A recent 60 Minutes television program exposed vulnerabilities in the world’s mobile carrier networks. This particular show talked about a flaw in SS7, a key protocol used by wireless networks, that lets hackers listen in on your phone calls and read your texts.
This information will come as no surprise to some. Like the Internet itself, mobile wireless networks were never designed for enterprise-grade security and protection against determined and sophisticated hackers. For example, IMSI-catchers represent another threat to privacy when using mobile networks.
But there are simple actions you can take to protect the privacy of your sensitive data – phone calls, text messages, e-mails, etc. – that you transmit over mobile networks using mobile devices. The simple rule of thumb: always encrypt your data before it hits the wireless network.
Phone Calls: use encrypted voice-over-IP – examples include BBM Enterprise(formerly known as BBM Protected) and SecuSUITE as well as a wide range of apps in major app stores (as long as you’re comfortable with the security of the app and its developers).
Text Messages: encrypted services include BBM Enterprise as well as a wide range of apps in major app stores.
E-mail: be sure to use services that employ end-to-end encryption. Many common consumer e-mail services offer encryption between device and cloud e-mail server but fall down when messages are then forwarded to users not on the same e-mail service.
Business Users: BlackBerry provides end-to-end encryption of the communications channel as well as S/MIME and PGP message encryption, an extra level of protection that ensures only your intended recipients can access the mail, regardless of their choice of e-mail service.
File Sharing: BlackBerry’s Workspaces is one way to ensure file data is protected regardless of which networks are used to transmit the data.
For all the aforementioned technologies – encrypted voice, text, e-mail – BlackBerry’s apps are cross-platform, supporting any operating system (iOS, Android, Windows, BlackBerry) that you (or your friends, family, and co-workers) may prefer.
Another important data privacy tool for mobile networks is the VPN, or virtual private network. If all your information flows over a VPN, it will be protected between the device and the VPN server on the other end. All mobile devices managed by BlackBerry UEM software – including those running BlackBerry, Android, iOS, and Windows Phone operating systems – include a built-in end-to-end protected connection between the device and the enterprise network. Users can use any physical network – including open Wi-Fi networks and the carrier mobile networks – and still rest assured that business information is protected.
Hiding In Plain Sight
There remains one other privacy concern brought up by the 60 Minutes piece: location. Unfortunately, mobile networks were designed to uniquely identify mobile devices (and by association, their users). For example, the IMEI number from the modem chipset and the IMSI number from the SIM card are incorporated into mobile network communications emanating from your mobile device and cannot be inhibited by the mobile OS or any apps. Rules set up by the mobile network policy organization – GSMA – require these identifiers be present.
When your device connects to mobile networks, this identifying information is recorded and could be disclosed via lawful government access requests to mobile network providers or by hackers that gain unauthorized access to the mobile network infrastructure. If you are worried about your location being tracked, the safest thing to do is avoid mobile networks entirely: use Wi-Fi data networks (with trusted access points and the aforementioned data encryption enabled) for all communications and disable mobile networks in your device settings.
Modern VoIP and text message services provide excellent quality, often better than the built-in mobile network calling and messaging services. If you must use the mobile network, as many of us do, then maximize your use of encrypted communications as described above. For example, if all of your phone calls are VoIP-based, then identifying information associated with the caller and receiver on a mobile network will simply not exist to be hacked.
Cloudy With A Chance of Hacking
Protecting your privacy on mobile goes beyond just the recently reported cell network risks, of course. When you use cloud apps such as Facebook, Yahoo, and Dropbox, your personal information is being stored in servers managed by these service providers and therefore could be exposed by hackers who can gain access to those servers or by lawful access requests made to those service providers. Services like WatchDox and BBM Enterprise that enable the data owner to control encryption – instead of the service provider – assure your privacy regardless of network or cloud service.
Your location information may also be tracked by these third-party services. And again, those services could be hacked (or subject to lawful access requests) that would expose your location. Most mobile operating systems provide options to disable location services, a draconian approach that limits device functionality but an option when privacy is at a premium. BlackBerry’s PRIV smartphone has a unique feature called DTEK which lets you track, receive notifications about, and disable location-gathering attempts made by your apps.
These simple steps will go a long way towards protecting you against the most common online attacks. At BlackBerry, we’re committed to providing all of the necessary tools to help you encrypt your data and protect your privacy.
Security standards around connected medical devices are woefully lacking, but that’s about to change. Don’t miss the unveiling of DTSec, the first consensus cybersecurity standard for medical devices with security and assurance requirements, by BlackBerry Chief Security Officer David Kleidermacher. It’ll happen May 23-24 at MEDSec 2016, the first international conference covering security and privacy for the Internet of Medical Things. Learn more and register today at MEDSecMeeting.org.