
February 9, 2012

What does your mobile say about you?

Your smartphone is probably not so smart - telling tales out of school, whispering your secrets and being a big blabbermouth.


Years ago, I wrote about the security of the first batch of Windows Mobile phones because I noticed that unlike the desktop operating system, the portable variant never seemed to receive any updates.

Microsoft’s response at the time was that it worked with device vendors who worked with carriers, and updates were released through the latter. It really didn’t happen very often, yet the devices were small, hand-held computers connected to high-speed 3G networks that cost a small fortune at the time to use. If someone had hijacked the Internet connection to send out spam for instance, it could’ve cost thousands of dollars in network charges.

What’s more, the devices also contained the usual slew of personal information that you didn’t want to end up in the wrong hands.

I recall it was possible to set PINs and encrypt the storage areas to protect against physical access in case you lost the phone. However, the internet entrance was left pretty much wide open for the bad guys with little or no thought given to security.

Fast forward to the iPhone Era, and we now use mobiles even more. We buy stuff with them, do our banking on them, use them for business applications and share our social lives with the world.

Smartphones can now do so much, so quickly and so conveniently. So many people have one, but that capability and convenience can make smartphones hazardous to your finances, reputation and freedom.

In fact, the smart bits such as banking apps are just one worry. Because mobile phones do double duty as authentication devices - that is, keys - getting access to non-smart features such as voice and SMS is worthwhile for criminals too.

In Australia, criminals have ported postpaid mobile phone accounts to new, prepaid SIMs. This lets them bypass standard two-factor authentication used for online banking (a combination of texts and/or calls). When that bypass is used in conjunction with a malware-infested browser or computer that logs keystrokes, your money could be gone in an instant.

On top of robbery, smartphones can be tremendously useful as surveillance tools. Not for you, the mobile phone owner, but for anyone who can track you either via the GPS, or through cellsite triangulation. This can allow access to your contacts, emails, voice messages and texts. It’s a subtle panopticon that provides for easy, automated intelligence gathering for any purpose, political or otherwise. If you’re going to an Occupy Movement demo or if you’re a celebrity sneaking off for a secret tryst, don’t bring your phone. It may rat on you.

In light of the various privacy holes already present on phones, it was curious to see the furore around the Carrier IQ “rootkit” that’s installed on some 130 million devices around the world. CIQ’s software invisibly monitors the “mobile user experience”, logging a large number of parameters that show exactly what happens when people use their devices.

Now, CIQ promises that while they can see if an SMS was sent successfully and from where, they don’t peek into the contents of the message. Also, they anonymise the data and say it’s transmitted and stored securely. As of writing, everything points to CIQ not having nefarious or malicious intentions. The software appears to be what CIQ says it is: a telemetry-gathering setup to monitor service quality for operators. The company says it has given a fair bit of thought to security and privacy around how the information gathered by the “rootkit” is used.

Which is not to say the CIQ “rootkit” couldn’t be abused, and this makes it all the more stunning that cellular operators thought it would be a good idea to install it without informing customers.

If you add it all together, an alarming picture appears. Over the years, we’ve seen voice mail systems being implemented with no security, causing messages to be intercepted with ease; insecure devices being sold; app markets with malware; faulty procedures that let others “slam” or hijack your account; and now, a probably well-intentioned but ill-advised rootkit that logs everything you do.

As an end-user, there isn’t an awful lot you can do beyond sleeping with one eye open and trusting device vendors and operators to do the right thing when it comes to security and privacy.

The problem is, there aren’t enough incentives for device vendors and operators to do more to stem security and privacy breaches. For instance, US carriers don’t use International Mobile Equipment Identity (IMEI) numbers like our telcos do. These make it easy to remotely disable phones, even when a new SIM with a different number is installed, as the IMEI is unique to each device.

US carriers don’t use IMEIs because it’d cost more to implement and a stolen phone means a new customer on another network.

What needs to happen is for security and privacy breaches to hurt device vendors and operators as well as end-users, with mandatory disclosure requirements.

If that happens, we can start trusting that wonderfully convenient and powerful thing in our pockets again.

