There's an interesting government surveillance tool out there many are not familiar with called StingRay. It's a law enforcement aid that can have serious enterprise information security repercussions.
Very secretive in nature and protected by a non-disclosure agreement required by its manufacturer Harris Corporation, StingRay apparently simulates a cell phone tower to lure cell phones into believing they're on a trusted cellular communications infrastructure. The technology, which is also known as a cell site simulator or IMSI catcher, has the ability to capture phone calls, SMS text messages, emails and other related Internet data for, no doubt, the "greater good" of society.
The system is so secretive, in fact, that legal cases are now being swayed -- often unfavorably -- so that law enforcement can keep from having to reveal exactly what StingRay is and how it works.
But what about all that information that's being captured? Where does it go? How is it being safeguarded? When will it be used against us? Is there anything we can do to protect corporate data?
The FBI claims it does not keep repositories of cell tower data outside of specific investigations, although that tune has recently changed. Regardless, given the lack of transparency with government spying in recent years, this system is seemingly more akin to the massive database the DEA is compiling on U.S. drivers this very moment.
Personal privacy aside, what can enterprises do to prevent this or other similar technology from collecting corporate data and spying on employees with corporate cell phones and tablets?
Simply put, if cellular data communications are enabled on mobile devices, I'm not convinced there's a good way to prevent tracking and eavesdropping. Even communications via Voice over LTE or any other type of Internet data connection are likely susceptible to interception and eavesdropping. If you need the utmost in security that's currently available, you could consider the Blackphone -- at least for certain users who might need it. Even still, unless everyone is using the same technology, there's no way to truly guarantee all communication channels are secure.
Perhaps one day we'll have security controls built into mobile phones to prevent them from connecting to these cell tower simulators -- similar to how wireless intrusion prevention systems can inhibit hosts from connecting to evil twin Wi-Fi hotspots.
For now, the best enterprises can do to protect corporate data and prevent it from falling into the wrong hands is to utilize VPNs for mobile clients, encrypt data at rest, and use traditional security controls such as strong passwords and malware protection. Perhaps the best control of all is for us to stop sharing sensitive information over mobile devices altogether; I'm certainly leaning that way for my personal and business communications.
Still, what's the real risk of StingRay's surveillance capabilities to the enterprise? A few hazards come to mind:
- Leakage of intellectual property and trade secrets for corporations, as well as their business partners and customers;
- Details on mergers and acquisitions;
- Exposure of attorney/client privileged case information, including deal and litigation strategies; and
- Revealing passwords to sensitive business applications and network systems.
Even if such information is not abused by local or federal law enforcement, it can still be obtained and exploited by others, given the fact that municipalities struggle with their own security issues.
Are there StingRay-like alternatives that could be used by criminal hackers and other threats? I don't doubt it -- especially for state-sponsored groups that have the financial backing to develop such a system.
As with government surveillance, we unfortunately won't know much until we find out the truth.
In the end, this technology needs to be on the radar of enterprise information security managers and leaders. There's a lot at stake, and unfortunately our hands are tied to a great extent. When technical controls are limited, an informed user is the best line of defense against such surveillance.
About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic LLC. With over 26 years of experience in the industry, Beaver specializes in performing independent security vulnerability assessments and penetration tests of network systems, as well as Web and mobile applications. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Beaver through his website and follow him on Twitter at @kevinbeaver.