversations or even use a smart phone as a remote-controlled eavesdropping transmitter.
The operational security threat posed by the vulnerability of smart phones to malicious software is substantial in that it can allow perpetrators the ability to download messages and other files contained on the phone to a remote site. Sophisticated identity thieves are using this technology every day in criminal enterprises.
From an operational security perspective, there is always the risk of inadvertent activation of a cell phone by the legitimate user in a secure environment. This is commonly known as a “butt dial.” While this type of call may not be as critical an incident as a deliberate third-party interception, it can produce a dangerously random breach of confidentiality depending on whose phone is called in the accidental activation. The use of a speed dial feature requires that only one or two buttons be pushed to cause a dial-out and complete a call.
Bluetooth devices offer smart phone users a convenient, direct, remote audio link with their phones. However, they also represent a significant vulnerability by providing another viable way for malicious software to be introduced into a smart phone. Bluetooth technology also offers the capability for a parallel communications link to be opened with a user’s device without the user’s knowledge. Even if the Bluetooth is password protected, this second, parallel channel under the control of an eavesdropper can be used to activate a smart phone, or to download information and files from it. Specialized criminal systems have been confiscated that scan for Bluetooth links in public places, detect and identify active links with Bluetooth devices, and then download information from those devices. While Bluetooth technology offers users convenient operation of a smart phone, it poses a significantly higher potential for security breaches.
If you’re going to let Bob run your meetings, make sure he doesn’t allow any cell phones or smart phones into sensitive areas. Tell him to inform board members or senior staff that this is not meant to impugn the integrity of anyone present, but to prevent the vulnerabilities related to the devices, which are often unknown to their owners and users, from becoming a significant risk for security breaches.
To avoid the theft of sensitive information through means of malicious software, make sure Bob and his fellow employees don’t store sensitive communication, information or contacts in their smart phones.
Additionally, tell any personnel dealing with sensitive matters that require secure communication not to use Bluetooth devices.
Plan. Protect. Prosper.
Protus3 specializes in security system design, security consulting, corporate investigations and other investigative services. Partner with Protus3 and we will examine each situation to identify threats and develop solutions for your best outcome.