What happens to state-sponsored smartphone hacks when they're uncovered? They get reverse-engineered and enter the cybercrime underworld, of course.
There is no ‘safe’ back door
The inconvenient truth is there is no such thing as a safe back door into smartphone security. Authoritarian governments may force smartphone platform developers to create them, but they make everyone less safe as those exploits will be identified and criminals – who are just as smart as government developers and (sometimes) the same people – will eventually find and exploit them.
Smartphone security isn’t like Harry Potter’s favorite train platform. There is no invisible Platform 9.75 that only government-approved hackers can get to. If a door exists, it will be found. It will be copied. It will be abused.
In 2022, we’re going to see state-sponsored attacks leak into the hacking underworld, and this could lead to a bonfire of security incidents on every platform, experts warn.
WatchGuard says watch out
In WatchGuard’s 2022 cybersecurity predictions, the prospect of state-sponsored attacks such as those used by Israel’s NSO Group leaking into wider abuse is top of the list.
We know most platform vendors are vigilant against such attacks. Apple most certainly is, judging from its recent commitment to “work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”
However, state-sponsored hacks are developed with limitless budgets and access to extensive resources unavailable even to platform developers. These designer exploits are initially developed to attack strategic targets.
That expense and the attack complexity mean most people don’t need to fear being hit by such hard-to-defend-against exploits. At first.
Mobile malware exists, and while smartphone OS developers work hard to implement hardware and software-based defences (such as secure boot) to protect users, serious vulnerabilities are occasionally identified and used.
What is made can be found
Like governments, criminals recognize the huge value of the kind of information smartphones carry — these digital devices turn your whole life into data, and there’s huge inherent value in that.
Facebook’s roughly $1 trillion market cap isn’t because of its platform, it’s because of the data collected about its users. Cambridge Analytica and Edward Snowden have both shown us how this valuable information is routinely gathered and abused.
With that in mind, it’s not at all surprising nations also want to dip into that data. But the solutions they create to get to it are just like anything else – they can be hacked, stolen, reverse-engineered.
And in many cases building these hacks has already been privatized, with state-sponsored organizations funding research and developing attacks, such as Pegasus, which eventually leak into the hands of rogue states.
“Unfortunately, like in the case of Stuxnet, when these more sophisticated threats leak, criminal organizations learn from them and copy the attack techniques,” warns WatchGuard’s latest survey.
“Next year, we believe we will see an increase in sophisticated cybercriminal mobile attacks due to the state-sponsored mobile attacks that have started to come to light.”
Don’t overreact, but do react
It is important not to overreact to WatchGuard’s prediction — at least, if you don’t work at a platform security company.
Smartphone and computer users should try to harden their existing personal or enterprise security. If you run a business, you should educate employees to become more discerning toward phishing attacks, given so many complex exploits begin with targeted phishing expeditions. Preparing for this is of particular consequence as it becomes increasingly likely the latest COVID variant may force a global return to working from home.
But it is also important to consider WatchGuard’s other big security predictions for 2022: Hackers will begin to attack satellites; we’ll see attempts made to abuse messaging platforms with phishing attacks; and we’ll see accelerating deployment of zero-trust security models, such as those now available to more than 1 million Apple Silicon Macs in use across the enterprise.
For me, the biggest concern is that sophisticated state-sponsored attacks will leak into the mainstream, making everyone so much less secure.
Your business could be next
This has consequences for consumer users, of course, but as the rising tide of ransomware attacks shows, criminals go where the money is.
And the first targets once these state-sponsored exploits leak or are reverse-engineered probably won’t be you or your mom or grandpa – they’ll be your business.
That's why every enterprise should share Apple’s disgust at the behavior of state-sponsored entities such as NSO. This rising security vulnerability tide threatens to flatten all the boats at a time when seas are already high, adding to uncertainty, threatening recovery, and damaging lives.
There are no safe backdoors. There are no invisible platforms. No one is safe until everyone is safe.