Secure smartphones are nice, but not enough
- 01 March, 2014 12:08
Smartphones are perfect targets for hacking, tracking, surveillance, industrial espionage and malware.
Unlike, say, desktop PCs, smartphones often connect promiscuously to many public Wi-Fi networks. They can connect to multiple types of wireless networks, including Wi-Fi, mobile data networks, Bluetooth and NFC -- all of which are potential doorways for unauthorized access.
Smartphones, in fact, run two operating systems: there's the one you know about -- the one that does normal operating system jobs, and which you may diligently update with the latest security patches; and there's one you may not know about -- the one that controls the radio hardware and is rarely updated.
Smartphones can report location, which the phone figures out with GPS. And even when GPS is turned off, phones connect to cell towers, which can be triangulated to pinpoint a phone's location, or to Wi-Fi networks, which give away your location when you connect.
Carriers routinely sell location information to any organization willing to pay for it.
Smartphones are more likely to run apps from developers the user has never heard of and that can be loaded with secret, backdoor functions that can harvest personal data and send it off to some unknown server.
Yes, smartphones are super insecure. Everybody knows it. Nobody likes it. Yet who really does anything about it?
In the past week, two new ultra-secure smartphones have been in the news. One is called the Blackphone. The other is called the Black phone. No, I'm not making this up. The difference in their names is a space.
Here's what we know about the two most secure smartphones ever created.
The $629 phone was made in partnership with Silent Circle, a U.S.-based company founded by a former Navy SEAL and the inventor of Pretty Good Privacy (PGP).
Silent Circle is also known for shutting down its Silent Mail service last August, which the company reportedly did because it believed it would soon receive requests from the government to turn over the email data of its customers.
Blackphone is an Android device and more or less looks and feels like a regular Android phone. However, it uses a forked version of Android called the PrivatOS, which prevents apps from accessing personal information and works with privacy-enabled apps. For example, the built-in Web browser doesn't track your Web surfing. The phone also enables you to choose what personal information is available to each app. When you install apps, the installer presents you with individual permissions on each source of data that each app requests.
The Blackphone prevents its wireless radios from being logged via Wi-Fi as you walk around. Wi-Fi turns off when you're outside the range of a trusted hotspot. All data on the phone is encrypted, so if your phone is lost or stolen nobody else can gain access to the data. It has its own remote-delete tools as well.
The phone comes with a two-year subscription to Silent Circle's platform that encrypts phone calls and emails. The subscription covers three people -- the owner of the Blackphone and two friends or colleagues, regardless of what phones they use. It also comes with a two-year subscription to Disconnect, which anonymizes Wi-Fi connections, and SpiderOak, which is an anonymous cloudstorage service.
Blackphone is designed for the general market, but Geeksphone claims that it's getting inquiries from government customers.
The Blackphone handset will go on sale in June for $629. It looks like a typical Android smartphone and is based on a security-hardened version of Android called PrivatOS. (Video: IDG News Service)
The Black phone
For the past two years, aerospace and defense contractor Boeing has been working on a special-purpose phone called the Black for customers who work in the government, the military and espionage. The phone was revealed in public FCC documents that all phone makers are required to file.
The Boeing Black phone is also an Android smartphone, but we know much less about it, because Boeing intends to keep its details secret. Papers filed with the FCC specifically request that information about the phone be kept secret, and a letter accompanying those papers says that even after the phone is available, it won't be available to the general public, nor will information about the phone be public.
The Black phone is small, thick and heavy. The handset is 5.2 in. tall. It's about twice as thick as an iPhone and much heavier. It has a modular design that enables users to attach add-ons, such as tracking tools, satellite transceivers, biometric sensors and solar charging devices.
The target market is government agencies and contractors who work with those agencies.
The Black phone will reportedly be "sealed." If the physical handset case is pried open, the phone will erase all of the data it holds. It will, essentially, self-destruct.
The Android-based Boeing Black smartphone is being marketed to government agencies and contractors. (Photo: Boeing)
It will also have two SIM card slots: one for regular public mobile networks and another for private government networks. When the phone is connected to a public network, its security features lock everything down so no data can be accessed. In order to gain access to certain information, the user has to disconnect the phone from the public network and connect to the private one.
Why Black is the new black
A smartphone that protects against intrusion, surveillance and hacking sounds like a good idea. But in the short term, at least, hardly anyone is likely to buy a phone like that.
Why not? For starters, hardly any carrier will sell the Geeksphone Blackphone. One of the Blackphone's security features is a stipulation that carriers who sell it are not allowed to install any software on the phone, and that makes it less appealing for them. The Dutch telecom KPN announced that it will sell the Geeksphone Blackphone starting in June in three European countries, but so far no other carrier has announced that it will sell it.
The Boeing Black phone won't be for sale to the public or to individuals at all. It will be purchased by government agencies and distributed by them.
Smartphones are insecure. But the Geeksphone Blackphone and the Boeing Black phone, as useful as they'll be to a tiny number of users, aren't going to solve the larger problem. It's unlikely that they'll account for anywhere close to even 1% of the total smartphone market anytime soon.
What we need is for regular, everyday smartphones to get better security. Consumers also need to care enough about security to seek out both more-secure phones and apps that provide better security. I just don't see either happening anytime soon.
Mike Elgan writes about technology and tech culture. You can contact Mike and learn more about him on Google+. You can also see more articles by Mike Elgan on Computerworld.com.
Read more about mobile security in Computerworld's Mobile Security Topic Center.