Smartphone surveillance has opened up an entirely new avenue of exposure for high-value enterprise information, forcing many security professionals to rethink how they see data. A different class of data, known as data in vicinity, encompasses this new way of thinking. Joining the three established types of data (data at rest, data in transit and data in use), data in vicinity refers to the data in the presence of a smartphone or other data-capturing, internet-connected device. This includes any audio that can be picked up by the device’s microphones—such as conversations and environmental noise—as well as any visual data that can be picked up by the cameras, such as images of people and spaces.
The security implications of smartphone data in vicinity are grave, but there are several actions organizations can take to mitigate the risks of its capture.
Where It Started
As computer webcams and microphones reached widespread adoption in the 2000s, threat actors found themselves with an entirely new target. No longer limited to the data stored on or originating from a computer, sophisticated hackers could hijack a computer’s audio and video capabilities to secretly record a victim’s private conversations and intimate environments.
The advent of the smartphone added another dimension to this surveillance capability. Whereas desktop and laptop computers offered the ability to spy on a target from largely fixed positions within a limited range of spaces, mobile devices opened up surveillance to virtually everywhere the target goes, capturing the smallest audio and visual details via multiple high-definition cameras and microphones. The first known tools for capturing smartphone data in vicinity appeared in the wild in 2012, when multi-stage malware suites such as RCSAndroid and AndroRAT entered the scene.
How It’s Captured
Today, there is a plethora of tools that threat actors—be they nation-states, cybercriminals or competitors—use to remotely hijack smartphone cameras and microphones, whether through precise targeting or a global espionage campaign. These tools provide the ability to perform live surveillance and/or exfiltrate captured audio recordings, photos and videos back to a server for collection and analysis, all without alerting the user or leaving a trace.
The sophistication of these tools varies. Some, such as the infamous Pegasus spyware, are developed by commercial hacking firms and are ostensibly intended for law enforcement, intelligence agencies and other government entities. Such tools typically exploit zero-day vulnerabilities within the iOS or Android operating systems. Other tools may be developed internally or simply recycle off-the-shelf exploits from existing code or underground hacker communities.
Regardless of the level of sophistication, mobile surveillance tools generally follow the same pattern of infection, relying heavily on social engineering tactics designed to get the victim to install malware (typically via a Trojanized app) that gains access to the smartphone’s cameras and microphones.
Why It’s Sought
Smartphone data in vicinity represents a potential gold mine of an organization’s unfiltered and timely information. Unlike a stolen document or intercepted email, data in vicinity includes details that were never meant to be captured and stored in a digital format. A hacker may need to eavesdrop on just a single discussion to gain a valuable window into an organization’s inner workings.
While every organization is different, the conversations and visuals in the presence of a smartphone can potentially reveal major decisions, top-level strategies, operational and financial details, confidential assets and even compromising material. Even seemingly mundane or unrelated details can be stitched together to gain valuable insights.
With this information in hand, threat actors can capitalize in a number of ways. For a competitor, information gleaned can be used to gain an unfair advantage in the marketplace. Captured information also can be leaked to tarnish a brand or influence perception. No matter how the stolen information is used, the affected enterprise finds itself at risk of diminished confidence from both customers and shareholders.
What To Do
Thankfully, technology companies have started developing products and features that provide protections against the illicit capture of smartphone data in vicinity. To combat this emerging threat, organizations should take the following steps:
- Educate employees about the real-world risks of discussing or displaying high-value information in the presence of an unprotected smartphone.
- Leverage operating system tools for restricting camera/microphone access. The latest version of Android (9.0), for example, prevents idle apps from using the device’s sensors.
- Utilize your mobile device management or enterprise mobility management tools to establish policies for camera/microphone usage, such as restricting access within high-risk buildings.
- Use your mobile threat defense tools to detect risky or malicious app behaviors such as unwarranted camera/microphone access.
- Invest in privacy-centric mobile hardware. Some niche smartphone models offer a button or switch that disconnects power from the camera and microphones. For a popular platform such as the iPhone, anti-surveillance smartphone cases are capable of masking surrounding audio and blocking cameras while ensuring adherence to existing policies.
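To make the policy and detection steps above concrete, here is an added example (not part of the original article and not any vendor's product code) that audits an app inventory for camera and microphone grants that policy does not allow. The inventory format, the zone labels, the package names and the allowlist are assumptions constructed for illustration; only the two Android permission names are real.

```python
# Added example: audit a constructed app inventory for camera/microphone grants.
# Real Android runtime permission names for the two sensors discussed here.
SENSOR_PERMS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Hypothetical allowlist: package -> sensors the organization has approved.
APPROVED = {
    "com.example.videoconf": {"camera", "microphone"},
    "com.example.scanner": {"camera"},
}

def audit(inventory, approved=APPROVED):
    """Return (device, package, sensor, reason) for grants policy disallows."""
    findings = []
    for dev in inventory:
        restricted = dev.get("zone") == "high-risk"
        for app in dev["apps"]:
            allowed = approved.get(app["package"], set())
            for perm in app["granted"]:
                sensor = SENSOR_PERMS.get(perm)
                if sensor is None:
                    continue  # not a camera/microphone permission
                if restricted:
                    reason = "sensor grant on device in high-risk zone"
                elif sensor not in allowed:
                    reason = "grant not on allowlist"
                else:
                    continue
                findings.append((dev["id"], app["package"], sensor, reason))
    return findings

# Constructed sample export (assumed format); no real devices or apps.
CAM, MIC = "android.permission.CAMERA", "android.permission.RECORD_AUDIO"
SAMPLE = [
    {"id": "phone-01", "zone": "office", "apps": [
        {"package": "com.example.videoconf", "granted": [CAM, MIC]},
        {"package": "com.example.flashlight", "granted": [MIC, "android.permission.INTERNET"]},
        {"package": "com.example.scanner", "granted": [CAM, MIC]},
    ]},
    {"id": "phone-02", "zone": "high-risk", "apps": [
        {"package": "com.example.videoconf", "granted": [CAM]},
    ]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

An app that is approved for one sensor is still flagged when it holds the other, and any sensor grant is flagged on a device assigned to a high-risk zone, even for an approved app.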
As threat actors continue to look for new ways of capturing and leveraging smartphone data in vicinity, enterprises must learn to adapt to this new threat vector. Through awareness and vigilance, organizations large and small can mitigate the risks of their most valuable information falling into the wrong hands.