Juha Saarinen

February 8, 2012

Technology isn't for techies

What a year: 2011 was full of huge natural disasters, widespread political turmoil, civil war, terrorism and rioting.

The financial failures of previous years haven’t really gone away despite billions of dollars being thrown at them. They are now threatening to explode: at the time of writing, world financial markets are nervously taking bets on which huge economy will fail first.

People occupy public spaces to protest against the rich getting richer while everyone else must work like dogs to pay for the increased inequality. The most notable response to protests so far has been police violence.

Add global warming to the mix, and it’s a scary line-up for 2012. In the past, so many problems at once would’ve led to a global meltdown and suffering on a terrible scale.

There’s no doubt we’re screwed in a variety of ways, but it won’t be as bad as it might have been for previous generations, thanks to technology and, in particular, the internet.

The Internet is transforming the worldwide economy at an accelerating pace, and it is already hugely valuable. McKinsey Global Institute reckons the size of the Internet economy is around eight trillion US dollars. What’s more, the Internet is responsible for a fifth of GDP growth in developed economies and the expansion shows no sign of stopping.

There are some concerns that this kind of economic growth is “jobless” in that automation eliminates jobs. It is true that automation and greater efficiencies lead to job losses. However, recent reports from McKinsey and Deloitte believe the technology creates something like 2.6 jobs for each one lost.

We really do need to be part of the Internet economy in other words. Does it mean that we should all geek out and become techies to take advantage of the booming Internet economy? No: this is where it gets complicated. Something like three quarters of the economic value of the Internet actually goes to traditional industries, and not the tech sector as you’d imagine.

Tech by itself doesn’t create many jobs. A recent study from Massachusetts Institute of Technology found that hi-tech accounted for a mere 2.8 per cent of jobs in the US.

That small workforce manages nevertheless to produce some impressive results. Apple for instance rakes in almost half a million US dollars per employee in profit each year; Google worker bees bring home $300,000, and Microsoft a quarter of a million dollars each.

If we could have an AppleNZ or GoogleNZ, great; but perhaps we don’t actually need one? See, the US captures a third of Internet revenues globally, and two-fifths of the worldwide income. That’s a huge amount of money and remember, something like 75 per cent goes to non-tech companies.

That’s the “techno-economical” backdrop for next year and it’s been developing over the last decade and a half. Even so, our politicians just don’t seem to get how important it is that we have fast and affordable network connections. That’s understandable though. Many don’t even do their own emailing.

The messy Ultra-Fast Broadband project that’s rolled out at a leisurely pace is evidence that the Internet economic transformation hasn’t hit home with our elected representatives yet.

What should be the most important infrastructure project for generations is at risk of creating a second communications network monopoly, with 75 per cent of the UFB going to Chorus. All subsidised by taxpayers, unregulated for over a decade, and nothing to show for it afterwards.

Another one is the Rural “Broadband” Initiative that kicked off this year (good) but promises “5Mbps peak speeds” over wireless 3G with 5/10GB data caps, which is risible in 2011.

Rural New Zealand happens to be a huge part of our economy. It can definitely leverage technology and benefit from it, so it should be at least as well served with broadband as the cities.

That vision and ensuring New Zealand gets first-rate Internet infrastructure sooner rather than later are both sorely lacking from our political parties this election year, however.

Ensuring that from 2012, we get our fingers into that eight trillion dollar Internet economy pie is an investment in the future, and it’s not even a particularly large one. Contrast the UFB money, $1.35 billion over ten years, with the roading budget for the same period, which is $11 billion.

That funding isn’t going to make the country any money either. For the Puhoi to Wellsford motorway, every dollar spent will return 40c, which includes every possible economic benefit such as lower greenhouse gas emissions. In comparison, Chorus is eyeing up a return on investment for the UFB in the 20 to 24 per cent range. That’s just for the network build and deployment, and not counting incidental benefits to the greater economy.

My hope for 2012 is that the Government will see sense and spend our money where it will do everyone a heap of good, namely technology.

Juha Saarinen
