Marty Singer is CEO and Chairman of PCTEL, which develops software-based radios for wireless network optimization and also develops wireless antenna solutions. A longtime wireless industry expert, Singer previously served as CEO of SAFCO Technologies, a wireless communications company. He also has held executive posts at Motorola, AT&T and Bell Labs. He is Co-Chairman of the Midwest council of TechAmerica. Dr. Singer earned his Ph.D. from Vanderbilt University. He has eight patents in telecommunications and is the author of several essays on telecom and technology competitiveness. With worry over the News Corp phone hacking scandal still lingering, Singer addressed five key questions about mobile security.
Voicemail hacking is a widespread vulnerability.
1. If News Corp has the ability to hack into cell phones, it suggests many others do too. Who has such capability?
Singer: News Corp hacked into voicemail. What they did was relatively trivial. Because most people don’t change their voicemail passwords, almost anyone can do that. When they have an idea of the password, wives and husbands spying on their spouses do that. And when the password isn’t known, you have some 10,000 password possibilities and most computer programs can cycle through and find one that works. Any corporation can do that to a competitor. It’s trivial. It doesn’t take much technical skill or intelligence to do that type of hacking. It’s low hanging fruit. So voicemail hacking is a widespread vulnerability.
Crockett: What can be done to curb the vulnerability?
Singer: One simple thing to do is change your password to five digits. And change it on a regular basis. Some organizations have IT management teams that do away with passwords and require users to go through a server to get to their voicemail.
Android phones are particularly vulnerable
2. If voicemail hacking is trivial what’s the more serious concern?
Singer: The more serious concern is phreaking (the activity of phone freaks who examine the intricacies of phones) or what I call phone breaking. Remember when iPhone and iPad customers were spooked earlier this year to find out that their devices have recorded a detailed history of their locations in an unprotected file? Apple was doing it for advertising purposes, but the fact is, you can do it for much more nefarious purposes. Smart phones, especially Android phones, are particularly vulnerable because they’re based on an open source platform. So when Google prints out millions of documentation for phones developers hundreds of people can figure out where the entry is for phreaking. They can embed code in an image or text like a blog and when you click on it, these so-called “exploits” release a thin “virus thread” that seeps into a smart phone and attaches itself to an element of the phone’s operating system. Think about a thin wisp emanating from Harry Potter’s wand. The phone becomes a reel and it pulls in the rest of the thread until it has the entire wand. Once that wand, or exploit, is inside your phone, it can control sensitive operations. Any file—audio, video, text—on phone belongs to me. Unless the user takes the battery out of the phone, the wand can control the microphone – even when it is turned off. It can turn the microphone on and off, recording everything in the immediate vicinity. Any picture taken by the phone can be sent to a remote website and made available for viewing.
Professionals in finance or healthcare need to have the option of security.
3. How do we as ordinary citizens and professionals prevent such an invasion?
Singer: Exploits can control a phone whether it’s on or off. That’s why when you meet with a government agency or the military it’s not enough to turn your phone off they require you to take the battery out. I take the battery out of my phone regularly now. If you have any concern about vulnerability you should. To address the problem we have to think differently about solutions. Popular antivirus software from say, Symantec or Norton, screens for known viruses. It’s a taxonomic exercise to prevent different classifications of viruses from coming onto a device. In the case of exploits I don’t think you can’t do it that way. I think you have to develop architecture that combines surveillance and policy protection. We’re developing protection that is looking for unusual behavior. You have a phone that being turned on and off by user. Protection of this kind is going to be essential for smart phone use in industries like finance and healthcare. If you are a professional in a sensitive area you are going to want to have the option of security. Other solutions, referred to as virtualization, make a replica of the operating system and layer security onto that virtual representation. But it takes 17,000 lines of code. So the phone sort of turns it into a slow pig. It impairs the functionality of the phone.
The nation’s security is impaired because of insecure cell phones.
4. We shouldn’t let the wireless industry off the hook. What should be the role of cell phone makers and wireless carriers?
Singer: In the 1990s the major problem was associated with roaming. It was something called “fishing,” when people got the ID numbers of cell phones with scanning products. What the cellular industry association (CTIA) did with fishing was form an organization with a committee to attack the problems. They were very powerful committees studying how roaming should be done and ways to detect problems with illegal IDs. The CTIA have a very strong role to play here in setting standards for security. The financial community has trade organizations to set strong encryption on PCs. Industry organizations in vertical segments are going to have to establish strict guidelines that need to be followed. Our research shows that the nation’s security is impaired because of insecure cell phones. The reality is that in the 1990s we used a phone for voice communication. Now you’re carrying around a mobile computer. The risk is unknown. It is really immeasurable.
There is not just a spying element but the capability for destruction and terrorist activity.
5. As technology advances and our use of it becomes more prevalent, what other threats should we watch out for in the future?
Singer: You could have threats that completely disable consumer electronics devices. Exploits could be created that were intended to destroy our communication capability. They could come through Bluetooth ports and destroy our devices. I think there is not just a spying element but the capability for destruction and terrorist activity. Terrorists could infect phones using GPS information to maximize a destructive attack and gain instant information on a city. The concerns about these open phones go far beyond privacy. News Corp hacked into voicemail, but there was no sophisticated intelligence involved, just a lack of civility. There is a world of danger around the corner that is created by much more sophisticated threats.