Most technologically literate people practice safety and security when it comes to their laptops and personal computers, but for some, the mobile phone can be a wide blind spot. To understand the inherent vulnerabilities in cell phones and other mobile devices, and what can be done to secure them, we spoke with Bob Stevens, vice president for the Americas at Lookout.
ABERMAN: Well, let’s start with the basics. In general, how have mobile phones become such a security challenge and liability for all of us?
STEVENS: You know, I call it the underbelly of the hacker world, because it’s a lot easier to breach than traditional devices. If you look at your PC, your laptop, you know, there’s a lot of tools that have likely been installed on those to help protect them. Mobile devices, not so much. You know, I think most people think, hey, my phone’s inherently secure, which really isn’t the case. You know, there’s a lot of ways for hackers to be able to get on the device. You know, they can do it via text messages. They can do it via messaging apps. They can do it in an application itself with malicious content. There’s vulnerabilities that exist on the devices. So, there’s just a lot of surface area for hackers to be able to pursue.
ABERMAN: Yeah, I don’t think that people tend to really focus that these days, the phone that they’re carrying around in their pockets really is the technological equivalent of what would have been sitting on their desk as recently as five years ago.
STEVENS: It’s bigger than that. It’s actually a supercomputer. So, you know, it has more processing power than the supercomputers of 20 years ago. So, it is a powerful device, and it literally carries your entire life with you wherever you go.
ABERMAN: We could spend the next 10 minutes talking about the social ramifications that we’re using supercomputers to promulgate cat photos. But let’s take it from the trivial to the important, which is: we now have these devices which provide an enormously attractive attack surface for cyber security hackers, and people who want to steal data and manipulate. I know you’re an expert in this. What’s caused you to want to really raise the alarm around why this is relevant, with respect to politics?
STEVENS: Well, as we know, there are other countries that have attempted or have interfered with our elections. And one of the things that I would like to see is, you know, as many people are allowed to vote as possible, and as many people as possible are informed about the vote that they’re about to place. One of the ways you do that is through your mobile device. And politicians are definitely aware of that. You know, we’ve seen an unbelievable increase in the use of mobile advertisements, text messages, social media to get their message out. One of the ways to ensure that all voters get to participate is to make it easy for them, make it convenient. So, you know, the mobile device allows you to do that. But with that comes a lot of risk.
ABERMAN: Well, absolutely. It is interesting to me that I can bank on my phone. Right. There are many things I could do on my phone, but I can’t vote. I’ve always found that very… there’s no reason why you couldn’t overcome the technical challenge to really encourage democracy through these mobile devices, if you chose.
STEVENS: And there are states that have allowed voting on mobile devices. So during the last election, West Virginia allowed absentee ballots to be placed with a mobile device. So it’s mostly for service people that are overseas, that wanted to be able to participate in the election. You know, in the past, you and I would say, well, but they’re absentee ballots, do they really matter? Today, they do. Every single one of them needs to be counted, because in the last election, we saw that they mattered. And you’re right. Having the ability to vote is just a matter of creating an application that allows you to do that, which has been done.
But I’m sure the app developers will tell you, hey, my app is safe, and it probably is. But is the device safe that you’re voting on? You know, is there somebody on that device that’s stealing your credentials, that’s now going to place votes on your behalf? Are they trying to, you know, manipulate the messages that you received from the candidates, to try and sway your opinion one way or the other? And, you know, because people are on mobile devices all the time, that’s generally where they’re getting their data from. You know, it’s a huge concern.
ABERMAN: So in effect, there are multiple aspects to this. Sounds like the first one is: if your personal information, your biases, your behaviors, are reachable by unscrupulous people, they then can use that information to place misinformation, or try to manipulate us. Which is the same issue we have with our personal computers these days, with the social networks. The second one is: my personal information may be taken, and then used to represent or spoof me in the world, and represent that I have an opinion, but I don’t, or I vote in a way that I don’t.
