Reports of NSA spying on your smartphone are overblown

Happy Monday! Once again, it’s time to shed light on some recent questionable reporting about the NSA scandal.

This weekend, there was some murmuring about an article in Der Spiegel about how the NSA can grab all sorts of things from your smartphone. And while they certainly could grab things from smartphones under the right conditions, it’s not nearly as ubiquitous or as horrible as the article makes it sound. Some of that could simply be attributed to a lack of technical understanding on the reporter’s part, but it’s being picked up by more technical sites and interpreted as if it were established fact.

Here’s their summary:

SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.

And here’s the bit that made me do the RCA dog head-tilt:

In the internal documents, experts boast about successful access to iPhone data in instances where the NSA is able to infiltrate the computer a person uses to sync their iPhone.

Note that the phrase “infiltrate the computer” is not “infiltrate the iPhone.” We already knew government agencies were up to malware shenanigans on desktop computers. If you’re syncing a device to your computer, the device can generally be viewed as a sort of hard drive. If your computer has been backdoored, there’s no reason the person controlling it can’t grab data from attached external devices. And if you’re syncing your device, you’re telling it to make local copies of your important data. So… yeah. Yoink!

This article by Errata Security takes the explanation of the errors in the Der Spiegel report even further, primarily discussing the veracity of the BlackBerry-related claims. But there was one other iPhone bit that made me do the head-tilt again:

Every time somebody releases a jailbreak for the iPhone, the NSA quietly copies the jailbreak into their malware. Indeed, some researchers simply sell their jailbreaks to the NSA instead of releasing them to the public.

Say what? Details, please? The ability clearly exists, so it sounds plausible, but has anyone actually seen this occur? As they say: hashes or it didn’t happen!

But more importantly, I liked his list of potential scenarios in which government agencies could potentially grab your data:

  • Through the sync process with your desktop — but they’d need to “put a virus” on your desktop first (as described above)
  • Through the Internet against a “service” on your phone — except that your phone has almost no services that aren’t filtered.
  • Through the Internet against a “client” on your phone, like a browser — which requires 0days, and that you visit their website.
  • Through trojan apps on an app store — hard not to get discovered, and they must convince you to download the app.
  • Locally via bluetooth — probably impractical unless you pair bluetooth with them.
  • Locally via WiFi — lots of good ways, but if they are close enough for WiFi, they are close enough for better monitoring of you.
  • Locally via USB — such as trojaned chargers at airports (which you should avoid using).
  • Through an over-the-air update from the cellphone carrier like AT&T or Vodafone — requires complicity with the carrier, which is near impossible.
  • Through an update from your phone vendor — again requires complicity with the vendor.
  • Through a trojaned component on the phone — requires bribing a chip manufacturer like Broadcom to put special features in their chips or drivers.
  • Controlling your carrier’s servers to get metadata — requires either a subpoena, hacking, or bribing the support, exposing them (which indeed was done by Snowden).
  • @eqe: “Exploit one of the many known 0day in the 3G baseband, leverage to APU code execution” — in other words, hack the cell chip in the phone, which is essentially a separate computer from the rest of the cellphone; this requires fairly local access, i.e. being within radio range.
  • Controlling BlackBerry enterprise servers — such as by hacking or bribing somebody.

Basically, there are plenty of scenarios in which surveillance could happen, some more plausible than others. But it’s not as simple or as cut-and-dried as the sensationalistic articles make it seem.