The Mole in Your Pocket: A Study of the Data Gathering Capabilities and Security Implications of Modern Smartphones

pdf icon - download pdf

Paula Maxson

EXECUTIVE SUMMARY

According to a survey by the Pew Research Center, 77 percent of U.S. adults own a smartphone. Since most smartphone users are completely unaware of the sensors that are built into their phones, it is critical to evaluate the potential homeland security risks posed by the routine data collection and sharing inherent to the function of these smartphones. These risks go beyond the potential intelligence issues associated with knowing where people are and what they are doing, but also pose substantial data security issues.
Smartphone sensors fall into four main categories: audio and visual, environmental, location, and biometric. Three major groups can access these sensors and the data they generate: manufacturers, telecommunication carriers, and third-party developers. Though manufacturers have requirements in place for app developers to limit data collection and request user permission to access certain sensors, this requirement does not extend to all sensors. Additionally, mobile web browsers are able to access smartphone sensor data without apps; no notice is required, and data collection may happen when the browser is minimized or when the smartphone has been locked.
User privacy and security concerns center around the possibility of smartphones recording them, tracking them, or stealing their personal data. The sensor datasets create a personalized black box that can retrace a user’s actions in great detail for an indefinite amount of time. Smartphones can provide insight into a users’ movements, relationships, health, fitness, employment, personal data, and more. As part of a larger group of users, datasets can also identify patterns of behavior and movement.
McKenna, Gaudion, and Evans identified the need to take a closer look at how data can be aggregated between multiple data sources, including smartphone sensors, social media, satellite data, and software to identify and address potential privacy and security risks. In their analysis, they identified this “across-device, across-platform, and multi-sourced data aggregation” as “the satellite-smart device information nexus,” which they state, “poses a threat to individual privacy, civil liberties, and national security.”
This thesis provides a framework to evaluate risk based on the type of risk involved, as well as the potential impact. The type of risk is broadly characterized into the scope of impact; that is, whether the impact will most likely affect an individual or an organization.
With the increased use of smartphones in the workplace, both personal and company issued, employers face an increased threat that data aggregation from smartphone sensors will compromise their privacy and security. In the 2019 Verizon Mobile Security Index report, 67 percent of organizations surveyed indicated they were “less confident about the security of their mobile assets than other devices;” 80 percent indicated that mobile threats are growing faster; 48 percent stated that they “sacrificed security to ‘get the job done.’”
The Department of Homeland Security (DHS) published a Study on Mobile Device Security in 2017. The report acknowledged the need to focus on developing policies and protocols for mobile device security, as “the default level of security is optimized for consumer ease of use, which is not appropriate for Federal employees.” The 2019 Verizon Public Sector report indicates that 80 percent of the mobile breaches experienced by the public sector includes data loss. Additionally, the report shows that only 12 percent rated their employees as “highly knowledgeable in mobile security,” the lowest of all sectors.
Three main threat vectors relate to smartphone sensor data: data aggregation and predictive analytics, direct sensor access and control, and data theft or manipulation. Anonymized datasets are frequently published online for research and data mining purposes; however, by correlating the anonymized dataset with other publically available datasets, user data can be linked to specific individuals. The ability of a bad actor to aggregate enough data to generate a complete dossier for a targeted individual or group is growing exponentially. Knowing the patterns and routines of homeland security enterprise (HSE) individuals or groups could compromise physical security. Intimate knowledge of an individual’s personal life can also lead to blackmail scenarios. By aggregating enough data, predictive analytics could be used to analyze user patterns and behavior to predict future behavior.
As a result of data aggregation, malware, or targeted attacks, another threat vector relates to the undetected hijacking and direct control of smartphone sensors. By gaining control of these sensors, bad actors would have the ability to freely spy on users, gathering data on their communications, location, physical and cyber environments, and networks. This control presents a clear risk for the HSE, as highly sensitive data and networks then become accessible to bad actors. Smartphone sensor data scenarios rise to the level of a homeland security risk when the data can be used to impact national security.
Data theft is one of the most common risks because of either or both previous vectors. Bad actors may target a variety of secure datasets they would otherwise be unable to access any other way. The DHS report indicates that government smartphones potentially provide a way to breach systems that house data on millions of Americans and other sensitive government information, with threats ranging from “advanced nation state attacks, to organized crime using advanced fraud technologies, to simple theft of mobile phones.”
Based on the information covered in this thesis, it is apparent that smartphone sensor data, especially when aggregated, poses an increasing risk to not only individual and organizational privacy and security, but also homeland security. Individuals, organizations, and the HSE must evaluate their privacy and data security needs and take action to mitigate the risks. The following recommendations should be implemented for each defined user group.
Individual Users:
• Taking time to understand the capabilities of their smartphones better. By understanding what privacy and security options are available, users can modify their settings appropriately and make informed decisions on privacy and security.
• Reading and understanding the terms and conditions of any downloaded applications.
• Minimizing app downloads and refraining from downloading apps from unauthorized platforms.
• Performing system updates regularly.
Organizations:
• Ensuring individual users are following the previous recommendations.
• Ensuring the organization employs at least the minimum industry standards for mobile security. The four basic security policies are as follows: regularly testing security systems, restricting access on an as needed basis, changing default passwords, and encrypting sensitive data on public networks.
• Implementing data loss prevention (DLP) policies.
• Participating in device enrollment programs (DEP).
• Employing anti-malware to prevent, identify, and eliminate malware on systems and devices.
Homeland Security Enterprise:
• Ensuring recommendations are being followed by individual users and organizations.
• Prioritizing mobile security over ease of use; for example, minimize or closely monitor bring your own device (BYOD) programs.
• Providing DEP smartphones for employees as needed.
• Drafting enhanced policy and regulations for stronger and more consistent acceptable use policies, data and rights management, and the identification of mobile device exclusion zones within secure or sensitive facilities.
• Initiating a Defense Advanced Research Projects Agency (DARPA) project on data anonymity. Modeled after the TOR, or the onion router, project, the DARPA initiative would focus on anonymizing smartphone usage.
• Investing on improving its workforce’s knowledge of mobile security and cybersecurity. With the large number of public sector data breaches, it is crucial that HSE employees have the knowledge and training needed to protect the data for which they are responsible.

No Comments

Post a Comment