STEVENS: Yes, all that’s true. I look at three areas as a concern, and things we need to think about protecting. One is the candidates themselves and their staffs. As we know, there were breaches that occurred back in 2016. If somebody that’s trying to get into a candidate’s network or to try and steal any data whatsoever, I’m likely to go after the mobile device, because I know there’s very little protection on it today. And most of the staffers are running around with their mobile devices, and using it to communicate, or accessing the databases of the candidate to understand: I’m in front of a house. How does this person traditionally vote? You know, should I go in and talk to them? Things like that. So the second area is the voters themselves. So, how do I ensure that the integrity of their vote is met? So, I’ve got an app. I place my vote on the app, as we just talked about. Did that register as the candidate that I wanted to select? Or did somebody hack into my device and potentially change my vote?
ABERMAN: We have Apple out, basically marketing themselves as almost a hack-proof ecosystem. They seem to do that on mobile and also on their desktops. I don’t see similar claims in the Windows world. But at the end of the day, is this a software problem? Is this a hardware problem? What technologies exist right now that are deployable into mobile, that can address these types of security issues?
STEVENS: It’s all of the above. Anytime you’re creating software, there’s going to be vulnerabilities. It’s the nature of the beast. So you’ve always got to worry about software and software development. And I wouldn’t say that it’s always malicious. You can download what they call an SDK, which is a kit that you use to help develop software to make things easier for you. And there may be some poorly written code in there that you’re not aware of. But the hackers are, and they can take advantage of it. And then, of course, there’s always hardware. Less likely, but always hardware issues as well. What you need to be able to do is, you need to protect the phone in several areas. One is what we call safe browsing, or safe Wi-Fi.
So, you know, mobile devices try and connect to every Wi-Fi network that they come in contact with. If I’m a bad guy, I’m sitting there waiting for you to try and connect. I’ll try and get in the middle of that connection, and then I’ll start to steal your credentials, or your data or whatever it is. And probably the most important is phishing. You’re trained on your desktop, or your laptop, to spot phishing attempts. You don’t always do that on a mobile device. And also, the phishing attempt can come in a text, via a messaging app. It could come in from Facebook, Twitter, Instagram. You know, e-mails. There’s a whole host of ways that you can be phished on a mobile device.
ABERMAN: If you and I talk about this in the corporate context, I think that you and I agree that the corporate entity has the responsibility to create and enhance security, so that the data can’t be breached at the server level, and at the edge level. But yet, when you’re talking about mobile, who’s ultimately responsible for the end? Consumers are using the phones, you have the carriers who provide the carriage. You’ve got the companies that are providing the data. Is that really the problem here, that nobody is really responsible for the edge-to-edge security?
STEVENS: You know, I think it lends to the problem. Nobody has stepped up to take responsibility. I think the bigger problem is that most people turn a blind eye when it comes to security on mobile devices, because as you mentioned earlier, they think that they’re inherently secure, and they’re really not a target for the bad guys, which isn’t true. I’ll give an example. We had a customer that recently tested 1,000 devices for 30 days. They had 150 phishing attempts during that 30-day period. So, that’s a huge percentage, and a very small number of the actual employees in the company. So I think the organizations in the government need to step up and take responsibility. And they need to understand that mobile devices are outside of their traditional perimeter. They’re not protected by their firewalls. You know, it’s up to them to ensure that there’s something that’s protecting the device, on the device, and also that the consumer or the user of that device is aware of what’s occurring.
ABERMAN: So if I’m a consumer now, and I don’t want to wait for the government to mandate edge-to-edge security, what do I do?
STEVENS: So the company I work for, Lookout, we have a personal product that’s on both the Apple App Store and Google Play Store.
ABERMAN: So we’ve now come to a situation where, if we want to do our part for democracy, we should actually download an application to protect our phones.
STEVENS: We should, yes. It’s not just you as an employee trying to protect your work phone, as you pointed out. It’s a consumer phone as well, your personal phone. Because if I’m going to go after you, and I know you carry two phones, one for work, one for home, personal use, I’m going to go after the personal one.