ISP incident proves they can capture PDA phone users’ secured messages
Thursday, July 16th 2009 @ 8:09 AM (not yet rated)
This story from Wired.com (click HERE) details an incident where a Middle-Eastern ISP recently configured its subscribers’ Blackberry PDA/phones with software that could intercept all messages to and from a given device - even secure messages. The activity may not have even been discovered if the server side of the eavesdropping infrastructure had been a bit more robust.
Whether the overtures are from a government agency or an deep-pocketed advertising network, Internet Service Providers (ISP) are clearly not above providing some “value-added” services to third parties in the form of breaking into your data streams. And when they have access to the configuration process for the devices - like iPhones and Blackberries - you have some pretty scary privacy and security implications for individuals and businesses.
While some people may assume that their PDAs are relatively secure, and they couldn't imagine their ISP doing such a thing, this story makes it clear that technology to eavesdrop at the lowest level has already been put into use. This time, they got tripped up, due to a poor architectural design for the application. All the ISP's PDAs apparently ended up trying to register to the surveillance service at a server on the Internet within a short period of time, causing it to crash and resulting in noticeable impacts on performance and battery life in the PDAs themselves.
The sneakiest part of this attempted surveillance project is that it was designed to be able to target surveillance of specific devices, at will, and to capture messages even “before” they might have a chance to be encrypted by a user’s security application on the devices.
So, let this be a lesson to individuals and businesses, that rely on the convenience of hand-held PDA/phones. If you plan to transmit or store sensitive information on these devices, you have to take into account the risks of eavesdropping by software that may have been loaded by your ISP. The threats are certainly there now.
To manage these risks, you need to do the following before you start using PDAs for handling sensitive voice conversations or data transmissions:
- Assess the potential damage that could be caused by interception of your data;
- Make sure you have a trustworthy ISP to use these devices on; and
- Have a plan for detection and recovery in case of a data breach.
Otherwise, the convenience of mobility may not be worth the risk to your data.
| | I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec
To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.
 |
