It’s not exactly a walk in the park when a cash register gets infected, but when technology on the front lines of law enforcement is infected out of the box, we have an entirely new set of nightmares to keep us up at night. It’s bad enough that our military is using 14-year-old software to operate the most powerful naval fleet in the world, and now we have to worry about police officers trying to do an already tough job with infected body cameras. As of this writing, the manufacturer of the devices has yet to comment, but according to the security firm assisting law enforcement agencies with the implementation of these devices, the cameras are shipping with the Conficker worm, a virulent strain of malware that first appeared in 2008 and continues to exploit unpatched Windows machines to this day.
What this means for you:
The savvier among you may have already posed the question, “How on earth does a simple flash memory-based camera get a virus infection?” The original success of the Conficker worm actually came from its ability to spread via USB devices through a well-known weakness in Windows operating systems: the short-lived “autorun on insert” functionality would execute a script on an infected thumb drive and infect the host computer with the Conficker virus, which would in turn search for any attached networks and other USB devices to infect. Police body cameras are designed to record data to built-in flash memory, and then have that data transferred via USB to a computer. See where this is going? Imagine your local, overworked police departments now being overrun by a 6-year-old virus. On top of this, it’s not a stretch to imagine savvy defense attorneys calling into question the integrity of video footage captured by compromised hardware. Though Conficker’s true purpose was never discovered, it infected millions of PCs. It’s not hard to imagine a new wave of malware infections brought on by untested and widely available devices like web cameras, USB chargers and many other devices that make up the rapidly growing “internet of things.”
Fortunately for the law enforcement agencies that purchased the equipment, their integrator was on their game and detected the infection before the cameras were put into the field. This only came about because the computers to which the cameras were attached were protected by up-to-date and reputable antimalware software. While it won’t be the magic bullet we all wish existed, solid antimalware protection will go a long way towards preventing disaster in your organization. Don’t skimp in this regard – it might put more at risk than you think.
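As an added illustration (not part of the original article), here is a small Python check that could be run against a mounted camera or thumb drive before it is attached to a production Windows machine: it lists any autorun.inf directives that would launch a program. The sample volume, its file names and the helper names are constructed for the example.

```python
import tempfile
from pathlib import Path

# [autorun] keys that make Windows run, or offer to run, a program on insert.
EXEC_KEYS = ("open", "shellexecute")

def audit_autorun(volume_root):
    """Return (key, value) pairs for every launch directive in autorun.inf."""
    findings = []
    for inf in Path(volume_root).iterdir():
        # FAT volumes are case-insensitive, so match the name loosely.
        if inf.name.lower() != "autorun.inf" or not inf.is_file():
            continue
        # latin-1 never fails to decode, so padding or junk bytes cannot
        # make the scan abort; unparseable lines are simply skipped.
        section = ""
        for raw in inf.read_bytes().decode("latin-1").splitlines():
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].strip().lower()
                continue
            if section != "autorun" or "=" not in line or line.startswith(";"):
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in EXEC_KEYS or is_verb:
                findings.append((key, value))
    return findings

def build_sample_volume(directory, with_autorun):
    """Constructed stand-in for a mounted camera volume (test data only)."""
    root = Path(directory)
    (root / "DCIM").mkdir()
    if with_autorun:
        junk = b"\x8f\x02 padding \xff\r\n"
        (root / "AUTORUN.INF").write_bytes(
            junk + b"[AutoRun]\r\n" + junk
            + b"Open = tools\\example.exe\r\n"
            + b"icon=shell32.dll,4\r\n"
            + b"shell\\open\\Command=tools\\example.exe\r\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in audit_autorun(build_sample_volume(tmp, True)):
            print(f"launch directive: {key} -> {value}")
```

A storage-only device such as a camera has no reason to carry any launch directive, so a non-empty result is grounds to hold the device back for a full antimalware scan.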
Despite the fact that everyone (including me) has been telling you that encryption makes the data stored on your smartphone safer, it would seem that is not necessarily the case for iOS devices. Renowned iPhone hacker, developer and author Jonathan Zdziarski presented a large body of research and evidence that Apple has built backdoor data access into its devices for some time, and not just the kind required by law enforcement for warranted search or for troubleshooting and debugging. Also damning was the fact that these processes and services aren’t documented at all by Apple, but are apparently well-known by various law enforcement agencies and forensic data specialists. And the cherry on top? The encryption on your iPhone can easily be bypassed by these backdoor tools through USB connections, Wi-Fi and possibly even cellular connections.
What this means for you:
According to Mr. Zdziarski’s findings, iPhone encryption is essentially bypassed because iOS maintains a base state of authentication even if your phone is “locked” with a PIN or password. The tools and services running quietly in the background of your device have direct access to your data, and not just the “anonymous” or “non-identifying” data that Apple collects for performance and troubleshooting purposes. Apple has yet to comment on Mr. Zdziarski’s findings, but the growing media attention on this issue will likely force a response from the Cupertino company. Unfortunately, there is not much you can do about this, as these backdoors are so deeply embedded in the operating system of iOS that removing or disabling them is impossible. You can, of course, demonstrate your displeasure by contacting your local congress-critter, providing feedback to Apple, as well as restraining yourself from buying Apple products until they address everyone’s privacy concerns. Given Apple’s stranglehold on the smartphone market, they have very little incentive to change anything unless consumer sentiment starts to sway against them on this issue.
Technology lobbyists have been pushing for reform of the 1986 Electronic Communications Privacy Act for years, primarily to address the multitude of shortcomings and loopholes that couldn’t have been predicted almost 30 years ago. Law enforcement has also jumped onto the bandwagon, having recently submitted a rider proposal that would be attached to any changes proposed to the ECPA. Their objective? To get cellular providers to retain all the text messages passing through their network, primarily for the purposes of investigating criminal activity. Currently, most providers say they do not retain the actual text messages centrally, and smartphones by default are not designed to retain text messages long term, but each provider appears to have different policies governing exactly how much data is retained, and how long. This inconsistency troubles some lawmakers, and law enforcement has long held that criminals purposefully use SMS as an “untraceable, untrackable” communication method.
What this means for you:
A proposal is a long way from actual law, but many privacy advocates and watchdog groups say a rider proposal like this could hamper much needed changes to the decades-old ECPA by weighing down progressive proposals with Big Brother agendas that most technology companies find distasteful, if not diametrically opposed to their publicly stated values – think Google’s “Do no evil” policy. The fight for privacy continues to carry into new areas every day, but the SMS fight could be a huge battle: six billion text messages are sent every day. Privacy issues aside, imagine having to figure out how to store this information in a way that is useful, let alone subpoenable!