What this expensive ‘secure’ phone tells us about mobile hacking

Will a $12,000 phone protect you from mobile malware?

Mobile security is a bit of a misnomer. Few of us can say we’ve been attacked by a piece of malware or have quarantined an actual virus. The odds are stacked against us. Mobile operators like Verizon and Sprint routinely scan for threats, and both Google Android and the Apple iPhone include multiple security measures on their devices, from fingerprint scanners to full encryption.

Yet, there’s a sneaking suspicion that mobile security is a bigger concern. According to one HP report, 67 percent of employees in the U.S. now work remotely. We’re relying on phones more and more. We store sensitive business documents on them and use them to make purchases.

Recently, a malware client called Pegasus appeared in the wild. It uses a fairly predictable attack strategy that’s well known to anyone who has been the victim of a phishing scam. A text message tricks you into responding and installing an app. The malware can then jailbreak your phone, eventually installing a client that can capture data, per Symantec reports.

What can be done? One solution is the Solarin phone from a company called Sirin Labs based in the UK and Israel. It costs £9,500 (or about $12,500). The features on this 5.5-inch phone reveal quite a bit about where mobile security might be heading and the future of mobile hacking.

Warding off the bad guys

The most interesting feature is a switch on the back of the device. When enabled, the Solarin enters a secure mode that encrypts all text messages. There's a "concierge" service that monitors apps and can alert you if there is an issue. The phone uses chip-to-chip 256-bit AES encryption, and the "secure" mode disables all sensors like the GPS chip, Bluetooth, and Wi-Fi.

Another feature has to do with the people communicating with you. If you want to text or call someone from the phone, they have to use the Secure Comm app for Android or iOS.

The high price for the phone -- coupled with these added steps for security -- reveal what it takes to block intruders both now and in the next few years. As Alex Manea, the director of BlackBerry Security at BlackBerry, tells CSO, not securing a phone is a bit like leaving the house with the front door open when you leave. We’re using mobile devices more than ever for not just some of our sensitive information but all of it, including all of our files, contacts, and bank records.

"As phones have gotten more advanced, so have potential vulnerabilities and so the need for secure devices and services is a hot topic again," says Manea.

Alex Manea, the director of BlackBerry Security at BlackBerry

Alex Cline, director of Information Security for Branding Brand, a mobile commerce platform, agreed that the timing is right for addressing security issues, arguing that there are those who have a greater need to address potential attack vectors before their data is compromised.

"Smartphones have become an extension of ourselves and are integral into our everyday lives," says Cline. "For the same reasons we have security systems installed in our homes, we look for mobile devices with the capability to withstand attacks. Those with access to sensitive and valuable information are at higher risk if that data were to be exposed, therefore they look for smartphones that meet a higher threshold for security and privacy."

Expensive phone?

While phones like Solarin show what it might take to deter hackers, the actual phone is not the perfect solution for everyone. Cline says he’s surprised there’s a fingerprint reader, since that biometric access technology has been widely shown as ineffective.

The Solarin also relies on several third parties for their security platform, including Zimperium and KoolSpan, which was also a red flag to Cline who said that could be a non-starter for some. He says the phone uses the Snapdragon 810 processor, which is known for overheating issues. That alone could nullify all security measures if the phone overheats and data is lost.

Of course, there are many other security options. Many Samsung phones use the KNOX encryption platform, but one of the leaders in this space is still BlackBerry. On their PRIV smartphone, for example, there’s an app called DTEK that provides a security score for your device to help you monitor access points. A BlackBerry Certicom cryptographic library on the device protects against brute force attacks. And, the phone costs $550 unlocked.

Future devices

Still, even with all of these options, one thing is sure: Mobile security is going to take some radical steps soon. The fact that the Solarin phone requires that other people communicate with you through a secure app is a sign that there is a user segment that needs this kind of simplicity.

"For executives, the idea of a phone that's so secure when you need it to be that all you have to do is flip a switch is enticing because they don't have to learn much that's new to figure it out," says Seth Rosenblatt, an editor for the security news site The Parallax.

Rosenblatt does express one concern as these types of phones become more common. He says it will always be beneficial to practice what security pros call good "security hygiene" in never opening an attachment on your phone or opening a text from an unknown party.

If expensive phones become the purview of the tech elite or only executives, there’s a good chance some of these security practices -- not to mention using a VPN or complex passwords -- could be relegated to the steps we used to take on our phones. May that never be.


Join the CSO newsletter!

Error: Please check your email address.

More about AppleBlackBerryCerticomCSOGoogleHPPegasusSamsungSprintSymantecVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Brandon

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts